The hackers hit at noon …… and operations seemed to be organized perfectly. They chose the prominent target - the Chancellor – Commandant of the Polish War Studies University, which is one of the most important military universities in Poland. In order to increase the credibility of actions, they impersonated Polish former parliament member and used mailbox, which looks similarly to official mailbox used by Polish parliament. The next target of the operation was an attack on local Polish press portals and publication of the fake press article to make it more convincing and reached out wider audience. How was the attack planned and executed? How many entities were involved in it? Was it the next organized hostile malign information against Poland?
April 22, 2020 at noon – publication of the fake open letter from gen. Ryszard Parafinowicz - the Chancellor – Commandant of the Polish War Studies University on the university page
The attackers wrote the fake open letter and attributed it to gen. Ryszard Parafinowicz Chancellor – Commandant of the Polish War Studies University and published on the university page. Then they prepared a screenshot and saved the distorted version of university page on internet archives. The letter included many damaging information not only for a general reputation but also for a country image. Fortunately, a few minutes after the fake letter had been published, the Ministry of Defence alarmed the university government. The website administrator blocked the university page and later moved to secure military infrastructure.
The letter was addressed to the highest military commanders in Poland and it criticized Law and Justice government and hit the Polish-American relations. The authors of the fabricated letter accused government of participating in “different USA’s scandals” and accused Americans that they are not on Polish soil to train and to ensure the security of NATO’s eastern flank but to pursue their own interests. In the next paragraph, they hit on the Polish-American relationship and indicated the unfair treatment of Russia.
“We are under American so-called voluntary occupation which is, in fact, a forced one. Carrying out Defender Europe 20 maneuvers near the Russian border is an obvious provocation suggesting that a significant threat to Poland and the entire Alliance actually originates from Russia. Today, the phobic disposition of the Polish leaders dominates common sense. It does not promote Poland’s security, our country is rather perceived as a battlefield” – the letter claims. The letter arguments are well known and popularized by other pro-kremlin news portal in Poland and were also used during the last information attack on American military during Polish American military drill Defender 2020. The other popular narrative used in disinformation operation is a history. “The fascist ideology which killed 6 million Poles in earlier times is being reborn under the protection of the state. I swear it hurts me to my heart, but I have to admit that it also flows from the Ministry of National Defense” – the fake letter claimed.
“Today you serving evil, you serving lie and you are building the international divisions. Under the leadership of PiS, you don’t contribute to building defense capabilities of the army and its morale. “Our blood has always been cheap, but this time politicians play with your blood. It’s your life, your decisions and your shame!”– we can read in the letter.
The press secretary of the Chancellor – Commandant confirmed that attack took place and the fake letter was published on the university page. In consequence of the attack the website was closed for further investigation and later moved to secure military web infrastructure. In addition, the text of the letter is an interesting subject of deeper analysis. The good level of Polish language is surprising and unusual but in the end the letter turned out to be a compilation of fragments of texts taken from other portals with pro-Russian inclination.
April 22, 2020 on early afternoon – publishing the note about the letter on the web information portals
The articles with the baleful headline “scandalous letter from the Chancellor – Commandant of the War Studies University: PiS politicians are leading us to catastrophe” was published on the three Polish web portals: “Prawy.pl”, “Lewy.pl” and “Podlasie.pl”. Each article was published backdated and were not available on the main page (but it was possible to find them using Google). The author of the one of the articles impersonated a well-known journalist. Both portals (“Prawy.pl” and “Lewy.pl”) published right-wing content and were followed by the significant group of audience. 32 thousand users followed Prawy.pl official profile on Facebook.
We contacted with the Prawy.pl and Lewy.pl editorial teams, who denied their involvement in these publications, cut off from the contents and claimed that they were the victims of cyberattacks.
April 22, 2020 in the afternoon - legitimizing letter on the international information portal
Information about the Chancellor – Commandant letter, entitled “Polish General encourages Polish soldiers to fight against American occupation”, was published also on the English-language portal The Duran. The publication of article in English, shortly after the appearance of fake letter on the university webpage is suspicious and we can conclude that the content in English language was prepared before the attack on university website. The publication on the international portal was deliberate and aimed at weakening Polish-American relationship and to undermine the purpose of presence of American troops in Poland among international audience.
The Duran portal is professional looking information portal on security and defense issues, which uses sophisticated disinformation methods through combining the fake information with true one. This portal is prepared so professionally that even recognized experts are lured by the fake or distorted information published there.
It was not the first article published on this portal hitting the Polish army. Earlier, on February 2020, The Duran published an article loaded with the fake news. There were several fabricated quotations from German gen. Hartmut Renk, who compared the Polish army preparation to disaster. Additionally, he allegedly evaluated conditions on Ustka and Drawsko Pomorskie training grounds as awful and claimed that American soldiers would live in terrible conditions, worse than pigs in Germany.
April 22, 2020 just before 3 pm – increasing credibility of the fake letter by using the Polish former member of parliament credentials and parliamentary mailbox
Fake letter publication on the university page and distribution by Polish and foreign portals were not the only elements of this information campaign. The next episode was a letter sent to popular media outlets in Poland via email encouraging the publication of its content. Hackers used in that operation credentials of the Polish former member of parliament (2007-2015) Tomasz Arkit and mailbox which looked identically as the real parliament email box.
This e-mail included two attachments – one with the direct link to the fake letter published on the War University website and the second to Internet archived. It means that, hackers were prepared and ready for fake letter removal from the university page.
Methods of this operation were similar to the attack on Defence24.pl editorial team, which took place at the beginning of this year. During that action hackers sent e-mails to Polish public institutions impersonating operation director.The message included request for a comment fake news about the march against the US army presence in Poland. In this case, hackers also breached the security of local portals and published fake articles about protest.
However, methods used during the attack in April were more sophisticated. Firstly, the hacker attacked War Studies University website. Secondly, they used a mailbox, which looks like the official parliament. Furthermore, the message attached a link for archive contents with the fake letter of General which shows that attackers secured the operation in a wake of removing letter from the university website. Internationalization of this operation is also an interesting issue. Hackers published the article in English-language news portal The Duran which means that they tried to reach out international audience.
April 22, 2020 late afternoon and evening – social media users comments
Late afternoon the War Studies University informed on Facebook that they were a victim of cyber attack and the letter Chancellor – Commandant letter was indeed fake.
Meantime, Facebook users wrote first comments on Lewy.pl and Prawy.pl links with the fake articles. Links were sent by suspicious users (with a little number of Facebook friends) but the “normal” users joint conversation and started commenting this post supporting the content of the letter. Most of the users who commented the article did not manifest any suspicion about the content of the article. Later, the Polish media outlets started to inform about the potential attack and warning about the fake letter. However, the biggest newspaper in Poland, Gazeta Wyborcza published the general fake letter, one day after the attack. Fortunately, it was removed after a couple of minutes, so we assumed that it was the editorial mistake.
Lessons for future
The operation against War Studies University is an example of advanced, sophisticated multistage hostile information operation. It was prepared to hit Polish-American relationship and to undermine the role of NATO troops stationing in Poland. Time of this operation was not a coincidence – just before election and also during the COVID-19 pandemic and infodemic. What is more, it was another information operation and someone was testing Polish cybersecurity and information security system and its warning and reaction methods. Did Poland pass this test?
Unfortunately, it is the next time when the state security system has a problem with the cybersecurity and information operations. The Polish authorities still do not treat these issues seriously enough and do not see the interdependence between them. Indeed, Poland took some important steps in developing cybersecurity systems, but failed in creating similar structure regarding information operations. The other problem is lack of possibility to attribute the attack and catch the perpetrators, which only encourage others to engage in next attacks. The other problem is the management of information incidents. The editorial teams of the Prawy.pl and Lewy. and the former member of parliament were not informed by state authorities that they were victims of information operations but by the journalists of CyberDefence24.pl. This a serious flaw in system of reacting on information incidents. Poland needs to expect future similar information operations, which will be only more sophisticated than previous operations and will use new methods and techniques.
However, there are positive aspects of this attack too. It was widely publicized in the country and paid attention of decision makers and the military about the real threat coming from the information operations. Not only Poland, but also the countries from region need to face this growing threat. Secondly, the security of website of Polish military entities was strengthened and moved to infrastructure protected by military CSIRT.
This information operation is the next step in the information warfare, which took place in region. Fortifying the military entities website is a positive step but it will not protect Poland from next information operations. There is a need for systematic solution and the cooperation between different stakeholders with a strong pressure on reforming education.
Andrzej Kozłowski. You can follow him on Twitter: @andrzejkozl.
Sylwia Gliwa. You can follow her on Twitter: @GliwaSylwia.