November 29, 2024

A Moscow-based company sanctioned by the United States earlier this year has been linked to a new influence operation aimed at turning public opinion against Ukraine and eroding Western support since at least December 2023.

The covert campaign, undertaken by the Social Design Agency (SDA), leverages artificial intelligence (AI)-enhanced videos and fake websites impersonating reputable news sources to target audiences in Ukraine, Europe, and the United States. It was dubbed Operation Undercut by Recorded Future's Insikt Group.

“This operation, carried out in tandem with other campaigns like Doppelganger, aims to discredit Ukrainian leaders, question the effectiveness of Western aid and inflame socio-political tensions,” the cybersecurity company said.

“The campaign also seeks to shape narratives around the 2024 US elections and geopolitical conflicts, such as the situation between Israel and Gaza, in order to deepen divisions.”

Social Design Agency has previously been attributed to Doppelganger, which also uses social media accounts and a network of inauthentic news sites to influence public opinion. The company and its founders were sanctioned by the United States in early March, alongside another Russian company known as Structura.

Operation Undercut shares its infrastructure with Doppelganger and Operation Overload (aka Matryoshka and Storm-1679), a Russia-aligned influence campaign that attempted to undermine the 2024 French elections, the Paris Olympics, and the US presidential election using a combination of fake news websites, fake fact-checking resources, and AI-generated audio.

The latest campaign is no different in that it abuses the trust users place in trusted media brands and leverages AI-powered videos and images mimicking media sources to give it more credibility. As many as 500 accounts across various social media platforms, like 9gag and America's Best Pics & Videos, were used to amplify the content.

Additionally, the operation was found to use trending hashtags in targeted countries and languages to reach a wider audience, as well as to promote CopyCop (aka Storm-1516) content.

“Operation Undercut is part of Russia’s broader strategy to destabilize Western alliances and portray Ukraine’s leaders as ineffective and corrupt,” Recorded Future said. “By targeting audiences in Europe and the United States, the SDA seeks to amplify anti-Ukrainian sentiment, hoping to reduce the flow of Western military aid to Ukraine.”

APT28 carries out a nearest neighbor attack

The disclosure comes as Russia-linked threat actor APT28 (aka GruesomeLarch) was observed breaching a US company in early February 2022 through an unusual technique called a nearest neighbor attack, which first involved compromising a different entity located in an adjacent building within Wi-Fi range of the target.

The ultimate goal of the attack on this unnamed organization, which took place just before Russia's invasion of Ukraine, was to collect data from individuals with expertise on, and projects actively involving, Ukraine.

“GruesomeLarch has finally broken through [the organization’s] network by connecting to their company’s Wi-Fi network,” Volexity said. “The threat actor achieved this by connecting their approach in series to compromise multiple organizations in close proximity to their target.”

The attack was allegedly carried out by conducting password spraying attacks against a utility on the company's network in order to obtain valid wireless credentials, and by leveraging the fact that connecting to the company's Wi-Fi network did not require multi-factor authentication.

The strategy, Volexity said, was to penetrate a second organization across the street from the target and use it as a channel to move laterally through its network and ultimately connect to the affected company's Wi-Fi network with the previously obtained credentials, while the attackers themselves were thousands of miles away.

“The compromise of these credentials alone did not provide access to the customer's environment because all Internet-accessible resources required the use of multi-factor authentication,” said Sean Koessel, Steven Adair and Tom Lancaster. “However, the Wi-Fi network was not protected by MFA, meaning proximity to the target network and valid credentials were the only requirements to connect.”
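The sequence Volexity describes (a password spray against a network-facing service to harvest valid credentials, then reuse of those credentials on a Wi-Fi network that lacked MFA) leaves a signature that per-account lockout thresholds miss: one source tries a few passwords against many different accounts, so no single account ever crosses the failure limit. The following is an added detection example written for this article; it is not code from Volexity or from the report. The log format, the usernames and the source addresses (taken from documentation ranges) are all constructed for the example; it groups failures by source address, counts distinct accounts inside a time window, and notes whether that source later authenticated successfully.

```python
"""Detect password-spraying patterns in authentication logs.

Added illustrative example, not from Volexity's report. A spray is
characterised by ONE source failing against MANY distinct accounts
within a short window, so grouping by source (not by account) is what
surfaces it. A success from the same source after the spray is the
signal that a credential was harvested and should be treated as
compromised.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; the syslog-like format is an assumption.
# 203.0.113.7 sprays six accounts and then logs in as "grace";
# 198.51.100.20 is one user who mistypes twice and then succeeds.
SAMPLE_LOG = """\
2022-02-01T10:00:01Z auth failure user=alice src=203.0.113.7 service=vpn
2022-02-01T10:00:03Z auth failure user=bob src=203.0.113.7 service=vpn
2022-02-01T10:00:05Z auth failure user=carol src=203.0.113.7 service=vpn
2022-02-01T10:00:07Z auth failure user=dave src=203.0.113.7 service=vpn
2022-02-01T10:00:09Z auth failure user=erin src=203.0.113.7 service=vpn
2022-02-01T10:00:11Z auth failure user=frank src=203.0.113.7 service=vpn
2022-02-01T10:00:13Z auth success user=grace src=203.0.113.7 service=vpn
2022-02-01T10:05:00Z auth failure user=alice src=198.51.100.20 service=vpn
2022-02-01T10:05:02Z auth failure user=alice src=198.51.100.20 service=vpn
2022-02-01T10:05:04Z auth success user=alice src=198.51.100.20 service=vpn
"""


def parse_line(line):
    """Parse one constructed log line into a dict of fields."""
    ts, _, result, rest = line.split(" ", 3)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "result": result,
        **fields,
    }


def detect_spray(lines, window=timedelta(minutes=10), min_accounts=5):
    """Return {src: {...}} for every source whose failures touch at least
    `min_accounts` distinct usernames inside any `window`-long interval.

    Each finding also lists usernames that later authenticated
    successfully from that source, i.e. credentials likely harvested.
    """
    events = [parse_line(l) for l in lines if l.strip()]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "failure"]
        # Sliding window: for each failure as a start point, collect the
        # distinct accounts failed within `window` of it.
        best = 0
        for i, start in enumerate(failures):
            users = set()
            for e in failures[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                users.add(e["user"])
            best = max(best, len(users))
        if best >= min_accounts:
            successes = [e["user"] for e in evs if e["result"] == "success"]
            findings[src] = {"distinct_accounts": best, "successes": successes}
    return findings


if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_LOG.splitlines()).items():
        print(f"spray from {src}: {info['distinct_accounts']} accounts, "
              f"later successes: {info['successes']}")
```

Keying the count on the source rather than the account is the whole point: the second source in the sample never trips the rule because it only ever touches one username, which is what a real user locking themselves out looks like. The detection is a complement to, not a substitute for, the control the article identifies as missing: the Wi-Fi network accepted a bare username and password, so any harvested credential was immediately usable by anyone within radio range of the building.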

