Press Center

Malware and antivirus software

News

Russian-made PSYOPs in Ukraine: Operation Texonto targets Ukrainians with war-related disinformation, ESET Research discovers

Created: 2024-02-23 07:35:25

  • A Russian-aligned aligned threat actor spread war-related disinformation to Ukrainian readers via spam emails.
  • The spearphishing campaign targeted a Ukrainian defense company and an EU agency.
  • Due to the similarities in the network infrastructure used in these PSYOPs and phishing operations, ESET research can say with high confidence that they are linked.
  • Operation Texonto loosely resembles Russia-aligned Callisto APT group activities; however, ESET Research does not have enough evidence to attribute the operations to any specific group.
  • In the first wave of disinformation emails in November 2023, the Russia-aligned threat actors tried to influence and demoralize Ukrainian citizens with disinformation messages about war-related topics. The second wave in December 2023 was even darker in tone.

BRATISLAVA, MONTREAL — February 21, 2024 — ESET Research recently discovered Operation Texonto, a disinformation/psychological operations (PSYOPs) campaign using spam emails as the main distribution method. Via messages sent in two waves of PSYOPs, the Russia-aligned threat actors tried to influence and demoralize Ukrainian citizens with disinformation messages about war-related topics. The first wave took place in November 2023 and the second one at the end of December 2023. The contents of the emails were about heating interruptions, drug shortages, and food shortages, which are typical themes of Russian propaganda. Additionally, in October 2023, ESET detected a spearphishing campaign that targeted a Ukrainian defense company, and one targeting an EU agency in November 2023 utilizing standard-looking fake Microsoft login pages. The goal of both was to steal credentials for Microsoft Office 365 accounts. Due to the similarities in the network infrastructure used in these PSYOPs and phishing operations, ESET research can say with high confidence that they are linked.

“Since the start of the war in Ukraine, Russia-aligned groups such as Sandworm have been busy disrupting Ukrainian IT infrastructure using wipers. In recent months, we have observed an uptick in cyberespionage operations, especially by the infamous Gamaredon group. Operation Texonto shows yet another use of technologies to try to influence the war,” says ESET researcher Matthieu Faou, who discovered Operation Texonto.

“The strange brew of espionage, information operations, and fake pharma messages can only remind us of Callisto, a well-known Russia-aligned cyberespionage group, some members of which were the subject of an indictment by the U.S. Department of Justice in December 2023. Callisto targets government officials, staff in think tanks, and military-related organizations via spearphishing websites designed to mimic common cloud providers. The group has also run disinformation operations such as a document leak just ahead of the 2019 UK general election. Finally, pivoting on its old network infrastructure leads to fake pharma domains,” continues Faou. However, he concludes: “While there are several high-level points of similarity between Operation Texonto and Callisto operations, we haven’t found any technical overlap, and we currently do not attribute Operation Texonto to a specific threat actor. However, given the TTPs, targeting, and the spread of messages, we attribute the operation with high confidence to a group that is Russia aligned.”

An email server, operated by the attackers and used to send the PSYOPs emails, was reused two weeks later to send typical Canadian pharmacy spam. This category of illegal business has been very popular within the Russian cybercrime community for a long time. A few more pivots also revealed domain names that are part of Operation Texonto and related to internal Russian topics, such as Alexei Navalny, the well-known Russian opposition leader who was in jail and died on 2024-02-16. This means that Operation Texonto probably includes spearphishing or information operations targeting Russian dissidents and supporters of the late opposition leader.

The goal of the first wave of disinformation emails was to sow doubt in the minds of Ukrainians; for instance, one email says “There may be heating interruptions this winter.” Others purportedly from the Ministry of Health talk about medicine shortages. It doesn’t seem that there were any malicious links or malware in this specific wave, only disinformation. One domain masquerading as the Ministry of Agrarian Policy and Food of Ukraine recommended replacing unavailable medicine with herbs. In yet another email “from” the Ministry, they suggest eating “pigeon risotto” a photo of a live pigeon and a cooked pigeon. Those documents were purposely created in order to rile up and demoralize the readers. Overall, these fake messages align with common Russian propaganda themes. They are trying to make Ukrainian people believe they won’t have drugs, food, and heating because of the Russia-Ukraine war.

About a month after the first wave, ESET detected a second PSYOPs email campaign targeting not only Ukrainians, but also people in other European countries. The targets are somewhat random, ranging from the Ukrainian government to an Italian shoe manufacturer. According to ESET telemetry, a few hundred people received emails in this wave. The second wave was darker in its messaging, with the attackers suggesting people amputate a leg or an arm to avoid military deployment. Overall, it has all the characteristics of PSYOPs during wartime.

ESET products and research have been protecting Ukrainian IT infrastructure for many years. And since the start of the Russian invasion in February 2022, ESET Research has prevented and investigated a significant number of attacks launched by Russia-aligned groups.

For more technical information about Operation Texonto, check out the blogpost “Operation Texonto: Information operation targeting Ukrainian speakers in the context of the war” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X) for the latest news from ESET Research.

Timeline of Operation Texonto

 


About ESET
ESET develops software solutions that deliver instant, comprehensive protection against evolving computer security threats. ESET pioneered and continues to lead the industry in proactive threat detection. ESET NOD32 Antivirus, its flagship product, consistently achieves the highest accolades in all types of comparative testing and is the foundational product that builds out the ESET product line to include ESET Smart Security. ESET Smart Security is an integrated antivirus, antispyware, antispam and personal firewall solution that combines accuracy, speed and an extremely small system footprint to create the most effective security solution in the industry. Both products have an extremely efficient code base that eliminates the unnecessary large size found in some solutions. This means faster scanning that doesn’t slow down computers or networks. Sold in more than 160 countries, ESET has worldwide production headquarters in Bratislava, SK and worldwide distribution headquarters in San Diego, U.S. ESET also has offices in Bristol, U.K.; Buenos Aires, AR; Prague, CZ; and is globally represented by an extensive partner network. For more information, visit our local office at https://eset.version-2.sg.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities. For more information, please visit https://www.version-2.com.sg/ or call (65) 6296-4268.

Why ESET?

ESET has over 25 years' experience of helping people to Enjoy Safer Technology. Our software is light on hardware, but hard on malware.

Our Technology

ESET’s award-winning NOD32® Antivirus technology is at the cutting edge of digital security. It’s updated daily to keep you secure.

Free Support

Enjoy your free, industry-leading customer support locally. For technical, sales and marketing enquires dial +65 6296 4268.