A group of hackers with ties to the Belarusian government broke into the Facebook accounts of Ukrainian military officials and posted videos calling on the Ukrainian army to surrender. According to Facebook’s parent company, Meta, the posts appeared as if they were coming from the legitimate account owners.
The group of hackers, known in the security industry as Ghostwriter, typically targets victims by compromising their email addresses and using them to gain access to social media accounts.
“When it comes to persistent threat actors, we’ve seen a further spike in activity by Ghostwriter,” Ben Nimmo, Meta’s global threat intelligence lead for influence operations, said on a call with reporters. He added that since February, “they’ve attempted to hack into the Facebook accounts of dozens of Ukrainian military personnel.”
Meta’s head of security policy, Nathaniel Gliecher, said the videos posted on the accounts of Ukrainian military officials were not seen by users and were taken down by the platform before it could be shared with others.
Meta also removed a network of 200 accounts operating from Russia that were falsely filing hundreds — and in some cases thousands — of reports against users, mainly in Ukraine and Russia, for various policy violations. The mass reporting was an attempt to silence critics and Ukrainians, Meta said.
The operation spiked in mid-February, just before Russia invaded Ukraine. The actors used a variety of fake, authentic and duplicate accounts to falsely report users for violations of hate speech and bullying. Meta said in an attempt to evade detection, the threat actors coordinated their mass reporting activity in a cooking-themed Facebook group that had about 50 members when discovered.
“Since Russia’s invasion of Ukraine, we’ve seen attacks on internet freedom and access to intensify information sharply,” said Nick Clegg, president of global affairs at Meta. He said those attacks are manifested through Russian state propaganda, media influence operations, espionage campaigns and attempts to close the flow of credible information.
Meta said threat actors with links to Russia and Belarus who are engaging in cyber espionage and covert influence operations have an interest in the Ukrainian telecom industry, defense and energy sectors, tech platforms and journalists.
But Ukrainian officials believe Russia is behind the disinformation efforts, timed to coincide with conventional warfare. “Cyberwar is a component of conventional war, provided by Russia against Ukraine,” said top Ukrainian cybersecurity official Victor Zhora during a briefing with reporters on Tuesday.
One group with ties to the Belarusian KGB, which Meta previously took down in November, returned with a new operation a day before Russia’s invasion began. Meta said the group “suddenly” began posting in Polish and English about Ukrainian troops surrendering and leaders surrendering without a fight.
On March 14, the group created an event in Warsaw calling for a protest against the Polish government, Meta alleged. The event was on the platform for “a few hours at most” and taken down along with the account behind it, Nimmo said.
New information about threat actors with ties to Russia who are targeting Ukrainian officials and public figures on Facebook is part of the company’s new quarterly Adversarial Threat report. It builds on the existing quarterly community standards report and the monthly coordinated inauthentic behavior report.
The disinformation campaign by Russian-aligned actors targeting Ukrainians on social media and online comes at the same time as other cyberattacks targeting Ukrainian government agencies, media groups and telecommunications.
The Security Service of Ukraine announced Thursday it uncovered another text message campaign pushing 5,000 SMS messages to Ukrainian military and law enforcement officers demanding that they defect and surrender to Russian forces.
“The outcome of events is predetermined!” the messages said, according to Ukrainian officials. “Be prudent and refuse to support nationalism and leaders of the country who discredited themselves and already fled the capital!!!”
Between March 23 and March 29, Ukrainian critical infrastructure registered 65 cyberattacks – five times more than the previous week – according to a report by Ukraine’s State Service of Special Communication and Information Protection (SSSCIP).
The agency said top targets included state and local authorities, the security and defense sector, financial companies, satellite telecommunications and the energy sector.
“We do not see serious and complicated attacks on critical infrastructure which can be successful so far,” said Zhora, deputy chief of Ukraine’s SSSCIP. “We register attempts, but I hope we will be able to effectively counteract them and provide security to our IT systems.”
But hackers did launch a “sophisticated and massive” attack against the infrastructure of one of Ukraine’s largest providers, Ukrtelecom, on March 28, Kirill Goncharuk, the company’s chief information officer, told reporters on Tuesday.
The attack against Ukrtelecom was launched from inside Russian-occupied Ukrainian territory, though Goncharuk did not disclose the specific location, citing security reasons.
Goncharuk said hackers used an employee’s compromised account to gain entry. The employee is currently safe, but the CIO declined to say whether the individual was physically coerced into handing over access.
Traffic in the network fell to 13% of the regular regime of the network’s functioning but, according to the SSSCIP, Ukrtelecom security experts detected the attack within 15 minutes after its launch and restored 85% of service within 24 hours.
During the attack, intruders attempted to disable the company’s servers and take control of Ukrtelecom’s network by attempting to change the passwords of employees’ accounts as well as the passwords to equipment and firewalls, according to Goncharuk.
Investigators say it appears that the attackers did not access customer data. Officials have not yet attributed the attack. The investigation – in coordination with Microsoft and Cisco – is ongoing.
“The majority of [cyber]attacks that come to Ukrainian infrastructure at the moment have Russian origins,” Zhora told reporters. “And it doesn’t matter whether the FSB or GRU originate it. Different APT groups can sit on the same floor in the same buildings.”
The hack follows an attack on U.S. telecommunications firm Viasat on February 24 that targeted terminals in Ukraine but also caused outages in Germany and other European countries at the start of the Russian invasion.
A U.S. official tells CBS News that American intelligence officials believe Russian state-actors were behind the Viasat hack, though the White House has not publicly said so.
U.S. officials believe it was meant to disrupt service in Ukraine but spread beyond the intended targets.
The Biden administration remains concerned that cyberattacks targeting Ukrainian critical infrastructure could “spill over” to the U.S. and its allies, similar to events surrounding the 2017 NotPetya malware attack.
Homeland Security Secretary Alejandro Mayorkas told “CBS Evening News” anchor and managing editor Norah O’Donnell on Wednesday that Russian actors “have not attacked our critical infrastructure in retaliation to the sanctions we’ve imposed.”
“We are preparing for an attack,” Mayorkas added, noting that U.S. officials are on high alert for potential breaches of critical infrastructure, including U.S. banks, the energy grid and water system. “We are poised to defend ourselves.”
Testifying in the Senate this week, U.S. Cyber Command chief Gen. Paul Nakasone cautiously supported the creation of a “social media data threat analysis center” to help combat foreign influence campaigns.
“Based on my experience, watching two different election cycles and the work of our adversaries attempt to garner greater influence, I think such a center would be helpful,” he told lawmakers, adding that researchers must evaluate “the full spectrum” of adversaries’ capabilities, including tactics, tradecraft and procedures.”
First published on April 7, 2022 / 8:02 AM
© 2022 CBS Interactive Inc. All Rights Reserved.