Information operation targeting Ukrainian speakers in the context of the war

ESET merchandise and analysis have been defending Ukrainian IT infrastructure for years. For the reason that begin of the battle in February 2022, we now have prevented and investigated a major variety of assaults launched by Russia-aligned teams. We now have additionally printed among the most attention-grabbing findings on WeLiveSecurity:

Although our major focus stays on analyzing threats involving malware, we now have discovered ourselves investigating an info operation or psychological operation (PSYOP) attempting to lift doubts within the minds of Ukrainians and Ukrainian audio system overseas.

Operation Texonto

Operation Texonto is a disinformation/PSYOP marketing campaign utilizing spam mails as the primary distribution technique. Surprisingly, it doesn’t appear that the perpetrators used frequent channels reminiscent of Telegram or faux web sites to convey their messages. We now have detected two completely different waves, the primary one in November 2023 and the second on the finish of December 2023. The contents of the emails had been about heating interruptions, drug shortages, and meals shortages, that are typical themes of Russian propaganda.

Along with the disinformation marketing campaign, we now have detected a spearphishing marketing campaign that focused a Ukrainian protection firm in October 2023 and an EU company in November 2023. The aim of each was to steal credentials for Microsoft Workplace 365 accounts. Due to similarities within the community infrastructure utilized in these PSYOPs and phishing operations, we’re linking them with excessive confidence.

Curiously, a couple of extra pivots additionally revealed domains which are a part of Operation Texonto and associated to inner Russian subjects reminiscent of Alexei Navalny, the well-known Russian opposition chief who was in jail and died on February 16^th, 2024. Because of this Operation Texonto most likely contains spearphishing or info operations concentrating on Russian dissidents and supporters of the late opposition chief. These domains embody:

• navalny-votes[.]internet
• navalny-votesmart[.]internet
• navalny-voting[.]internet

Even perhaps stranger is that an electronic mail server, operated by the attackers and used to ship PSYOP emails, was reused two weeks later to ship typical Canadian pharmacy spam. This class of unlawful enterprise has been extremely popular inside the Russian cybercrime neighborhood for a very long time, as this blogpost from 2011 explains.

Determine 1 summarizes the primary occasions of Operation Texonto.

The unusual brew of espionage, info operations, and pretend pharma can solely remind us of Callisto, a well known Russia-aligned cyberespionage group who was the topic of an indictment by the US DOJ in December, 2023. Callisto targets authorities officers, folks in assume tanks, and military-related organizations by way of spearphishing web sites designed to imitate frequent cloud suppliers. The group has additionally run disinformation operations reminiscent of a document leak simply forward of the 2019 UK common election. Lastly, pivoting on its previous community infrastructure results in faux pharma domains reminiscent of musclepharm[.]high or ukrpharma[.]ovh.

Whereas there are a number of high-level factors of similarity between Operation Texonto and Callisto operations, we haven’t discovered any technical overlap and we at present don’t attribute Operation Texonto to a particular risk actor. Nonetheless, given the TTPs, concentrating on, and the unfold of messages, we attribute the operation with excessive confidence to a gaggle that’s Russian aligned.

Phishing marketing campaign: October–November 2023

Workers working at a significant Ukrainian protection firm obtained a phishing electronic mail in October 2023, purportedly coming from their IT division. The emails had been despatched from it.[redacted_company_name]@gmail.com, an electronic mail handle more than likely created particularly for this marketing campaign, and the e-mail topic was Запрошено утверждение:Планова інвентаризація (machine translation from Ukrainian: Approval requested: Deliberate stock).

The content material of the e-mail is the next:

У період з 02 жовтня по 13 жовтня співробітники відділу інформаційних технологій проводять планову інвентаризацію та видалення поштових скриньок, що не використовуються. Якщо Ви плануєте використовувати свою поштову адресу ([redacted_address]@[redacted_company_name].com) у майбутньому, будь ласка, перейдіть на веб-версію поштової скриньки за цим посиланням та увійдіть до системи, використовуючи свої облікові дані.

 

Жодних додаткових дій не потрібно, Ваша поштова скринька отримає статус “підтверджений” і не буде видалена під час планової інвентаризації ресурсів. Якщо ця поштова адреса не використовується Вами (або її використання не планується в майбутньому), то в цьому випадку Вам не потрібно виконувати жодних дій – поштову скриньку буде видалено автоматично 13 жовтня 2023 року.

 

З повагою,

 

Відділ інформаційних технологій.

A machine translation of the e-mail is:

Within the interval from October 2 to October 13, staff of the knowledge know-how division will conduct a deliberate stock and elimination of unused mailboxes. In case you plan to make use of your electronic mail handle ([redacted_address]@[redacted_company_name].com) sooner or later, please go to the net model of the mailbox at this hyperlink and log in utilizing your credentials.

 

No further actions are required, your mailbox will obtain the standing “confirmed” and won’t be eliminated throughout a scheduled useful resource stock. If this electronic mail handle isn’t utilized by you (or its use isn’t deliberate sooner or later), then on this case you don’t want to take any motion – the mailbox will likely be deleted routinely on October 13, 2023.

 

Finest regards,

 

Division of knowledge applied sciences.

The aim of the e-mail is to entice targets into clicking on за цим посиланням (machine translation: at this hyperlink), which ends up in https://login.microsoftidonline[.]com/frequent/oauth2/authorize?client_id=[redacted];redirect_uri=httpspercent3apercent2fpercent2foutlook.office365.compercent2fowapercent2f&useful resource=[redacted]&response_mode=form_post&response_type=code+id_token&scope=openid&msafed=1&msaredir=1&client-request-id=[redacted]&protectedtoken=true&claims=%7bpercent22id_tokenpercent22percent3apercent7bpercent22xms_ccpercent22percent3apercent7bpercent22valuespercent22percent3apercent5bpercent22CP1percent22percent5dpercent7dpercent7dpercent7d&domain_hint=[redacted]&nonce=[redacted]&state=[redacted] (partially redacted). This URL factors to the malicious area login.microsoftidon-line[.]com. Word that this area may be very near the official one, login.microsoftonline.com.

We haven’t been capable of retrieve the phishing web page, however it was more than likely a faux Microsoft login web page supposed to steal the targets’ credentials.

For an additional area belonging to Operation Texonto, choicelive149200[.]com, there have been two VirusTotal submissions (one and two) for the URL https://choicelive149200[.]com/owa/auth/logon.aspx?replaceCurrent=1&url=https://hbd.eupolcopps.eu/owa/. Sadly, the positioning was now not reachable on the time of study, however it was seemingly a credential-phishing web page for the Outlook on the net/OWA webmail of eupolcopps.eu, the EU Coordinating Workplace for Palestinian Police Assist. Word that we now have not seen the e-mail pattern, simply the URL submitted to VirusTotal.

First PSYOP wave: November 2023

On November 20^th, we detected the primary wave of disinformation emails with a PDF attachment despatched to a minimum of a couple of hundred recipients in Ukraine. Folks working on the Ukrainian authorities, vitality firms, and even people, obtained the emails. We have no idea how the listing of electronic mail addresses was constructed.

Opposite to the beforehand described phishing marketing campaign, the aim of those emails was to sow doubt within the thoughts of Ukrainians; as an illustration, one electronic mail says that “There could also be heating interruptions this winter”. It doesn’t appear there was any malicious hyperlink or malware on this particular wave, solely disinformation.

Determine 2 exhibits an electronic mail instance. Its topic is Рекомендації моз україни на тлі дефіциту ліків (machine translation from Ukrainian: Suggestions of the Ministry of Well being of Ukraine on the time of a scarcity of medicines) and the e-mail was despatched from mozua@ua-minagro[.]com. Word that this handle might be seen within the envelope-from and return-path fields.

ua-minagro[.]com is a website operated by the attackers and was used completely for sending disinformation emails on this marketing campaign. The area is masquerading because the Ministry of Agrarian Coverage and Meals of Ukraine whose authentic area is minagro.gov.ua.

Hooked up to the e-mail is a PDF doc, as proven in Determine 3. Whereas it’s not malicious per se, it additionally comprises disinformation messages.

The doc is misusing the emblem of the Ministry of Well being of Ukraine and explains that because of the battle, there’s a drug scarcity in Ukraine. It additionally says that the Ukrainian authorities is refusing to import medication from Russia and Belarus. On the second web page, they clarify find out how to change some medication with crops.

What’s attention-grabbing to notice is that the e-mail was despatched from a website masquerading because the Ministry of Agrarian Coverage and Meals of Ukraine, whereas the content material is about drug shortages and the PDF is misusing the emblem of the Ministry of Well being of Ukraine. It’s presumably a mistake from the attackers or, a minimum of, exhibits they didn’t care about all particulars.

Along with ua-minagro[.]com, 5 further domains had been used to ship emails on this wave:

• uaminagro[.]com
• minuaregion[.]org
• minuaregionbecareful[.]com
• uamtu[.]com
• minagroua[.]org

minuaregion[.]org and minuaregionbecareful[.]com are masquerading because the Ministry of Reintegration of the Briefly Occupied Territories of Ukraine whose authentic web site is https://minre.gov.ua/en/.

uamtu[.]com is masquerading because the Ministry of Growth of Communities, Territories and Infrastructure of Ukraine, whose authentic web site is https://mtu.gov.ua.

We now have recognized three extra completely different electronic mail message templates, every with a distinct mail physique and PDF attachment. A abstract is supplied in Desk 1.

Desk 1. Disinformation emails

The associated PDF attachments are allegedly from the Ukrainian Ministry of Areas (see Determine 4) and the Ministry of Agriculture (see Determine 5).

Within the final doc, allegedly from the Ministry of Agriculture, they recommend to eat “pigeon risotto” and so they even present a photograph of a dwelling pigeon and a cooked pigeon.… This exhibits these paperwork had been purposely created to be able to rile the readers.

General, the messages align with frequent Russian propaganda themes. They’re attempting to make Ukrainian folks imagine they received’t have medication, meals, and heating due to the Russia-Ukraine battle.

Second PSYOP wave: December 2023

A few month after the primary wave, we detected a second PSYOP electronic mail marketing campaign concentrating on not solely Ukrainians, but additionally folks in different European international locations. The targets are considerably random, starting from the Ukrainian authorities to an Italian shoe producer. As a result of all of the emails are written in Ukrainian, it’s seemingly that the overseas targets are Ukrainian audio system. In response to ESET telemetry, a couple of hundred folks obtained emails on this second wave.

We discovered two completely different electronic mail templates on this wave. The primary one was despatched on December 25^th and is proven in Determine 6. As for the primary wave, the e-mail messages had been despatched from an electronic mail server operated by the attackers, infoattention[.]com on this case.

A machine translation of the e-mail physique is the next:

Pricey Ukrainians, we congratulate you on the warmest and most household vacation – the New 12 months!

We sincerely need you to rejoice 2024 with your loved ones! Could your loved ones and pals by no means get sick! Care for one another! Solely collectively we can drive out the Satanists from the USA and their minions from the unique Russian soil! Let’s revive Kievan Rus regardless of our enemies! Let’s save folks’s lives! From Russia with love!

Joyful vacation, pricey pals!

The second electronic mail template, proven in Determine 7, was despatched on December 26^th, 2023 from a distinct electronic mail server: stronginfo1[.]com. Throughout this wave, two further electronic mail addresses had been used:

• happyny@infonotifi[.]com
• happyny@infonotification[.]com

A machine translation of the e-mail physique is the next:

Joyful New 12 months, Ukrainian brothers! On New 12 months’s Eve, it is time to bear in mind how good it’s to have two pairs of legs and arms, however in case you have misplaced one in all them, then do not be upset – which means you will not meet a Russian soldier in a trench. And right here if all of your limbs are intact, then we don’t envy you. We suggest slicing or sawing off a minimum of one of many 4 your self – a few minutes of ache, however then a contented life!

Joyful New 12 months, Ukrainians! Do not forget that generally one is healthier than two!

Whereas the primary PSYOP electronic mail marketing campaign in November 2023 was fairly well-prepared, with specifically created PDF paperwork that had been considerably convincing, this second marketing campaign is fairly extra primary and darker in its messaging. The second electronic mail template is especially disturbing, with the attackers suggesting folks amputate a leg or arm to keep away from army deployment. General, it has all of the traits of PSYOPs throughout battle time.

Canadian pharmacy spam: January 2024

In a fairly stunning twist of occasions, one of many domains used to ship PSYOP emails in December 2023, infonotification[.]com, began getting used to ship Canadian pharmacy spam on January 7^th, 2024.

An instance is supplied in Determine 8 and the hyperlink redirects to the faux Canadian pharmacy web site onlinepharmacycenter[.]com. The spam marketing campaign was reasonably giant (within the a whole bunch of messages a minimum of) and other people in lots of international locations obtained such emails.

The emails had been despatched from happyny@infonotification[.]com and this was verified within the electronic mail headers:

Return-Path: <happyny@infonotification[.]com>
Delivered-To: [redacted]
[redacted]
Obtained: from infonotification[.]com ([185.12.14[.]13])
        by [redacted] with esmtps (TLS1.3:TLS_AES_256_GCM_SHA384:256)
        [redacted]
        Solar, 07 Jan 2024 12:39:10 +0000

Faux Canadian pharmacy spam is a enterprise traditionally operated by Russian cybercriminals. It was extensively coated prior to now by bloggers reminiscent of Brian Krebs, particularly in his Spam Nation guide.

Hyperlinks between these spam campaigns

Whereas we don’t know why the operators of the PSYOP campaigns determined to reuse one in all their servers to ship faux pharmacy spam, it’s seemingly that they realized that their infrastructure was detected. Therefore, they might have determined to attempt to monetize the already burnt infrastructure, both for their very own revenue or to fund future espionage operations or PSYOPs. Determine 9 summarizes the hyperlinks between the completely different domains and campaigns.

Conclusion

For the reason that begin of the battle in Ukraine, Russia-aligned teams reminiscent of Sandworm have been busy disrupting Ukrainian IT infrastructure utilizing wipers. In current months, we now have noticed an uptick in cyberespionage operations, particularly by the notorious Gamaredon group.

Operation Texonto exhibits one more use of applied sciences to attempt to affect the battle. We discovered a couple of typical faux Microsoft login pages however most significantly, there have been two waves of PSYOPs by way of emails most likely to attempt to affect and demoralize Ukrainian residents with disinformation messages about war-related subjects.

A complete listing of Indicators of Compromise (IoCs) and samples might be present in our GitHub repository.

For any inquiries about our analysis printed on WeLiveSecurity, please contact us at threatintel@eset.com.
ESET Analysis presents non-public APT intelligence stories and knowledge feeds. For any inquiries about this service, go to the ESET Threat Intelligence web page.

IoCs

Information

Community

Electronic mail addresses

• minregion@uaminagro[.]com
• minregion@minuaregion[.]org
• minregion@minuaregionbecareful[.]com
• minregion@uamtu[.]com
• mozua@ua-minagro[.]com
• mozua@minagroua[.]org
• minagroua@vps-3075.lethost[.]community
• happyny@infoattention[.]com
• happyny@stronginfo1[.]com
• happyny@infonotifi[.]com
• happyny@infonotification[.]com

MITRE ATT&CK methods

This desk was constructed utilizing version 14 of the MITRE ATT&CK framework.