Researchers at security vendor ESET have uncovered a two-pronged war-related cyberattack, comprising Psyops and credential-stealing campaigns, targeting Ukrainian civilians and businesses.
Researchers Uncover Russia-Aligned Psyops Campaign ‘Operation Texonto’
Researchers from security vendor ESET have confirmed that they discovered a cyber-psyops campaign, named Operation Texonto, following analysis of two waves of sysops messages sent in November and December 2023. The contents were based around typical Russian propaganda themes of drug and food shortages as well as interruptions to heating for Ukrainian citizens. The goal appears to be to make Ukrainian citizens believe Russia is winning the war.
The war-related disinformation was distributed by way of spam emails. In October, the researchers also saw a spear-phishing campaign targeting both Ukrainian organizations, including a defense company, and EU agencies. This was designed to steal login credentials for Microsoft Office 365 accounts. ESET says that “due to the similarities in the network infrastructure used in these PSYOPs and phishing operations,” it can be said with high confidence they are linked.
Operation Texonto Attributed With High Confidence To Russia-Aligned Operatives
Operation Texonto, attributed “with high confidence to a group that is Russia aligned” by ESET Research, appears to resemble previous operations by a Russia-aligned advanced persistent threat group known as Callisto. However, the ESET researcher behind the discovery of these latest cyberattacks, Matthieu Faou, says that without technical overlap “we currently do not attribute Operation Texonto to a specific threat actor.”
Faou says that ESET has seen an uptick in cyber espionage operations in recent months. “The strange brew of espionage, information operations, and fake pharma messages,” Faou says, “can only remind us of Callisto, a well-known Russia-aligned cyber-espionage group, some members of which were the subject of an indictment by the U.S. Department of Justice in December 2023.”
The fake pharmacy messages aspect is interesting as the same email server used by the attackers to send the psyops messages was also used, just two weeks later, to send Canadian pharmacy spam. This blurring of the lines between criminal and political activity is far from unusual, especially in countries such as Russia.
Eat Pigeon Risotto, Disinformation Campaign Tells Ukrainians
It wouldn’t appear that there was any malware, or malicious links, included with the first wave of email distributed. “One domain masquerading as the Ministry of Agrarian Policy and Food of Ukraine recommended replacing unavailable medicine with herbs,” Faou says, with another suggesting “eating pigeon risotto” and including “a photo of a live pigeon and a cooked pigeon.” According to ESET, the second wave was darker with messages “suggesting people amputate a leg or an arm to avoid military deployment.”
META Reports Success In Russian-Origin Influence Campaign Takedowns
The latest META Adversarial Threat Report also talks about Russian influence campaigns since the start of the war in Ukraine. “Our teams remain on high alert to monitor for adversarial changes related to this war,” the report says, “as Ukraine or Ukraine-related issues remain the largest focus of Russian-origin influence operations.” META reports that it has seen posting volumes from Russian state-controlled media decline by 55% and engagement levels by 94% compared to pre-war levels since it started enforcement measures. “For covert influence operations, since 2022, we’ve seen fewer attempts to build complex deceptive personas in favor of thinly-disguised, short-lived fake accounts in an effort to spam the internet, hoping something will stick.” The META report says that it expects to see spam campaigns that throw “large volumes of accounts across many internet services and websites” to continue in 2024.