Operation Texonto: Disinformation campaign targets Ukrainian speakers

 


Security researchers at ESET uncovered a disinformation campaign aimed at Ukrainian speakers both within Ukraine and abroad. Dubbed “Operation Texonto,” the campaign employs a variety of tactics aimed at sowing seeds of doubt and spreading false information among the Ukrainian populace.

The operation, characterized as a psychological operation (PSYOP), primarily leverages spam emails as its distribution method. What sets Operation Texonto apart is its divergence from conventional channels such as Telegram or fake websites commonly associated with disinformation campaigns. Instead, it relies on spam mail to disseminate its misleading messages.

The researchers spotted two waves of activity, the first occurring in November 2023, followed by a second surge in late December of the same year. The themes of the spam emails revolve around narratives typically used by Russian propaganda, such as heating interruptions and shortages of drugs and food.

In addition to the dissemination of disinformation, Operation Texonto also incorporates spearphishing tactics. In October 2023, a Ukrainian defense company was targeted, followed by an EU agency in November of the same year. The goal of these spearphishing attempts was to obtain credentials for Microsoft Office 365 accounts.

One particularly interesting aspect of Operation Texonto is the repurposing of an email server by the perpetrators. Two weeks after being used to send PSYOP emails, the same server was utilized for the distribution of typical Canadian pharmacy spam.

“This category of illegal business has been very popular within the Russian cybercrime community for a long time,” ESET noted.

The researchers identified some technical similarities between Operation Texonto and the Russia-linked Callisto cyberespionage group, indicted by the US Department of Justice in December 2023. Callisto, aka Seaborgium, Star Blizzard and ColdRiver, is believed to be a cyber unit within Russia’s Federal Security Service (“FSB”) known as “Center 18.”

However, ESET hadn’t observed direct overlaps with Callisto. At present, the researchers have not attributed Operation Texonto to any specific threat actor. Nonetheless, given the tactics, techniques, and targets involved, there is a high degree of confidence that the operation is aligned with Russian interests.
