July 21, 2024

Researchers have discovered a Russia-aligned PSYOPs campaign with a curious mix of espionage, disinformation, and Canadian pharmacy spam. It also has links to Alexei Navalny, the Kremlin critic who died last week in an Arctic penal colony.

The PSYOPs — a military term for “psychological operations” — were unearthed by analysts at ESET, a cybersecurity firm headquartered in Slovakia. They named the campaign “Operation Texonto.”

The operation disseminated war-related disinformation to Ukrainians via spam emails. Through two waves of messages, the PSYOPs spread fears about shortages of food, medicines, and heating supplies — typical themes of Russian propaganda. 

Alongside the disinformation, ESET detected a recent spear-phishing campaign that targeted a Ukrainian company and an EU agency. It aimed to steal credentials for Microsoft Office 365 accounts.

Due to similarities in their network infrastructure, ESET is confident that the PSYOPs and phishing are connected. 

Matthieu Faou, Senior Malware Researcher at ESET, said the company’s customers had sparked the hunt for Operation Texonto.

“ESET has a significant user base in Ukraine and as such, our research team dedicates a lot of its time to track Russia-aligned groups,” Faou told TNW via email.

“We first uncovered a spear-phishing campaign and then pivoted on the artefacts, which led to the discovery of the two PSYOPs.”

It also led to that connection with Navalny.

Real dissidents and fake pharmacies

Operation Texonto used domain names related to Navalny. These included the following:

  • navalny-votes[.]net
  • navalny-votesmart[.]net
  • navalny-voting[.]net

These domains suggest that the campaign had another objective. The researchers suspect it deployed spear-phishing or information operations against Russian dissidents and Navalny supporters.

Another link was made to fake Canadian pharmacies, which have been popular with Russian cybercriminals for decades. In 2004, “Canadian Pharmacy” was named “the world’s currently most voluminous spam generator.”

One of the servers used to send the spam emails was later reused to send typical Canadian pharmacy spam.

ESET surmised that the campaign operators had realised they had been detected. Consequently, they may have tried to monetise the burnt infrastructure for personal profit.

Detecting PSYOPs

In the disinformation campaign, the first wave of emails was sent in November 2023. They targeted Ukrainian politicians, energy companies, and citizens. ESET estimates that the messages had “at least a few hundred” recipients.

Rather than spread malicious links or malware, the messages sought to fracture support for Ukraine’s resistance.

One sender masquerading as the Ukrainian government advised citizens to replace drugs with “folk methods” using plants. Another email, allegedly from the Ministry of Agriculture, recommended eating “pigeon risotto.”

The second wave of emails targeted both Ukrainian citizens and residents of other European countries. All of them, however, were written in Ukrainian.

They featured darker messaging. One email suggested that recipients amputate a limb to avoid military deployment.

A PDF attached to one of the disinformation emails that suggested eating