Russian Disinformation Campaign Records High-Profile Individuals on Camera

A highly sophisticated Russian disinformation campaign that involves duping high-profile individuals into embarrassing comments or acts on videos has been uncovered by cybersecurity firm Proofpoint.

The researchers revealed they have been tracking a malicious email campaign by Russia-aligned group TA499, in which it entices prominent businesspeople and other individuals who have either supported Ukrainian humanitarian efforts or criticised the Russian government into further contact via phone calls or remote video.

Targets include North American or European government officials and CEOs of prominent companies.

Edited recordings of the calls are then posted on the group’s YouTube and RUTUBE channels for influence and misinformation purposes, painting the targets in a bad light.

Proofpoint researchers told Infosecurity that these efforts are primarily designed to influence a Russian audience, and have proved effective in doing so.

“TA499’s content has been parroted by the President of Belarus, Alexander Lukashenko, in the audience of Vladimir Putin and reported on Russian State media. Unlike the heavily publicized misinformation efforts directed en masse at Americans, the activity of TA499 appears to be more directed towards a Russian audience,” they explained.

The researchers have also observed the suspected use of video deepfakes during these calls to impersonate the Russian opposition leader’s chief of staff, Leonid Volkov, and potentially others.

Ramped Up Activity Since Russian Invasion

Proofpoint said that TA499 ramped up its social engineering email campaigns in late January 2022 amid the build-up to the Russian invasion of Ukraine and from then on “almost exclusively centered on topics relating to the Russia-Ukraine war.” From March 2022, the group expanded its targets beyond government officials and prominent businesspeople to other public figures, including celebrities.

In early 2022, TA499 used the same actor-controlled domain (oleksandrmerezhko[.]com) and sender address (office@oleksandrmerezhko[.]com) as in its 2021 campaigns, purporting to be from Oleksandr Merezhko, a Ukrainian MP. Initially, the emails targeted individuals who had spoken out on the following topics: the bill to arm Ukraine against Russia, support for sanctions on the Nord Stream II pipeline, and the bombing of Russian military assets and other military actions.

By March 2022, the group began impersonating new people in their emails, including Ukrainian Prime Minister Denys Shmyhal and his purported assistant. They utilized the popular internet service and email provider Ukr.net to make them appear legitimate and claimed to be from “the Embassy of Ukraine to the US” or “the Embassy of Ukraine in the US.”

Later in the year, TA499 began leveraging additional embassy and atomic energy agency-themed domains in their campaign.

The emails, which are malware-free, attempt to elicit information from the targets to entice them into further contact via phone calls or remote video. Proofpoint researchers noted: “TA499 focuses on impersonation, benign conversation starters, and rapport building in order to gain the targets’ trust and attempt to extract highly sensitive information. This activity is more similar in nature to telephone-orientated attack delivery (TOAD) and social engineering.”
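The lure characteristics described above (a known actor-controlled sender domain, an embassy claim in the display name, and free Ukr.net webmail standing in for an official domain) can be turned into a simple mail-gateway triage check. This is an added example, not Proofpoint's code; the sample headers are constructed, and the government-domain allow-list is a hypothetical placeholder.

```python
import re
from email.utils import parseaddr

# Actor-controlled domain named in the Proofpoint report (defanged on the page).
KNOWN_ACTOR_DOMAINS = {"oleksandrmerezhko.com"}
# Free webmail provider the report says TA499 used to appear legitimate.
FREE_WEBMAIL_DOMAINS = {"ukr.net"}
# Affiliation phrases the report quotes from the lures.
EMBASSY_PATTERN = re.compile(r"embassy of ukraine (to|in) the us", re.IGNORECASE)
# Hypothetical allow-list: domains that genuinely belong to the claimed organisation.
LEGIT_GOV_SUFFIXES = ("gov.ua",)


def assess_lure(headers: dict) -> list:
    """Return the reasons a message resembles a TA499-style impersonation lure.

    headers is a dict with 'From' (display name plus address) and 'Subject'.
    An empty list means no indicator from the report matched.
    """
    display, addr = parseaddr(headers.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    reasons = []

    if domain in KNOWN_ACTOR_DOMAINS:
        reasons.append(f"sender domain {domain} is a known actor-controlled domain")

    # The embassy claim lives in the display name or subject, not the address.
    claim_text = f"{display} {headers.get('Subject', '')}"
    if EMBASSY_PATTERN.search(claim_text) and not domain.endswith(LEGIT_GOV_SUFFIXES):
        if domain in FREE_WEBMAIL_DOMAINS:
            reasons.append(f"claims embassy affiliation but sent from free webmail ({domain})")
        else:
            reasons.append(f"claims embassy affiliation from non-government domain ({domain})")
    return reasons


# Constructed sample headers (not real captures).
SAMPLES = {
    "merezhko_lure": {"From": "office@oleksandrmerezhko.com",
                      "Subject": "Invitation to discuss support for Ukraine"},
    "embassy_webmail_lure": {"From": "Embassy of Ukraine to the US <assistant.pm@ukr.net>",
                             "Subject": "Video call with the Prime Minister"},
    "benign_official": {"From": "Embassy of Ukraine in the US <press@example.gov.ua>",
                        "Subject": "Press release"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, "->", assess_lure(hdrs) or "no indicators")
```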

Recorded Video Calls

When high-profile targets agree to video calls, TA499 uses extensive makeup to appear exactly like the impersonated individual, such as Shmyhal. Additionally, it is suspected that deepfake technology has been used to impersonate Volkov, and possibly others, although that is denied by the group.

“While TA499 primarily utilizes makeup and social engineering, and we have not observed a use of deepfakes in their ruses so far, this technology is becoming more accessible to the masses and is being deployed by malicious actors,” explained the researchers.

They added that the threat actor does not appear to use any voice modulation on these calls, “primarily focusing on the targets’ lack of familiarity with the contact and the element of surprise.”

The calls typically begin by allowing the target to volunteer as much information as possible. TA499 then encourages the target to voice particular obligations and efforts in relation to actors such as the Russian opposition led by Alexei Navalny. Once a statement is made on these areas, “the video devolves into antics, attempting to catch the target in embarrassing comments or acts.”

The recordings are then edited for effect and placed on YouTube and Twitter for Russian and English-speaking audiences.

However, attempts to influence Russians have been more successful than for Western audiences, Proofpoint said: “It should be noted that TA499 has made numerous attempts to maximize a western English-speaking audience via YouTube; however, these channels have been taken down, the second of which was removed as of March 5, 2023.”

Going forward, the researchers expect that TA499 will continue with these campaigns, as the Russia-Ukraine war is unlikely to end in the foreseeable future. They urged high-profile individuals who have made statements supporting Ukraine or criticizing the Kremlin to “take care in verifying the identities of those inviting them to conduct business or discuss political topics over video conferencing.”