Full Report
A Moscow-based company sanctioned by the U.S. earlier this year has been linked to yet another influence operation, active since at least December 2023, designed to turn public opinion against Ukraine and erode Western support. The covert campaign, undertaken by the Social Design Agency (SDA), leverages videos enhanced using artificial intelligence (AI) and bogus websites impersonating reputable news sources.
Analysis Summary
# Threat Actor: Social Design Agency (SDA)
## Attribution & Identity
**Attribution:** Moscow-based company sanctioned by the U.S. earlier this year (March).
**Aliases/Associated Groups:** Linked to the influence operation **Doppelganger** and shares infrastructure with **Operation Overload** (aka Matryoshka and Storm-1679).
## Activity Summary
The actor is running **Operation Undercut** (since at least December 2023), a covert influence operation designed to erode Western support for Ukraine and shape public opinion against it. The campaign attempts to discredit Ukrainian leadership, question the effectiveness of Western aid, and deepen socio-political tensions. It also seeks to influence narratives surrounding the 2024 U.S. elections and the Israel-Gaza conflict.
## Tactics, Techniques & Procedures
- Leverages videos enhanced using artificial intelligence (AI) and bogus websites impersonating reputable news sources.
- Abuses trust placed in media brands by mimicking media sources with AI-powered videos and images for added credibility.
- Utilizes social media amplification campaigns (using no fewer than 500 accounts across platforms such as 9gag and "America's best pics and videos").
- Promotes content from **CopyCop** (aka Storm-1516).
- Uses targeted hashtags in relevant languages to increase content reach.
- [No specific MITRE ATT&CK IDs were provided in the text.]
## Targeting
- **Sectors:** Not explicitly specified in terms of corporate sectors, but focused on swaying public opinion and political narratives.
- **Geography:** Audiences across Ukraine, Europe, and the U.S.
- **Victims:** General public/audiences in these regions, aiming to influence political outcomes and aid decisions.
## Tools & Infrastructure
- **Malware families used:** Not explicitly mentioned; the focus is on influence/disinformation tooling rather than malware.
- **Infrastructure (C2, domains, IPs):** Bogus websites impersonating reputable news sources; use of over 500 social media accounts for amplification.
## Implications
SDA’s Operation Undercut represents a multifaceted, Russia-aligned strategy aimed at destabilizing Western alliances by amplifying anti-Ukraine sentiment. If successful, these operations could lead to a reduction in Western military and financial aid provided to Ukraine, aligning with broader Russian strategic goals.
## Mitigations
- Increased vigilance against content featuring AI-generated videos and impersonated news sources.
- Monitoring social media platforms for coordinated amplification campaigns utilizing trending hashtags in targeted regions.
- Public awareness campaigns regarding disinformation tactics targeting support for Ukraine and upcoming elections.
***
# Threat Actor: APT28 (GruesomeLarch)
## Attribution & Identity
**Attribution:** Russia-linked Advanced Persistent Threat (APT) group designated as **APT28**.
**Aliases/Associated Groups:** GruesomeLarch.
## Activity Summary
In early February 2022, APT28 executed a sophisticated espionage operation against an unnamed U.S. company. The goal was to collect data from individuals involved in projects related to Ukraine, occurring just prior to the Russian invasion.
## Tactics, Techniques & Procedures
- **Nearest Neighbor Attack:** Compromised an adjacent organization located within the target organization's Wi-Fi range.
- **Lateral Movement:** Used the compromised adjacent organization as a conduit to move laterally and connect to the intended target's enterprise Wi-Fi network.
- **Credential Harvesting:** Conducted password-spray attacks against a public-facing service on the adjacent organization's network to obtain wireless credentials.
- **MFA Evasion:** Exploited the lack of Multi-Factor Authentication (MFA) protection on the target company's internal Wi-Fi network, while internet-facing resources required MFA.
- [No specific MITRE ATT&CK IDs were provided in the text.]
## Targeting
- **Sectors:** Undisclosed U.S. company (likely related to defense, policy, or expertise concerning Ukraine).
- **Geography:** U.S.
- **Victims:** A specific unnamed organization whose data related to Ukraine expertise was sought.
## Tools & Infrastructure
- **Malware families used:** Not specified.
- **Infrastructure (C2, domains, IPs):** Utilized physical proximity and the compromised neighboring organization's Wi-Fi network as infrastructure.
## Implications
APT28 demonstrated sophisticated, physical proximity-dependent network intrusion methods ("Nearest Neighbor Attack") to bypass standard internet-facing MFA controls. This highlights a persistent, high-level threat targeting sensitive data sources ahead of major geopolitical events.
## Mitigations
- Ensure all network access points, including enterprise Wi-Fi networks, are protected with Multi-Factor Authentication (MFA).
- Review physical security around network infrastructure to prevent physical proximity exploitation.
- Implement strict monitoring for subsequent lateral movement after any initial network breach, even when accessing supposedly trusted internal networks (like Wi-Fi).
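A detection over constructed authentication logs for the two steps the report describes (a password spray against an internet-facing service, followed by enterprise Wi-Fi logons that never see MFA). This is an added example, not code from the report or its source; the log format, field names, usernames and addresses are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the report): an internet-facing
# VPN portal's auth log interleaved with enterprise Wi-Fi (RADIUS) auths.
LOG_LINES = [
    "2022-02-04T02:10:01Z src=203.0.113.7 svc=vpn user=alice result=FAIL",
    "2022-02-04T02:10:04Z src=203.0.113.7 svc=vpn user=bob result=FAIL",
    "2022-02-04T02:10:07Z src=203.0.113.7 svc=vpn user=carol result=FAIL",
    "2022-02-04T02:10:10Z src=203.0.113.7 svc=vpn user=dave result=FAIL",
    "2022-02-04T02:10:13Z src=203.0.113.7 svc=vpn user=erin result=FAIL",
    "2022-02-04T02:10:16Z src=203.0.113.7 svc=vpn user=frank result=SUCCESS mfa=FAIL",
    "2022-02-04T02:30:00Z src=198.51.100.9 svc=vpn user=alice result=FAIL",
    "2022-02-04T03:05:00Z src=wifi-ap-3 svc=wifi user=frank result=SUCCESS mfa=NONE",
    "2022-02-04T03:06:00Z src=wifi-ap-1 svc=wifi user=grace result=SUCCESS mfa=NONE",
]

def parse(line):
    ts, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def detect_spray(records, window=timedelta(minutes=10), min_users=5):
    """src -> {user: password_guessed} for sources whose rejected logins (bad
    password, or good password stopped by MFA) hit >= min_users accounts in `window`."""
    hits, by_src = {}, defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["svc"] != "wifi" and (r["result"] == "FAIL" or r.get("mfa") == "FAIL"):
            by_src[r["src"]].append(r)
    for src, evs in by_src.items():
        for i, cur in enumerate(evs):
            recent = [e for e in evs[:i + 1] if cur["ts"] - e["ts"] <= window]
            if len({e["user"] for e in recent}) >= min_users:
                hits.setdefault(src, {}).update(
                    {e["user"]: e["result"] == "SUCCESS" for e in recent})
    return hits

def wifi_without_mfa(records, sprayed):
    """Wi-Fi logons with no MFA by accounts whose password a spray source
    already guessed: the gap the Nearest Neighbor Attack relies on."""
    guessed = {u for users in sprayed.values() for u, ok in users.items() if ok}
    return [(r["user"], r["src"]) for r in records
            if r["svc"] == "wifi" and r["result"] == "SUCCESS"
            and r.get("mfa") == "NONE" and r["user"] in guessed]

def run(lines=LOG_LINES):
    records = [parse(l) for l in lines]
    sprayed = detect_spray(records)
    return sprayed, wifi_without_mfa(records, sprayed)
```

Correlating the two signals matters more than either alone: a spray that MFA stopped on the VPN looks like a contained event until the same account authenticates to Wi-Fi with no second factor.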