Nearly three months into the Ukraine war, a clearer picture is emerging of the array of cyber forces the Kremlin has deployed against the country it invaded on February 24 and its allies.
Threat intelligence analyst Mandiant has been tracking Russia’s movements in the digital sphere for years and released a comprehensive overview of its latest findings on Wednesday. These include troll factories and fake news portals linked to Moscow’s secret service, in what the report’s authors call a campaign of “disinformation promoted by a full spectrum of actors.”
Alden Wahlstrom, one of the lead authors of the Mandiant report, said that many of the groups it highlighted, such as Ghostwriter and Secondary Infektion, had long been on its radar – but that the escalation in hostilities has seen such outfits repurposed to serve in Russia’s cyberarmy.
“Known actors and campaigns can be leveraged or otherwise refocused to support emerging security interests, including large-scale conflict,” said Wahlstrom. “For years, analysts have documented that Ukraine, a key strategic interest of Russia's, is a testing ground for Russian cyber-threat activity that they may subsequently deploy elsewhere. Now, we witness how pro-Russia actors have leveraged the assets and campaign infrastructure developed over time to target Ukraine.”
Cyberattacks on Ukrainian government websites in the run-up to the war are now believed to have coincided with parallel assaults using tools disguised as ransomware – including the wiper programs PayWipe, NearMiss, and PartyTicket. Whereas the self-publicizing primary attacks on January 14 and February 23 mainly defaced government portals, these secondary destructive hacks aimed at causing more serious damage to vital Ukrainian data under the hood.
This pattern of “disruptive and destructive” attacks launched in tandem continued after the outbreak of war, with Mandiant identifying another wiper named Junkmail released at the same time as a deepfake video of Ukrainian president Volodymyr Zelensky surrendering to Russia on March 16. The Junkmail attack was also timed to anticipate the real Zelensky’s speech to US Congress three hours later.
Russian military intelligence agencies, including the GRU, have also been working in tandem with allies and affiliated nations, most notably Belarus.
“Russian and Belarusian information operations actors and campaigns – including those that have historically been linked to cyber-threat activity such as hack-and-leak operations – have engaged in activity surrounding the invasion that is consistent with their previously established motives,” said Mandiant.
These included fake news portals run by Russian information operations (IO) outfit NDP, Telegram channels controlled by the GRU, and other misinformation campaigns by Belarusian-backed hacktivist group Ghostwriter.
“Immediately following Russia’s invasion of Ukraine, we observed assets associated with NDP shift toward an aggressive defense of Russian strategic interests,” said Mandiant. “During this period, we observed the campaign’s concerted promotion of narratives seeded by both overt and covert sources within Russia’s propaganda and disinformation ecosystem.”
While it could not attribute its activities to a specific actor, Mandiant said it had observed “overlaps between NDP and the Ghostwriter campaign that may suggest some degree of coordination or advanced shared knowledge of operational planning between the two campaigns.”
Ghostwriter itself was detected last month running social media accounts designed to spread fake news “to foment distrust between Ukrainians and the Polish government,” as well as publishing opinion articles criticizing NATO’s continued presence in the Baltic states – feared by many residents there to be next on Russia’s list of targets should it prevail in Ukraine.
Another Belarusian group, UNC1151, was also identified by Mandiant as being behind a spear-phishing espionage campaign against the citizens of Lithuania. “Observed targeting associated with UNC1151 threat activity is notable, given the group’s technical support of information operations attributed to Ghostwriter,” it added.
Turning friends into enemies
Fake pundits thought to be backed by the NDP targeted Poland’s acceptance of refugees from Ukraine, playing on the negative reputation garnered by far-right paramilitary group the Azov Brigade to support claims that by doing so, it would open its doors to Ukrainian fascist elements.
“These narratives included falsehoods that sought to portray the refugees as overly burdening Poland’s economy and healthcare system, and to stoke fears among Polish citizens that ‘neo-Nazis’ or other undesirable immigrants would begin exploiting mass border crossings to carry out attacks on Polish soil,” said Mandiant.
Meanwhile, Secondary Infektion sought to do just the reverse – stirring up fears of a partial Polish occupation of Ukraine, in further evidence of a sophisticated and coordinated campaign designed to drive a wedge between the two allies.
“Secondary Infektion operations claimed that the Ukrainian and Polish governments sought to enable Polish troops to deploy in western Ukraine, a move they portrayed as anathema to the Ukrainian people,” said Mandiant, adding that these included a bogus map indicating the alleged Polish troop deployments circulated in February, “with the suggestion that those troops would occupy large swaths of Ukraine for years.”
Another false story circulated by Ghostwriter took the attempt to split Ukraine from Poland to a macabre level – “promoting the narrative that a Polish criminal ring was harvesting organs from Ukrainian refugees to illegally traffic in the European Union.”
Mandiant also cited Russia’s own media sources as reporting on Cyber Front Z, a Telegram channel “overtly dedicated to the promotion of pro-Russia content pertaining to the invasion, to audiences in Russia, Ukraine, and the West on social media.”
It was unable to corroborate the story, run by Russian online newspaper Fontanka, which claimed that Cyber Front Z is masterminded by entities previously sanctioned by the US, and comprises a “troll factory” including “inauthentic personas to promote pro-Russia content on multiple platforms.”
However, it produced a cartoon piece of propaganda to support the claims, originally posted by Cyber Front Z, which portrays Ukrainian soldiers as pigs in uniform defending the Azovstal steel plant in Mariupol, while a Russian officer – bizarrely depicted as a frog or toad apparently smirking – calls in an airstrike.
Other pro-Russian Telegram channels were also linked to the Special Service Center of the GRU, which has sometimes gone under the alias APT28, according to Ukrainian intelligence reports from the SBU cited by Mandiant.
“These channels were active prior to the invasion, and while we were unable to independently confirm the SBU’s attribution, we note that the channels’ activity includes promoting content that appears intended to weaken Ukrainians’ confidence in their government and its response to the invasion,” said Mandiant.
“The content also appears intended to undermine support for Ukraine from its Western partners, interspersed with more seemingly benign posts relaying apolitical content or news reporting.”
This included fake reports released by Secondary Infektion in March of Zelensky committing suicide in his bunker in Kyiv, another false account by the same group the following month of Azov fighters seeking vengeance against the President for “abandoning their fighters to die in Mariupol,” and stories alleging incompetence and corruption in Ukraine.
One of the latter claimed that Ukrainian oligarchs had “paid Zelensky for the right to leave the country” – an apparent reference to the President’s ordinance early on in the war that able-bodied male citizens remain to fight against the Russian invaders.
Evidence uncovered by the Mandiant report also suggests that Russia has been hard at work to bolster its image both at home and abroad – primarily by portraying itself as being in a righteous struggle against Ukrainian fascism. This included Cyber Front Z exhorting “social media users to claim that Ukrainian ‘Nazis’ forced civilians into a theater in Mariupol, which they then detonated,” and falsified accounts of the use of chemical weapons by Ukrainian forces.
Against the West
And in a sign of a broader geopolitical alliance, countries farther afield – most prominently China – appear to be echoing the Kremlin’s narrative.
Dragonbridge – a Chinese-backed network of thousands of accounts spanning social media platforms, websites, and forums detected by Mandiant in 2019 – lent its voice to claims made in March by Russian Defense Ministry spokesman Igor Konashenkov “that Russia’s military operation in Ukraine had uncovered evidence of Pentagon-linked laboratories in Ukraine conducting bioweapons research.”
It circulated photos that appeared to suggest the presence of such sites in Kharkiv and Poltava, but Konashenkov’s claims were refuted by scientists, including some Russian citizens who risked their liberty to speak out against them.
“Dragonbridge accounts also insinuated that the alleged biolabs in Ukraine were responsible for ‘mysterious outbreaks,’ the nature of which went unexplained, and that biolabs elsewhere in the world were likewise harming local populations,” said Mandiant.
The Chinese network also criticized the US for its own controversial foreign policy, with some narratives claiming it “sought to fan the flames of the conflict, as it stood to benefit the most, citing its arms sales to Ukraine.” Others claimed the US had “bullied” European nations into imposing sanctions on Moscow in disregard of their energy dependence on Russia.
Iran has also weighed in on the information war, citing previously belligerent US foreign policy in the Middle East, with its own IO running stories claiming Ukraine deserved to be invaded for its alliance with the “American axis of evil” and accusing the West of hypocrisy over its arms sales to Saudi Arabia, which has waged war on Yemen since 2015.
“Tangentially, [Iranian] assets leveled accusations of racism on the part of the West against Arabs and Muslims, noting alleged differences in its response to the conflict in Ukraine in comparison to conflicts in the Middle East.”
The report added: “Information operations observed in the context of Russia’s invasion of Ukraine have exhibited tactical aims seeking to shape events on the ground, and strategic objectives attempting to influence the shifting geopolitical landscape.”
“While these operations have presented an outsized threat to Ukraine, they have also threatened the US and other Western countries. As a result, we anticipate that such operations, including those involving cyber-threat activity and potentially other disruptive and destructive attacks, will continue as the conflict progresses.”