A Russian threat-actor is targeting Ukrainian citizens with email Psychological Operations (PSYOPs) campaigns aimed at making them believe Russia is winning the war, new research from ESET has revealed.
Two different waves of the disinformation campaign were detected by the firm – the first in November 2023 and the second at the end of December.
The PSYOP campaign, dubbed Operation Texonto, is designed to raise doubts about the progress of the conflict among Ukrainians and Ukrainian speakers abroad. The contents of the emails contained warnings of impacts such as heating interruptions, medicine shortages and food shortages in the region.
ESET also highlighted a separate spearphishing campaign designed the steal credentials for Microsoft Office 365 accounts, which it believes are linked to the PSYOPs emails due to similarities in the network infrastructure used.
This spearphishing campaign targeted a Ukrainian defense company in October 2023 and an EU agency in November 2023.
Additionally, the email server used by the attackers to send the PSYOP emails was reused two weeks later to send typical Canadian pharmacy spam messages – a popular campaign within the Russian cybercrime community.
The researchers have linked all these campaigns to a single Russian-aligned group with high confidence, due to the tactics, techniques and procedures used, its targets, the content of the messages.
Russian PSYOP Campaigns in Operation
The first wave of disinformation emails was sent to at least a few hundred recipients in Ukraine, including employees of the Ukrainian government, energy companies and individual citizens. The researchers said they do not know how the list of email addresses was created.
These emails contained a variety of messages designed to sow doubt into the minds of Ukrainians about the war, such as “there may be heating interruptions this winter.”
The emails contained PDF attachments, which contained further disinformation messages. In one example, the PDF attachment described a medicine shortage and that the Ukrainian government is refusing to import drugs from Russian and Belarus. The document misused the logo of the Ministry of Health of Ukraine.
The email domain used by the attackers in this example was us-minagro[.]com, which was designed to masquerade as the Ministry of Agrarian Policy and Food of Ukraine whose legitimate domain is minagro.gov.ua.
During this first PSYOPs wave, the researchers observed five other domains being used, each of which masqueraded Ukrainian government agencies, such as the Ministry of Development of Communities, Territories and Infrastructure of Ukraine.
The content of these emails included warnings and recommendations around:
- Russian shelling of the energy facilities infrastructure could cause electricity in homes being completely cut off
- The potential for heating interruptions this winter
- Significant losses in the agricultural sector potentially leading to food shortages in Ukraine
In the latter example, the message purportedly from Ukraine’s Ministry of Agriculture suggested eating “pigeon risotto,” with a photo provided of a living pigeon and cooked pigeon. These documents were purposely designed to anger the recipients, according to ESET.
Second Russian PSYOP Email Wave
The second Russian PSYOP wave took place at the end of December 2023. This was broader than the first wave as it targeted Ukrainian speakers in other European countries as well as Ukrainian citizens.
ESET believe a few hundred people received emails in this wave, ranging from employees in Ukrainian government agencies to an Italian shoe manufacturer.
These emails provided happy new year messages containing overtly pro-Russian content, such as “only together we will be able to drive out the Satanists from the USA and their minions from the original Russian soil!”
One of the messages even suggested Ukrainians should amputate an arm or leg to avoid military deployment.
“Overall, it has all the characteristics of PSYOPs during war time,” the researchers wrote.
The emails were sent from servers operated by the attackers, such as infoattention[.]com.
Russian Actors Carry Out Credential Phishing Campaign
The researchers believe the same threat actor was also behind a spearphishing campaign designed to steal credentials for Microsoft Office 365 accounts from targets.
The first wave took place in October 2023, with phishing emails sent to employees working a major Ukrainian defense company.
These messages purportedly came from the firm’s IT department, informing the recipients that it will be conducting a planned inventory of unused mailboxes. The targets were told to click a link and log in using their credentials “if you plan to use your email address in the future.”
The researchers believe the link would take you to a fake Microsoft login page intended to steal the targets’ credentials.
The attackers used an email address created specifically for this campaign.
A similar wave of emails was sent to employees of the EU Coordinating Office for Palestinian Police Support in November. ESET said it has not seen the email sample for this wave, just the URL of the malicious link submitted to VirusTotal.
An Unusual Combination of Email Campaigns
On January 7, 2024, ESET observed one of the domains used to send PSYOP emails in December 2023 was sending Canadian pharmacy spam.
These emails provided a malicious link to purportedly allow recipients to purchase “brand-new pharmaceutically approved drugs against impotence.”
The researchers noted that the unusual mix of espionage, disinformation and fake pharma campaigns bears similarities with the tactics employed Russia-aligned espionage group Callisto, also known as Star Blizzard, which was indicted by the US government in December 2023.
This group is known for targeting government officials, people in think tanks, and military-related organizations via spearphishing campaigns.
However, there is currently no other evidence linking Callisto to this new campaign.
Another interesting aspect of the campaigns was that some of the domain names are related to internal Russian topics, such as the former Russian opposition leader Alexei Navalny, who died in Jail on February 16, 2024.
“This means that Operation Texonto probably includes spearphishing or information operations targeting Russian dissidents and supporters of the late opposition leader,” said the researchers.