Data operation concentrating on Ukrainian audio system within the context of the battle

0
49

[ad_1]

ESET merchandise and analysis have been defending Ukrainian IT infrastructure for years. For the reason that begin of the battle in February 2022, we’ve prevented and investigated a major variety of assaults launched by Russia-aligned teams. We’ve got additionally printed among the most attention-grabbing findings on WeLiveSecurity:

Although our foremost focus stays on analyzing threats involving malware, we’ve discovered ourselves investigating an info operation or psychological operation (PSYOP) making an attempt to lift doubts within the minds of Ukrainians and Ukrainian audio system overseas.
Operation Texonto
Operation Texonto is a disinformation/PSYOP marketing campaign utilizing spam mails as the principle distribution technique. Surprisingly, it doesn’t appear that the perpetrators used widespread channels reminiscent of Telegram or faux web sites to convey their messages. We’ve got detected two totally different waves, the primary one in November 2023 and the second on the finish of December 2023. The contents of the emails have been about heating interruptions, drug shortages, and meals shortages, that are typical themes of Russian propaganda.
Along with the disinformation marketing campaign, we’ve detected a spearphishing marketing campaign that focused a Ukrainian protection firm in October 2023 and an EU company in November 2023. The objective of each was to steal credentials for Microsoft Workplace 365 accounts. Due to similarities within the community infrastructure utilized in these PSYOPs and phishing operations, we’re linking them with excessive confidence.
Apparently, a number of extra pivots additionally revealed domains which are a part of Operation Texonto and associated to inside Russian subjects reminiscent of Alexei Navalny, the well-known Russian opposition chief who was in jail and died on February sixteenth, 2024. Because of this Operation Texonto in all probability consists of spearphishing or info operations concentrating on Russian dissidents and supporters of the late opposition chief. These domains embrace:

navalny-votes[.]web
navalny-votesmart[.]web
navalny-voting[.]web

Maybe even stranger is that an e mail server, operated by the attackers and used to ship PSYOP emails, was reused two weeks later to ship typical Canadian pharmacy spam. This class of unlawful enterprise has been very talked-about throughout the Russian cybercrime group for a very long time, as this blogpost from 2011 explains.
Determine 1 summarizes the principle occasions of Operation Texonto.

Determine 1. Timeline of Operation Texonto

The unusual brew of espionage, info operations, and faux pharma can solely remind us of Callisto, a widely known Russia-aligned cyberespionage group who was the topic of an indictment by the US DOJ in December, 2023. Callisto targets authorities officers, individuals in assume tanks, and military-related organizations by way of spearphishing web sites designed to imitate widespread cloud suppliers. The group has additionally run disinformation operations reminiscent of a doc leak simply forward of the 2019 UK normal election. Lastly, pivoting on its outdated community infrastructure results in faux pharma domains reminiscent of musclepharm[.]high or ukrpharma[.]ovh.
Whereas there are a number of high-level factors of similarity between Operation Texonto and Callisto operations, we haven’t discovered any technical overlap and we at the moment don’t attribute Operation Texonto to a selected menace actor. Nevertheless, given the TTPs, concentrating on, and the unfold of messages, we attribute the operation with excessive confidence to a bunch that’s Russian aligned.
Phishing marketing campaign: October–November 2023
Staff working at a significant Ukrainian protection firm obtained a phishing e mail in October 2023, purportedly coming from their IT division. The emails have been despatched from it.[redacted_company_name]@gmail.com, an e mail deal with probably created particularly for this marketing campaign, and the e-mail topic was Запрошено утверждение:Планова інвентаризація (machine translation from Ukrainian: Approval requested: Deliberate stock).
The content material of the e-mail is the next:

У період з 02 жовтня по 13 жовтня співробітники відділу інформаційних технологій проводять планову інвентаризацію та видалення поштових скриньок, що не використовуються. Якщо Ви плануєте використовувати свою поштову адресу ([redacted_address]@[redacted_company_name].com) у майбутньому, будь ласка, перейдіть на веб-версію поштової скриньки за цим посиланням та увійдіть до системи, використовуючи свої облікові дані.

 
Жодних додаткових дій не потрібно, Ваша поштова скринька отримає статус “підтверджений” і не буде видалена під час планової інвентаризації ресурсів. Якщо ця поштова адреса не використовується Вами (або її використання не планується в майбутньому), то в цьому випадку Вам не потрібно виконувати жодних дій – поштову скриньку буде видалено автоматично 13 жовтня 2023 року.
 
З повагою,
 
Відділ інформаційних технологій.

A machine translation of the e-mail is:
 

Within the interval from October 2 to October 13, workers of the data expertise division will conduct a deliberate stock and elimination of unused mailboxes. In the event you plan to make use of your e mail deal with ([redacted_address]@[redacted_company_name].com) sooner or later, please go to the online model of the mailbox at this hyperlink and log in utilizing your credentials.
 
No further actions are required, your mailbox will obtain the standing “confirmed” and won’t be eliminated throughout a scheduled useful resource stock. If this e mail deal with will not be utilized by you (or its use will not be deliberate sooner or later), then on this case you don’t want to take any motion – the mailbox can be deleted mechanically on October 13, 2023.
 
Finest regards,
 
Division of knowledge applied sciences.

The objective of the e-mail is to entice targets into clicking on за цим посиланням (machine translation: at this hyperlink), which results in https://login.microsoftidonline[.]com/widespread/oauth2/authorize?client_id=[redacted];redirect_uri=httpspercent3apercent2fpercent2foutlook.office365.compercent2fowapercent2f&useful resource=[redacted]&response_mode=form_post&response_type=code+id_token&scope=openid&msafed=1&msaredir=1&client-request-id=[redacted]&protectedtoken=true&claims=%7bpercent22id_tokenpercent22percent3apercent7bpercent22xms_ccpercent22percent3apercent7bpercent22valuespercent22percent3apercent5bpercent22CP1percent22percent5dpercent7dpercent7dpercent7d&domain_hint=[redacted]&nonce=[redacted]&state=[redacted] (partially redacted). This URL factors to the malicious area login.microsoftidonline[.]com. Observe that this area may be very near the official one, login.microsoftonline.com.
We haven’t been capable of retrieve the phishing web page, however it was probably a faux Microsoft login web page meant to steal the targets’ credentials.
For an additional area belonging to Operation Texonto, choicelive149200[.]com, there have been two VirusTotal submissions (one and two) for the URL https://choicelive149200[.]com/owa/auth/logon.aspx?replaceCurrent=1&url=https://hbd.eupolcopps.eu/owa/. Sadly, the positioning was now not reachable on the time of study, however it was seemingly a credential-phishing web page for the Outlook on the internet/OWA webmail of eupolcopps.eu, the EU Coordinating Workplace for Palestinian Police Help. Observe that we’ve not seen the e-mail pattern, simply the URL submitted to VirusTotal.
First PSYOP wave: November 2023
On November twentieth, we detected the primary wave of disinformation emails with a PDF attachment despatched to at the very least a number of hundred recipients in Ukraine. Individuals working on the Ukrainian authorities, power firms, and even people, obtained the emails. We have no idea how the listing of e mail addresses was constructed.
Opposite to the beforehand described phishing marketing campaign, the objective of those emails was to sow doubt within the thoughts of Ukrainians; as an example, one e mail says that “There could also be heating interruptions this winter”. It doesn’t appear there was any malicious hyperlink or malware on this particular wave, solely disinformation.
Determine 2 exhibits an e mail instance. Its topic is Рекомендації моз україни на тлі дефіциту ліків (machine translation from Ukrainian: Suggestions of the Ministry of Well being of Ukraine on the time of a scarcity of medicines) and the e-mail was despatched from mozua@ua-minagro[.]com. Observe that this deal with will be seen within the envelope-from and return-path fields.
ua-minagro[.]com is a website operated by the attackers and was used solely for sending disinformation emails on this marketing campaign. The area is masquerading because the Ministry of Agrarian Coverage and Meals of Ukraine whose legit area is minagro.gov.ua.

Determine 2. Disinformation e mail

Connected to the e-mail is a PDF doc, as proven in Determine 3. Whereas it’s not malicious per se, it additionally accommodates disinformation messages.
 

Determine 3. PDF attachment

The doc is misusing the brand of the Ministry of Well being of Ukraine and explains that as a result of battle, there’s a drug scarcity in Ukraine. It additionally says that the Ukrainian authorities is refusing to import medicine from Russia and Belarus. On the second web page, they clarify methods to exchange some medicine with crops.
What’s attention-grabbing to notice is that the e-mail was despatched from a website masquerading because the Ministry of Agrarian Coverage and Meals of Ukraine, whereas the content material is about drug shortages and the PDF is misusing the brand of the Ministry of Well being of Ukraine. It’s presumably a mistake from the attackers or, at the very least, exhibits they didn’t care about all particulars.
Along with ua-minagro[.]com, 5 further domains have been used to ship emails on this wave:

uaminagro[.]com
minuaregion[.]org
minuaregionbecareful[.]com
uamtu[.]com
minagroua[.]org

minuaregion[.]org and minuaregionbecareful[.]com are masquerading because the Ministry of Reintegration of the Quickly Occupied Territories of Ukraine whose legit web site is https://minre.gov.ua/en/.
uamtu[.]com is masquerading because the Ministry of Improvement of Communities, Territories and Infrastructure of Ukraine, whose legit web site is https://mtu.gov.ua.
We’ve got recognized three extra totally different e mail message templates, every with a unique mail physique and PDF attachment. A abstract is offered in Desk 1.
Desk 1. Disinformation emails

E-mail physique

Machine translation of the e-mail physique

Російськими військовими системно обстрілюються об’єкти енергетичної інфраструктури. У разі виникнення екстреної ситуації подача опалення та електрики в будинки може бути повністю припинена. Щоб вижити в такій ситуації, рекомендуємо вам наступне:

The Russian army is systematically shelling the power services infrastructure. Heating provide in case of an emergency and electrical energy to houses could also be utterly minimize off. To outlive in such a state of affairs, we advocate the next:

Цієї зими можуть спостерігатися перебої з опаленням. Рівень температури в будинках може бути нижче допустимих значень на кілька градусів. У деяких випадках можливо навіть відключення опалення, об’єкти енергетичної безпеки знаходяться під постійною загрозою. У зв’язку з цим, радимо взяти до уваги наступні рекомендації.

There could also be heating interruptions this winter. Temperature stage in homes will be a number of levels beneath the permissible values. In some instances, it’s even doable to show off the heating, services power safety are underneath fixed menace. On this regard, we advise you to consider the next suggestions.

Міністерство охорони здоров’я попереджає про дефіцит ліків в аптеках — доставка деяких препаратів на тлі підвищеного попиту може затримуватися. З початком війни з РФ Україна повністю відмовилася від лікарських засобів російських і білоруських фармацевтичних компаній, доходи населення впали, а іноземні ліки, логістика яких змінилася і стала більш складною і вартісною, значно подорожчали. При цьому, найбільшим попитом у громадян України користуються групи препаратів для лікування хронічних захворювань, заспокійливі, знеболюючі та хірургічні засоби. На тлі виниклого дефіциту МОЗ України нагадав громадянам, що не варто нехтувати безцінним досвідом перевірених століттями народних методів лікування і випустив відповідні рекомендації.

The Ministry of Well being warns of a scarcity of medicines in pharmacies — supply of some medicine in opposition to the background of elevated demand could also be delayed. With the start of the battle with the Russian Federation, Ukraine utterly refused Russian and Belarusian pharmaceutical medicine firms, incomes of the inhabitants fell, and overseas medicines, the logistics of which modified and have become extra advanced and costly, considerably grew to become costlier. On the similar time, the best demand is from residents. Ukraine makes use of teams of medicine for the therapy of continual ailments, sedatives, ache relievers and surgical means. Towards the background of the scarcity, the Ministry of Well being of Ukraine reminded residents that you shouldn’t neglect the invaluable expertise of the examined centuries of folks strategies of therapy and launched the suitable ones really helpful.

Агресія Росії призвела до значних втрат в аграрному секторі України. Землі забруднені мінами, пошкоджені снарядами, окопами і рухом військової техніки. У великій кількості пошкоджено та знищено сільськогосподарську техніку, знищено зерносховища. До стабілізації обстановки Міністерство аграрної політики та продовольства рекомендує вам урізноманітнити раціон стравами з доступних дикорослих трав. Вживання свіжих, соковитих листя трав у вигляді салатів є найбільш простим, корисним і доступним. Пам’ятайте, що збирати рослини слід далеко від міст і селищ, а також від жвавих трас. Пропонуємо вам кілька корисних і простих у приготуванні рецептів.

Russia’s aggression led to vital losses within the agricultural sector of Ukraine. The lands are polluted by mines, broken by shells, trenches, and the motion of army tools. A considerable amount of agricultural equipment was broken and destroyed, and granaries have been destroyed. Till the state of affairs stabilizes, the Ministry of Agrarian Coverage and Meals recommends diversifying your food regimen with dishes created from accessible wild herbs. Consuming recent, juicy leaves of herbs within the type of salads is the most straightforward, helpful, and reasonably priced. Do not forget that it is best to gather crops removed from cities and cities, in addition to from busy roads. We give you a number of helpful and easy-to-prepare recipes.

The associated PDF attachments are allegedly from the Ukrainian Ministry of Areas (see Determine 4) and the Ministry of Agriculture (see Determine 5).

Determine 4. PDFs allegedly from the Ministry of Areas

Determine 5. PDF allegedly from the Ministry of Agriculture

Within the final doc, allegedly from the Ministry of Agriculture, they counsel to eat “pigeon risotto” and so they even present a photograph of a dwelling pigeon and a cooked pigeon.… This exhibits these paperwork have been purposely created to be able to rile the readers.
Total, the messages align with widespread Russian propaganda themes. They’re making an attempt to make Ukrainian individuals imagine they gained’t have medicine, meals, and heating due to the Russia-Ukraine battle.
Second PSYOP wave: December 2023
A few month after the primary wave, we detected a second PSYOP e mail marketing campaign concentrating on not solely Ukrainians, but in addition individuals in different European international locations. The targets are considerably random, starting from the Ukrainian authorities to an Italian shoe producer. As a result of all of the emails are written in Ukrainian, it’s seemingly that the overseas targets are Ukrainian audio system. In accordance with ESET telemetry, a number of hundred individuals obtained emails on this second wave.
We discovered two totally different e mail templates on this wave. The primary one was despatched on December twenty fifth and is proven in Determine 6. As for the primary wave, the e-mail messages have been despatched from an e mail server operated by the attackers, infoattention[.]com on this case.

Determine 6. First e mail template of the second wave

A machine translation of the e-mail physique is the next:

Expensive Ukrainians, we congratulate you on the warmest and most household vacation – the New 12 months!
We sincerely need you to have fun 2024 with your loved ones! Could your loved ones and associates by no means get sick! Care for one another! Solely collectively we can drive out the Satanists from the USA and their minions from the unique Russian soil! Let’s revive Kievan Rus despite our enemies! Let’s save individuals’s lives! From Russia with love!
Glad vacation, pricey associates!

The second e mail template, proven in Determine 7, was despatched on December twenty sixth, 2023 from a unique e mail server: stronginfo1[.]com. Throughout this wave, two further e mail addresses have been used:

happyny@infonotifi[.]com
happyny@infonotification[.]com

Determine 7. Second e mail template of the second wave

A machine translation of the e-mail physique is the next:

Glad New 12 months, Ukrainian brothers! On New 12 months’s Eve, it is time to bear in mind how good it’s to have two pairs of legs and arms, however you probably have misplaced one in all them, then do not be upset – which means you will not meet a Russian soldier in a trench. And right here if all of your limbs are intact, then we don’t envy you. We advocate slicing or sawing off at the very least one of many 4 your self – a few minutes of ache, however then a cheerful life!
Glad New 12 months, Ukrainians! Do not forget that generally one is best than two!

Whereas the primary PSYOP e mail marketing campaign in November 2023 was moderately well-prepared, with specifically created PDF paperwork that have been considerably convincing, this second marketing campaign is moderately extra fundamental and darker in its messaging. The second e mail template is especially disturbing, with the attackers suggesting individuals amputate a leg or arm to keep away from army deployment. Total, it has all of the traits of PSYOPs throughout battle time.
Canadian pharmacy spam: January 2024
In a fairly shocking twist of occasions, one of many domains used to ship PSYOP emails in December 2023, infonotification[.]com, began getting used to ship Canadian pharmacy spam on January seventh, 2024.
An instance is offered in Determine 8 and the hyperlink redirects to the faux Canadian pharmacy web site onlinepharmacycenter[.]com. The spam marketing campaign was reasonably giant (within the a whole lot of messages at the very least) and folks in lots of international locations obtained such emails.
 

Determine 8. Canadian pharmacy spam

The emails have been despatched from happyny@infonotification[.]com and this was verified within the e mail headers:
Return-Path: <happyny@infonotification[.]com>
Delivered-To: [redacted]
[redacted]
Obtained: from infonotification[.]com ([185.12.14[.]13])
by [redacted] with esmtps (TLS1.3:TLS_AES_256_GCM_SHA384:256)
[redacted]
Solar, 07 Jan 2024 12:39:10 +0000
 
Pretend Canadian pharmacy spam is a enterprise traditionally operated by Russian cybercriminals. It was extensively coated previously by bloggers reminiscent of Brian Krebs, particularly in his Spam Nation guide.
Hyperlinks between these spam campaigns
Whereas we don’t know why the operators of the PSYOP campaigns determined to reuse one in all their servers to ship faux pharmacy spam, it’s seemingly that they realized that their infrastructure was detected. Therefore, they could have determined to attempt to monetize the already burnt infrastructure, both for their very own revenue or to fund future espionage operations or PSYOPs. Determine 9 summarizes the hyperlinks between the totally different domains and campaigns.

Determine 9. Operation Texonto abstract

Conclusion
For the reason that begin of the battle in Ukraine, Russia-aligned teams reminiscent of Sandworm have been busy disrupting Ukrainian IT infrastructure utilizing wipers. In current months, we’ve noticed an uptick in cyberespionage operations, particularly by the notorious Gamaredon group.
Operation Texonto exhibits one more use of applied sciences to attempt to affect the battle. We discovered a number of typical faux Microsoft login pages however most significantly, there have been two waves of PSYOPs by way of emails in all probability to attempt to affect and demoralize Ukrainian residents with disinformation messages about war-related subjects.
A complete listing of Indicators of Compromise (IoCs) and samples will be present in our GitHub repository.

For any inquiries about our analysis printed on WeLiveSecurity, please contact us at threatintel@eset.com.ESET Analysis gives personal APT intelligence experiences and information feeds. For any inquiries about this service, go to the ESET Risk Intelligence web page.

IoCs
Information

SHA-1

Filename

ESET detection title

Description

3C201B2E40357996B3832C72EA305606F07477E3

Minagroua111.pdf

PDF/Fraud.CDY

PDF utilized in an info operation in opposition to Ukraine.

15BF71A771256846D44E8CB3012EE6BC6F9E1532

Mozua.pdf

PDF/Fraud.CDU

PDF utilized in an info operation in opposition to Ukraine.

960341B2C296C425821E4B42435A0618B89D4037

Minregion.pdf

PDF/Fraud.CDT

PDF utilized in an info operation in opposition to Ukraine.

BB14153040608A4F559F48C20B98C1056C794A60

Minregion.pdf

PDF/Fraud.CDX

PDF utilized in an info operation in opposition to Ukraine.

Community

IP

Area

Internet hosting supplier

First seen

Particulars

N/A

navalny-votes[.]web

N/A

2023-09-09

Area associated to Alexei Navalny.

N/A

navalny-votesmart[.]web

N/A

2023-09-09

Area associated to Alexei Navalny.

N/A

navalny-voting[.]web

N/A

2023-09-09

Area associated to Alexei Navalny.

45.9.148[.]165

infoattention[.]com

Good IT Providers Group Inc.

2023-12-25

Server used to ship emails in Operation Texonto.

45.9.148[.]207

minuaregionbecareful[.]com

Good IT Providers Group Inc.

2023-11-23

Server used to ship emails in Operation Texonto.

45.9.150[.]58

stronginfo1[.]com

Good IT Providers Group Inc.

2023-12-25

Server used to ship emails in Operation Texonto.

45.129.199[.]200

minuaregion[.]org

Hostinger

2023-11-21

Server used to ship emails in Operation Texonto.

45.129.199[.]222

uamtu[.]com

Hostinger

2023-11-20

Server used to ship emails in Operation Texonto.

46.249.58[.]177

infonotifi[.]com

serverius-mnt

2023-12-28

Server used to ship emails in Operation Texonto.

89.116.52[.]79

uaminagro[.]comua-minagro[.]com

IPXO LIMITED

2023-11-17

Server used to ship emails in Operation Texonto.

154.49.137[.]16

choicelive149200[.]com

Hostinger

2023-10-26

Phishing server.

185.12.14[.]13

infonotification[.]com

Serverius

2023-12-28

Server used to ship emails in Operation Texonto.

193.43.134[.]113

login.microsoftidonline[.]com

Hostinger

2023-10-03

Workplace 365 phishing server.

195.54.160[.]59

minagroua[.]org

BlueVPS

2023-11-21

Server used to ship emails in Operation Texonto.

E-mail addresses

minregion@uaminagro[.]com
minregion@minuaregion[.]org
minregion@minuaregionbecareful[.]com
minregion@uamtu[.]com
mozua@ua-minagro[.]com
mozua@minagroua[.]org
minagroua@vps-3075.lethost[.]community
happyny@infoattention[.]com
happyny@stronginfo1[.]com
happyny@infonotifi[.]com
happyny@infonotification[.]com

MITRE ATT&CK methods
This desk was constructed utilizing model 14 of the MITRE ATT&CK framework.

Tactic

ID

Identify

Description

Useful resource Improvement

T1583.001

Purchase Infrastructure: Domains

Operators purchased domains at Namecheap.

T1583.004

Purchase Infrastructure: Server

Operators rented servers at Good IT, Hostinger, Serverius, and BlueVPS.

Preliminary Entry

T1566

Phishing

Operators despatched emails with disinformation content material.

T1566.002

Phishing: Spearphishing Hyperlink

Operators despatched emails with a hyperlink to a faux Microsoft login web page.

Protection Evasion

T1036

Masquerading

Operators used domains just like official Ukrainian authorities domains.

[ad_2]