Russia-linked threat actors employed both PSYOPs and spear-phishing to target users over several months at the end of 2023 in a multiwave campaign aimed at spreading misinformation in Ukraine and stealing Microsoft 365 credentials across Europe.
The operation - dubbed Operation Texonto - came in two distinct waves, the first in October-November 2023 and the second in November-December 2023, researchers from ESET discovered.
The campaign used a diverse range of PSYOP tactics and spam emails as its main distribution method, they revealed in a blog post published Feb. 22.
Chronologically, the first campaign was a spear-phishing attack that targeted a Ukrainian defense company in October 2023 and an EU agency in November 2023.
Though they had different aims, both used similar network infrastructure, which is how ESET linked the two.
In a bit of a plot twist, a URL associated with Operation Texonto was used to send typical Canadian pharmacy spam in a separate campaign that occurred in January.
Russia-Ukraine Hybrid War
Cyber campaigns by Russian-aligned threat actors such as Sandworm and Gamaredon have run concurrently with the two-year ground war in Ukraine, according to ESET. Sandworm notably used wipers to disrupt Ukrainian IT infrastructure early in the war, while Gamaredon recently has ramped up cyber espionage operations.
Operation Texonto also demonstrates other notable deviations from typical malicious activity, notes Matthieu Faou, the ESET researcher who led the investigation, in an email to Dark Reading.
The campaign also shows a move away from using common channels such as Telegram or fake websites to convey the malicious messages, the researchers noted.
Two Distinct Waves
The first sign of the operation came in October when employees working at a major Ukrainian defense company received a phishing email purportedly from the IT department.
The link instead led to a phishing page. The researchers were unable to retrieve the page itself, but from another domain belonging to the operation that had been submitted to VirusTotal, they surmised it was a fake Microsoft login page designed to steal Microsoft 365 credentials.
The next wave of the campaign was the first PSYOPs operation, which sent disinformation emails with a PDF attachment to at least a few hundred people working for the Ukrainian government and energy companies, as well as individual citizens.
Contrary to the previously described phishing campaign, the goal of these emails appeared to be purely disinformation to sow doubt in the minds of Ukrainians, rather than to spread malicious links.
The second phase of the PSYOPs wave occurred in December and expanded to other European countries, with a random array of a few hundred targets ranging from the Ukrainian government to an Italian shoe manufacturer; the emails were still written in Ukrainian.
The researchers discovered two different email templates in the campaign that sent sarcastic holiday greetings to Ukrainians in another effort to disparage and discourage them.
Malicious Domains and Defense Tactics
The researchers mainly tracked domains to keep up with the cybercriminals involved in Operation Texonto, which led them down some interesting paths.
Other domain names associated with the campaign reflected more recent current events such as the death of Alexei Navalny, the well-known Russian opposition leader who died Feb. 16 in prison.
The existence of those domains - including navalny-votes[.
ESET included a range of indicators of compromise, including domains, email addresses, and MITRE ATT&CK techniques in their report.
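Vendor IoC lists such as ESET's are usually published with defanged domains (the `[.]` form seen above), so the first practical step is refanging them and then checking sender domains and URL hosts in mail-gateway logs against the list, including subdomains of a listed domain. The script below is an added example, not code from ESET or Dark Reading; the indicator values and log lines are constructed placeholders, not real Operation Texonto infrastructure, and the log format is a hypothetical one.

```python
"""Refang defanged domain indicators and match them against mail-gateway log lines.

Added example, not from ESET's report or the Dark Reading article. The
indicators and log lines below are constructed placeholders, not real
Operation Texonto infrastructure; the log format is hypothetical.
"""
import re
from typing import List, Optional, Set, Tuple
from urllib.parse import urlparse

# Constructed, hypothetical indicators in the defanged forms vendors commonly
# publish ("example[.]com", "example(.)net", "hxxps://..."). Not real campaign domains.
IOC_DOMAINS_DEFANGED = [
    "phish-login-example[.]com",
    "mail-sender-example(.)net",
    "hxxps://news-example[.]org/vote",
]

# Dot replacements used by common defanging conventions.
_DEFANG_DOTS = re.compile(r"\[\.\]|\(\.\)|\{\.\}|\s+dot\s+", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a real host name (lower-cased, no trailing dot)."""
    s = _DEFANG_DOTS.sub(".", indicator.strip())
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    if "://" in s:  # a full URL: keep only the host part
        s = urlparse(s).hostname or ""
    return s.lower().rstrip(".")


IOC_DOMAINS: Set[str] = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def domain_matches(host: str, iocs: Set[str]) -> Optional[str]:
    """Return the indicator that host equals or is a subdomain of, else None.

    Walks label by label (a.b.example.com -> b.example.com -> example.com) so
    "portal.phish-login-example.com" hits "phish-login-example.com" while the
    unrelated "notphish-login-example.com" does not.
    """
    host = host.lower().rstrip(".")
    parts = host.split(".")
    for i in range(len(parts) - 1):  # never test the bare TLD alone
        candidate = ".".join(parts[i:])
        if candidate in iocs:
            return candidate
    return None


# Constructed sample log lines in a hypothetical key=value gateway format.
LOG_LINES = [
    '2023-11-14T09:12:03Z from=<it-support@phish-login-example.com> to=<user@corp.example> '
    'subject="Password expiry" url=http://portal.phish-login-example.com/login',
    '2023-11-14T09:15:41Z from=<noreply@vendor.example> to=<user@corp.example> '
    'subject="Invoice" url=https://vendor.example/inv/1',
    '2023-12-20T18:02:10Z from=<greetings@mail-sender-example.net> to=<user@corp.example> '
    'subject="Happy holidays" url=-',
]

_FROM = re.compile(r"from=<[^>@]+@([^>]+)>")
_URL = re.compile(r"url=(\S+)")


def scan_line(line: str, iocs: Set[str] = IOC_DOMAINS) -> List[Tuple[str, str]]:
    """Return (field, matched_indicator) pairs for the sender domain and URL host."""
    hits: List[Tuple[str, str]] = []
    m = _FROM.search(line)
    if m:
        ioc = domain_matches(m.group(1), iocs)
        if ioc:
            hits.append(("sender", ioc))
    m = _URL.search(line)
    if m and m.group(1) != "-":
        host = urlparse(m.group(1)).hostname or ""
        ioc = domain_matches(host, iocs)
        if ioc:
            hits.append(("url", ioc))
    return hits


def scan(lines: List[str], iocs: Set[str] = IOC_DOMAINS) -> List[Tuple[int, List[Tuple[str, str]]]]:
    """Return (line_index, hits) for every line with at least one indicator match."""
    results = []
    for i, line in enumerate(lines):
        hits = scan_line(line, iocs)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for idx, hits in scan(LOG_LINES):
        print(f"line {idx}: {hits}")
```

Matching on the registered domain plus subdomains catches lookalike hosts such as `portal.<listed-domain>`, while the label-by-label walk avoids the substring false positive that a naive `in` check would produce; hashing or exact matching should still be used for the email-address indicators ESET lists, since those are full strings rather than hierarchies.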
The researchers also recommend that organizations enable strong two-factor authentication - such as a phone authenticator app or a physical key - to defend against spear-phishing attacks that target Office 365, Faou says.
This Cyber News was published on www.darkreading.com. Publication date: Thu, 22 Feb 2024 19:50:35 +0000