A group of hackers with ties to the Belarusian government broke into the Facebook accounts of Ukrainian military officials and posted videos calling on the Ukrainian military to surrender. According to Facebook’s parent company, Meta, the messages appeared to be from the legitimate account owners.
The group of hackers, known in the security industry astypically targets victims by compromising their email addresses and using them to access social media accounts.
“When it comes to persistent threat actors, we’ve seen a further spike in Ghostwriter activity,” Ben Nimmo, Meta’s global threat intelligence lead for influence operations, said during a conversation with reporters. He added that since February “they have been trying to hack into the Facebook accounts of dozens of Ukrainian military personnel.”
Meta’s head of security policy, Nathaniel Gleicher, said the videos posted to the accounts of Ukrainian military officials were not seen by users and were removed by the platform before being shared with others.
Meta also deleted a network of 200 accounts operating out of Russia that falsely filed hundreds – and in some cases thousands – of reports against users, mainly in Ukraine and Russia, for various policy violations. The mass reporting was an attempt to silence critics and Ukrainians, Meta said.
The operation peaked in mid-February, just before Russia invaded Ukraine. The actors used various fake, authentic and duplicate accounts to falsely report users for hate speech violations and bullying. Meta said that in an effort to evade detection, the threat actors coordinated their massive reporting activity in a cooking-themed Facebook group that had about 50 members when they were discovered.
“Sincewe’ve seen attacks on internet freedom and access to information,” said Nick Clegg, president of global affairs at Meta. He said those attacks manifest themselves through Russian state propaganda, media influence operations, spy campaigns and attempts to shut down the flow of credible information.
Meta said threat actors with ties to Russia and Belarus engaged in cyber espionage and covert influence operations have an interest in Ukraine’s telecom industry, defense and energy sectors, tech platforms and journalists.
But Ukrainian officials believe Russia is behind the disinformation efforts, timed to coincide with conventional warfare. “Cyberwar is part of the conventional war waged by Russia against Ukraine,” Ukrainian cybersecurity official Victor Zhora said during a briefing with reporters on Tuesday.
A group with ties to the Belarusian KGB, which Meta took down earlier in November, returned with another operation a day before the Russian invasion began. Meta said the group “suddenly” began posting in Polish and English about Ukrainian troops surrendering and leaders surrendering without a fight.
On March 14, the group staged an event in Warsaw calling for protests against the Polish government, Meta claimed. The event was on the platform for “a few hours at most” and was removed along with the account behind it, Nimmo said.
New information on threat actors with ties to Russia targeting Ukrainian officials and public figures on Facebook is part of the company’s new quarterly Adversarial Threat report. It builds on the existing quarterly report on community standards and the monthly report on coordinated inauthentic behavior.
The disinformation campaign by Russia-affiliated actors targeting Ukrainians on social media and online comes at the same time as other cyberattacks targeting Ukrainian government agencies, media groups and telecommunications.
Ukraine’s security service announced on Thursday that it had uncovered a new texting campaign that sent 5,000 text messages to Ukrainian military personnel and law enforcement officers, demanding that they defect and surrender to Russian troops.
“The outcome of events is predetermined!” the messages read, according to Ukrainian officials. “Be careful and refuse to support nationalism and the country’s leaders who have discredited themselves and have already fled the capital!!!”
According to a report by the Ukrainian State Service for Special Communications and Information Protection (SSSCIP), Ukraine’s critical infrastructure registered 65 cyber attacks between March 23 and 29 – five times more than the week before.
The agency said the main targets were state and local authorities, the security and defense sector, financial companies, satellite telecommunications and the energy sector.
“We don’t see any serious and complicated attacks on critical infrastructure that could be successful so far,” said Zhora, deputy head of Ukraine’s SSSCIP. “We are recording attempts, but I hope we can counter them effectively and secure our IT systems.”
But hackers launched an “advanced and massive” attack on the infrastructure of one of Ukraine’s largest providers, Ukrtelecom, on March 28, Kirill Goncharuk, the company’s chief information officer, told reporters on Tuesday.
The attack on Ukrtelecom was launched from Russian-occupied Ukrainian territory, although Goncharuk did not disclose the specific location for security reasons.
Goncharuk said hackers used an employee’s compromised account to gain access. The employee is currently safe, but the CIO declined to say if the person was physically forced to relinquish access.
Traffic on the network dropped to 13% of normal network operation, but according to the SSSCIP, security experts from Ukrtelecom detected the attack within 15 minutes of launch and recovered 85% of service within 24 hours.
During the attack, intruders attempted to disable the company’s servers and take control of Ukrtelecom’s network by attempting to change the passwords of employees’ accounts, as well as passwords for equipment and firewalls, Goncharuk said.
Investigators say it appears that the attackers were unable to access customer data. Officials have not yet attributed the attack. The investigation – in coordination with Microsoft and Cisco – is still ongoing.
“The majority of [cyber]attacks that are currently coming to the Ukrainian infrastructure have a Russian origin,” Zhora told reporters. “And it doesn’t matter if the FSB or the GRU are causing it. Different APT groups can be on the same floor in the same buildings.”
The hack follows an attack on US telecommunications company Viasat on February 24, which targeted terminals in Ukraine but also caused power outages in Germany and other European countries at the start of the Russian invasion.
A US official tells CBS News that US intelligence officials believe Russian state actors were behind the Viasat hack, although the White House has not said so publicly.
US officials believe it was intended to disrupt services in Ukraine but spread beyond its intended targets.
The Biden administration remains concerned that cyberattacks targeting Ukraine’s critical infrastructure could spill over to the US and its allies, similar to the events surrounding the 2017 NotPetya malware attack.
Homeland Security Secretary Alejandro Mayorkas told Norah O’Donnell, executive editor and editor-in-chief of CBS Evening News on Wednesday that Russian actors “have not attacked our critical infrastructure in retaliation for the sanctions we have imposed.”
“We are preparing for an attack,” Mayorkas added, noting that US officials are very alert to potential breaches of critical infrastructure, including US banks, the energy grid and the water system. “We are ready to defend ourselves.”
US Cyber Command general Paul Nakasone testified in the Senate this week, cautiously supporting the creation of a “social media data threat center” to help fight campaigns with foreign influence.
“Based on my experience, looking at two different electoral cycles and the work of our opponents trying to gain more influence, I think such a center would be helpful,” he told lawmakers, adding that investigators “have the full spectrum” of opponents’ capabilities, including tactics, crafts and procedures.