Ukraine Targeted by Russian Misinformation and Data-Harvesting Attack
Security researchers have discovered a new 'influence operation' targeting Ukraine that utilizes spam emails to spread disinformation related to the war. The activity, known as Operation Texonto, has been linked to threat actors aligned with Russia.
In October 2023, a spear-phishing campaign targeting a Ukrainian defense company and a European Union agency aimed to harvest Microsoft login credentials using fake landing pages. The campaign bears similarities to the COLDRIVER threat actor.
Operation Texonto unfolded in two waves in November and December 2023, using email messages with PDF attachments discussing heating interruptions, drug shortages, and food shortages. The November wave focused on hundreds of recipients in Ukraine, including government entities, energy companies, and individuals.
Misinformation and Dark Suggestions from the Russian Hackers
The emails were sent from a domain impersonating the Ministry of Agrarian Policy and Food of Ukraine, while the content about drug shortages carried the logo of the Ministry of Health of Ukraine, a mismatch that indicates a potential oversight by the attackers.
The second wave, starting on December 25, 2023, expanded its targeting beyond Ukraine to include Ukrainian speakers in other European nations. While wishing recipients a happy holiday season, these messages took a darker turn, suggesting that recipients amputate an arm or leg to avoid military deployment, with a disturbing statement encouraging a "happy life" after a brief moment of pain.
Curiously, the same email server was later repurposed to propagate a pharmacy scam. It is suspected that the threat actors chose to monetize their infrastructure for financial gain after realizing that their domains had been detected by defenders.








