Operation Texonto spreads false war info, reveals ESET Research
ESET Research has recently uncovered a disinformation and psychological operations (PSYOPs) scheme dubbed "Operation Texonto", aiming to deliver war-related misleading information to Ukrainian citizens. Using spam emails, which were dispatched in two series, Russian-aligned threat actors sought to dishearten Ukrainians with disinformation on battle-connected subjects.
The first wave of disinformation emails was sent in November 2023, followed by a second at the end of December 2023. These messages circulated rumours about heating disruptions and deficiencies in drugs and food - typical tropes of Russian propaganda. In addition to this, ESET also recognised spearphishing efforts against a Ukrainian defence company in October 2023 and an EU agency in November 2023. These missions aimed to capture credentials for Microsoft Office 365 accounts using misleading Microsoft login pages. Owing to the parallels in the network structure employed in these PSYOPs and phishing operations, ESET has high confidence in the interconnection of these activities.
Matthieu Faou, an ESET researcher who discovered Operation Texonto, declared, "Since the start of the war in Ukraine, Russia-aligned groups such as Sandworm have been busy disrupting Ukrainian IT infrastructure using wipers. In recent months, we have observed an uptick in cyber espionage operations, especially by the infamous Gamaredon group. Operation Texonto shows yet another use of technologies to try to influence the war."
The researcher further compared features of Operation Texonto to those of Callisto; a well-known Russia-aligned cyberespionage group, partially prosecuted by the U.S. Department of Justice in December 2023. Still, Faou concluded, "While there are several high-level points of similarity between Operation Texonto and Callisto operations, we haven't found any technical overlap, and we currently do not attribute Operation Texonto to a specific threat actor. However, given the TTPs, targeting, and the spread of messages, we attribute the operation with high confidence to a group that is Russia aligned."
It was found that an email server used by the attackers to circulate the PSYOPs emails was later repurposed to dispatch typical Canadian pharmacy spam. This revelation indicated a potential connection between Operation Texonto and operations targeting Russian dissenters and late opposition leader Alexei Navalny's supporters.
The initial wave of disinformation emails aimed to instil doubt in Ukrainians via messages predicting heating interruptions in winter and medicine shortages. The emails mimicked directives from governmental departments and proposed solutions such as substituting scarce medicine with herbs and recommending eating pigeon risotto due to alleged food shortages. A second, more dismal wave of emails was detected a month later, aimed at a wider European audience, suggesting people amputate limbs to escape military deployment.
While ESET products and research have long defended the Ukrainian IT infrastructure, the company has observed a significant uptick in attacks launched by Russia-aligned groups since the onset of the Russian invasion in February 2022.