The Moscow-based company, hit by US sanctions earlier this year, has been linked to yet another influence operation designed to turn public opinion against Ukraine and undermine Western support since at least December 2023.
The covert campaign, carried out by the Social Design Agency (SDA), uses AI-enhanced videos and fake websites impersonating authoritative news sources to target audiences in Ukraine, Europe and the US. The activity has been codenamed Operation Undercut by Recorded Future's Insikt Group.
“This operation is in tandem with other campaigns such as Doppelganger, designed to discredit Ukraine’s leadership, question the effectiveness of Western aid and inflame socio-political tensions,” the cyber security company said in a statement.
“The campaign also seeks to shape narratives around the 2024 US election and geopolitical conflicts, such as the situation between Israel and Gaza, to deepen divisions.”
The Social Design Agency has previously been linked to Doppelganger, which likewise uses social media accounts and a network of fake news sites to influence public opinion. The company and its founders were sanctioned by the US this March along with another Russian company known as Structura.
Operation Undercut shares infrastructure with both Doppelganger and Operation Overload (aka Matryoshka and Storm-1679), a Russia-linked influence campaign that attempted to disrupt the 2024 French election, the Paris Olympics, and the US presidential election using a combination of fake news sites, fake fact-checking resources, and AI-generated audio.
The latest campaign is no different in that it abuses users’ trust in established media brands and uses AI-powered videos and images that mimic those media sources to lend the content credibility. At least 500 accounts across various social media platforms, such as 9gag and America’s Best Pics and Videos, were used to promote the content.
In addition, the operation was found to use popular hashtags in the target countries and languages to reach a larger audience as well as promote content from CopyCop (aka Bura-1516).
“Operation Undercut is part of a broader Russian strategy to destabilize Western alliances and portray Ukraine’s leadership as ineffective and corrupt,” Recorded Future said. “Targeting audiences in Europe and the United States, the SDA seeks to increase anti-Ukrainian sentiment, hoping to reduce the flow of Western military aid to Ukraine.”
APT28 conducts a nearest neighbor attack
The disclosure comes as the Russia-linked APT28 (aka GruesomeLarch) was observed in early February 2022 breaching a US company using an unusual technique called a “nearest neighbor attack”, which first involved compromising another organization located in a nearby building within the target’s Wi-Fi range.
The ultimate goal of the attack on the unnamed organization, which occurred just before Russia’s invasion of Ukraine, was to collect data on individuals with expertise on, and projects actively involving, Ukraine.
“GruesomeLarch was able to ultimately hack into [the organization’s] network by connecting to their corporate Wi-Fi network,” Volexity said. “The threat actor accomplished this by chaining together their approach to compromise multiple organizations in close proximity to the intended target.”
The attack is said to have been carried out by performing password spraying attacks against a public-facing service on the company’s network in order to obtain valid wireless network credentials, and then exploiting the fact that multi-factor authentication was not required to connect to the corporate Wi-Fi network.
According to Volexity, the strategy was to hack into a second organization located across the street from the target and use it as a conduit to move laterally through its network and eventually connect to the target’s Wi-Fi network by supplying the previously obtained credentials, all while being thousands of miles away.
“Compromise of these credentials alone did not provide access to the client’s environment, as all internet-facing resources required the use of multi-factor authentication,” Sean Koessel, Steven Adair and Tom Lancaster said. “However, the Wi-Fi network was not MFA protected, meaning the only requirements to connect were proximity to the target network and valid credentials.”
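The first step described above, a password spray against a public-facing service that yields a valid set of credentials, leaves a recognisable trace in authentication logs: one source failing against many distinct accounts in a short window, sometimes followed by a success. The detector below is an added example written for this article, not code from Volexity or the original report; the log format and the sample lines are constructed, and the thresholds are assumptions a defender would tune to their own environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the article): timestamp, source IP, username, result.
# 203.0.113.7 fails against five accounts and then succeeds on a sixth: a spray that
# landed valid credentials. 198.51.100.4 is one user mistyping a password: benign.
SAMPLE_LOG = """\
2022-02-01T10:00:01 203.0.113.7 alice FAIL
2022-02-01T10:00:03 203.0.113.7 bob FAIL
2022-02-01T10:00:05 203.0.113.7 carol FAIL
2022-02-01T10:00:07 203.0.113.7 dave FAIL
2022-02-01T10:00:09 203.0.113.7 erin FAIL
2022-02-01T10:00:11 203.0.113.7 frank SUCCESS
2022-02-01T10:05:00 198.51.100.4 alice FAIL
2022-02-01T10:05:10 198.51.100.4 alice FAIL
2022-02-01T10:05:20 198.51.100.4 alice SUCCESS
"""

def parse_line(line):
    """Split one constructed log line into (timestamp, source, user, result)."""
    ts, src, user, result = line.split()
    return datetime.fromisoformat(ts), src, user, result

def detect_password_spray(log_text, window=timedelta(minutes=10), min_users=5):
    """Return {source: {"users": n, "successes": [user, ...]}} for every source that
    fails against at least `min_users` distinct accounts inside a sliding `window`.
    Any success from such a source within the same window is the case the article
    describes: the spray produced working credentials and should be treated as a
    compromised account, not just noisy traffic."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, user, result = parse_line(line)
            events[src].append((ts, user, result))
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):
            in_window = [(u, r) for t, u, r in evs[i:] if t - t0 <= window]
            failed_users = {u for u, r in in_window if r == "FAIL"}
            if len(failed_users) >= min_users:
                successes = sorted({u for u, r in in_window if r == "SUCCESS"})
                alerts[src] = {"users": len(failed_users), "successes": successes}
                break  # one alert per source is enough
    return alerts

if __name__ == "__main__":
    for src, info in detect_password_spray(SAMPLE_LOG).items():
        print(f"spray from {src}: {info['users']} accounts, successes={info['successes']}")
```

A success flagged here is the trigger for resetting the account and auditing where else, such as Wi-Fi or VPN, the same credentials are accepted without MFA.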