Russian hackers target Ukraine with disinformation and credential harvesting attacks

February 21, 2024 | Pressroom | Phishing attack / information warfare

Disinformation and credential harvesting attacks

Cybersecurity researchers have uncovered a new influence operation against Ukraine that exploits spam emails to spread war-related disinformation.

Slovak cybersecurity firm ESET attributed the activity to Russia-aligned threat actors. The firm also identified a targeted spear-phishing campaign, against a Ukrainian defense company in October 2023 and a European Union agency in November 2023, that aimed to harvest Microsoft login credentials through fake Microsoft sign-in pages.

Operation Texonto, as the campaign as a whole was codenamed, was not attributed to a specific threat actor, although some elements of it, particularly the spear-phishing attacks, overlap with COLDRIVER, a group with a history of harvesting credentials via bogus login pages.

The disinformation operation took place in two waves, in November and December 2023, with the email messages carrying PDF attachments and content about heating outages and drug and food shortages.


The November wave targeted no fewer than a few hundred recipients in Ukraine, including the government, energy companies and private individuals. It is currently unknown how the target list was created.

“Interesting thing to note is that the email was sent from a domain masquerading as the Ministry of Agrarian Policy and Food of Ukraine, while the content is about drug shortages and the PDF misuses the logo of the Ministry of Health of Ukraine,” ESET said in a report shared with The Hacker News.

“It is possible that this was a mistake on the part of the attackers or, at least, it shows that they did not care about all the details.”

The second disinformation email campaign, which began on December 25, 2023, is notable for expanding its targeting beyond Ukraine to include Ukrainian speakers in other European nations. All messages were written in Ukrainian and sent to a diverse set of targets, from the Ukrainian government to an Italian shoe manufacturer.

These messages, while wishing recipients a happy holiday season, also adopted a more somber tone, going as far as suggesting they amputate an arm or leg to avoid military deployment. “A couple of minutes of pain, but then a happy life!”, the email reads.

ESET also found that one of the domains used to send the December 2023 phishing emails, infonotification[.]com, was reused from January 7, 2024 to send hundreds of spam messages that redirected recipients to a fake Canadian pharmacy website.

It is not clear why this email infrastructure was repurposed for a pharmaceutical scam, but ESET suspects the threat actors decided to monetize it for profit after realizing that defenders had detected their domains.
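A practitioner reading this will want to sweep mail logs for the published indicator and see both uses of the domain, the holiday-themed phishing wave and the later pharmacy spam, in one pass. The Python below is an added example, not code from the article or from ESET: the only indicator it takes from the page is infonotification[.]com, the log lines are constructed for illustration, and the log format (date, envelope sender, recipient, subject) is an assumption. It refangs the defanged indicator, matches the sender domain and its subdomains without substring false positives, and splits hits at the January 7, 2024 cutover the article gives.

```python
"""Added example: refang a published indicator and sweep mail logs for it.

Not code from the article or from ESET. The only indicator taken from the
page is infonotification[.]com; the log lines below are constructed for
illustration and the log format is an assumption.
"""
import re
from datetime import date

# Indicator exactly as the article publishes it (defanged).
DEFANGED_IOCS = ["infonotification[.]com"]

# Constructed mail-log excerpt (hypothetical format: date, envelope sender,
# recipient, subject). Dates mirror the article's timeline: holiday-themed
# messages from late December 2023, pharmacy spam from January 7, 2024.
SAMPLE_LOG = """\
2023-12-25 from=<greetings@infonotification.com> to=<office@example-gov.ua> subj="Щасливих свят"
2023-12-26 from=<news@mail.infonotification.com> to=<info@shoes-example.it> subj="Вітання"
2024-01-07 from=<promo@infonotification.com> to=<user@example.com> subj="Canadian pharmacy deals"
2024-01-08 from=<hr@example.com> to=<user@example.com> subj="Payroll update"
2024-01-09 from=<bot@notinfonotification.com> to=<user@example.com> subj="Unrelated"
"""

LINE_RE = re.compile(
    r'^(\d{4}-\d{2}-\d{2}) from=<([^>]+)> to=<([^>]+)> subj="([^"]*)"$'
)


def refang(ioc: str) -> str:
    """Convert defanged notation back into a matchable, lower-case domain."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http").lower()


def sender_domain(address: str) -> str:
    """Return the domain part of an e-mail address, lower-cased."""
    return address.rsplit("@", 1)[-1].strip().lower()


def matches_ioc(domain: str, iocs) -> bool:
    """True when domain equals an IOC or is a subdomain of it.

    The explicit dot guards against substring false positives such as
    notinfonotification.com matching infonotification.com.
    """
    return any(domain == ioc or domain.endswith("." + ioc) for ioc in iocs)


def scan_log(text: str, defanged_iocs=DEFANGED_IOCS):
    """Return one hit dict per log line whose sender domain matches an IOC."""
    iocs = [refang(i) for i in defanged_iocs]
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the assumed format
        when, sender, recipient, subject = m.groups()
        domain = sender_domain(sender)
        if matches_ioc(domain, iocs):
            hits.append({
                "date": date.fromisoformat(when),
                "sender_domain": domain,
                "recipient": recipient,
                "subject": subject,
            })
    return hits


def split_by_wave(hits, cutover=date(2024, 1, 7)):
    """Split hits into the phishing wave (before cutover) and the later
    spam reuse of the same domain (cutover onwards), per the article's dates."""
    phishing = [h for h in hits if h["date"] < cutover]
    spam = [h for h in hits if h["date"] >= cutover]
    return phishing, spam


if __name__ == "__main__":
    phishing, spam = split_by_wave(scan_log(SAMPLE_LOG))
    for label, group in (("phishing wave", phishing), ("spam reuse", spam)):
        print(f"{label}: {len(group)} message(s)")
        for h in group:
            print(f"  {h['date']} {h['sender_domain']} -> {h['recipient']}: {h['subject']}")
```

The subdomain check matters in practice: sending infrastructure often rotates hostnames under one registered domain, and a naive substring match would either miss mail.infonotification.com or wrongly flag an unrelated domain that merely ends in the same string. Matching on the sender domain rather than the full address also keeps the rule useful when the local part changes between the phishing and spam waves.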

“Operation Texonto shows yet another use of technologies to try to influence warfare,” the company said.


The development comes as Meta, in its quarterly Adversarial Threat report, said it has blocked three networks from China, Myanmar and Ukraine across its platforms engaging in coordinated inauthentic behavior (CIB).

While none of the networks were from Russia, social media analytics firm Graphika said posting volumes by state-controlled Russian media fell 55% from pre-war levels and engagement plummeted 94% from two years ago.

“Russian state media has increased its focus on non-political infotainment content and self-promotional narratives about Russia since the start of the war,” Graphika said. “This may reflect a broader off-platform effort to cater to domestic Russian audiences after several Western countries blocked outlets in 2022.”
