A highly sophisticated Russian disinformation campaign that tricked high-profile individuals into making embarrassing comments on recorded video calls has been uncovered by cybersecurity firm Proofpoint.
Researchers revealed they are tracking a malicious email campaign by the Russian-affiliated group TA499. The campaign invites prominent businesspeople and individuals who support Ukrainian humanitarian efforts or criticize the Russian government to continue the conversation by phone or remote video call.
Targets include government officials and CEOs of well-known companies in North America or Europe.
An edited recording of the call is then posted on the group’s YouTube and RUTUBE channels, casting the target in a bad light for influence and misinformation purposes.
Proofpoint researchers said these efforts are designed to influence a primarily Russian audience and have proven effective in doing so.
“TA499 content was parroted in front of Vladimir Putin’s audience by Belarusian President Alexander Lukashenko and reported in Russian state media. Unlike TA499, TA499’s activities seem to be directed more toward a Russian audience,” they explained.
The researchers also observed that video deepfakes were used during these calls to impersonate Leonid Volkov, the chief of staff of the Russian opposition leader, and possibly others.
Increased activity since the Russian invasion
According to Proofpoint, TA499 ramped up its social engineering email campaign in late January 2022, as Russia prepared to invade Ukraine, and from then on “mostly focused on topics related to the war between Russia and Ukraine.” The group is said to have expanded its targets from government officials and prominent businesspeople to other public figures, including celebrities, from March 2022 onward.
In early 2022, TA499 used the same actor-controlled domain (oleksandrmerezhko[.]com) and sender address (office@oleksandrmerezhko[.]com) as in its 2021 campaign, purporting to be Ukrainian MP Oleksandr Merezhko. Initially, the emails targeted individuals who had spoken out on the following topics: bills to arm Ukraine against Russia, support for sanctions on the Nord Stream II pipeline, the bombing of Russian military assets and other military actions.
By March 2022, the group had begun impersonating new people in its emails, among them Ukrainian Prime Minister Denys Shmyhal and his alleged assistant. It used the popular internet service and email provider Ukr.net to appear legitimate and claimed to be writing from the “Embassy of Ukraine in the United States”.
Later that year, TA499 began utilizing additional embassy and nuclear agency-themed domains in their campaigns.
The malware-free emails attempt to extract information from their targets and lure them into further contact via phone or remote video. A Proofpoint researcher said: “This activity is similar in nature to telephone-oriented attack delivery (TOAD) and social engineering.”
Recorded video calls
Once a high-profile target agrees to a video call, TA499 uses extensive make-up to look exactly like the individual it impersonates, such as Shmyhal. Additionally, there are suspicions that deepfake technology is being used to impersonate Volkov and others, which the group denies.
“TA499 primarily utilizes make-up and social engineering, and so far we have not seen any deepfakes used in their machinations, but the technology is becoming more accessible to the masses and deployed by malicious actors,” the researchers explained.
They added that the threat actor does not appear to use voice modulation in these calls, “primarily focusing on the target’s unfamiliarity with the contact and element of surprise.”
A typical call begins by letting the target volunteer as much information as possible and encouraging them to talk about their efforts. Once remarks have been made on these topics, “the video evolves into playfulness and attempts to catch the target with embarrassing comments or actions.”
The recording is then edited for effect and posted on YouTube and Twitter for Russian and English speaking audiences.
Attempts to influence Russians have been more successful than those aimed at Western audiences, Proofpoint says. These channels have since been deleted, the second of them on March 5th, 2023.
Going forward, the researchers expect TA499 to continue these campaigns, as the Russian-Ukrainian war is unlikely to end in the near future. They said that celebrities who have made remarks in support of Ukraine or criticized the Kremlin should “pay attention” when verifying the identity of anyone who invites them to conduct business or discuss political topics in a video conference.