On Dec. 19, a news report describing an attempted carjacking involving two U.S. Army sergeants appeared on leading news sites in Lithuania, including the Baltic Times web portal.

The report detailed an alleged assault on the driver of a BMW 320 and included quotes from Lithuanian law enforcement officials. It was bylined with the name of a prominent defense reporter and distributed via email, ostensibly by the same journalist.

The news report

The “news item” reported that “on December 12 at about 3.40 pm two unidentified men approached a BMW 320, got in the car, threatened the driver with a knife, struck him in the face and tried to seize him. When the driver called for help, the attackers disappeared.”

The report claimed two U.S. Army sergeants had been identified on CCTV camera footage of the carjacking and detained. It named the two sergeants as “Sgt Gomez and Sgt Ortiz” and claimed they belonged to the “1st Battalion, 9th US Cavalry Regiment, 1st Cavalry Division from Fort Hood, Texas, deployed in Lithuania.”

The Vilnius police noted in a Dec. 12 press release that an attempted carjacking had indeed taken place.

The law enforcement officials named in the news report -- Saulius Gagas, chief of Vilnius County police, and Lithuania's Prosecutor General Evaldas Pasilis -- are also real. So is the reporter named in the byline – Vaidas Saldžiūnas, defense editor for DELFI, a leading Baltic media portal. He is also one of Lithuania’s prominent investigative journalists and is involved in Debunk.eu, a European Union program that debunks fake news and disinformation, mainly coming out of Russia.

Moreover, the report accurately identified the U.S. Army unit deployed in Lithuania under NATO auspices.

Given that the report contained a lot of correct information, it appeared authentic. It ended with a reference to the 2017 agreement between the U.S. and Lithuania regulating the status of the American troops there, which gives the U.S. judicial authority to prosecute crimes committed by its troops on Lithuanian territory.

“Thus, U.S. soldiers once again will not be punished for their crimes,” the report concluded, implying that this was not the first such incident and that none of the perpetrators in “previous” ones had been brought to justice.

The cyber-attack

Apart from the real information – that a carjacking had taken place, the names of Lithuanian officials and a real U.S. Army unit that has members deployed in Lithuania – a Polygraph.info fact-check found that everything else in the report was fabricated. That includes the quotes by the law enforcement officials and the identities of the U.S. troops allegedly involved, as well as their alleged detention.

“It was an information cyber-attack against U.S. soldiers. So far the attack had only limited outreach and was printed in a few Lithuanian news websites,” Kęstutis Vaskelevicius, a representative of the Lithuanian Embassy in Washington, D.C., told Polygraph.info.

The U.S. Army-Europe told VOA national security correspondent Jeff Seldin that it is “aware of the reports in the press concerning two U.S. soldiers being arrested in Lithuania.”

“We can confirm that the reports are false,” U.S. Army-Europe said.

DELFI issued a statement debunking the report as a cyber-attack, and the Baltic Times removed it from its website. The fake report is still available on a cached page, as seen in the screenshot below.

Vaidas Saldžiūnas, the DELFI reporter whose name was used in the byline of a fake report on the carjacking, confirmed the report was fabricated and said it was not the first time he was targeted in a cyber-attack.

“It's the second time this happened in my name,” Saldžiūnas told Polygraph.info. “[The] (f)irst case [was] in October about alleged US nukes in Lithuania. Those behind [it] used my name and spoofed email sent to targeted recipients in Lithuania.”

Saldžiūnas shared this screenshot of the earlier hoax email:

That earlier cyber-attack involved the distribution of a fake Lithuanian Foreign Ministry press release asking the U.S. to deploy nuclear weapons to Lithuania, as well as a fake response from the U.S. State Department thanking Lithuanian leadership for the “offer.” (see the screenshot below)

“This time the audience was targeted more broadly - went to other media as well as abroad,” Saldžiūnas said.

To execute the operation, the hackers created a fake persona on the website LiveLeak a few days prior to the cyber-attack.

A fake name was used along with Saldžiūnas’s real name to distribute the report via a hoax email and another website.

Who was behind the cyber-attack?

In Lithuania, investigations of cyber-attacks fall under the jurisdiction of several state entities, Saldžiūnas said.

The National Cyber Security Center of Lithuania is tasked with investigating the technical aspects, while the Strategic Communication units of the country’s Defense and Foreign ministries take on the disinformation angle, producing their own assessment of the nature of the attack.

“Both institutions rarely share evidence directly specifying who's behind it. This time they say they're ‘working hard on it’,” Saldžiūnas said.

However, there are “some clues” about the hackers, Saldžiūnas said, “like sloppy English and Lithuanian.”

“I've been writing on both military deployments and debunking fake stories for years, so I believe it was just a matter of time before I became a target,” Saldžiūnas said, adding: “My bet would be on local proxies, perhaps on a payroll. The anti-American, anti-NATO, pro-Kremlin narrative correlation is uncanny.”

NATO -- and specifically U.S. -- troops in the Baltics have long been targets of Russian disinformation, including cyber operations. Besides the fake “request to deploy nuclear weapons” in Lithuania cited above, among the most reported cases was a fake story about a U.S. military vehicle accidentally killing a local boy and getting away with the crime.