Disruptive Russian misinformation efforts target Ukraine's narrative consensus

In recent times, the Cybersecurity and Infrastructure Security Agency (CISA) has warned of foreign influence operations creating false narratives around global conflicts, particularly the war in Ukraine, and the potential threat to critical U.S. infrastructure.

Research by Mandiant has revealed that threat actors linked to Russia have launched disinformation campaigns to support the country's war in Ukraine. One such campaign, Ghostwriter, has also published opinion pieces to discredit NATO's presence in the Baltic states. APT 28, another threat actor with ties to Russia, has used Telegram before the invasion to undermine public confidence in the Ukrainian government and weaken support from Western allies.

These disinformation campaigns employ a wide range of tactics, including defacing websites, publishing propaganda, and targeting individuals with false and misleading information. Threat actors behind these campaigns are either state-linked or sympathetic to Russia. The actors are usually based in Russia or Belarus, but a few cases have been traced to China and Iran.

One notable campaign, "Secondary Infektion," has used forged documents, screenshots, pamphlets, fabricated interviews, and counterfeit petitions about the war. Microsoft recently issued a report detailing Russia's targeting of television towers, phishing attacks against Ukraine military personnel, and other operations to control information narratives.

Examples from these campaigns include claims of Pentagon-linked bioweapons labs operating in Ukraine and Ukraine and Poland seeking to deploy Polish troops to western Ukraine. The group behind "Secondary Infektion" is believed to be a well-experienced and well-organized attacker with deep technical knowledge. However, the exact name of the group remains unconfirmed.

The Security Service of Ukraine has blamed the Russian General Staff's Main Intelligence Directorate (GRU) for the activities of APT 28. Another suspected threat actor, Ghostwriter, has published false information using compromised websites or social media accounts to foment distrust between Ukraine and Poland.

Corporate stakeholders are growing increasingly concerned about the risk posed by these disinformation campaigns and are seeking to better understand the risk calculus of their technology stacks. They want to answer the question: Are we a target? These campaigns sometimes coincide with dangerous wiper attacks or malicious cyber activity, further heightening the concern.

Dragonbridge, a pro-People's Republic of China campaign traced to 2019, has shifted its focus to Ukraine. This campaign uses single-use burner personas on social media in Russian or Ukrainian languages.

As these disinformation campaigns continue to evolve and target critical infrastructure, it is essential for corporations and governments to stay vigilant and take necessary measures to protect themselves from these threats.