Russian group targets Kremlin critics with doctored YouTube videos


High-profile Westerners who speak out against the Kremlin are being targeted by twin threat groups, thought to be affiliated to Russia, who trick them into recorded conversations. These are edited to make the subject appear foolish or not credible and posted on YouTube and other platforms, a cyber watchdog warns.

Proofpoint said it had tracked two groups, known as Vovan and Lexus, which together form up the composite entity codenamed TA499, which it described as “a Russia-aligned threat actor that has aggressively engaged in email campaigns since at least 2021.”

Vovan and Lexus apparently use social engineering, essentially online con artistry, to go after targets, impersonating senior Ukrainian politicians to lure victims into a false sense of security.

The attacks center on convincing the targets - predominantly senior EU and North American politicians opposed to Russia’s invasion of Ukraine - to participate in recorded phone calls or video chats.

This is done with the intention of creating propaganda that can later be used against the victims by defaming them online, in apparent reprisal for opposing the Kremlin’s war.

“TA499 posts recordings of its video calls on YouTube and [Russian digital video channel] RUTUBE,” said Proofpoint, adding that one threat actor’s channels on the former platform had been suspended early on in the war, forcing the cyber-partisans to revert to an older one.

Do not dismiss this threat

“The calls are almost certainly a pro-Russia propaganda effort designed to create negative political content about those who have spoken out against Russian President Vladimir Putin and, in the last year, opposed Russia’s invasion of Ukraine,” it added.

Proofpoint insists that such campaigns are “not a threat to take lightly, due to the damage such propaganda could have on the brand and public perception of those targeted as well as the perpetuation of disinformation.”

"Once the target makes a statement [...], the video devolves into antics, attempting to catch the target in embarrassing comments or acts."

Cyber analyst Proofpoint

TA499 typically begins with the illusion of a sincere discussion about geopolitical and other related events, which “allow the target to voluntarily say as much information as possible.”

“Once the target begins asking questions, the actor mirrors the target’s replies to keep the conversation going,” said Proofpoint. “Once the target makes a statement [...], the video devolves into antics, attempting to catch the target in embarrassing comments or acts. The recordings are then edited for emphasis and placed on YouTube and Twitter for Russian and English-speaking audiences.”

Ukraine politicians mimicked

Proofpoint said that while TA499’s activities predate last year’s invasion, it had observed a notable rise at the beginning of 2022, “culminating in increasingly aggressive attempts after Russia invaded Ukraine.”

“Since that time, the threat actor has engaged in steady activity and expanded its targeting to include prominent businesspeople and high-profile individuals that have either made large donations to Ukrainian humanitarian efforts or those making public statements about Russian disinformation and propaganda,” it added.

The bogus messages aim at drawing information from the targeted individuals “and entice them into further contact via phone calls or remote video.”

Proofpoint added that the emails it tracked did not contain malware, “only communications or invitations purporting to be from an embassy of Ukraine, Ukraine’s Prime Minister, a Ukrainian parliamentarian, or their assistants.”

The social engineering campaigns it observed coinciding with the start of the invasion could be pinpointed to the same domain name (oleksandrmerezhko[.]com) and sender address (office@oleksandrmerezhko[.]com) as were used in previous TA499 attacks, both of them controlled by the threat groups.

Russians raised their game

By March, Vovan and Lexus had raised the stakes somewhat to impersonate higher-ranking members of Ukraine’s political class, including Prime Minister Denys Shmyhal and his “purported assistant.”

To further allay suspicions, TA499 threat actors also spoofed the Ukrainian Embassy to the US, using the fake email addresses embassy.usa@ukr[.]net and embassy.us@ukr[.]net.

The emails themselves are notably convincing, being almost devoid of the bad grammar common to many phishing and business email compromise attacks.

“My name is [Ukrainian MP] Olexandr Merezkho, I am the Head of the Foreign Affairs Committee of the Parliament of Ukraine,” reads one bogus message intercepted by Proofpoint. “First of all, I would like to thank [name redacted] for its work in Ukraine. This is a very important step for our country in documenting Russia’s crimes and subsequently bringing the perpetrators to justice.”

"TA499 has pretended to be various people, going so far as to use extensive makeup to appear exactly like the impersonated individual."

Cybersecurity analyst Proofpoint

Of course, the same message ends with a call to action: urging the victim to agree to a half-hour video conferencing call. This is recorded by the threat actors and then used in Russian propaganda efforts aimed at smearing or otherwise compromising the target.

“For high-profile targets that agree to follow-up video calls, TA499 has pretended to be various people, going so far as to use extensive makeup to appear exactly like the impersonated individual,” said Proofpoint.

The analyst warned that TA499 is enjoying something akin to celebrity status among threat groups, with a growing “fan following,” presumably drawn by the satirical nature of its content.

“They have personas that not only post the material discussed in this report online but also perform reenactments on Russia state-sponsored media, as well as attend conferences,” said Proofpoint. “With the war between Russia and Ukraine unlikely to end in the near-term and Ukraine continuing to garner support from organizations worldwide [...] TA499 will [likely] attempt to continue with its campaigns in support of its influencer content and political agenda.”