Russia-linked information campaign aims to ‘sow doubt’ among Ukrainians

In a new disinformation campaign linked to Moscow, hackers are using dark satirical emails to convince Ukrainian users that a war with Russia is not worth fighting.

The messages, often sent under the guise of Ukrainian state health, energy or agriculture agencies, "are trying to make Ukrainian people believe they won’t have drugs, food, and heating because of the war," according to the Slovakia-based cybersecurity company ESET, which analyzed the campaign. The main goal is to “sow doubt,” ESET said.

For example, in one of the emails, the hackers suggest that Ukrainians should diversify their diets due to potential food shortages caused by damage to the local agricultural sector from mines and the movement of military equipment. One of the fake documents includes two recipes: nettle soup and pigeon risotto.

“They even provide a photo of a living pigeon and a cooked pigeon,” researchers said. “This shows those documents were purposely created to rile the readers.”

Another email suggests that Ukrainians should consider amputating a leg or arm to avoid military deployment. This email was part of the second wave of a disinformation campaign, which, according to ESET, was less convincing and had a darker messaging tone.

The campaign, labeled Operation Texonto, unfolded in multiple waves in November and December last year and targeted different groups — regular Ukrainian users; local governments and energy companies; Ukrainians residing abroad; and even Russian dissidents who support the opposition movement and its late leader Alexei Navalny.

In contrast to other Russia-linked disinformation campaigns that typically use the Telegram messaging app or fake websites to spread their messages, Operation Texonto relied solely on spam emails. There doesn't appear to be any malicious link or malware in these emails, only disinformation, researchers said.

During the first wave in November, the emails were sent to at least a few hundred recipients in Ukraine. In the second wave a month later, emails were sent to a few hundred users in Ukraine and Europe. Although all the emails were written in Ukrainian, the targets appeared to be random, spanning from the Ukrainian government to an Italian shoe manufacturer.

In addition to the disinformation campaign, researchers also identified a spearphishing operation that targeted a Ukrainian defense company in October 2023 and an EU agency in November 2023 with the goal of stealing credentials for Microsoft Office 365 accounts.

The resemblance in the network infrastructure used in both the disinformation and phishing operations allowed researchers to link them with “high confidence.”

But that’s not all. An email server operated by the attackers was later repurposed to distribute fake Canadian pharmacy spam. Such campaigns have been popular among Russian cybercriminals.

The researchers said that the hackers likely decided to reuse one of their servers to send fake pharmacy spam because they realized that their infrastructure had been detected and may have tried to monetize it, either for their own profit or to fund future espionage operations. The spam campaign was moderately large, consisting of hundreds of messages sent to users across the world.

Researchers haven't attributed the campaign to a specific threat actor, but they said that the operation is most likely linked to Russia.

ESET also noted similarities between the group behind Operation Texonto and a well-known Russian cyber gang known as Callisto Group, indicted by the U.S. in December of last year.

"The strange combination of espionage, information operations, and fake pharmaceuticals can only remind us of Callisto," ESET said. The group is also tracked as Star Blizzard by Microsoft and COLDRIVER by Google.

Such disinformation efforts are one of the many ways Russia is trying to wage war against Ukraine in cyberspace. Last week, Russian hackers attacked several popular Ukrainian media outlets, posting fake news related to the conflict.

All of the websites were hacked to spread the same piece of fake news — that Russia had destroyed a unit of Ukrainian special forces in the eastern Ukrainian city of Avdiivka. There was no official information from Ukrainian authorities indicating that local special forces in the city had been destroyed by Russians.