Cybersecurity researchers have unearthed a new influence operation targeting Ukraine that leverages spam emails to propagate war-related disinformation.
The activity has been linked to Russia-aligned threat actors by Slovak cybersecurity company ESET, which also identified a spear-phishing campaign aimed at a Ukrainian defense company in October 2023 and a European Union agency in November 2023 with an aim to harvest Microsoft login credentials using fake landing pages.
Operation Texonto, as the entire campaign has been codenamed, has not been attributed to a specific threat actor, although some elements of it, particularly the spear-phishing attacks, overlap with COLDRIVER, which has a history of harvesting credentials via bogus sign-in pages.
The disinformation operation took place over two waves in November and December 2023, with the email messages bearing PDF attachments and content related to heating interruptions, drug shortages, and food shortages.
The November wave targeted no less than a few hundred recipients in Ukraine, including the government, energy companies, and individuals. It's currently not known how the target list was created.
"What's interesting to note is that the email was sent from a domain masquerading as the Ministry of Agrarian Policy and Food of Ukraine, while the content is about drug shortages and the PDF is misusing the logo of the Ministry of Health of Ukraine," ESET said in a report shared with The Hacker News.
"It is possibly a mistake from the attackers or, at least, shows they did not care about all details."
The second disinformation email campaign that commenced on December 25, 2023, is notable for expanding its targeting beyond Ukraine to include Ukrainian speakers in other European nations. All the messages were written in Ukrainian and sent to a diverse set of targets ranging from the Ukrainian government to an Italian shoe manufacturer.
These messages, while wishing recipients a happy holiday season, also adopted a darker tone, going as far as to suggest that they ampute one of their arms or legs to avoid military deployment. "A couple of minutes of pain, but then a happy life!," the email goes.
ESET said one of the domains used to propagate the phishing emails in December 2023, infonotification[.]com, also engaged in sending hundreds of spam messages beginning January 7, 2024, redirecting potential victims to a fake Canadian pharmacy website.
It's exactly unclear why this email server was repurposed to propagate a pharmacy scam, but it's suspected that the threat actors decided to monetize their infrastructure for financial gain after realizing that their domains have been detected by defenders.
"Operation Texonto shows yet another use of technologies to try to influence the war," the company said.
The development comes as Meta, in its quarterly Adversarial Threat Report, said it took down three networks originating from China, Myanmar, and Ukraine across its platforms that engaged in coordinated inauthentic behavior (CIB).
While none of the networks were from Russia, social media analytics firm Graphika said posting volumes by Russian state-controlled media has declined 55% from pre-war levels and engagement has plummeted 94% compared to two years ago.
"Russian state media outlets have increased their focus on non-political infotainment content and self-promotional narratives about Russia since the start of the war," it said. "This could reflect a wider off-platform effort to cater to domestic Russian audiences after multiple Western countries blocked the outlets in 2022."
Russia-Aligned Influence Operation Targets Germany
Doppelganger, an aggressive and persistent pro-Kremlin network known for propagating anti-Ukrainian propaganda and disinformation, targeted German audiences with content criticizing the ruling government coalition and its support for Ukraine, according to a joint report published by SentinelOne and ClearSky. It overlaps with activities previously disclosed by Meta and Recorded Future last year.
The information warfare campaign, dubbed Doppelganger NG, leverages a network of X (formerly Twitter) accounts that share "content from third-party websites whose content aligns with Doppelgänger propaganda goals, as well as from sites that Doppelganger itself has created," security researcher Aleksandar Milenkoski said.
Additionally, links have been observed between Doppelganger NG and the Russian cyber espionage group APT28 based on similarities of text and HTML code fragments found in the campaign and a set of phishing attacks aimed at stealing credentials entered by prospective victims on fake pages imitating email services like UKR.NET and Yahoo!
"The transfer of stolen data is carried out using previously compromised Ubiquiti devices," the Computer Emergency Response Team of Ukraine (CERT-UA) noted in July 2023. Last week, the U.S. government said it had disrupted a network of Ubiquiti routers that was used by APT28 to conceal its malicious activities.
