Russia is continuing its campaign of disinformation around the
Ukraine war through advanced social engineering delivered by a
threat group tracked as TA499.
According to a report from
Proofpoint, TA499 targets US and European politicians, and leading
businessmen and celebrities who have spoken out against Putin’s
invasion. The primary purpose is to persuade the victims to take
part in phone calls or video chats from which pro-Putin snippets
can be elicited and published – thereby discrediting any previous
anti-Putin comments.
It continues Russia’s efforts to fracture anti-Russian sentiment
in North America and the EU with campaigns of disinformation. The
European Parliament already contains numerous members opposed to
any pro-Ukrainian activity – and Russia seeks to build on this.
TA499 appears to be a two-person group of operators publicly
known as Vovan and Lexus. It is not known how closely they are tied
to the Russian government. However, their operations are
sophisticated, complex, and do not seem to be financially
motivated. Proofpoint classifies them as ‘patriotically motivated’
and ‘aligned with the Russian state’.
The operation begins with TA499 making email or phone contact
with their targets. Although this activity began before the
invasion of Ukraine, “TA499’s campaigns began to ramp up in late
January 2022, culminating in increasingly aggressive attempts after
Russia invaded Ukraine in late February 2022,” say the
researchers.
By March 2022, emails or phone calls began to masquerade as the
Ukrainian Prime Minister Denys Shmyhal and his supposed assistant.
Emails pretended to come from official embassies. with subjects
such as ‘Prime Minister of Ukraine Request’. For example (although
not proven, but assessed with ‘high confidence’, to be TA499), the
UK Secretary of State for Defense, Ben Wallace, tweeted on March
17, 2022, “Today an attempt was made by an imposter claiming to be
Ukrainian PM to speak with me. He posed several misleading
questions and after becoming suspicious I terminated the call.”
Other approaches from TA499, pre-dating the Ukraine invasion,
have targeted individuals that have made positive statements about
the imprisoned Russian opposition leader Alexei Navalny – emails
have masqueraded as messages from Leonid Volkov, Navalny’s chief of
staff.
The purpose of such contacts is to persuade the target to join a
telephone conversation or remote video call with TA499. If
successful, the group engages in conversation with the attempt to
elicit contradictory statements designed to discredit earlier
anti-Kremlin statements. Proofpoint does not believe that TA499 has
used deepfake technology in these exchanges, instead relying on an
actor – for example, ‘Lexus’ pretended to be Volkov in
Navalny-themed attacks.
If successful, the recordings have been made public; for
example, on YouTube and RuTube. “There are videos already publicly
available of previous successful interactions,” the researchers
told SecurityWeek. But they believe the YouTube recordings
have already been taken down.
“According to open-source reporting, the following have been
targets of the threat actor we track as TA499,” the researchers
told SecurityWeek: “The mayor of Vienna Michael Ludwig, as
well as other mayors in Warsaw, Budapest, Berlin, and Madrid.
Celebrities JK Rowling and Elton John have also been targeted in
the past.
“Overall, TA499 has not targeted based on government roles,”
they continued, “but based on comments being made about the
Russia-Ukraine war, general negative commentary about Russia and
Putin, and involvement of government officials, celebrities, or
prominent individuals running charities in support of Ukraine.
“
Some reports have suggested that TA499 has used deepfake
technology. Proofpoint cannot confirm this, but warns that even if
they haven’t, they are likely to do at some point in the future.
This threat, and other similar threats, will only become more
effective as the technology improves. “There is a likelihood that
if TA499 has not already adopted deepfakes, they will at some
point,” said the researchers.
It is possible that TA499 started as a patriotic prankster
group. “They have personas that not only post the material
discussed in this report online but also perform reenactments on
Russia state-sponsored media as well as attend conferences,” says
Proofpoint “With the war between Russia and Ukraine unlikely to end
in the near-term and Ukraine continuing to garner support from
organizations worldwide, Proofpoint assesses with high confidence
that TA499 will attempt to continue with its campaigns in support
of its influencer content and political agenda.”
The war has given pranks a serious and damaging incentive. So
far, it is likely that this has been achieved without the use of
deepfake technology. It is, however, a clear warning on the
likelihood of even more compelling social engineering attacks in
the future.
Related: Deepfakes – Significant or Hyped Threat?
Related: The Lessons From Cyberwar, Cyber-in-War and
Ukraine
Related: Russian Espionage APT Callisto Focuses on Ukraine
War Support Organizations
Related: A Year of Conflict: Cybersecurity Industry Assesses
Impact of Russia-Ukraine War
