Network Security
Vulnerability Management
Privileged Access Management
Endpoint Security
Threat Hunting
Unified Endpoint Management
Email & Collaboration Security
Contents:
Russia continues its disinformation campaign around the Ukraine war through advanced social engineering tactics delivered by the TA499 threat group. Also known as Vovan and Lexus, TA499 is a Russian-aligned threat actor conducting aggressive email campaigns since at least 2021. They seem to target US and European politicians, business people, and celebrities who oppose Putin’s invasion, according to a report from Proofpoint.
The primary goal is to persuade victims to participate in phone calls or emails to elicit and publish pro-Putin snippets, thus discrediting any previous anti-Putin comments.
As tensions between Russia and Ukraine rose, TA499’s email campaigns accelerated and have not abated since Russia invaded Ukraine in February 2022.
Below, you’ll see a graphic picturing the timeline of these campaigns during the ongoing Russia-Ukraine war:
Several EU members already oppose any pro-Ukrainian activity – and Russia seeks to build on this support. This is part of Russia’s effort to erode anti-Russian sentiment in North America and the EU with disinformation campaigns.
TA499 appears to be a two-person group of operators known as Vovan and Lexus. We do not know how closely they are connected to the Russian government, but their operations appear sophisticated, complex, and not financially motivated. Instead, they seem to be patriotically motivated and aligned with the Russian state.
The operation begins with TA499 making email or phone call with their targets. This activity started before the invasion of Ukraine. Still, it ramped up in late January 2022, culminating in increasingly aggressive attempts after the Russian invasion of Ukraine in late February 2022, according to the researchers.
In March 2022, reports of emails and phone calls imitating Ukrainian Prime Minister Denys Shmyhal and his assistant began to surface.
Messages presented as being sent from official embassies with titles like ‘Prime Minister of Ukraine Request’ prompted UK Secretary of State for Defense, Ben Wallace, to tweet the following on March 17:
Today, an imposter claiming to be a Ukrainian PM attempted to speak with me. He posed several precarious questions, and after becoming suspicious, I terminated the call.
While nothing is definite, it has been estimated with high confidence that TA499 initiated the activity.
TA499 has also targeted individuals who have made positive statements about Alexei Navalny, the imprisoned Russian opposition leader – emails masquerading as messages from Navalny’s chief of staff, Leonid Volkov.
Such contacts aim to persuade the target to participate in a telephone or video call with TA499. The group then engages in conversation to elicit contradictory statements to discredit earlier anti-Kremlin reports.
Proofpoint does not believe that TA499 used deepfake technology in these exchanges but acted as Volkov in attacks focused on Navalny.
According to cybersecurity researchers, the mayor of Vienna, Michael Ludwig, and the mayors of Warsaw, Budapest, Berlin, and Madrid are all targets. JK Rowling and Elton John have both been targeted in the past.
TA499 has targeted comments about the Russia-Ukraine war, general negative commentary about Putin and Russia, and the involvement of politicians, celebrities, or prominent individuals running charities in support of Ukraine.
Proofpoint cannot confirm that the TA499 uses deep fake technology but warns that even if they haven’t already, they are likely to at some point.
So far, pranks have been carried out without the use of deep fake technology, but this is a warning of the possibility of even more compelling social engineering attacks to come in the future.
While the primary target of TA499 remains the C-level or the highest profile positions possible at any given entity, cybersecurity researchers advise anyone who suspects they may be a target of TA499 to exercise caution in verifying the identities of those inviting them to conduct business or discuss political topics via video conferencing.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, and YouTube for more cybersecurity news and topics.
Gabriella is the Social Media Manager and Cybersecurity Communications Officer at Heimdal®, where she orchestrates the strategy and content creation for the company's social media channels. Her contributions amplify the brand's voice and foster a strong, engaging online community. Outside work, you can find her exploring the outdoors with her dog.
