Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

Russians Pummel Ukrainians With Psychological Operations

Morale Targeted Via Spam Focusing on Heating Interruptions, Medical Shortages
Russians Pummel Ukrainians With Psychological Operations
Ukrainian soldiers in an undated file photo (Image: Ukrainian Military Portal)

Russian psychological operations targeting Ukraine and its allies go beyond spear-phishing attacks and use spam techniques to spread messages meant to demoralize Ukrainians and also possibly target Russian dissidents, warned security firm Eset.

See Also: OnDemand | Combatting Rogue URL Tricks: How You Can Quickly Identify and Investigate the Latest Phishing Attacks

Next Saturday marks the two-year anniversary of Moscow's initiation of a war of conquest against its European neighbor - a period marked by a high volume of phishing, cyberespionage and targeted attacks against critical infrastructure (see: Russia Continues to Focus on Cyber Operations and Espionage).

Two waves of psychological operations launched last November and December by a Russia-aligned group that Eset says has the behavioral characteristics of the Russian Federal Security Service hacking group known as ColdRiver or Callisto were designed to make it look as if Russian forces were winning the war. The messaging focused on "heating interruptions, drug shortages and food shortages, which are typical themes of Russian propaganda," Eset said. Unusually, the same infrastructure, several weeks later, was used to send Canadian pharmacy spam.

The security researchers said the attacks traced back to a common infrastructure, suggesting they were launched by the same advanced persistent threat group. Eset dubbed the campaigns "Operation Texonto."

"The strange brew of espionage, information operations and fake pharma messages can only remind us of Callisto," said Matthieu Faou, a security researcher at Eset. But the company isn't attributing the campaigns to a specific threat actor.

All of those spam campaigns followed spear-phishing campaigns launched using the same infrastructure last October and November, which targeted a Ukrainian defense firm and then an unnamed EU government agency with fake Microsoft Office 365 login pages designed to steal victims' credentials. Some of these attacks tied to domains - such as navalny-votes.net, which was first registered in September 2023 and references the now-dead opposition leader Alexei Navalny - and therefore appeared to target Russian dissidents, Eset said.

U.S. and U.K. government officials have said the Callisto group, also known as Star Blizzard and previously tracked as Seaborgium by Microsoft, is run by Russia's FSB, formally known as the Federal Security Service, the successor to the Soviet Union's KGB. The group has been tied to numerous attacks targeting government and military agencies as well as think tanks, among others.

In December 2023, Britain's Ministry of Foreign Affairs accused the FSB of running a nearly decadelong series of spear-phishing campaigns that targeted multiple U.K. political parties and leaked information ahead of the country's 2019 general election. The same month, both the U.K. and U.S. governments sanctioned two individuals, including an FSB intelligence officer, for perpetrating Callisto attacks. U.S. federal prosecutors indicted them on charges of unauthorized access to email accounts belonging to American intelligence, defense and Department of Energy government employees.

Faou said that while Operation Texonto and recent Callisto operations have many similarities, including in their tactics, techniques and procedures, "we haven't found any technical overlap." That said, "given the TTPs, targeting, and the spread of messages, we attribute the operation with high confidence to a group that is Russia-aligned."

Russia's Ongoing Phishing Campaigns

Multiple Russian groups, or at least clusters of threat activity, have been running cyber operations, including phishing campaigns, nearly nonstop, both before and since Moscow ordered the all-out invasion of Ukraine nearly two years ago, experts said.

Google and its Mandiant intelligence group last week reported that Russia has continued to run numerous phishing campaigns both before and since launching its invasion. Campaigns it's been tracking surged from January to March 2023 and again from April to June 2023. Many of those targeted government and military users in Ukraine and largely traced to APT28 - aka FrozenLake - later joined by ColdRiver as well as another group with the codename IceCap.

Starting last September, Google said, it had seen a rise in campaigns that traced to the Russian GRU military intelligence agency's Sandworm team, aka FrozenBarents, as well as FrozenLake, after which FrozenLake and ColdRiver ran campaigns in October and November and additional groups joined the fray shortly thereafter.

In January, Google warned that it had seen ColdRiver evolve from phishing for credentials to delivering malware that used PDF documents as lures. Observed targets included a Ukrainian defense contractor, Eastern European militaries and a NATO Center of Excellence.

"Over the last year, I'd say what we've seen is very much an Eastern European and Ukrainian focus," said Shane Huntley, senior director of Google's Threat Analysis Group, in a call last week with reporters. With the invasion ordered by President Vladimir Putin largely remaining stalled, attacks perpetrated by "multiple groups representing multiple agencies" in Russia have shifted their targeting at different times "from military to political to civil society" and back again.

"The targeting has been ongoing. There are peaks; there are troughs. But we always have to take the peaks and troughs with a little bit of grain of salt because we don't have full visibility of everything going on," he said.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.