A Moscow-based company sanctioned by the U.S. earlier this year has been linked to yet another influence operation designed to turn public opinion against Ukraine and erode Western support since at least December 2023.
The covert campaign undertaken by Social Design Agency (SDA), leverages videos enhanced using artificial intelligence (AI) and bogus websites impersonating reputable news sources to target audiences across Ukraine, Europe, and the U.S. It has been dubbed Operation Undercut by Recorded Future’s Insikt Group.
“This operation, running in tandem with other campaigns like Doppelganger, is designed to discredit Ukraine’s leadership, question the effectiveness of Western aid, and stir socio-political tensions,” the cybersecurity company said.
“The campaign also seeks to shape narratives around the 2024 U.S. elections and geopolitical conflicts, such as the Israel-Gaza situation, to deepen divisions.”
Social Design Agency has been previously attributed to Doppelganger, which also employs social media accounts and a network of inauthentic news sites to sway public opinion. The company and its founders were sanctioned by the U.S. earlier this March, alongside another Russian company known as Structura.
Operation Undercut shares infrastructure with both Doppelganger and Operation Overload (aka Matryoshka and Storm-1679), a Russia-aligned influence campaign that has attempted to undermine the 2024 French elections, the Paris Olympics, and the U.S. presidential election using a combination of fake news sites, false fact-checking resources, and AI-generated audio.
The latest campaign is no different in that it abuses the trust users place on trusted media brands and leverages AI-powered videos and images mimicking media sources to lend it more credibility. No less than 500 accounts spanning various social media platforms, such as 9gag and America’s best pics and videos, have been used to amplify the content.
Furthermore, the operation has been found to use trending hashtags in targeted countries and languages to reach a bigger audience, as well as promote content from CopyCop (aka Storm-1516).
“Operation Undercut is part of Russia’s broader strategy to destabilize Western alliances and portray Ukraine’s leadership as ineffective and corrupt,” Recorded Future said. “By targeting audiences in Europe and the U.S., the SDA seeks to amplify anti-Ukraine sentiment, hoping to reduce the flow of Western military aid to Ukraine.”
APT28 Conducts Nearest Neighbor Attack
The disclosure comes as the Russia-linked APT28 (aka GruesomeLarch) threat actor has been observed breaching a U.S. company in early February 2022 through an unusual technique called the nearest neighbor attack that involved first compromising a different entity located in an adjacent building located within the Wi-Fi range of the target.
The end goal of the attack aimed at the unnamed organization, which took place just ahead of Russia’s invasion of Ukraine, was to collect data from individuals with expertise on and projects actively involving the nation.
“GruesomeLarch was able to ultimately breach [the organization’s] network by connecting to their enterprise Wi-Fi network,” Volexity said. “The threat actor accomplished this by daisy-chaining their approach to compromise multiple organizations in close proximity to their intended target.”
The attack is said to have been accomplished by conducting password-spray attacks against a public-facing service on the company’s network to obtain valid wireless credentials, and taking advantage of the fact that connecting to the enterprise Wi-Fi network did not require multi-factor authentication.
The strategy, Volexity said, was to breach the second organization located across the street from the target and use it as a conduit to laterally move across its network and ultimately connect to the intended company’s Wi-Fi network by supplying the previously obtained credentials, while being thousands of miles away.
“The compromise of these credentials alone did not yield access to the customer’s environment, as all internet-facing resources required use of multi-factor authentication,” Sean Koessel, Steven Adair, and Tom Lancaster said. “However, the Wi-Fi network was not protected by MFA, meaning proximity to the target network and valid credentials were the only requirements to connect.”