HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

State‑Sponsored GhostWriter Phishing Campaign Targets Gmail Accounts of Polish Public Figures and Their Families

GhostWriter, a Belarus‑linked hacker group, has begun phishing personal Gmail accounts belonging to Polish officials, journalists and their families, stealing passwords and 2FA codes. The attack underscores the need for robust SOC 2 access‑control evidence and security‑awareness programs.

LiveThreat™ Intelligence · 📅 June 15, 2026· 📰 therecord.media
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
5 sector(s)
Actions
4 recommended
📰
Source
therecord.media

State‑Sponsored GhostWriter Phishing Campaign Targets Gmail Accounts of Polish Public Figures and Their Families

What Happened — A Belarus‑linked threat group known as GhostWriter has shifted its phishing operations from Polish email providers to personal Gmail accounts. Since March, the group has been sending credential‑stealing emails that harvest login passwords and two‑factor authentication (2FA) codes from senior officials, journalists, researchers, law‑enforcement personnel and their relatives.

Why It Matters for Compliance & Audit Readiness

  • Credential‑theft attacks directly test the effectiveness of SOC 2 Access Control (CC6.1) and Identity Management policies – controls you must evidence continuously.
  • Successful phishing compromises can expose sensitive documents and contact lists, creating audit‑ready evidence gaps for data‑handling and incident‑response procedures.
  • The campaign highlights the need for documented Security Awareness Training and periodic phishing‑simulation results as part of a defensible SOC 2 audit trail.

Who Is Affected – Government agencies, public‑administration bodies, media outlets, research institutions, and law‑enforcement entities in Poland (and potentially their families).

Recommended Actions

  • Map the phishing scenario to SOC 2 CC6.1 (Logical Access) and CC7.1 (System Operations) controls; verify that MFA enforcement and password‑policy logs are collected.
  • Conduct a targeted phishing simulation for high‑risk user groups and capture results as audit evidence.
  • Review and update Security Awareness Training curricula to include state‑sponsored spear‑phishing tactics.
  • Enable automated alerting on anomalous login attempts from personal email services and retain logs for the audit period.

Source: The Record

Technical Notes – The attackers use daily‑rotating phishing domains, lure victims with fake Gmail login pages, and harvest both passwords and 2FA codes. No specific CVE is cited; the vector is social engineering (phishing). Data at risk includes email contents, contact lists, and linked accounts.

📰 Original Source
https://therecord.media/ghostwriter-targets-personal-gmail-accounts-in-poland

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Could you prove your access controls held up here?

Credential and access failures map directly to SOC 2 access-control criteria. The Verisq AI Trust Operations platform shows where your evidence is thin before an auditor — or an attacker — finds out.

Explore the Verisq AI Trust Operations platform →