Russian cyber attackers launch multi-phase PsyOps campaign

Russia-aligned threat actors combined PsyOps and spear phishing over several months in late 2023 in a multi-wave campaign aimed at spreading disinformation in Ukraine and stealing Microsoft 365 credentials across Europe.

The operation – dubbed Operation Texonto – occurred in two distinct waves, the first in October-November 2023 and the second in November-December 2023, ESET researchers found. The campaign used a wide range of PsyOps tactics, with spam email as its primary distribution method, they revealed in a blog post published on February 22.

Chronologically, the first campaign was a spear-phishing attack targeting a Ukrainian defense company in October 2023 and an EU agency in November 2023. The second was a disinformation campaign aimed primarily at Ukrainian targets, built around heating outages, drug shortages and food shortages – “typical Russian propaganda campaign themes,” the researchers said.

Although they had different goals, both waves shared similar network infrastructure, which is how ESET connected them. Then, in a bit of a twist, a domain associated with Operation Texonto was also used to send typical Canadian pharmacy spam in a separate campaign in January.

Hybrid war Russia-Ukraine

Russia-aligned threat actors such as Sandworm and Gamaredon have run cyber campaigns against Ukraine in parallel with the two-year ground war, according to ESET. Sandworm in particular deployed wiper malware to disrupt Ukraine’s IT infrastructure at the start of the war, while Gamaredon has recently stepped up its cyber-espionage operations.

“Operation Texonto shows yet another use of technologies to try to influence warfare,” the researchers wrote in the post, although they did not attribute the operation to a specific actor. “We found some typical Microsoft fake login pages but, more importantly, there were two waves of email PsyOps, probably to try to influence Ukrainian citizens into believing that Russia will win.”

Operation Texonto also departs in other notable ways from typical malicious activity, notes Matthieu Faou, the ESET researcher who led the investigation, in an email to Dark Reading.

“What is interesting in the case of Operation Texonto is that the same threat actor is engaging in both disinformation and spear-phishing campaigns, whereas most threat actors do one or the other,” he notes. “As such, it is clear that this is a planned PsyOp and not simply someone posting misinformation on the internet.”

The campaign also shows a move away from using common channels like Telegram or fake websites to convey malicious messages, the researchers noted.

Two distinct waves

The first sign of the operation came in October, when employees of a major Ukrainian defense company received spear-phishing emails purporting to come from the IT department. The message warned that their mailbox might be removed and that, to keep access, they would need to click a link to a web version of the mailbox and log in with their credentials.

The link instead led to a phishing page. ESET researchers were not able to recover the page itself, but based on another domain belonging to the operation that had been submitted to VirusTotal, they assess that it was a fake Microsoft login page built to steal Microsoft 365 credentials.

The next wave of the campaign was the first PsyOps operation, which sent disinformation emails with PDF attachments to at least several hundred people working for the Ukrainian government and energy companies, as well as to individual citizens.

In contrast to the phishing campaign described above, the goal of these emails appeared to be purely disinformation, to sow doubt among Ukrainians rather than to spread malicious links.

The campaign emails warned recipients of potential food, heating and medication shortages, going so far as to suggest eating “pigeon risotto” and even including photos of a live pigeon and a cooked one, which “proves that those documents have been created specifically to annoy readers,” the researchers noted.

“Overall, the messages are in line with common themes of Russian propaganda,” they wrote. “They are trying to make Ukrainians believe that they will not have medicines, food and heating because of the Russia-Ukraine war.”

The second PsyOps wave occurred in December and spread to other European countries, with a seemingly random set of a few hundred targets ranging from the Ukrainian government to an Italian shoe manufacturer, though the emails were always written in Ukrainian. The researchers found two different email templates in this wave, both sending sarcastic Christmas greetings to Ukrainians in another attempt to denigrate and discourage them.

Malicious domains and defense tactics

The researchers tracked Operation Texonto largely by monitoring its domains, which led them down some interesting paths. One involved a seemingly unrelated but typical Canadian pharmacy spam campaign that used an email server operated by the attackers, a “category of illegal activity [that] has been very popular within the Russian cybercrime community,” they said.

Other domain names associated with the campaign reflect more recent news events, such as the death of Alexei Navalny, the well-known Russian opposition leader who died in prison on February 16. The existence of these domains – including navalny-votes[.]net, navalny-votesmart[.]net and navalny-voting[.]net – “means that the Texonto operation likely includes spear-phishing or intelligence operations against Russian dissidents,” the researchers wrote.

ESET has included a number of indicators of compromise (IoCs) in its report, including domains and email addresses, along with a mapping to MITRE ATT&CK techniques. Faou also recommends that organizations enable strong two-factor authentication – such as a phone authenticator app or a physical security key – to defend against spear-phishing attacks that target Office 365.
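One practical way to use the published IoCs against the credential-phishing wave described above is to refang the defanged domains (the report, like this article, writes them with “[.]”) and sweep mail-gateway or proxy logs for URLs whose host is one of those domains or a subdomain of it. The script below is an added example written for this article, not ESET’s code or tooling; the domains other than navalny-votesmart[.]net and the log lines are constructed placeholders, so the real indicators must be taken from ESET’s report.

```python
import re
from typing import Iterable, List, Tuple

# Constructed IoC list in the defanged "[.]" notation used by ESET and this
# article. Apart from navalny-votesmart[.]net, which the article quotes, these
# are placeholder domains for illustration, not real Operation Texonto IoCs.
DEFANGED_IOCS = [
    "example-mailbox-login[.]net",
    "webmail-verification[.]com",
    "navalny-votesmart[.]net",
]

# Constructed proxy log lines (not real traffic). Lines 3 and 4 are decoys:
# an IoC domain embedded inside a longer hostname, and a hostname that merely
# ends with an IoC domain's characters without a dot boundary.
SAMPLE_LOG = [
    "2023-10-12T09:14:03Z user=a.kovalenko url=https://login.microsoftonline.com/common/oauth2/authorize status=200",
    "2023-10-12T09:15:41Z user=a.kovalenko url=https://mail.example-mailbox-login.net/owa/ status=302",
    "2023-10-12T09:16:02Z user=o.bondar url=http://example-mailbox-login.net.cdn.example/x status=200",
    "2023-10-12T09:17:55Z user=o.bondar url=https://notwebmail-verification.com/ status=200",
    "2023-10-12T09:18:10Z user=i.melnyk url=https://navalny-votesmart.net/login status=200",
]

URL_RE = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("[.]", "(.)", "hxxp") back into a matchable form."""
    s = indicator.strip().lower()
    for token in ("[.]", "(.)", "{.}"):
        s = s.replace(token, ".")
    return s.replace("hxxp", "http")


def host_matches(host: str, ioc_domain: str) -> bool:
    """True when host is the IoC domain itself or a proper subdomain of it.

    The "." prefix on the suffix test is what keeps notwebmail-verification.com
    from matching webmail-verification.com; the exact/suffix split keeps
    example-mailbox-login.net.cdn.example from matching either.
    """
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


def scan_lines(lines: Iterable[str], iocs: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, matched host, IoC domain) for every URL hitting an IoC."""
    ioc_list = list(iocs)
    hits = []
    for lineno, line in enumerate(lines, 1):
        for host in URL_RE.findall(line):
            for ioc in ioc_list:
                if host_matches(host, ioc):
                    hits.append((lineno, host.lower(), ioc))
    return hits


def scan_sample() -> List[Tuple[int, str, str]]:
    """Run the sweep over the constructed log with the refanged IoC list."""
    return scan_lines(SAMPLE_LOG, (refang(i) for i in DEFANGED_IOCS))


if __name__ == "__main__":
    for lineno, host, ioc in scan_sample():
        print(f"line {lineno}: {host} matches IoC {ioc}")
```

Matching on the host component rather than with a plain substring search is the point of the example: a substring match would fire on the two decoy lines and miss nothing, but it would also flood analysts with false positives on any hostname that happens to contain an IoC string.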

As for defending against malicious actors’ attempts to spread misinformation online, “the best protection is to use our critical mindset and not trust any information on the Internet,” he adds.
