State‑Sponsored GhostWriter Phishing Campaign Targets Gmail Accounts of Polish Public Figures and Their Families
What Happened — A Belarus‑linked threat group known as GhostWriter has shifted its phishing operations from Polish email providers to personal Gmail accounts. Since March, the group has been sending credential‑stealing emails that harvest login passwords and two‑factor authentication (2FA) codes from senior officials, journalists, researchers, law‑enforcement personnel and their relatives.
Why It Matters for Compliance & Audit Readiness
- Credential‑theft attacks directly test the effectiveness of SOC 2 Access Control (CC6.1) and Identity Management policies – controls you must evidence continuously.
- Successful phishing compromises can expose sensitive documents and contact lists, creating audit‑ready evidence gaps for data‑handling and incident‑response procedures.
- The campaign highlights the need for documented Security Awareness Training and periodic phishing‑simulation results as part of a defensible SOC 2 audit trail.
Who Is Affected – Government agencies, public‑administration bodies, media outlets, research institutions, and law‑enforcement entities in Poland (and potentially their families).
Recommended Actions –
- Map the phishing scenario to SOC 2 CC6.1 (Logical Access) and CC7.1 (System Operations) controls; verify that MFA enforcement and password‑policy logs are collected.
- Conduct a targeted phishing simulation for high‑risk user groups and capture results as audit evidence.
- Review and update Security Awareness Training curricula to include state‑sponsored spear‑phishing tactics.
- Enable automated alerting on anomalous login attempts from personal email services and retain logs for the audit period.
Source: The Record
Technical Notes – The attackers use daily‑rotating phishing domains, lure victims with fake Gmail login pages, and harvest both passwords and 2FA codes. No specific CVE is cited; the vector is social engineering (phishing). Data at risk includes email contents, contact lists, and linked accounts.