Russian hackers target Ukraine with disinformation and credential harvesting attacks

Disinformation and Credential-Harvesting Attacks

Cybersecurity researchers have unearthed a new influence operation targeting Ukraine that uses spam emails to spread war-related disinformation.

Slovak cybersecurity company ESET has tied the activity to Russia-linked threat actors. ESET also identified a spear-phishing campaign that targeted a Ukrainian defense company in October 2023 and a European Union agency in November 2023, aiming to collect Microsoft credentials through the use of fake landing pages.

Operation Texonto, as the entire campaign has been codenamed, has not been attributed to a specific threat actor, although some elements of it, particularly the spear-phishing attacks, overlap with COLDRIVER, which has a history of collecting credentials through fake login pages.

The disinformation operation took place in two waves in November and December 2023, with the email messages containing PDF attachments and content related to heating cuts, medicine shortages and food shortages.


The November wave targeted no fewer than a few hundred recipients in Ukraine, including the government, energy companies and private individuals. It is currently unknown how the target list was created.

“What is interesting to note is that the email was sent from a domain pretending to be the Ministry of Agricultural Policy and Food Supply of Ukraine, while the content is about drug shortages and the PDF contains the logo of the Ministry of Health of Ukraine misused,” ESET said in a report shared with The Hacker News.

“It may be a mistake on the part of the attackers, or at least it shows they didn’t care about all the details.”

The second disinformation email campaign, which started on December 25, 2023, is notable for expanding its target audience beyond Ukraine to Ukrainian speakers in other European countries, given that all the messages are in Ukrainian.


While these messages wished recipients happy holidays, they also had a darker tone, even going so far as to suggest amputating one of their arms or legs to avoid military deployment. “A few minutes of pain, but then a happy life!” the email reads.

ESET said that one of the domains used to distribute the phishing emails in December 2023, infonotification[.]com, was also involved in sending hundreds of spam messages starting on January 7, 2024, redirecting potential victims to a fake Canadian pharmacy website.

It is unclear exactly why this email server was repurposed to spread pharmacy scams, but it is suspected that the threat actors decided to monetize their infrastructure for financial gain after realizing their domains had been detected by defenders.

“Operation Texonto demonstrates another use of technologies to influence the war,” the company said.


The development comes as Meta said in its quarterly Adversarial Threat Report that it has disabled three networks on its platforms, originating from China, Myanmar and Ukraine, that were engaging in coordinated inauthentic behavior (CIB).

While none of the networks came from Russia, social media analytics firm Graphika said posts by Russian state media are down 55% from pre-war levels and engagement is down 94% from two years ago.

“Russian state media have increased their focus on non-political infotainment content and self-promotional stories about Russia since the start of the war,” the report said. “This could reflect a broader effort off-platform to cater to domestic Russian audiences after several Western countries blocked the outlets in 2022.”
