Russian Hackers Target Ukraine with Disinformation and Credential-Harvesting Attacks

Feb 21, 2024NewsroomPhishing Attack / Information Warfare

Cybersecurity researchers have unearthed a new influence operation targeting Ukraine that leverages spam emails to propagate war-related disinformation.

The activity has been linked to Russia-aligned threat actors by Slovak cybersecurity company ESET, which also identified a spear-phishing campaign aimed at a Ukrainian defense company in October 2023 and a European Union agency in November 2023 with an aim to harvest Microsoft login credentials using fake landing pages.

Operation Texonto, as the entire campaign has been codenamed, has not been attributed to a specific threat actor, although some elements of it, particularly the spear-phishing attacks, overlap with COLDRIVER, which has a history of harvesting credentials via bogus sign-in pages.

The disinformation operation took place over two waves in November and December 2023, with the email messages bearing PDF attachments and content related to heating interruptions, drug shortages, and food shortages.

The November wave targeted no less than a few hundred recipients in Ukraine, including the government, energy companies, and individuals. It's currently not known how the target list was created.

"What's interesting to note is that the email was sent from a domain masquerading as the Ministry of Agrarian Policy and Food of Ukraine, while the content is about drug shortages and the PDF is misusing the logo of the Ministry of Health of Ukraine," ESET said in a report shared with The Hacker News.

"It is possibly a mistake from the attackers or, at least, shows they did not care about all details."

The second disinformation email campaign that commenced on December 25, 2023, is notable for expanding its targeting beyond Ukraine to include Ukrainian speakers in other European nations owing to the fact that all the messages are in Ukrainian.

These messages, while wishing recipients a happy holiday season, also adopted a darker tone, going as far as to suggest that they ampute one of their arms or legs to avoid military deployment. "A couple of minutes of pain, but then a happy life!," the email goes.

ESET said one of the domains used to propagate the phishing emails in December 2023, infonotification[.]com, also engaged in sending hundreds of spam messages beginning January 7, 2024, redirecting potential victims to a fake Canadian pharmacy website.

It's exactly unclear why this email server was repurposed to propagate a pharmacy scam, but it's suspected that the threat actors decided to monetize their infrastructure for financial gain after realizing that their domains have been detected by defenders.

"Operation Texonto shows yet another use of technologies to try to influence the war," the company said.

The development comes as Meta, in its quarterly Adversarial Threat Report, said it took down three networks across its platforms originating from China, Myanmar, and Ukraine that engaged in coordinated inauthentic behavior (CIB).

While none of the networks were from Russia, social media analytics firm Graphika said posting volumes by Russian state-controlled media has declined 55% from pre-war levels and engagement has plummeted 94% compared to two years ago.

"Russian state media outlets have increased their focus on non-political infotainment content and self-promotional narratives about Russia since the start of the war," it said. "This could reflect a wider off-platform effort to cater to domestic Russian audiences after multiple Western countries blocked the outlets in 2022."

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.