By Givi Gigitashvili, for DFRLab

Russian Telegram channels possibly linked to Ghostwriter amplified forged letters published by hacktivist assets

On August 16, 2022, pro-Kremlin Telegram channel Joker DPR (Джокер ДНР) published a forged letter allegedly written by Ukrainian Foreign Minister Dmytro Kuleba. In the letter, Kuleba supposedly asked relevant Polish authorities to rename Belwederska Street in Warsaw — the location of the Russian embassy building — as Stepan Bandera Street, in honor of the far-right nationalist who led the Ukrainian Insurgent Army during WWII.

More than sixty years after his death, Bandera remains a polarizing figure. While still highly regarded in far-right Ukrainian nationalist circles, he is largely remembered for his role in the massacres of Polish civilians and collaborating with Nazi officials. In Russia, the word Banderite has become synonymous with “fascist” or even “Nazi.” During the early months of the war in Ukraine, Kremlin propaganda spoke of “de-nazifying” Ukraine and removing its democratically elected government, which it referred to contemptuously as “Banderite.”

The forged letter claimed that renaming the street after Bandera would be seen as a gesture of support to Ukraine, and highlighted that Russia changed the names of the streets in Moscow where the US and UK embassies are located. The letter is not dated, and Dmytro Kuleba’s signature seems to be copied from a publicly available letter signed by him in 2021.

The alleged August 2021 forgery. (Source: Joker DPR/archive)
Kuleba’s 2021 signature (top) rotated fourteen degrees counterclockwise to compare it to the signature in the alleged August 2022 letter.
The two images overlaid on each other.

The day after releasing the letter, Joker DPR published another document on Telegram, allegedly signed by Polish Deputy Foreign Minister Marcin Przydacz. The document contained several orders supposedly issued by Przydacz, including an order for the President of the Polish Institute of National Remembrance to provide a written expert opinion by August 31 about the possibility of changing the street in Warsaw to Stepan Bandera Street. It also proposed to conduct a publicity campaign to improve Bandera’s popularity among Polish citizens, despite his role in WWII-era Polish massacres.

Deputy Foreign Minister Przydacz wrote on Twitter that the document published under his name was forged and that no one at the Polish Foreign Ministry had written such a letter. “It’s a fake,” he tweeted. “Never would such a magazine be created by the Polish Ministry of Foreign Affairs. The linguistic errors clearly point to the potential authors of this provocation.”

Forged document allegedly issued by Marcin Przydacz. (Source: Joker DPR/archive)

The August 17 Telegram post also contained screenshots of Facebook posts that appeared on two Facebook accounts belonging to Polish nationals Piotr Górka, an expert in the history of the Polish Air Force, and Dariusz Walusiak, a Polish historian and documentary maker. The Górka post suggested that he fully supported the Polish government’s decision to change Belwederska Street to Stepan Bandera Street.

Screenshot of post from Górka’s Facebook page. Górka told the DFRLab he was hacked. (Source: Joker DPR/archive)

In a statement to the DFRLab, Górka said his account was accessed without his consent. “This is not my post loaded to my Facebook page,” he explained. “My site was hacked, some days ago.” At the time of publishing, Piotr Górka’s post and his Facebook account were no longer accessible.

The post on Górka’s Facebook page was shared by Dariusz Walusiak’s Facebook account; the account also reposted it on the Facebook walls of more than twenty other Facebook users, including Adam Kalita, currently working at the Krakow branch of the Institute of National Remembrance; Jan Kasprzyk, head of the Office for War Veterans and Victims of Oppression; and Alicja Kondraciuk, a Polish public figure living in Krakow.

(Source: Joker DPR/archive)
Screenshot of Piotr Górka’s post posted by Walusiak’s account on Facebook walls of different individuals and Facebook groups. (Source: Facebook)

Walusiak’s Facebook account is also no longer accessible. Given his work on Polish history and identity, it seems highly unlikely he would support the Bandera measure; the DFRLab has also reached out to him for comment.

The fact that Joker DPR’s Telegram post included screenshots of their Facebook posts raises the strong possibility that both Facebook accounts were compromised, and that hackers planted false statements on their pages that would seem out of character for them in order to gain further attention to the forged documents.

A pattern of behavior by Joker DPR

Joker DPR launched a similar information operation two months prior to the latest incident. On June 17, 2022, Joker DPR posted a forged letter allegedly written by Ukrainian Foreign Minister Dmytro Kuleba in which he supposedly asked the Polish government to deport Ukrainian male refugees from Poland to Ukraine. The letter claimed that Ukrainian President Volodymyr Zelenskyy had decided to force all Ukrainian males of fighting age to return to Ukraine so they could take up arms and defend the country. The forged letter, addressed to Polish Foreign Minister Zbigniew Rau, asked the Polish government to provide all necessary information about Ukrainian males living in the country.

The forged letter published in June 2022. (Source: Joker DPR/archive)

Both letters published by Joker DPR on June 17 and August 16 are written in Polish and look quite similar, though they bear different signatures. Like the signature on the August 16 letter, Kuleba’s June 17 signature appears to have been copied from yet another previous letter and slightly adjusted in terms of size and angle; the DFRLab found an official letter signed by Kuleba in March 2022 which appears to match the signature on the June 17 letter.

Kuleba’s March 2022 signature (top) compared with signature contained in alleged June 2022 forgery (bottom) after resizing and rotating several degrees.
Overlay of the two signatures.

A few hours after publishing Kuleba’s forged letter, Joker DPR also published a screenshot of a Facebook post from a user named Cezary Nobis. The post contained photos of three letters allegedly written by Wiaczesław Wojnarowśkyj, General Consul of Ukraine in Krakow; Deputy Foreign Minister Marcin Przydacz; and Adam Struzik, Marshal of the Masovian Voivodeship.

The letter allegedly written by Wojnarowśkyj encouraged Poland to deport Ukrainian male citizens aged eighteen to sixty for illegally trying to avoid service in the Ukrainian armed forces. The letter also asked Polish authorities to “transfer all necessary information and documents” about these individuals to Ukraine. The letter allegedly written by Przydacz included an order for Polish Voivodeship offices and local government bodies to provide comprehensive assistance to Ukrainian consulates in Poland “in searching, identifying and detaining Ukrainian nationals.” And the third letter, allegedly written by Struzik, contained a statement that starting on June 27, 2022, Masovian Voivodeship officials would begin to search, identify, and detain Ukrainian males of fighting age who were avoiding service in the Ukrainian armed forces.

All three letters were determined to be fake by Polish news outlet Konkret24. The DFRLab has reached out to Cezary Nobis for comment; his Facebook page remains active but the post in question is no longer available.

Forged letters allegedly written by Wiaczesław Wojnarowśkyj (left), Marcin Przydacz (center), and Adam Struzik (right). (Source: Konkret24/archive)

Meanwhile, one day before Joker DPR published the June 17 letter, another pro-Russian Telegram channel, Beregini, posted a letter allegedly sent to Dmytro Kuleba by Ukrainian Defense Minister Oleksiy Reznikov. The letter claimed that the Ukrainian army had an acute shortage of manpower, and that it was necessary to return Ukrainian males back to Ukraine with the help of the foreign ministry’s diplomatic corps.

Letter allegedly written by Oleksiy Reznikov to Dmytro Kuleba. (Source: Beregini/archive)

The letter also contained a QR code that resolves into a Google search for the phrase “СЕД АСКОД- Міністерство оборони України № документа: 220/3034 Дата реєстрації: 29.04.2022 14:17:18 ЕП: Резніков Олексій Юрійович,” which translates to “SED ASKOD — Ministry of Defense of Ukraine Document no.: 220/3034 Date of registration: 29.04.2022 14:17:18 EP: Oleksiy Yuriyovych Reznikov.” “SED ASKOD” is a reference to ASKOD Electronic Document Sharing (“АСКОД Система Електронного Документообігу”), a cloud storage service used by the Ukrainian government to track and store official documents online. The search query revealed two results: an official biography of Reznikov on a Ukrainian government portal, and an April 2021 letter sent by Reznikov to Ukraine’s territorial reintegration ministry about setting up a communications hotline within occupied Ukrainian territory.

Reznikov’s correspondences routinely include QR codes using the ASKOD system to help internet users find official copies stored on Ukrainian government servers. For example, these two letters written by Reznikov in June 2022 both contain QR codes that help readers find their official copies online. If the Reznikov letter published by Beregini had been legitimate, its QR code should have pointed to its official copy in the ASKOD system. The fact that it points to an entirely different letter from 2021 raises additional suspicions about its provenance.

As documented above, Joker DPR and Beregini promulgated letters allegedly written by multiple Ukrainian and Polish officials, alongside suspicious Facebook posts that appear to be hacks. Polish ministerial spokesman Stanislaw Zaryn wrote on Twitter that the main objective of this disinformation campaign was “to provoke hostility of Ukrainians towards the Polish state.” In a subsequent tweet, he added, “This is yet another disinformation action calculated to destabilize relations between Poles and Ukrainians.”

The DFRLab is not alone in its assessment that the letters and subsequent Facebook posts are suspicious and likely coordinated. In an assessment of the June 2022 Telegram posts published by CyberScoop, cyber security firm Mandiant concluded that the campaign launched by Joker DPR and Beregini bore notable similarities to Ghostwriter, a hybrid disinformation/hacking campaign based in Belarus that is believed to coordinate with the Kremlin. Moreover, the Mandiant researchers concluded that the forged letters published by Beregini and Joker DPR in June 2022 were a Ghostwriter operation, and that these Telegram channels were possibly coordinating with Ghostwriter. The DFRLab has previously reported on information operations attributed to Ghostwriter in which several social media accounts of Polish nationals were hacked to plant false information and give it an air of legitimacy.

Amplifiers of Joker DPR and Beregini Telegram channels

The DFRLab analyzed the Beregini and Joker DPR Telegram channels using Telegram analytics tool TGStat and found that the Telegram channel ЧВК Медиа (“ChVK Media”) is the top amplifier of both channels. (ChVK is the Russian abbreviation for Частная Военная Компания, or private military company.) For example, Beregini published 945 posts between March 2, 2020 and August 18, 2022, and ChVK Media mentioned Beregini’s posts almost 500 times during that time period, beginning just one day after Beregini’s first post.

The Joker DPR channel was created on March 25, 2022, but its first post noted that “enemies blocked” a previous version of the channel that had 60,000 followers. In December 2019, the pro-Kremlin website NewsFront interviewed an administrator of the Joker DPR channel, which confirms that a prior version of the channel existed at that point in time. Although the older channel is no longer active, an analysis of ChVK Media showed that it forwarded posts from the earlier channel as early as April 2020. As for the new channel, Joker DPR had published 152 posts as of August 18; during the same time period, ChVK Media had mentioned it 198 times. ChVK Media had forwarded nearly every Joker DPR post, as well as posts from other channels mentioning Joker DPR. The DFRLab compared the timestamps of Joker DPR posts with the timestamps of their subsequent reposts by ChVK Media, but found that the timing was mostly irregular and did not suggest any specific pattern. Therefore, this process does not appear to be automated; most likely, ChVK Media administrators manually forward Joker DPR posts to its own channel.
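
The timing comparison described above can be expressed as a small check, shown here as an added example that is not DFRLab's own code or data: it measures the delay between each source post and its forward and flags the pair of channels as likely automated when the delays are near-constant or near-immediate. The timestamps are constructed, and the function names and both thresholds are assumptions.

```python
from datetime import datetime
from statistics import mean, median, pstdev

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed (source post time, forward time) pairs, not real channel data.
MANUAL = [("2022-08-01 09:00:00", "2022-08-01 09:07:10"),
          ("2022-08-02 14:30:00", "2022-08-02 16:05:00"),
          ("2022-08-03 08:15:00", "2022-08-03 08:46:30"),
          ("2022-08-04 20:00:00", "2022-08-05 00:12:00"),
          ("2022-08-05 11:45:00", "2022-08-05 12:03:20")]
BOT = [("2022-08-01 09:00:00", "2022-08-01 09:01:00"),
       ("2022-08-02 14:30:00", "2022-08-02 14:31:01"),
       ("2022-08-03 08:15:00", "2022-08-03 08:15:59"),
       ("2022-08-04 20:00:00", "2022-08-04 20:01:00"),
       ("2022-08-05 11:45:00", "2022-08-05 11:46:02")]


def forward_delays(pairs):
    """Return the delay in seconds between each source post and its forward."""
    delays = []
    for src, fwd in pairs:
        delta = datetime.strptime(fwd, FMT) - datetime.strptime(src, FMT)
        if delta.total_seconds() < 0:
            raise ValueError(f"forward {fwd} precedes source post {src}")
        delays.append(delta.total_seconds())
    return delays


def timing_profile(pairs, cv_threshold=0.25, fast_seconds=120):
    """Summarise forward delays and apply two heuristic automation signals.

    cv_threshold and fast_seconds are assumed cut-offs for illustration.
    """
    delays = forward_delays(pairs)
    if not delays:
        raise ValueError("no post/forward pairs supplied")
    avg = mean(delays)
    # Coefficient of variation: spread of the delays relative to their mean.
    cv = pstdev(delays) / avg if avg else 0.0
    # Share of forwards that follow the source post almost immediately.
    fast_share = sum(d <= fast_seconds for d in delays) / len(delays)
    return {"median_s": median(delays), "cv": cv, "fast_share": fast_share,
            "looks_automated": cv <= cv_threshold or fast_share >= 0.9}


if __name__ == "__main__":
    for name, sample in (("manual-like", MANUAL), ("bot-like", BOT)):
        print(name, timing_profile(sample))
```

Irregular delays are consistent with manual forwarding but do not prove it, since a scheduler can add random jitter; the check is one signal to weigh alongside the others.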

Screenshots from TGStat show incoming and outgoing mentions of Joker DPR (top) and Beregini (bottom) Telegram channels. Red rectangles mark mentions of these two channels by ChVK Media, while green rectangles mark total mentions across all Telegram channels. (Source: TGStat)

As previously noted, “ЧВК” is the Russian abbreviation for “private military company” (PMC). ChVK Media is a part of the Russian Federal News Agency RIA FAN, which is connected with the Internet Research Agency (IRA) and the Patriot media group. Patriot is chaired by Putin associate Yevgeny Prigozhin, who is also believed to be responsible for the IRA as well as the infamous Wagner Group PMC, which has been accused of war crimes in conflicts in Ukraine, Syria, and multiple countries in Africa. The Moscow Times has suggested that the IRA rebranded itself as a network of sixteen news websites and that RIA FAN is the hub of these websites. The Alliance for Securing Democracy also concluded that the ChVK Media Telegram channel is a central asset in RIA FAN’s online ecosystem.

In 2021, Polish media outlet Oko.press reported that ChVK Media amplified Russian-language Telegram channel Тайны Европы (“Secrets of Europe”), which published materials stolen from Michał Dworczyk’s email inbox. Dworczyk is the head of the chancellery of Poland’s prime minister; according to Polish authorities, Ghostwriter hacked his email and stole information that was later released through Telegram channels. Marcin Siedlarz, a cyber security expert at Mandiant, argued that a phishing message sent to Dworczyk came from an IP address that was previously used in other confirmed Ghostwriter attacks. After compromising his mailbox, the attackers also hacked the Facebook account of Dworczyk’s wife and planted information about an email hack there. The DFRLab reviewed the Secrets of Europe channel using TGStat and found that it had published 111 posts, of which forty-seven had been forwarded from ChVK Media.

It is notable that ChVK Media actively amplifies the Joker DPR and Beregini Telegram channels, both of which published suspicious documents to undermine Poland-Ukraine relations, as well as the Secrets of Europe Telegram channel, which published the leaked documents from the inbox of Polish official Michał Dworczyk. Given these factors and the others outlined in this case study, the possibility of coordination between Ghostwriter, the pro-Kremlin Telegram ecosystem, and media assets affiliated with Yevgeny Prigozhin warrants further investigation.

Givi Gigitashvili is Research Associate, Caucasus, with the Digital Forensic Research Lab.