Russian influence ops against Ukraine and its supporters. Successfully amplifying a crude AI-generated hoax.

Announcement

Join the Q2 Cybersecurity Analyst Call

We'd like to invite you to the Q2 Cybersecurity Analyst Call on Thursday, June 29th, 2023 at 2pm EST to take a look at exactly which developments and topics were the most important this quarter. Join our host, CSO, Chief Analyst, & Senior Fellow, Rick Howard, with N2K Networks President, Simone Petrella, and CISO of Centene, Alan Berry for an insightful discussion about industry events from this quarter that have made material impacts. This live event is typically a CyberWire Pro exclusive, but will be open to all readers and listeners! Be sure to submit questions and/or topics with your registration. Register now.

We'd like your feedback.

We're always looking for ways to improve your Pro experience to give you intelligence-driven news that saves you time and keeps you in the know on the latest developments in cybersecurity. Please share your feedback in our 2023 Audience Survey and you will have a chance to win a $100 Amazon gift card. Take the survey.

Summary

By the CyberWire staff

At a glance.

France alleges Russian disinformation campaign.
The GRU's Cadet Blizzard operation.
Ukraine's Cyber Police shut down a pro-Russian bot farm.
Pentagon explosion hoax amplified by pro-Russian social media accounts.

France alleges Russian disinformation campaign.

French authorities report that Russian actors attempted to plant and amplify disinformation using, in part, spoofed pages misrepresenting themselves as major news outlets. Bloomberg reports that France's Ministry of Foreign Affairs uncovered a coordinated campaign that "involved the creation of fake web pages impersonating French media including 20 Minutes, Le Monde, Le Parisien and Le Figaro, and government sites, as well as the creation of fake accounts on social networks." Foreign Minister Catherine Colonna said in a statement, “France condemns these actions, which are unworthy of a permanent member of the United Nations Security Council. No attempt at manipulation will distract France from its support for Ukraine in the face of Russia’s war of aggression.”

The GRU's Cadet Blizzard operation.

Microsoft researchers have now identified a cluster of cyberattacks as the work of a GRU unit Microsoft has named "Cadet Blizzard." Redmond thinks that Cadet Blizzard, formerly tracked as DEV-0586 has been operating since 2020. They associate the unit with last year's WhisperGate wiper attacks against Ukrainian targets, and they note that in recent months the threat actor has been associated with influence operations.

Cadet Blizzard isn't the only GRU threat actor working against Ukraine. "Microsoft assesses that Cadet Blizzard operations are associated with the Russian General Staff Main Intelligence Directorate (GRU) but are separate from other known and more established GRU-affiliated groups such as Forest Blizzard (STRONTIUM) and Seashell Blizzard (IRIDIUM)." Compared to Forest Blizzard and Seashell Blizzard, Microsoft assesses Cadet Blizzard as generally less effective than it better-known institutional siblings. Still, it's enjoyed a modest level of success. Beside its involvement with WhisperGate, Cadet Blizzard has more recently been linked to the defacements of several Ukrainian organization websites, as well as multiple influence operations.

Ukraine's Cyber Police shut down a pro-Russian bot farm.

Ukraine's Cyber Police on Monday announced the arrest of three bot-farmers who were operating from a garage in the west-central Ukrainian city of Vinnytsia. They were engaged in automated disinformation, distributed through inauthentic accounts they ran in the Russian interest. Their motivation may have been more financial than ideological, as they received payment in Russian rubles, presumably from Russian paymasters. The Record reports that the three men who operated the bot farm created about five-hundred bogus accounts each day, used them to distribute pro-Russian propaganda and disinformation, and received the equivalent of about $13,500 each month. The rubles (at present a prohibited currency in Ukraine) were laundered through illicit (in Ukraine) payment services like WebMoney and PerfectMoney, then converted to cryptocurrencies and loaded onto bank cards.

According to the Cyber Police, "Bot accounts in social networks were used to discredit the Defense Forces of Ukraine, to justify the armed aggression of the Russian Federation, to form public opinion among Ukrainians in the interests of the enemy, and to destabilize the socio-political situation in the country." There was also some direct criminal activity, Ukrainian authorities say. "Fake accounts have also been used to commit fraudulent activities on trading platforms." Should the three men arrested be found guilty, they could each face up to fifteen years in prison.

Pentagon explosion hoax amplified by pro-Russian social media accounts.

AI-generated, faked imagery of what was represented as an explosion at the Pentagon briefly roiled markets when it began circulating on May 22nd. Much of the amplification the admittedly crude fake received can be credited, the Washington Post reports, to a verified Twitter account, @CBKNEWS121, known for "standing with Putin" and retailing a grab-bag of tired and cranky conspiracy theories. If this story gained currency, what can be expected from more sophisticated fakes?

Selected Reading

Attacks, Threats, and Vulnerabilities

Viral Pentagon explosion hoax took off from pro-Russian accounts (Washington Post) The AI-generated image spread quickly after appearing on a verified Twitter account that traffics in conspiracy theories and praises Donald Trump and Vladimir Putin

Putin’s Pals Dream Up Fresh Plot to Help Trump Beat Biden (The Daily Beast) The talking heads on Kremlin TV are brainstorming ways to get Trump back into power after the shock of the indictment.

Russia claims it blew up advanced Ukrainian tank, but video shows its helicopter attacked a tractor (AP NEWS) A grainy black-and-white gunsight video Russia released this week to bolster a claim its military blew up some of Ukraine's most fearsome tanks actually documented the destruction of a tractor, according to a visual analysis by The Associated Press.

Trends

Overview and key findings of the 2023 Digital News Report (Reuters Institute for the Study of Journalism) This year’s report comes against the backdrop of a global cost-of-living crisis, a continuing war in the heart of Europe, and further climate instability across the world. In this context, a strong supply of accurate, well-funded, independent journalism remains critical, but in many of the countries covered in our survey, we find these conditions challenged by low levels of trust, declining engagement, and an uncertain business environment.

Marketplace

Twitter CEO Cites Need to Transform ‘Global Town Square’ in Memo to Staff (Wall Street Journal) Linda Yaccarino, who joined company last week, described her mission in a memo to staff.

Technologies, Techniques, and Standards

From “Heavy Purchasers” of Pregnancy Tests to the Depression-Prone: We Found 650,000 Ways Advertisers Label You (The Markup) A spreadsheet on ad platform Xandr’s website revealed a massive collection of “audience segments” used to target consumers based on highly specific, sometimes intimate information and inferences

Legislation, Policy, and Regulation

New WA law requires clear disclosures for ‘deepfakes’ used in election media (Center for an Informed Public) Washington Gov. Jay Inslee signed a bill this spring that will require clear disclosure when manipulated or synthetic video, images, and audio, sometimes called “deepfakes,” are used in election-re…