Tuesday, June 25, 2024
HomeCyber SecurityInfo operation focusing on Ukrainian audio system within the context of the...

Info operation focusing on Ukrainian audio system within the context of the conflict


ESET merchandise and analysis have been defending Ukrainian IT infrastructure for years. For the reason that begin of the conflict in February 2022, we’ve got prevented and investigated a big variety of assaults launched by Russia-aligned teams. We now have additionally printed a few of the most attention-grabbing findings on WeLiveSecurity:

Despite the fact that our most important focus stays on analyzing threats involving malware, we’ve got discovered ourselves investigating an info operation or psychological operation (PSYOP) making an attempt to lift doubts within the minds of Ukrainians and Ukrainian audio system overseas.

Operation Texonto

Operation Texonto is a disinformation/PSYOP marketing campaign utilizing spam mails as the primary distribution methodology. Surprisingly, it doesn’t appear that the perpetrators used frequent channels akin to Telegram or faux web sites to convey their messages. We now have detected two totally different waves, the primary one in November 2023 and the second on the finish of December 2023. The contents of the emails had been about heating interruptions, drug shortages, and meals shortages, that are typical themes of Russian propaganda.

Along with the disinformation marketing campaign, we’ve got detected a spearphishing marketing campaign that focused a Ukrainian protection firm in October 2023 and an EU company in November 2023. The objective of each was to steal credentials for Microsoft Workplace 365 accounts. Because of similarities within the community infrastructure utilized in these PSYOPs and phishing operations, we’re linking them with excessive confidence.

Curiously, just a few extra pivots additionally revealed domains which might be a part of Operation Texonto and associated to inside Russian subjects akin to Alexei Navalny, the well-known Russian opposition chief who was in jail and died on February 16th, 2024. Which means that Operation Texonto in all probability contains spearphishing or info operations focusing on Russian dissidents and supporters of the late opposition chief. These domains embody:

  • navalny-votes[.]web
  • navalny-votesmart[.]web
  • navalny-voting[.]web

Even perhaps stranger is that an e mail server, operated by the attackers and used to ship PSYOP emails, was reused two weeks later to ship typical Canadian pharmacy spam. This class of unlawful enterprise has been extremely popular throughout the Russian cybercrime neighborhood for a very long time, as this blogpost from 2011 explains.

Determine 1 summarizes the primary occasions of Operation Texonto.

Figure 1. Timeline
Determine 1. Timeline of Operation Texonto

The unusual brew of espionage, info operations, and pretend pharma can solely remind us of Callisto, a widely known Russia-aligned cyberespionage group who was the topic of an indictment by the US DOJ in December, 2023. Callisto targets authorities officers, folks in suppose tanks, and military-related organizations through spearphishing web sites designed to imitate frequent cloud suppliers. The group has additionally run disinformation operations akin to a doc leak simply forward of the 2019 UK common election. Lastly, pivoting on its outdated community infrastructure results in faux pharma domains akin to musclepharm[.]prime or ukrpharma[.]ovh.

Whereas there are a number of high-level factors of similarity between Operation Texonto and Callisto operations, we haven’t discovered any technical overlap and we at the moment don’t attribute Operation Texonto to a particular risk actor. Nevertheless, given the TTPs, focusing on, and the unfold of messages, we attribute the operation with excessive confidence to a gaggle that’s Russian aligned.

Phishing marketing campaign: October–November 2023

Workers working at a significant Ukrainian protection firm obtained a phishing e mail in October 2023, purportedly coming from their IT division. The emails had been despatched from it.[redacted_company_name]@gmail.com, an e mail handle almost certainly created particularly for this marketing campaign, and the e-mail topic was Запрошено утверждение:Планова інвентаризація (machine translation from Ukrainian: Approval requested: Deliberate stock).

The content material of the e-mail is the next:

У період з 02 жовтня по 13 жовтня співробітники відділу інформаційних технологій проводять планову інвентаризацію та видалення поштових скриньок, що не використовуються. Якщо Ви плануєте використовувати свою поштову адресу ([redacted_address]@[redacted_company_name].com) у майбутньому, будь ласка, перейдіть на веб-версію поштової скриньки за цим посиланням та увійдіть до системи, використовуючи свої облікові дані.

 

Жодних додаткових дій не потрібно, Ваша поштова скринька отримає статус “підтверджений” і не буде видалена під час планової інвентаризації ресурсів. Якщо ця поштова адреса не використовується Вами (або її використання не планується в майбутньому), то в цьому випадку Вам не потрібно виконувати жодних дій – поштову скриньку буде видалено автоматично 13 жовтня 2023 року.

 

З повагою,

 

Відділ інформаційних технологій.

A machine translation of the e-mail is:

 

Within the interval from October 2 to October 13, staff of the knowledge know-how division will conduct a deliberate stock and elimination of unused mailboxes. Should you plan to make use of your e mail handle ([redacted_address]@[redacted_company_name].com) sooner or later, please go to the online model of the mailbox at this hyperlink and log in utilizing your credentials.

 

No extra actions are required, your mailbox will obtain the standing “confirmed” and won’t be eliminated throughout a scheduled useful resource stock. If this e mail handle is just not utilized by you (or its use is just not deliberate sooner or later), then on this case you don’t want to take any motion – the mailbox will likely be deleted routinely on October 13, 2023.

 

Finest regards,

 

Division of data applied sciences.

The objective of the e-mail is to entice targets into clicking on за цим посиланням (machine translation: at this hyperlink), which ends up in https://login.microsoftidonline[.]com/frequent/oauth2/authorize?client_id=[redacted];redirect_uri=httpspercent3apercent2fpercent2foutlook.office365.compercent2fowapercent2f&useful resource=[redacted]&response_mode=form_post&response_type=code+id_token&scope=openid&msafed=1&msaredir=1&client-request-id=[redacted]&protectedtoken=true&claims=%7bpercent22id_tokenpercent22percent3apercent7bpercent22xms_ccpercent22percent3apercent7bpercent22valuespercent22percent3apercent5bpercent22CP1percent22percent5dpercent7dpercent7dpercent7d&domain_hint=[redacted]&nonce=[redacted]&state=[redacted] (partially redacted). This URL factors to the malicious area login.microsoftidon-line[.]com. Be aware that this area could be very near the official one, login.microsoftonline.com.

We haven’t been capable of retrieve the phishing web page, nevertheless it was almost certainly a faux Microsoft login web page supposed to steal the targets’ credentials.

For an additional area belonging to Operation Texonto, choicelive149200[.]com, there have been two VirusTotal submissions (one and two) for the URL https://choicelive149200[.]com/owa/auth/logon.aspx?replaceCurrent=1&url=https://hbd.eupolcopps.eu/owa/. Sadly, the location was not reachable on the time of research, nevertheless it was probably a credential-phishing web page for the Outlook on the internet/OWA webmail of eupolcopps.eu, the EU Coordinating Workplace for Palestinian Police Assist. Be aware that we’ve got not seen the e-mail pattern, simply the URL submitted to VirusTotal.

First PSYOP wave: November 2023

On November 20th, we detected the primary wave of disinformation emails with a PDF attachment despatched to at the very least just a few hundred recipients in Ukraine. Individuals working on the Ukrainian authorities, vitality corporations, and even people, obtained the emails. We have no idea how the record of e mail addresses was constructed.

Opposite to the beforehand described phishing marketing campaign, the objective of those emails was to sow doubt within the thoughts of Ukrainians; as an example, one e mail says that “There could also be heating interruptions this winter”. It doesn’t appear there was any malicious hyperlink or malware on this particular wave, solely disinformation.

Determine 2 reveals an e mail instance. Its topic is Рекомендації моз україни на тлі дефіциту ліків (machine translation from Ukrainian: Suggestions of the Ministry of Well being of Ukraine on the time of a scarcity of medicines) and the e-mail was despatched from mozua@ua-minagro[.]com. Be aware that this handle may be seen within the envelope-from and return-path fields.

ua-minagro[.]com is a website operated by the attackers and was used solely for sending disinformation emails on this marketing campaign. The area is masquerading because the Ministry of Agrarian Coverage and Meals of Ukraine whose reliable area is minagro.gov.ua.

Figure 2. Disinformation email
Determine 2. Disinformation e mail

Connected to the e-mail is a PDF doc, as proven in Determine 3. Whereas it isn’t malicious per se, it additionally incorporates disinformation messages.

 

Figure 3. PDF attachments
Determine 3. PDF attachment

The doc is misusing the emblem of the Ministry of Well being of Ukraine and explains that because of the conflict, there’s a drug scarcity in Ukraine. It additionally says that the Ukrainian authorities is refusing to import medicine from Russia and Belarus. On the second web page, they clarify tips on how to exchange some medicine with crops.

What’s attention-grabbing to notice is that the e-mail was despatched from a website masquerading because the Ministry of Agrarian Coverage and Meals of Ukraine, whereas the content material is about drug shortages and the PDF is misusing the emblem of the Ministry of Well being of Ukraine. It’s presumably a mistake from the attackers or, at the very least, reveals they didn’t care about all particulars.

Along with ua-minagro[.]com, 5 extra domains had been used to ship emails on this wave:

  • uaminagro[.]com
  • minuaregion[.]org
  • minuaregionbecareful[.]com
  • uamtu[.]com
  • minagroua[.]org

minuaregion[.]org and minuaregionbecareful[.]com are masquerading because the Ministry of Reintegration of the Briefly Occupied Territories of Ukraine whose reliable web site is https://minre.gov.ua/en/.

uamtu[.]com is masquerading because the Ministry of Growth of Communities, Territories and Infrastructure of Ukraine, whose reliable web site is https://mtu.gov.ua.

We now have recognized three extra totally different e mail message templates, every with a distinct mail physique and PDF attachment. A abstract is offered in Desk 1.

Desk 1. Disinformation emails

Electronic mail physique

Machine translation of the e-mail physique

Російськими військовими системно обстрілюються об’єкти енергетичної інфраструктури. У разі виникнення екстреної ситуації подача опалення та електрики в будинки може бути повністю припинена. Щоб вижити в такій ситуації, рекомендуємо вам наступне:

The Russian army is systematically shelling the vitality services infrastructure. Heating provide in case of an emergency and electrical energy to houses could also be utterly lower off. To outlive in such a scenario, we advocate the next:

Цієї зими можуть спостерігатися перебої з опаленням. Рівень температури в будинках може бути нижче допустимих значень на кілька градусів. У деяких випадках можливо навіть відключення опалення, об’єкти енергетичної безпеки знаходяться під постійною загрозою. У зв’язку з цим, радимо взяти до уваги наступні рекомендації.

There could also be heating interruptions this winter. Temperature stage in homes may be a number of levels beneath the permissible values. In some circumstances, it’s even potential to show off the heating, services vitality safety are underneath fixed risk. On this regard, we advise you to bear in mind the next suggestions.

Міністерство охорони здоров’я попереджає про дефіцит ліків в аптеках — доставка деяких препаратів на тлі підвищеного попиту може затримуватися. З початком війни з РФ Україна повністю відмовилася від лікарських засобів російських і білоруських фармацевтичних компаній, доходи населення впали, а іноземні ліки, логістика яких змінилася і стала більш складною і вартісною, значно подорожчали. При цьому, найбільшим попитом у громадян України користуються групи препаратів для лікування хронічних захворювань, заспокійливі, знеболюючі та хірургічні засоби. На тлі виниклого дефіциту МОЗ України нагадав громадянам, що не варто нехтувати безцінним досвідом перевірених століттями народних методів лікування і випустив відповідні рекомендації.

The Ministry of Well being warns of a scarcity of medicines in pharmacies — supply of some medicine towards the background of elevated demand could also be delayed. With the start of the conflict with the Russian Federation, Ukraine utterly refused Russian and Belarusian pharmaceutical medicine corporations, incomes of the inhabitants fell, and overseas medicines, the logistics of which modified and have become extra complicated and costly, considerably grew to become costlier. On the identical time, the best demand is from residents. Ukraine makes use of teams of medication for the remedy of persistent illnesses, sedatives, ache relievers and surgical means. In opposition to the background of the scarcity, the Ministry of Well being of Ukraine reminded residents that you shouldn’t neglect the invaluable expertise of the examined centuries of folks strategies of remedy and launched the suitable ones advisable.

Агресія Росії призвела до значних втрат в аграрному секторі України. Землі забруднені мінами, пошкоджені снарядами, окопами і рухом військової техніки. У великій кількості пошкоджено та знищено сільськогосподарську техніку, знищено зерносховища. До стабілізації обстановки Міністерство аграрної політики та продовольства рекомендує вам урізноманітнити раціон стравами з доступних дикорослих трав. Вживання свіжих, соковитих листя трав у вигляді салатів є найбільш простим, корисним і доступним. Пам’ятайте, що збирати рослини слід далеко від міст і селищ, а також від жвавих трас. Пропонуємо вам кілька корисних і простих у приготуванні рецептів.

Russia’s aggression led to vital losses within the agricultural sector of Ukraine. The lands are polluted by mines, broken by shells, trenches, and the motion of army tools. A considerable amount of agricultural equipment was broken and destroyed, and granaries had been destroyed. Till the scenario stabilizes, the Ministry of Agrarian Coverage and Meals recommends diversifying your food regimen with dishes produced from accessible wild herbs. Consuming recent, juicy leaves of herbs within the type of salads is the simplest, helpful, and inexpensive. Do not forget that it is best to accumulate crops removed from cities and cities, in addition to from busy roads. We give you a number of helpful and easy-to-prepare recipes.

The associated PDF attachments are allegedly from the Ukrainian Ministry of Areas (see Determine 4) and the Ministry of Agriculture (see Determine 5).

Figure 4. PDFs allegedly from the Ministry of Regions
Determine 4. PDFs allegedly from the Ministry of Areas
Figure 5. PDF allegedly from the Ministry of Agriculture
Determine 5. PDF allegedly from the Ministry of Agriculture

Within the final doc, allegedly from the Ministry of Agriculture, they counsel to eat “pigeon risotto” and so they even present a photograph of a dwelling pigeon and a cooked pigeon.… This reveals these paperwork had been purposely created with the intention to rile the readers.

Total, the messages align with frequent Russian propaganda themes. They’re making an attempt to make Ukrainian folks imagine they received’t have medicine, meals, and heating due to the Russia-Ukraine conflict.

Second PSYOP wave: December 2023

A couple of month after the primary wave, we detected a second PSYOP e mail marketing campaign focusing on not solely Ukrainians, but additionally folks in different European international locations. The targets are considerably random, starting from the Ukrainian authorities to an Italian shoe producer. As a result of all of the emails are written in Ukrainian, it’s probably that the overseas targets are Ukrainian audio system. Based on ESET telemetry, just a few hundred folks obtained emails on this second wave.

We discovered two totally different e mail templates on this wave. The primary one was despatched on December 25th and is proven in Determine 6. As for the primary wave, the e-mail messages had been despatched from an e mail server operated by the attackers, infoattention[.]com on this case.

Figure 6. First email template of the second wave
Determine 6. First e mail template of the second wave

A machine translation of the e-mail physique is the next:

Expensive Ukrainians, we congratulate you on the warmest and most household vacation – the New 12 months!

We sincerely need you to rejoice 2024 with your loved ones! Might your loved ones and pals by no means get sick! Care for one another! Solely collectively we will drive out the Satanists from the USA and their minions from the unique Russian soil! Let’s revive Kievan Rus regardless of our enemies! Let’s save folks’s lives! From Russia with love!

Completely satisfied vacation, expensive pals!

The second e mail template, proven in Determine 7, was despatched on December 26th, 2023 from a distinct e mail server: stronginfo1[.]com. Throughout this wave, two extra e mail addresses had been used:

  • happyny@infonotifi[.]com
  • happyny@infonotification[.]com
Figure 7. Second email template of the second wave
Determine 7. Second e mail template of the second wave

A machine translation of the e-mail physique is the next:

Completely satisfied New 12 months, Ukrainian brothers! On New 12 months’s Eve, it is time to bear in mind how good it’s to have two pairs of legs and arms, however if in case you have misplaced one in every of them, then do not be upset – which means you will not meet a Russian soldier in a trench. And right here if all of your limbs are intact, then we don’t envy you. We advocate chopping or sawing off at the very least one of many 4 your self – a few minutes of ache, however then a contented life!

Completely satisfied New 12 months, Ukrainians! Do not forget that generally one is healthier than two!

Whereas the primary PSYOP e mail marketing campaign in November 2023 was somewhat well-prepared, with specifically created PDF paperwork that had been considerably convincing, this second marketing campaign is somewhat extra fundamental and darker in its messaging. The second e mail template is especially disturbing, with the attackers suggesting folks amputate a leg or arm to keep away from army deployment. Total, it has all of the traits of PSYOPs throughout conflict time.

Canadian pharmacy spam: January 2024

In a fairly shocking twist of occasions, one of many domains used to ship PSYOP emails in December 2023, infonotification[.]com, began getting used to ship Canadian pharmacy spam on January 7th, 2024.

An instance is offered in Determine 8 and the hyperlink redirects to the faux Canadian pharmacy web site onlinepharmacycenter[.]com. The spam marketing campaign was reasonably giant (within the a whole bunch of messages at the very least) and other people in lots of international locations obtained such emails.

 

Figure 8. Canadian pharmacy spam
Determine 8. Canadian pharmacy spam

The emails had been despatched from happyny@infonotification[.]com and this was verified within the e mail headers:

Return-Path: <happyny@infonotification[.]com>
Delivered-To: [redacted]
[redacted]
Acquired: from infonotification[.]com ([185.12.14[.]13])
        by [redacted] with esmtps (TLS1.3:TLS_AES_256_GCM_SHA384:256)
        [redacted]
        Solar, 07 Jan 2024 12:39:10 +0000

 

Faux Canadian pharmacy spam is a enterprise traditionally operated by Russian cybercriminals. It was extensively coated previously by bloggers akin to Brian Krebs, particularly in his Spam Nation guide.

Hyperlinks between these spam campaigns

Whereas we don’t know why the operators of the PSYOP campaigns determined to reuse one in every of their servers to ship faux pharmacy spam, it’s probably that they realized that their infrastructure was detected. Therefore, they might have determined to attempt to monetize the already burnt infrastructure, both for their very own revenue or to fund future espionage operations or PSYOPs. Determine 9 summarizes the hyperlinks between the totally different domains and campaigns.

Figure 9. Operation Texonto summary
Determine 9. Operation Texonto abstract

Conclusion

For the reason that begin of the conflict in Ukraine, Russia-aligned teams akin to Sandworm have been busy disrupting Ukrainian IT infrastructure utilizing wipers. In current months, we’ve got noticed an uptick in cyberespionage operations, particularly by the notorious Gamaredon group.

Operation Texonto reveals yet one more use of applied sciences to attempt to affect the conflict. We discovered just a few typical faux Microsoft login pages however most significantly, there have been two waves of PSYOPs through emails in all probability to attempt to affect and demoralize Ukrainian residents with disinformation messages about war-related subjects.

A complete record of Indicators of Compromise (IoCs) and samples may be present in our GitHub repository.

For any inquiries about our analysis printed on WeLiveSecurity, please contact us at threatintel@eset.com.
ESET Analysis gives personal APT intelligence reviews and information feeds. For any inquiries about this service, go to the ESET Menace Intelligence web page.

IoCs

Information

SHA-1

Filename

ESET detection title

Description

3C201B2E40357996B383
2C72EA305606F07477E3

Minagroua111.pdf

PDF/Fraud.CDY

PDF utilized in an info operation towards Ukraine.

15BF71A771256846D44E
8CB3012EE6BC6F9E1532

Mozua.pdf

PDF/Fraud.CDU

PDF utilized in an info operation towards Ukraine.

960341B2C296C425821E
4B42435A0618B89D4037

Minregion.pdf

PDF/Fraud.CDT

PDF utilized in an info operation towards Ukraine.

BB14153040608A4F559F
48C20B98C1056C794A60

Minregion.pdf

PDF/Fraud.CDX

PDF utilized in an info operation towards Ukraine.

Community

IP

Area

Internet hosting supplier

First seen

Particulars

N/A

navalny-votes[.]web

N/A

2023-09-09

Area associated to Alexei Navalny.

N/A

navalny-votesmart[.]web

N/A

2023-09-09

Area associated to Alexei Navalny.

N/A

navalny-voting[.]web

N/A

2023-09-09

Area associated to Alexei Navalny.

45.9.148[.]165

infoattention[.]com

Good IT Providers Group Inc.

2023-12-25

Server used to ship emails in Operation Texonto.

45.9.148[.]207

minuaregionbecareful[.]com

Good IT Providers Group Inc.

2023-11-23

Server used to ship emails in Operation Texonto.

45.9.150[.]58

stronginfo1[.]com

Good IT Providers Group Inc.

2023-12-25

Server used to ship emails in Operation Texonto.

45.129.199[.]200

minuaregion[.]org

Hostinger

2023-11-21

Server used to ship emails in Operation Texonto.

45.129.199[.]222

uamtu[.]com

Hostinger

2023-11-20

Server used to ship emails in Operation Texonto.

46.249.58[.]177

infonotifi[.]com

serverius-mnt

2023-12-28

Server used to ship emails in Operation Texonto.

89.116.52[.]79

uaminagro[.]com
ua-minagro[.]com

IPXO LIMITED

2023-11-17

Server used to ship emails in Operation Texonto.

154.49.137[.]16

choicelive149200[.]com

Hostinger

2023-10-26

Phishing server.

185.12.14[.]13

infonotification[.]com

Serverius

2023-12-28

Server used to ship emails in Operation Texonto.

193.43.134[.]113

login.microsoftidonline[.]com

Hostinger

2023-10-03

Workplace 365 phishing server.

195.54.160[.]59

minagroua[.]org

BlueVPS

2023-11-21

Server used to ship emails in Operation Texonto.

Electronic mail addresses

  • minregion@uaminagro[.]com
  • minregion@minuaregion[.]org
  • minregion@minuaregionbecareful[.]com
  • minregion@uamtu[.]com
  • mozua@ua-minagro[.]com
  • mozua@minagroua[.]org
  • minagroua@vps-3075.lethost[.]community
  • happyny@infoattention[.]com
  • happyny@stronginfo1[.]com
  • happyny@infonotifi[.]com
  • happyny@infonotification[.]com

MITRE ATT&CK methods

This desk was constructed utilizing model 14 of the MITRE ATT&CK framework.

Tactic

ID

Identify

Description

Useful resource Growth

T1583.001

Purchase Infrastructure: Domains

Operators purchased domains at Namecheap.

T1583.004

Purchase Infrastructure: Server

Operators rented servers at Good IT, Hostinger, Serverius, and BlueVPS.

Preliminary Entry

T1566

Phishing

Operators despatched emails with disinformation content material.

T1566.002

Phishing: Spearphishing Hyperlink

Operators despatched emails with a hyperlink to a faux Microsoft login web page.

Protection Evasion

T1036

Masquerading

Operators used domains much like official Ukrainian authorities domains.

RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Most Popular

Recent Comments