Ukraine at D+651: Disinformation and collection, wholesale and retail.
The CyberWire, Dec 7, 2023

Russian intelligence and security services are running at least two large-scale influence and cyberespionage campaigns against Western targets, one a mass-marketed coordinated inauthenticity effort, the other a closely targeted spearphishing operation.


As 2023 comes to a close, Ukraine has recovered half the territory Russia took in the invasion that began on February 24th, 2022. The Institute for the Study of War (ISW) "continues to assess that Ukraine must liberate strategically vital areas still under Russian occupation to ensure Ukraine’s long-term security and economic viability." Kyiv is planning its procurement and operations in accordance with NATO standards, and continues to look toward eventual accession to the Atlantic Alliance. "The adoption of NATO standards throughout the Ukrainian military and defense establishment," the ISW writes, "will facilitate NATO oversight of current and future Western security assistance to Ukraine."

The Aquarium wants to give Swifties their marching orders.

WIRED reports that Russia's military intelligence service, the GRU, is using the images of celebrities juxtaposed with fake quotations denouncing Ukraine in an attempt to sway public opinion, mostly in Europe, against support for Ukraine's defensive war. The tenor of the messages in this crude influence campaign portrays Ukraine as, first, at fault for the war, and second, as wasting the aid it's received from the West. The celebrities whose images are being misappropriated include Taylor Swift, Selena Gomez, Kim Kardashian, Beyoncé, Oprah, Gigi Hadid, Lady Gaga, Jennifer Lopez, Justin Bieber, Shakira, Gwyneth Paltrow, and Cristiano Ronaldo.

The disinformation is being spread over coordinated networks of inauthentic Facebook accounts as part of the GRU's Doppelgänger campaign. The messaging may be primitive, but there's considerable sophistication involved in spreading it. Doppelgänger automates creation of Facebook accounts and exploits loopholes in the platform's ad moderation to disseminate its bogus influencer posts. The not-for-profit disinformation research group Reset told WIRED the campaign “exploits loopholes in Facebook’s ad verification and content moderation systems to foster hostility against Ukrainians and undermine EU support for Kyiv.”

UK calls out an FSB influence campaign.

The British Government has summoned the Russian ambassador for an explanation of the "Cold River" campaign, a sustained effort by Russia's FSB security service to influence elections in the UK. Reuters quotes junior foreign minister Leo Docherty's statement to Parliament: "I can confirm today that the Russian Federal Security Services, the FSB, is behind a sustained effort to interfere in our democratic processes." Cold River, also tracked by researchers as "Callisto," "Iron Frontier," and "Star Blizzard," is associated with the FSB's "Centre 18." Richard Dearlove, former head of Britain's Secret Intelligence Service, MI6, told Reuters, "Because of the UK’s support for Ukraine we are in a state of ‘grey warfare’ with Russia; and the Russians will use every means at their disposal to attack British interests short of open conflict." ComputerWeekly describes the campaign's goal as being "to selectively leak information obtained through cyber espionage and amplify its release in line with Russia’s geopolitical goals, or to undermine trust in UK politics."

The UK's National Cyber Security Centre (NCSC) issued a report on the campaign. Unlike its GRU sister service's Doppelgänger, which is an exercise in automated mass-marketing, the FSB's operators make heavy use of highly tailored spearphishing. They're also given to careful preparation of their targeting. "Using open-source resources to conduct reconnaissance, including social media and professional networking platforms, Star Blizzard [the NCSC's preferred name for the FSB's Cold River operators] identifies hooks to engage their target. They take the time to research their interests and identify their real-world social or professional contacts," the NCSC writes. "Star Blizzard creates email accounts impersonating known contacts of their targets to help appear legitimate. They also create fake social media or networking profiles that impersonate respected experts and have used supposed conference or event invitations as lures."

The NCSC has also updated its guidance on resisting election interference.

GRU continues exploitation of Outlook vulnerability.

Palo Alto Networks' Unit 42 this morning published research into the ongoing GRU exploitation of the Outlook vulnerability, CVE-2023-23397, against espionage targets in the West. "Unit 42 researchers have observed this group using CVE-2023-23397 over the past 20 months to target at least 30 organizations within 14 nations that are of likely strategic intelligence value to the Russian government and its military." APT28, the GRU unit responsible, is going after these target sets:

  • Energy production and distribution
  • Pipeline operations
  • Materiel, personnel and air transportation
  • Ministries of Defense
  • Ministries of Foreign Affairs
  • Ministries of Internal Affairs
  • Ministries of the Economy