Hackers “aligned with Russian security interests” have been engaged in a sustained campaign to compromise news websites in Poland and Lithuania to plant false stories aimed at discrediting Nato, according to a new report. Part of the campaign – labelled “Ghostwriter” – involved gaining access to news sites publishing systems, deleting stories and replacing them with false news that sought to delegitimise the transatlantic alliance. In one example, a Lithuanian news site was compromised last September and a false article was inserted into its archive wrongly claiming that German soldiers serving with Nato had desecrated a Jewish cemetery. In May this year, a series of Polish sites were targeted and stories published with fake quotes attributed to the commander of the US army in Europe, in which he was said to have ridiculed the capability of the Polish military. Emails purporting to be from a local news service with links to the doctored articles were then sent out to other media and public institutions in an attempt to disseminate the fakes and give them further credibility. Lithuanian sites were targeted again in January, with a false story that the first Covid-19 case in the Baltic country came from a US officer, part of the standing deployment to protect the country from Russian incursion. Researchers at Mandiant, a specialist cybersecurity firm, have pieced together what had been reported as 14 isolated incidents and argue that they are part of a broader anti-Nato campaign that has been since running since at least March 2017. The attribution of hacking attacks is notoriously difficult, but the research firm said it was evident that the arguments made were “aligned with Russian security interests”, and that given that none of the culprits had been immediately detected, it would imply that “the actors behind the campaign are relatively well resourced”. John Hultquist, senior director of intelligence analysis at Mandiant, said: “The method of hacking media sites to push fabricated narratives is a powerful one,” and added that he expected it to recur in Europe and the US “as a means to alter perception there”. Faking news stories was part of a wider disinformation operation that also included articles being published on websites accepting user-generated content pushing the same anti-Nato narratives. Several pieces were authored by a “Rod Renny” and often appeared on the pro-Russian site the Duran in English. There was one instance of a non-news site being targeted. This April a fabricated letter appeared on the website of the Polish War Studies Academy, supposedly written by its commander, and calling for Polish troops to fight against “American occupation” – an apparent reference to the Nato exercise Defender Europe 20. Also in April, an email saying Nato was going to withdraw troops from Lithuania because of the coronavirus crisis was sent to media organisations, based on a faked letter supposedly sent by the secretary general, Jens Stoltenberg, to the country’s defence minister. Nato said it could not comment on the research, but that it was aware it was the target of disinformation. The military organisation has been careful about blaming Russia, saying only that it was targeted by “a number of specific disinformation attacks” in a briefing published this month. It instead made some more familiar accusations, blaming Russia’s international media – Russia Today and Sputnik – for spreading news stories that blend “true and false elements, which bypass people’s natural filters for detecting disinformation”, and Russian actors for using false social media accounts to spread lies online.