Operation Texonto loosely resembles Russia-aligned Callisto APT group activities; however, ESET Research does not have enough evidence to attribute the operations to any specific group
ESET Research uncovers Operation Texonto, a Russian-led PSYOPs campaign using spam emails to spread disinformation among Ukrainians. Conducted in two waves in November and December 2023, the messages aimed to influence and demoralize citizens with false information on war-related topics. Themes included heating, drug, and food shortages, typical of Russian propaganda. Additionally, spearphishing campaigns in October and November 2023 targeted a Ukrainian defense company and an EU agency, respectively, using fake Microsoft login pages to steal credentials. ESET links these operations due to shared network infrastructure, indicating a coordinated effort.
Since the start of the war in Ukraine, Russia-aligned groups such as Sandworm have been busy disrupting Ukrainian IT infrastructure using wipers
Matthieu Faou, Senior Malware Researcher, ESET researcher
“Since the start of the war in Ukraine, Russia-aligned groups such as Sandworm have been busy disrupting Ukrainian IT infrastructure using wipers. In recent months, we have observed an uptick in cyberespionage operations, especially by the infamous Gamaredon group. Operation Texonto shows yet another use of technologies to try to influence the war,” said, ESET researcher Matthieu Faou, who discovered Operation Texonto.
“The strange brew of espionage, information operations, and fake pharma messages can only remind us of Callisto, a well-known Russia-aligned cyberespionage group, some members of which were the subject of an indictment by the U.S. Department of Justice in December 2023. Callisto targets government officials, staff in think tanks, and military-related organizations via spearphishing websites designed to mimic common cloud providers. The group has also run disinformation operations such as a document leak just ahead of the 2019 UK general election. Finally, pivoting on its old network infrastructure leads to fake pharma domains,” continues Faou. However, he concludes: “While there are several high-level points of similarity between Operation Texonto and Callisto operations, we haven’t found any technical overlap, and we currently do not attribute Operation Texonto to a specific threat actor. However, given the TTPs, targeting, and the spread of messages, we attribute the operation with high confidence to a group that is Russia aligned.”
An email server, operated by the attackers and used to send the PSYOPs emails, was reused two weeks later to send typical Canadian pharmacy spam. This category of illegal business has been very popular within the Russian cybercrime community for a long time. A few more pivots also revealed domain names that are part of Operation Texonto and related to internal Russian topics, such as Alexei Navalny, the well-known Russian opposition leader who was in jail and died on February 16, 2024. This means that Operation Texonto probably includes spearphishing or information operations targeting Russian dissidents and supporters of the late opposition leader.
The goal of the first wave of disinformation emails was to sow doubt in the minds of Ukrainians; for instance, one email says “There may be heating interruptions this winter.” Others purportedly from the Ministry of Health talk about medicine shortages. It doesn’t seem that there were any malicious links or malware in this specific wave, only disinformation. One domain masquerading as the Ministry of Agrarian Policy and Food of Ukraine recommended replacing unavailable medicine with herbs. In yet another email “from” the Ministry, they suggest eating “pigeon risotto” a photo of a live pigeon and a cooked pigeon. Those documents were purposely created in order to rile up and demoralize the readers. Overall, these fake messages align with common Russian propaganda themes. They are trying to make Ukrainian people believe they won’t have drugs, food, and heating because of the Russia-Ukraine war.
About a month after the first wave, ESET detected a second PSYOPs email campaign targeting not only Ukrainians, but also people in other European countries. The targets are somewhat random, ranging from the Ukrainian government to an Italian shoe manufacturer. According to ESET telemetry, a few hundred people received emails in this wave. The second wave was darker in its messaging, with the attackers suggesting people amputate a leg or an arm to avoid military deployment. Overall, it has all the characteristics of PSYOPs during wartime.
ESET products and research have been protecting Ukrainian IT infrastructure for many years. And since the start of the Russian invasion in February 2022, ESET Research has prevented and investigated a significant number of attacks launched by Russia-aligned groups.
