ESET, a leader in IT security and protection, has been at the forefront of safeguarding Ukrainian IT infrastructure for years. Since the outbreak of the war in February 2022, the company has diligently worked to prevent and investigate numerous cyberattacks launched by Russia-aligned groups. Beyond analyzing malware-related threats, ESET has also dedicated resources to uncovering an information operation, or psychological operation (PSYOP), aimed at sowing doubt in the minds of Ukrainians and Ukrainian speakers around the world.
The disinformation campaign, known as Operation Texonto, relies on spam emails as its primary method of distribution. The perpetrators did not employ common channels such as Telegram or fake websites to disseminate their messages; instead, they used email as the main vehicle for spreading their propaganda. ESET identified two distinct waves of this campaign, one in November 2023 and another in December 2023. The contents of the emails focused on topics such as heating interruptions, drug shortages, and food shortages, themes that are characteristic of Russian propaganda efforts.
In addition to the disinformation campaign, ESET also uncovered a spearphishing campaign targeting a Ukrainian defense company in October 2023, as well as an EU agency in November 2023. The objective of these spearphishing attacks was to steal credentials for Microsoft Office 365 accounts. By examining the network infrastructure used in these operations, ESET was able to confidently link them to Operation Texonto. Moreover, the investigation revealed domain names associated with internal Russian topics, further tying the campaign to potential spearphishing or information operations targeting Russian dissidents and supporters of the late opposition leader, Alexei Navalny.
Furthermore, ESET discovered that the email server operated by the attackers, used to disseminate the PSYOP emails, was subsequently reused to send typical Canadian pharmacy spam. This unexpected pivot points to a broader involvement of the Russian cybercrime community, adding a layer of complexity to Operation Texonto.
The complexity of Operation Texonto is reminiscent of the activities conducted by the Callisto cyberespionage group, which has been associated with Russia. Callisto is known to target government officials, individuals in think tanks, and military-related organizations through spearphishing campaigns. In addition, Callisto has engaged in disinformation operations, highlighting a high-level resemblance to the activities of Operation Texonto. Although there is no direct technical overlap between the two operations, the techniques, tactics, and procedures employed point strongly to a Russian-aligned group being responsible for Operation Texonto.
Moreover, ESET uncovered a phishing campaign that targeted employees at a major Ukrainian defense company in October–November 2023. The phishing email purported to come from the company’s IT department and urged recipients to confirm their email address through a fraudulent web link that mimicked the official Microsoft login page. This sophisticated attack aimed to trick targets into divulging their credentials.
The disinformation efforts escalated in November 2023, with ESET identifying the first wave of emails containing misleading information and PDF attachments. These emails were sent to a wide range of recipients across Ukraine, including individuals, government employees, and personnel at energy companies. Although the emails contained no malicious links or malware, they were designed to raise doubts in the minds of recipients about potential heating interruptions during the winter. The PDF attachment, while not inherently malicious, contained misinformation about drug shortages in Ukraine, attributing them to the ongoing war and government policies. Notably, the attackers used a domain masquerading as the Ministry of Agrarian Policy and Food of Ukraine, adding to the complexity and sophistication of their disinformation campaign.
Operation Texonto represents a multifaceted and highly sophisticated cyber threat that leverages disinformation, spearphishing, and the manipulation of public opinion to achieve its objectives. ESET’s ongoing research and analysis have shed light on the intricate nature of this campaign, further reinforcing the need for robust cybersecurity measures and continuous vigilance in the face of evolving threats. As the global cybersecurity landscape continues to evolve, companies like ESET play a crucial role in identifying, mitigating, and defending against such insidious cyber operations.

