Russian-made PSYOPs in Ukraine


ESET Research recently discovered Operation Texonto, a disinformation/psychological operations (PSYOPs) campaign using spam emails as the main distribution method.

Via messages sent in two waves of PSYOPs, the Russia-aligned threat actors tried to influence Ukrainian citizens and make them believe that Russia is winning the war. The first wave took place in November 2023 and the second one at the end of December 2023. The contents of the emails were about heating interruptions, drug shortages, and food shortages, which are typical themes of Russian propaganda. Additionally, in October 2023, ESET detected a spearphishing campaign that targeted a Ukrainian defense company, and one targeting an EU agency in November 2023 utilizing standard-looking fake Microsoft login pages. The goal of both was to steal credentials for Microsoft Office 365 accounts. Due to the similarities in the network infrastructure used in these PSYOPs and phishing operations, ESET research can say with high confidence that they are linked.

“Since the start of the war in Ukraine, Russia-aligned groups such as Sandworm have been busy disrupting Ukrainian IT infrastructure using wipers. In recent months, we have observed an uptick in cyberespionage operations, especially by the infamous Gamaredon group. Operation Texonto shows yet another use of technologies to try to influence the war,” says ESET researcher Matthieu Faou, who discovered Operation Texonto.

“The strange brew of espionage, information operations, and fake pharma messages can only remind us of Callisto, a well-known Russia-aligned cyberespionage group, some members of which were the subject of an indictment by the U.S. Department of Justice in December 2023. Callisto targets government officials, staff in think tanks, and military-related organizations via spearphishing websites designed to mimic common cloud providers. The group has also run disinformation operations such as a document leak just ahead of the 2019 UK general election. Finally, pivoting on its old network infrastructure leads to fake pharma domains,” continues Faou. However, he concludes: “While there are several high-level points of similarity between Operation Texonto and Callisto operations, we haven’t found any technical overlap, and we currently do not attribute Operation Texonto to a specific threat actor. However, given the TTPs, targeting, and the spread of messages, we attribute the operation with high confidence to a group that is Russia aligned.”

An email server, operated by the attackers and used to send the PSYOPs emails, was reused two weeks later to send typical Canadian pharmacy spam. This category of illegal business has been very popular within the Russian cybercrime community for a long time. A few more pivots also revealed domain names that are part of Operation Texonto and related to internal Russian topics, such as Alexei Navalny, the well-known Russian opposition leader who was in jail and died on 2024-02-16. This means that Operation Texonto probably includes spearphishing or information operations targeting Russian dissidents and supporters of the late opposition leader.

The goal of the first wave of disinformation emails was to sow doubt in the minds of Ukrainians; for instance, one email says “There may be heating interruptions this winter.” Others purportedly from the Ministry of Health talk about medicine shortages. It doesn’t seem that there were any malicious links or malware in this specific wave, only disinformation. One domain masquerading as the Ministry of Agrarian Policy and Food of Ukraine recommended replacing unavailable medicine with herbs. In yet another email “from” the Ministry, they suggest eating “pigeon risotto” a photo of a live pigeon and a cooked pigeon. Those documents were purposely created in order to rile up and demoralize the readers. Overall, these fake messages align with common Russian propaganda themes. They are trying to make Ukrainian people believe they won’t have drugs, food, and heating because of the Russia-Ukraine war.

About a month after the first wave, ESET detected a second PSYOPs email campaign targeting not only Ukrainians, but also people in other European countries. The targets are somewhat random, ranging from the Ukrainian government to an Italian shoe manufacturer. According to ESET telemetry, a few hundred people received emails in this wave. The second wave was darker in its messaging, with the attackers suggesting people amputate a leg or an arm to avoid military deployment. Overall, it has all the characteristics of PSYOPs during wartime.

ESET products and research have been protecting Ukrainian IT infrastructure for many years. And since the start of the Russian invasion in February 2022, ESET Research has prevented and investigated a significant number of attacks launched by Russia-aligned groups.

Ray Carney, Director of Security Response and Zero-Day Research at Tenable said,”LockBit is a very successful criminal enterprise. Like any large revenue generating enterprise, LockBit likely had established contingency plans in place. It’s widely believed that LockBit operates out of Russia, and as such they almost certainly operate with some degree of state protection and support. They won’t take their ball and go home over this.”

Toby Lewis, Global Head of Threat Analysis, Darktrace said, “Although a partial takedown of the world’s most prolific ransomware gang is a huge win for global law enforcement, it likely won’t be fatal for LockBit. It’s probable we’ll see them go underground to regroup, re-tool and come out again, swinging. One interesting aspect, however, is LockBit’s reputation. Their affiliate model means reputation matters and LockBit may struggle to retain credibility following this shut down, even if they attempt a re-launch. They’ll likely do what any business would do – rebrand.”

“There will certainly be a lot of good from this. Law enforcement have seized nearly 1000 decryption keys, so I’m optimistic that many of the current victims will be able to unlock their data and systems and, in the longer term, they could go on to turn the affiliate model on itself, using chat logs and information from private forums to pursue, shutdown and arrest LockBit’s network of affiliates,” concluded Lewis.