Russian Cyberattackers Launch Multiphase PsyOps Campaign

Russia-linked threat actors employed both PysOps and spear-phishing to target users over several months at the end of 2023 in a multiwave campaign aimed at spreading misinformation in Ukraine and stealing Microsoft 365 credentials across Europe.

The operation — dubbed Operation Texonto — came in two distinct waves, the first in October-November 2023 and the second in November-December 2023, researchers from ESET discovered. The campaign used a diverse range of pysop tactics and spam mails as its main distribution method, they revealed in a blog post published Feb. 22.

Chronologically, the first campaign was a spear-phishing attack that targeted a Ukrainian defense company in October 2023 and an EU agency in November 2023. The second was a disinformation campaign focused mainly on Ukrainian targets using topics related to heating interruptions, drug shortages, and food shortages — "typical themes of Russian propaganda-related campaign," the researchers said.

Though they had different aims, both used similar network infrastructure, which is how ESET linked the two. Then, in a bit of a plot twist, a URL associated with Operation Texonto was to send typical Canadian pharmacy spam in a separate campaign that occurred in January.

Russia-Ukraine Hybrid War

Threat campaigns have been employed by Russian-aligned threat actors such as Sandworm and Gamaredon in a cyberwar with Ukraine that's run concurrently with the two-year ground operation, according to ESET. Sandworm notably used wipers to disrupt Ukrainian IT infrastructure early in the war, while Gamaredon recently has ramped up cyber espionage operations.

"Operation Texonto shows yet another use of technologies to try to influence the war," the researchers wrote in the post, though they did not attribute the operation to a specific actor. "We found a few typical fake Microsoft login pages but most importantly, there were two waves of pysops via emails probably to try to influence Ukrainian citizens and make them believe Russia will win."

Operation Texonto also demonstrates other notable deviations from typical malicious activity, notes Matthieu Faou, the ESET researcher who lead the investigation, in an email to Dark Reading.

"What is interesting in the Operation Texonto case is that the same threat actor is both engaged in disinformation and in spear-phishing campaigns, while most of the threat actors do one or the other," he observes. "As such, it's clear that it is a planned pysop and not just someone posting misinformation on the Internet."

The campaign also shows a move away from using common channels such as Telegram or fake websites to convey the malicious messages, the researchers noted.

Two Distinct Waves

The first sign of the operation came in October when employees working at a major Ukrainian defense company received a phishing email purportedly from the IT department. The message warned that their mailbox may be removed and that to sign in, they must click on a link to a Web version of the mailbox and log in using their credentials.

The link instead leads to a phishing page, which ESET researchers surmised from another domain belonging to the operation submitted to VirusTotal that it was a fake Microsoft login page to steal Microsoft 365 credentials, though they weren't able to retrieve the phishing page itself.

The next wave of the campaign was the first pysops operation, which sent disinformation emails with a PDF attachment to at least a few hundred people working for the Ukrainian government and energy companies, as well as individual citizens.

Contrary to the previously described phishing campaign, however, the goal of these emails appeared to be purely disinformation to sow doubt in the mind of Ukrainians, rather than spread malicious links.

Emails in the campaign informed recipients of potential food, heating, and drug shortages, with one going so far as to suggest they eat "pigeon risotto" and even providing photos of a living pigeon and a cooked pigeon that "shows those documents were purposely created in order to rile the readers," the researchers noted.

"Overall, the messages align with common Russian propaganda themes," they wrote. "They are trying to make Ukrainian people believe they won't have drugs, food, and heating because of the Russia-Ukraine war."

The second phase of the pysops wave occurred in December and expanded to other European countries, with a random array of a few hundred targets ranging from the Ukrainian government to an Italian shoe manufacturer, but still written in Ukrainian. The researchers discovered two different email templates in the campaign that sent sarcastic holiday greetings to Ukrainians in another effort to disparage and discourage them.

Malicious Domains and Defense Tactics

The researchers mainly tracked domains to keep up with the cybercriminals involved in Operation Texonto, which led them down some interesting paths. One was to a seemingly unrelated but typical Canadian pharmacy spam campaign that used an email server operated by the attackers, a "category of illegal business [that] has been very popular within the Russian cybercrime community," they said.

Other domain names associated with the campaign reflected more recent current events such as the death of Alexei Navalny, the well-known Russian opposition leader who died Feb. 16 in prison. The existence of those domains — including navalny-votes[.]net, navalny-votesmart[.]net, and navalny-voting[.]net — "means that Operation Texonto probably includes spear-phishing or information operations targeting Russian dissidents," the researchers wrote.

ESET included a range of indicators of compromise (IOCs), including domains, email addresses, and MITRE ATT&CK techniques in their report. The researchers also recommend that organizations enable strong two-factor authentication — such as a phone authenticator app or a physical key — to defend against spear-phishing attacks that target Office 365, Faou says.

Regarding defending against malicious actors' attempts to spread disinformation online, "the best protection is to use our critical mindset and not to trust any information on the Internet," he adds.