Russian Hackers Target Ukraine with Disinformation and Credential-Harvesting Attacks


Feb 21, 2024 | Newsroom | Phishing Attack / Information Warfare

Cybersecurity researchers have unearthed a new influence operation targeting Ukraine that leverages spam emails to propagate war-related disinformation.

The activity has been linked to Russia-aligned threat actors by Slovak cybersecurity company ESET, which also identified a spear-phishing campaign aimed at a Ukrainian defense company in October 2023 and a European Union agency in November 2023 with the aim of harvesting Microsoft login credentials using fake landing pages.

Operation Texonto, as the entire campaign has been codenamed, has not been attributed to a specific threat actor, although some elements of it, particularly the spear-phishing attacks, overlap with COLDRIVER, which has a history of harvesting credentials via bogus sign-in pages.

The disinformation operation took place over two waves in November and December 2023, with the email messages bearing PDF attachments and content related to heating interruptions, drug shortages, and food shortages.

The November wave targeted at least a few hundred recipients in Ukraine, including the government, energy companies, and individuals. It is currently not known how the target list was created.

“What’s interesting to note is that the email was sent from a domain masquerading as the Ministry of Agrarian Policy and Food of Ukraine, while the content is about drug shortages and the PDF is misusing the logo of the Ministry of Health of Ukraine,” ESET said in a report shared with The Hacker News.

“It’s probably a mistake from the attackers or, at least, shows they didn’t care about all details.”

The second disinformation email campaign, which commenced on December 25, 2023, is notable for expanding its targeting beyond Ukraine to include Ukrainian speakers in other European nations, owing to the fact that all the messages are in Ukrainian.

These messages, while wishing recipients a happy holiday season, also adopted a darker tone, going as far as to suggest that they amputate one of their arms or legs to avoid military deployment. “A few minutes of pain, but then a happy life!,” the email goes.

ESET said one of the domains used to propagate the phishing emails in December 2023, infonotification[.]com, also engaged in sending hundreds of spam messages starting January 7, 2024, redirecting potential victims to a fake Canadian pharmacy website.

It is unclear exactly why this email server was repurposed to propagate a pharmacy scam, but it’s suspected that the threat actors decided to monetize their infrastructure for financial gain after realizing that their domains had been detected by defenders.

“Operation Texonto shows yet another use of technologies to try to influence the war,” the company said.

The development comes as Meta, in its quarterly Adversarial Threat Report, said it took down three networks across its platforms originating from China, Myanmar, and Ukraine that engaged in coordinated inauthentic behavior (CIB).

While none of the networks were from Russia, social media analytics firm Graphika said posting volumes by Russian state-controlled media have declined 55% from pre-war levels and engagement has plummeted 94% compared to two years ago.

“Russian state media outlets have increased their focus on non-political infotainment content and self-promotional narratives about Russia since the start of the war,” it said. “This could reflect a wider off-platform effort to cater to domestic Russian audiences after multiple Western countries blocked the outlets in 2022.”
