Pro-Putin scammers trick politicians and celebrities into low-tech hoax video calls
Who needs deepfakes when you've got makeup and 'element of surprise'?
Pro-Russian scammers using social engineering and impersonation to trick prominent western commentators into conducting recorded video calls have kicked these campaigns "into high gear" over the past 12 months, according to security researchers.
Security software vendor Proofpoint tracks the pair, Vladimir Kuznetsov and Alexei Stolyarov, better known as Vovan and Lexus, under the designation TA499.
The scammers typically target politicians, CEOs and celebrities in the hope of generating content they can selectively edit to support their cause.
One example of the tricksters at work is a recorded video call with former British Foreign Secretary William Hague, who believes he is speaking with the former president of Ukraine, Petro Poroshenko.
Since Russia invaded Ukraine in late February 2022, "the threat actor has engaged in steady activity and expanded its targeting to include prominent businesspeople and high-profile individuals that have either made large donations to Ukrainian humanitarian efforts or those making public statements about Russian disinformation and propaganda," Proofpoint analyst Zydeca Cass wrote in research published today.
Once a target bites the email lure and agrees to a follow-up video call, TA499 kicks things off with a serious question or two. The scammers' goal is to coax the individual into saying something that can later be edited for maximum pro-Russian play.
"Once the target makes a statement on the matter, the video devolves into antics, attempting to catch the target in embarrassing comments or acts," Cass wrote.
The recordings are then posted on YouTube (although YouTube has since blocked some of the group's channels), Rutube, and Twitter.
While it's tempting to write the duo off as a couple of Sacha Baron Cohen-inspired pranksters, "TA499 is not a threat to take lightly," Cass said.
Getting duped into participating in TA499's pro-Putin propaganda can damage a person or company's brand and reputation, and it also amplifies the duo's disinformation campaigns, the report states.
The hoaxes have become more political in nature since the war started, Proofpoint researchers said, in an email to The Register.
"The methods used by TA499 have continued to be successful from their days of genuine pranks to this current highly clustered and politically aligned activity," they said.
'Element of surprise'
It's also worth noting that, despite earlier reports of the two using deepfakes to impersonate government officials — including a video call recorded in 2021 in which the caller purported to be Russian opposition politician Leonid Volkov — the actual modus operandi is decidedly more low-tech: makeup, physical disguises, and acting.
"The actor does not appear to be using any voice modulation, primarily focusing on the targets' lack of familiarity with the contact and the element of surprise," Cass wrote, confirming the duo's claims that they didn't use deepfakes.
Proofpoint's researchers told The Register there's no incentive — yet — for the pair to do so.
"Generally speaking, threat actors will upgrade their techniques when there is an incentive to do so — such as increasing their attack success rate or improving their stealthiness," they said, in an email. "In this case, it may be easier for the threat actor to use makeup and/or actors instead of training an artificial intelligence or adopting the learning curve to utilize such a technology; however, we cannot confirm that reasoning."
These campaigns typically target "high-profile persons of interest" who have been vocal in their opposition to Putin and the Ukraine war and supportive of sanctions against Russia and sending aid and weapons to Ukraine, Proofpoint says.
"Since late-January 2022, the threat actor has largely focused its email attempts on scheduling a video or phone call meeting with high-profile North American or European government officials and CEOs of prominent companies," according to the research.
By March 2022, the duo "adopted new personality impersonations," most notably Ukrainian Prime Minister Denys Shmyhal and his assistant. To make the emails look legitimate, TA499 sent them from accounts at the popular Ukrainian webmail provider Ukr.net and wrote subject lines to appear as if they were Ukrainian government officials making a request of the target-slash-victim. Note that a genuine free-webmail account will pass SPF and DKIM checks, so the tell here is an official's name on a consumer mailbox, not a failed authentication result.
In addition to the Proofpoint-discovered email campaigns, Cass calls out a similar attempt in which a phony email address allegedly controlled by Shmyhal was used to contact British Defence Secretary Ben Wallace.
"Today an attempt was made by an imposter claiming to be Ukrainian PM to speak with me. He posed several misleading questions and after becoming suspicious I terminated the call," Wallace tweeted in March 2022.
In the report, Proofpoint says it can "assess with high confidence that this was the work of TA499."
Fake news?
Other notable targets reportedly include former German chancellor Angela Merkel, Prince Harry, Elton John, and JK Rowling.
By mid-2022, the miscreants began using further embassy-themed email addresses and a threat-actor-controlled International Atomic Energy Agency (IAEA)-themed domain to send emails with an "URGENT: IAEA Director General" subject line to senior government officials.
The timing of this coincided with a public statement by IAEA Director General Rafael Mariano Grossi after Russian troops captured Ukraine's Zaporizhzhia nuclear power plant.
"It is likely that the international attention surrounding the state of the power plant inspired TA499's decision to use an IAEA lure," Cass wrote.
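The two lure patterns described above (an official's name on a free Ukr.net mailbox, and an "urgent" request from an IAEA-themed lookalike domain) are easy to triage mechanically before anyone accepts a call. The following script is an added example, not Proofpoint's code and not drawn from its indicator list; the sender addresses, the lookalike domain `iaea-dg.example` and the three sample messages are constructed for illustration, and the mapping of the keyword "iaea" to `iaea.org` is an assumption about where genuine IAEA mail originates.

```python
"""Triage unsolicited meeting requests for the TA499-style lures described in
the article. Added example; not Proofpoint's code. All sample messages,
addresses and the lookalike domain below are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Consumer webmail providers. A real head of government does not schedule calls
# from one of these, but mail from them passes SPF/DKIM, so the authentication
# result alone will not flag it.
FREE_WEBMAIL = {"ukr.net", "gmail.com", "mail.ru", "yandex.ru", "outlook.com"}

# Brand keyword -> domain that legitimately owns it (assumption for the IAEA).
EXPECTED_DOMAIN = {"iaea": "iaea.org"}

OFFICIAL_TITLES = re.compile(
    r"\b(prime minister|director general|minister|ambassador|embassy)\b", re.I)
URGENCY = re.compile(r"\b(urgent|immediately|asap)\b", re.I)


def domain_of(addr: str) -> str:
    """Return the lowercased domain part of an email address ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_of(domain: str):
    """Return the legitimate domain a sender domain is imitating, or None.
    A subdomain of the legitimate domain is not a lookalike."""
    for keyword, legit in EXPECTED_DOMAIN.items():
        if domain == legit or domain.endswith("." + legit):
            return None
        if keyword in domain:
            return legit
    return None


def triage(raw_message: str) -> list[str]:
    """Return a list of human-readable reasons to treat the request with
    caution. An empty list means none of the lure patterns matched."""
    msg = message_from_string(raw_message)
    display_name, addr = parseaddr(msg.get("From", ""))
    subject = msg.get("Subject", "")
    sender_domain = domain_of(addr)
    reasons = []

    # Pattern 1: official title or role claimed, but the mailbox is consumer webmail.
    if sender_domain in FREE_WEBMAIL and OFFICIAL_TITLES.search(
            f"{display_name} {subject}"):
        reasons.append(f"official title with free webmail sender ({sender_domain})")

    # Pattern 2: sender domain imitates an organisation it does not belong to.
    imitated = lookalike_of(sender_domain)
    if imitated:
        reasons.append(f"lookalike of {imitated} ({sender_domain})")

    # Pattern 3: urgency cue in the subject, used to short-circuit verification.
    if URGENCY.search(subject):
        reasons.append("urgency cue in subject")

    # Pattern 4: replies routed to a different domain than the one displayed.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != sender_domain:
        reasons.append(f"Reply-To domain differs ({domain_of(reply_to)})")
    return reasons


# Constructed samples mirroring the two lure styles, plus a benign control.
SAMPLE_SHMYHAL = (
    'From: "Denys Shmyhal" <denys.shmyhal.office@ukr.net>\n'
    "Subject: Request for a video call with the Prime Minister of Ukraine\n"
    "To: ceo@corp.example\n\n"
    "Dear Sir, the Prime Minister requests a short video conversation.\n"
)
SAMPLE_IAEA = (
    'From: "Rafael Grossi" <dg@iaea-dg.example>\n'
    "Subject: URGENT: IAEA Director General\n"
    "To: minister@gov.example\n\n"
    "The Director General requests a call regarding Zaporizhzhia.\n"
)
SAMPLE_BENIGN = (
    'From: "Alice Colleague" <alice@partner.example>\n'
    "Subject: Follow-up on Thursday's meeting\n"
    "To: ceo@corp.example\n\n"
    "Slides attached as promised.\n"
)

if __name__ == "__main__":
    for label, raw in [("shmyhal", SAMPLE_SHMYHAL), ("iaea", SAMPLE_IAEA),
                       ("benign", SAMPLE_BENIGN)]:
        print(label, triage(raw) or "no lure patterns matched")
```

The checks are deliberately coarse: the point is to surface the two cues Proofpoint describes (a senior official writing from a consumer mailbox, and an organisation name inside a domain that organisation does not own) so a human verifies the request out of band before any call is booked.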
As the war sparked by Russia's illegal invasion of Ukraine moves into its second year, Proofpoint cautions C-suite execs and politicians to be on alert for high-profile "Ukrainian" sources who reach out "suddenly via email" with no prior introduction. The security shop's research includes a list of indicators of compromise, and it suggests potential targets "proceed with caution" and verify any such request through a channel they already trust before agreeing to a call.
"With the war between Russia and Ukraine unlikely to end in the near-term and Ukraine continuing to garner support from organizations worldwide," Cass wrote, "Proofpoint assesses with high confidence that TA499 will attempt to continue with its campaigns in support of its influencer content and political agenda." ®