- Threat actors linked to Russia have launched a series of disinformation campaigns to sway public opinion to support the country’s war in Ukraine, according to Mandiant research released last week.
- The campaigns, launched by threat actors either state-linked or sympathetic to Russia, use wide-ranging tactics to deface websites, publish propaganda or target individuals with false and misleading information, sometimes coinciding with dangerous wiper attacks or malicious cyber activity.
- The threat actors were usually based in Russia or Belarus, but a few cases were traced to China and Iran.
Alden Wahlstrom, a senior analyst at Mandiant, said via email that the campaigns used a variety of methods to weaken the resolve of the Ukrainian population, create discord with some neighboring countries like Poland, send out false narratives about the role of NATO or create positive narratives about Russia.
The various campaigns included:
- Threat actor APT 28 used Telegram before the invasion to intersperse news with information designed to undermine public confidence in the Ukrainian government, or weaken support from Western allies. The Security Service of Ukraine has blamed the Russian General Staff’s Main Intelligence Directorate (GRU), a threat actor linked to the 2016 attack on the U.S. Democratic National Committee.
- A suspected campaign by Ghostwriter published false information using compromised websites or social media accounts to foment distrust between Ukraine and Poland. The campaign also published opinion pieces to discredit NATO’s presence in the Baltic states.
- A suspected Russian campaign known as “Secondary Infektion” used forged documents, screenshots, pamphlets, fabricated interviews and counterfeit petitions about the war. The campaign mainly uses single-use burner personas on social media, posting in Russian or Ukrainian. One example claimed Ukraine and Poland sought to deploy Polish troops to western Ukraine.
- Dragonbridge, a pro-People’s Republic of China campaign traced to 2019, shifted tactics to focus on Ukraine. One recent example claimed Pentagon-linked bioweapons labs were operating in Ukraine.
The Cybersecurity and Infrastructure Security Agency previously released information on how foreign influence operations were creating false narratives around the war and could target critical U.S. infrastructure.
Microsoft last month issued an extensive report about how Russia has targeted television towers, launched phishing attacks against Ukrainian military personnel and conducted other operations to control information narratives.