Researchers have discovered a Russia-aligned PSYOPs campaign with a curious mix of espionage, disinformation, and Canadian pharmacy spam. It also has links to Alexi Navalny, the Kremlin critic who died last week in an Arctic penal colony.
The PSYOPs — a military term for “psychological operations” — were unearthed by analysts at ESET, a cybersecurity firm headquartered in Slovakia. They named the campaign “Operation Texonto.”
The operation disseminated war-related disinformation to Ukrainians via spam emails. Through two waves of messages, the PSYOPs spread fears about shortages of food, medicines, and heating supplies — typical themes of Russian propaganda.
Alongside the disinformation, ESET detected a recent spear-phishing campaign that targeted a Ukrainian company and an EU agency. It aimed to steal credentials for Microsoft Office 365 accounts.
The <3 of EU tech
The latest rumblings from the EU tech scene, a story from our wise ol’ founder Boris, and some questionable AI art. It’s free, every week, in your inbox. Sign up now!
Due to similarities in their network infrastructure, ESET is confident that the PSYOPs and phishing are connected.
Matthieu Faou, Senior Malware Researcher at ESET, said the company’s customers had sparked the hunt for Operation Texonoto.
“ESET has a significant user base in Ukraine and as such, our research team dedicates a lot of its time to track Russia-aligned groups,” Faou told TNW via email.
“We first uncovered a spear-phishing campaign and then pivoted on the artefacts, which led to the discovery of the two PSYOPs.”
It also led to that connection with Navalny.
Real dissidents and fake pharmacies
Operation Texonto used domain names related to Navalny. These included the following:
- navalny-votes[.]net
- navalny-votesmart[.]net
- navalny-voting[.]net
These domains suggest that the campaign had another objective. The researchers suspect it deployed spearphishing or information operations against Russian dissidents and Navalny supporters.
Another link was made to fake Canadian pharmacies, which have been popular with Russian cybercriminals for decades. In 2004, “Canadian Pharmacy” was named “the world’s currently most voluminous spam generator.”
One of the servers used to send the spam emails was later reused to send typical Canadian pharmacy spam.
ESET surmised that the campaign operators had realised they had been detected. Consequently, they may have tried to monetise the burnt infrastructure for personal profit.
Detecting PSYOPs
In the disinformation campaign, the first wave of emails was sent in November 2023. They targeted Ukrainian politicians, energy companies, and citizens. ESET estimates that the messages had “at least a few hundred” recipients.
Rather than spread malicious links or malware, the messages sought to fracture support for Ukraine’s resistance.
One sender masquerading as the Ukrainian government advised citizens to replace drugs with “folk methods” using plants. Another email, allegedly from the Ministry of Agriculture, recommended eating “pigeon risotto.”
The second wave of emails was sent last December. All of them were written in Ukrainian, but they targeted people in both Ukraine and other European cities.
They featured darker messaging. One email suggested that recipients amputate a limb to avoid military deployment.
The PSYOPs campaign joins the “firehouse of falsehood” that has targeted Ukraine since Russia’s full-scale invasion.
To tackle such disinformation, ESET recommends a mix of smart email filtering, education, and double-checking.
“Additionally, using trusted fact-checking services can help individuals and organisations verify the validity of contentious information,” Jake Moore, Global Cybersecurity Advisor at ESET, told TNW.
“Lastly, if you spot a dodgy source of disinformation, it can help reduce the spread by notifying the email service provider by placing it in the spam folder.”