{
	"id": "d4c7e093-f8aa-4fb5-8cd1-b5767da2f916",
	"created_at": "2026-04-06T01:31:03.619526Z",
	"updated_at": "2026-04-10T13:12:31.408982Z",
	"deleted_at": null,
	"sha1_hash": "dd52226ac4e990ac209a53d95f615e8e5670fd58",
	"title": "The IO Offensive: Information Operations Surrounding the Russian Invasion of Ukraine | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1851347,
	"plain_text": "The IO Offensive: Information Operations Surrounding the\r\nRussian Invasion of Ukraine | Mandiant\r\nBy Mandiant\r\nPublished: 2022-05-19 · Archived: 2026-04-06 01:11:50 UTC\r\nWritten by: Alden Wahlstrom, Alice Revelli, Sam Riddell, David Mainor, Ryan Serabian\r\nThe recent phase of Russian aggression toward Ukraine, manifested by Russia’s full-scale invasion, has flooded\r\nthe information environment with disinformation promoted by a full spectrum of actors. Concerted information\r\noperations have proliferated, ranging from cyber-enabled information operations, including those that coincided\r\nwith disruptive and destructive cyber threat activity, to campaigns leveraging coordinated and inauthentic\r\nnetworks of accounts to promote fabricated content and desired narratives across various social media platforms,\r\nwebsites, and forums.\r\nWhile the full extent of this activity has yet to be seen, more than two months after the start of the invasion,\r\nMandiant has identified activity that we attributed to information operations campaigns conducted by actors we\r\njudge to be operating in support of the political interests of nation-states such as Russia, Belarus, China, and Iran,\r\nincluding ongoing campaigns that we have tracked for years. This report examines a slice of this activity,\r\nhighlighting significant information operations Mandiant has observed in our work responding to the invasion and\r\npresenting our early analysis of those events.\r\nInformation Operations Aligned with Russian Interests Concurrent with Disruptive and\r\nDestructive Cyber Threat Activity\r\nMandiant identified information operations aligned with Russian political interests that occurred concurrently with\r\ndisruptive and destructive, likely Russian sponsored cyber threat activity in the weeks immediately preceding and\r\nfollowing the start of the invasion, including incidents involving the deployment of wiper malware disguised as\r\nransomware (Table 1). 
Cyber-enabled information operations by nature require access to diverse skillsets to\r\nsupport different operational components, which varies based on the complexity of the operation. While we cannot\r\nlink these operations to the concurrent disruptive and destructive activity, this limited pattern of overlap may\r\nsuggest that some of the actors behind information operations observed in this conflict are linked to groups with\r\nextensive capabilities.\r\nDate | Information Operation | Concurrent Disruptive and Destructive Activity\r\nhttps://www.mandiant.com/resources/information-operations-surrounding-ukraine\r\nPage 1 of 12\n\nJan. 14, 2022 | Multiple Ukrainian government websites, including that of the Ministry of Foreign Affairs, were defaced with a message in Russian, Ukrainian, and Polish claiming that data had been deleted from government servers and would be released. | The defacements likely coincided with the January deployment of destructive tools PAYWIPE, an MBR wiper disguised as ransomware, and the SHADYLOOK file corrupter against Ukrainian government and other targets.\r\nFeb. 23, 2022 | Dozens of Ukrainian government websites were defaced with the same image displayed in the Jan. 
14 incident. | This incident coincided with destructive attacks against Ukrainian government targets using the NEARMISS master boot record (MBR) wiper and PARTYTICKET wiper disguised as ransomware.\r\nMarch 16, 2022 | An information operation targeting Ukraine promoted a fabricated message alleging Ukraine's surrender to Russia via the suspected compromise and defacement of the Ukraine 24 website and news ticker in a Ukraine 24 TV broadcast with a written message, as well as via an artificial intelligence (AI)-generated \"deepfake\" video impersonating Ukrainian President Zelenskyy delivering that same text. | On the same day, Mandiant identified the JUNKMAIL wiper targeting a Ukrainian organization. The malware was configured via a scheduled task to execute approximately three hours before Zelenskyy was scheduled to deliver a speech to the U.S. Congress.\r\nTable 1: Significant information operations that occurred concurrent with other disruptive or destructive cyber\r\nthreat activity\r\nRussian and Belarusian Information Operations Include Cyber-Enabled Operations, Use of\r\nEstablished Assets\r\nRussian and Belarusian information operations actors and campaigns, including those that have historically been\r\nlinked to cyber threat activity such as hack-and-leak operations, have engaged in activity surrounding the invasion\r\nthat is consistent with their previously established motives. Their use of developed campaign infrastructure,\r\nincluding in some instances the refocusing of established assets, demonstrates how years-long efforts of Russian,\r\npro-Russian, and Belarusian information operations targeting Ukraine and the broader region have been leveraged\r\nto address emerging security interests. 
In addition to known campaigns, we have also identified information\r\noperations activity promoting pro-Russian content on the invasion that we have not attributed to a previously\r\nobserved campaign or actor.\r\nFigure 1: Vectors leveraged by identified Russia-aligned actors and campaigns in observed information operations\r\nsurrounding the Russian invasion of Ukraine. \"Russia-aligned\" refers to Russian, Belarusian, and pro-Russia\r\nactivity; this graphic does not reflect activity pre-dating this conflict\r\nAPT28: Telegram channels that the Security Service of Ukraine (SBU) has attributed as information operations\r\nassets of the 85th Main Special Service Center of the Russian General Staff’s Main Intelligence Directorate\r\n(GRU), the same organization to which the U.S. and UK governments attributed APT28 activity, have continued\r\nto post content pertaining to the current conflict. These channels were active prior to the invasion, and while we\r\nwere unable to independently confirm the SBU’s attribution, we note that the channels’ activity includes\r\npromoting content that appears intended to weaken Ukrainians’ confidence in their government and its response to\r\nthe invasion. The content also appears intended to undermine support for Ukraine from its Western partners,\r\ninterspersed with more seemingly benign posts relaying apolitical content or news reporting.\r\nAPT28 has an extensive history of involvement in information operations, ranging from hack-and-leak\r\noperations to disruptive activity. Prominent operations involving APT28 have included compromises of the\r\nU.S. Democratic National Committee (DNC) and U.S. 
Democratic Congressional Campaign Committee\r\n(DCCC) in 2016, documents from which were subsequently leaked by the false hacktivist persona Guccifer\r\n2.0, and the 2014 compromise, defacement, data leak, and data destruction of the Ukrainian Central\r\nElection Commission’s network and website.\r\nGhostwriter: A suspected Ghostwriter operation in April leveraged a suspected compromised website and\r\nmultiple suspected compromised or otherwise actor-controlled social media accounts to publish fabricated content\r\nto promote a narrative that appeared intended to foment distrust between Ukrainians and the Polish government.\r\nInauthentic personas we attributed to the Ghostwriter campaign have also continued to publish and promote\r\nopinion articles criticizing NATO and its presence in the Baltic States, with increased references to Ukraine in that\r\ncontext. We have assessed with moderate confidence that Belarus is likely at least partially responsible for the\r\nGhostwriter campaign.\r\nIn the weeks leading up to the invasion and subsequent weeks thereafter, we observed multiple campaigns\r\nconducted by Belarusian espionage group UNC1151 targeting European countries, including a recent\r\nspear-phishing campaign targeting Lithuania. Observed targeting associated with UNC1151 threat activity\r\nis notable, given the group’s technical support to information operations attributed to Ghostwriter.\r\nNiezależny Dziennik Polityczny (NDP): Immediately following Russia’s invasion of Ukraine, we observed\r\nassets associated with NDP, an information operations campaign centered around an online journal of the same\r\nname, shift toward an aggressive defense of Russian strategic interests. During this period, we observed the\r\ncampaign’s concerted promotion of narratives seeded by both overt and covert sources within Russia’s\r\npropaganda and disinformation ecosystem. 
We do not attribute the NDP campaign to a specific actor. However,\r\nwe have observed overlaps between NDP and the Ghostwriter campaign that may suggest some degree of\r\ncoordination or advanced shared knowledge of operational planning between the two campaigns.\r\nSecondary Infektion: Both prior to and during the invasion, the ongoing suspected Russian influence campaign\r\nreferred to as “Secondary Infektion” has continued its operations, targeting audiences with fabricated narratives\r\nthat are often supported by falsified source materials, such as forged documents, correspondence, pamphlets, and\r\nscreenshots, as well as counterfeit petitions and interviews. All specific Secondary Infektion activity referenced in\r\nthis blog are operations that we are sharing our attribution of publicly for the first time.\r\nInternet Research Agency (IRA): Reporting from the Russian newspaper Fontanka.ru suggested the existence of\r\ncovert influence operations related to the Telegram channel “Cyber Front Z.” The channel is overtly dedicated to\r\norganizing the coordinated promotion of pro-Russia content pertaining to the invasion to audiences in Russia,\r\nUkraine, and the West on social media (Figure 2). The Fontanka.ru report claimed that Cyber Front Z may be run\r\nby individuals linked to entities sanctioned by the U.S. as related to the IRA, and that the paid positions promoted\r\nby this Telegram channel are part of a “troll factory” that uses inauthentic personas to promote pro-Russia content\r\non multiple platforms. We are unable to independently confirm these claims, but note that such activity is aligned\r\nwith what we have previously observed from known IRA assets.\r\nFigure 2: Example of content posted to the Cyber Front Z Telegram channel, which it encourages its followers to\r\npost on the social media accounts of specified targets. 
Provided content often includes crude or offensive imagery;\r\nfeatured here is a meme of Ukrainian forces trapped at the Azovstal steel plant in Mariupol while a cartoon\r\nRussian soldier calls in an airstrike\r\nRussian Intelligence-Linked Covert Media Outlets: We observed outlets that self-present as independent\r\nentities, but have been publicly reported to be linked to Russian intelligence entities, engaged in the publication\r\nand amplification of pro-Russia narratives related to the invasion. These include outlets with reported links to the\r\nForeign Intelligence Service of the Russian Federation (SVR), Federal Security Service of the Russian Federation\r\n(FSB), and Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).\r\nRussia-Aligned “Hacktivist” Groups: Established hacktivist personas JokerDNR and Beregini have remained\r\nactive in their targeting of Ukraine in the leadup to and since Russia’s invasion, including through their\r\npublication of allegedly leaked documents featuring possible personally identifiable information (PII) of\r\nUkrainian military members. Additionally, newly established “hacktivist” groups, whose degrees of affiliation to\r\nthe Russian state are yet unknown, like Killnet, Xaknet, and RahDit, have engaged in hacktivist-style threat\r\nactivity in support of Russia, including distributed denial-of-service (DDoS) attacks, hack-and-leak operations,\r\nand defacements.\r\nObserved Pro-Russia Narratives Seek to Demoralize Ukrainians, Sow Division Between Ukraine\r\nand Western Allies, Bolster Public Perception of Russia\r\nDisinformation narratives promoted through concerted information operations have made an array of claims\r\nattempting to shape perceptions of the invasion and the larger geopolitical context surrounding it. 
Many of the\r\nnarratives we have observed promoted appear intended to serve at least one of these three functions: demoralizing\r\nUkrainians and fomenting internal unrest; dividing Ukraine from its allies; and bolstering perceptions of Russia\r\n(Figure 3). Much of this activity has targeted audiences in Ukraine and Europe. However, we have also identified\r\ninformation operations assets promoting messaging that we judge to be aimed at Russian domestic audiences,\r\nunderscoring Russia’s need to sell the war to its own people.\r\nFigure 3: Observed Russia-aligned narrative themes related to Russia’s invasion of Ukraine\r\nDemoralize the Ukrainian Population\r\nWe have identified multiple narratives that appeared intended to demoralize Ukrainians and incite internal unrest\r\nwithin Ukraine, including false claims of the surrender of the Ukrainian government or military.\r\nAn information operation in March disseminated an artificial intelligence (AI)-generated “deepfake” video\r\nof Zelenskyy stating that Ukraine had surrendered to Russia, and defaced the Ukraine 24 website and news\r\nticker in a Ukraine 24 TV broadcast with an identical message or screenshot from the deepfake video\r\n(Figure 4). Since the start of the war, other Ukrainian websites have also been defaced with messages\r\nalleging Ukraine’s surrender.\r\nA Secondary Infektion operation in March falsely claimed that Zelenskyy had committed suicide in the\r\nmilitary bunker in Kyiv where he had been leading the fight against the invasion, alleging that he had been\r\ncontemplating suicide due to Ukraine’s military failures.\r\nAnother Secondary Infektion operation from April alleged that the Azov “gang” sought vengeance against\r\nZelenskyy for abandoning their fighters to die in Mariupol, and claimed that Azov commanders had\r\nattempted to escape the city by pretending to be civilians. 
(The narrative here specifically refers to\r\nUkraine's Azov Regiment, a special operations detachment within the Ukrainian National Guard, which is\r\nitself part of a broader ultranationalist movement—segments of which have been known to espouse white\r\nnationalist rhetoric; Azov has frequently appeared in pro-Russia narratives seeking to cast the Ukrainian\r\ngovernment, and Ukrainians more broadly, as Nazis.)\r\nTelegram channels attributed by Ukraine to the GRU highlighted alleged corruption and incompetence on\r\nthe part of the Ukrainian government, such as claims that Ukraine was unprepared for the conflict, and that\r\nUkrainian oligarchs had “paid Zelenskyy for the right to leave the country.”\r\nFigure 4: Screenshot from an artificial intelligence (AI)-generated “deepfake” video of Zelenskyy stating that\r\nUkraine would surrender to Russia\r\nDivide Ukraine from Its Allies\r\nA recent Ghostwriter operation, which we are making our attribution of public for the first time, leveraged\r\ncompromised assets to publish fabricated content promoting the narrative that a Polish criminal ring was\r\nharvesting organs from Ukrainian refugees to illegally traffic in the European Union, and that Poland’s\r\nInternal Security Agency was investigating the criminal enterprise, which was said to involve “high-ranking Polish officials.”\r\nOpinion articles published by suspected inauthentic personas associated with NDP promoted narratives\r\nseemingly intended to damage Polish-Ukrainian relations by creating fear, uncertainty, and doubt (FUD)\r\nsurrounding Poland’s acceptance of Ukrainian refugees. 
These narratives included falsehoods that sought\r\nto portray the refugees as overly burdening Poland’s economy and healthcare system and to stoke fears\r\namong Polish citizens that “neo-Nazis”, or other undesirable immigrants, would begin exploiting mass\r\nborder crossings to carry out attacks on Polish soil.\r\nThe Jan. 14 and Feb. 23 defacements of Ukrainian government websites referenced war crimes committed\r\nby the \"Ukrainian Insurgent Army\" (UPA) against ethnic Poles during World War II, a theme previously\r\nobserved in Russian and Belarusian information operations. For example, a November 2021 Ghostwriter\r\noperation featured a fabricated account from a retired Polish general, stating that the alleged presence of\r\nUkrainian volunteers with far-right political leanings in Poland was “an insult” to the victims of the same\r\nwar crimes.\r\nRecent Ukrainian- and Russian-language Secondary Infektion operations claimed that the Ukrainian and\r\nPolish governments sought to enable Polish troops to deploy in western Ukraine, a move they portrayed as\r\nanathema to the Ukrainian people. One operation in early April claimed that Poland attempted to use an\r\nalleged “provocation,” staged by Ukraine, showing Russian troops committing atrocities in Bucha to\r\njustify stationing troops in the country, while an operation in early February involved the dissemination of\r\na map showing specific locations where Polish troops would be located, with the suggestion that those\r\ntroops would occupy large swaths of Ukraine for years (Figure 5).\r\nObserved narratives from Telegram channels Ukraine attributed to the GRU included suggestions that the\r\nWest would soon forget about and abandon Ukraine, due in part to the diversion of its attention to\r\nimpending conflicts elsewhere, such as a potential war launched by the U.S. 
against Iran.\r\nFigure 5: A map disseminated in a suspected Secondary Infektion operation claimed to show specific locations\r\nwhere Polish troops would be stationed in western Ukraine\r\nBolster Perceptions of Russia\r\nMultiple identified narratives have appeared intended to bolster perceptions of Russia through denial and\r\ndeflection, including by refuting Russian war crimes in Ukraine and making counter-allegations against Ukrainian\r\nforces.\r\nCyber Front Z, in its coordinated promotion of pro-Russia commentary, called on social media users to\r\nclaim that Ukrainian “Nazis” forced civilians into a theater in Mariupol, which they then detonated.\r\nWe identified a coordinated and inauthentic network of social media accounts that promoted Russian-language messaging, including assertions that Ukrainian forces had used chemical weapons.\r\nThese accounts also denied the effects of the West’s response to Russia’s invasion of Ukraine, such as\r\nsanctions on Russia, and claimed that such measures had negative consequences for the West.\r\nPro-PRC Information Operations Campaign DRAGONBRIDGE Messaging Includes Echoes of\r\nRussian State-Promoted Narratives\r\nDRAGONBRIDGE, a pro-PRC campaign which comprises a network of thousands of inauthentic accounts across\r\nnumerous social media platforms, websites, and forums that we first reported to customers in 2019, has shifted its\r\nmessaging in response to the Ukraine crisis and subsequent invasion. DRAGONBRIDGE content in English and\r\nChinese has included echoing narratives promoted by Russian state media and influence campaigns, such as\r\nalleging the existence of Pentagon-linked laboratories conducting biological weapons research in Ukraine.\r\nNotably, such echoing of narratives is not unusual, and charging the U.S. 
with malfeasance and interference in\r\nother countries is likewise in line with PRC political interests; we have previously observed both pro-PRC and\r\npro-Russia information operations promoting content on the alleged involvement of U.S. biolabs in hazardous\r\nresearch. The campaign’s leveraging of Russia-aligned narratives on Ukraine may constitute a form of political\r\nopportunism in its continued attempts to target the U.S. and the West’s global standing.\r\nOn March 6, Russian Defense Ministry spokesperson Igor Konashenkov claimed that Russia’s military\r\noperation in Ukraine had uncovered evidence of Pentagon-linked laboratories in Ukraine conducting\r\nbioweapons research. DRAGONBRIDGE accounts subsequently amplified this claim, including\r\nallegations that U.S.-funded biolabs existed not only in Ukraine, but also around the world.\r\nDRAGONBRIDGE accounts also insinuated that the alleged biolabs in Ukraine were responsible for\r\n“mysterious outbreaks,” the nature of which went unexplained, and that biolabs elsewhere in the world\r\nwere likewise harming local populations (Figure 6).\r\nFigure 6: Screenshot from DRAGONBRIDGE video insinuating a connection between the presence of a U.S.\r\nbiolab in Ukraine and the occurrence of multiple “mysterious outbreaks”\r\nDRAGONBRIDGE messaging on the invasion also appeared to take aim at U.S. foreign policy and its relations\r\nwith other countries through claims that the U.S. is self-serving in its actions and that it is an unreliable partner in\r\nits alliances. Some accounts alleged that the U.S. sought to fan the flames of the conflict as it stood to benefit the\r\nmost, citing its arms sales to Ukraine, while others cast doubt on the U.S. and Europe’s seeming policy alignment\r\non sanction measures against Russia, suggesting that the U.S. 
had bullied Europe into enacting those sanctions,\r\ndespite deepening energy woes on the continent.\r\nPro-Iran Information Operations Denigrate Western Response to Conflict, Take Aim at Russia-Israel Relationship\r\nSimilarly, Mandiant has observed Iranian and pro-Iran information operations leveraging narratives pertaining to\r\nthe invasion to take aim at the West, Saudi Arabia, and Israel. Involved campaigns have included the Liberty Front\r\nPress (LFP) campaign, as well as activity from a pro-Iran campaign we have not previously named that we are\r\ndubbing “Roaming Mayfly”, due to its potential links to the Iran-aligned Endless Mayfly influence campaign that\r\nCitizen Lab reported on in 2019.\r\nMessaging directed at Arabic-language audiences asserted that the U.S. fled from Afghanistan in 2021, and\r\nhad now abandoned Ukraine, which deserved its fate due to its alliance with the “American axis of evil.”\r\nSimilarly, English-language content averred that NATO had sacrificed Ukraine to avoid engaging in a war\r\nwith Russia.\r\nPro-Iran information operations assets also declared that Ukraine should not have surrendered its nuclear\r\nweapons, implying that such a concession had left it vulnerable to the subsequent invasion.\r\nPro-Iran information operations have also leveraged the conflict to accuse the West of hypocrisy in its\r\ndealings with Saudi Arabia compared to Russia, by juxtaposing the war in Ukraine against the war in\r\nYemen. Tangentially, assets leveled accusations of racism on the part of the West against Arabs and\r\nMuslims, noting alleged differences in its response to the conflict in Ukraine in comparison to conflicts in\r\nthe Middle East.\r\nWe also observed Roaming Mayfly target Russian audiences on the eve of the war in what appeared to be an\r\nattempt to use the crisis in order to drive tensions between Russia and Israel. 
Namely, the campaign leveraged a\r\n(now-suspended) impersonator of the Russian journalist and foreign policy thinker, Fyodor Lukyanov, to publish\r\ntweets suggesting that Israeli intelligence was supporting Ukraine against Russia in the current crisis, and that\r\nIsrael had supported the “Ukrainian color [revolutions]” of 2000, 2004, and 2014 (Figure 7).\r\nFigure 7: Tweets by suspected Fyodor Lukyanov impersonator suggesting that Israeli intelligence was supporting\r\nUkraine against Russia in the current crisis and that Israel had supported the “Ukrainian color [revolutions]” of\r\n2000, 2004, and 2014\r\nOutlook\r\nInformation operations observed in the context of Russia’s invasion of Ukraine have exhibited both tactical aims\r\nresponding to, or seeking to shape, events on the ground and strategic objectives attempting to influence the\r\nshifting geopolitical landscape. While these operations have presented an outsized threat to Ukraine, they have\r\nalso threatened the U.S. and other Western countries. As a result, we anticipate that such operations, including\r\nthose involving cyber threat activity and potentially other disruptive and destructive attacks, will continue as the\r\nconflict progresses.\r\nOne notable feature of operations attributed to known actors thus far is their apparent consistency with the\r\nrespective campaign’s established motives. Russia-aligned operations, including those attributed to Russian,\r\nBelarusian, and pro-Russia actors, have thus far employed the widest array of tactics, techniques, and procedures\r\n(TTPs) to support tactical and strategic objectives, directly linked to the conflict itself. This is especially beneficial\r\nwhen the facts on the ground shape Russia’s need to influence events in Ukraine, marshal domestic Russian\r\nsupport, and manage global perceptions of Russia’s actions. 
Meanwhile, pro-PRC and pro-Iran campaigns have\r\nleveraged the Russian invasion opportunistically to further progress long-held strategic objectives. We likewise\r\nexpect this dynamic to continue, and are actively monitoring for expansions in their scope of information\r\noperations activity surrounding the conflict.\r\nSource: https://www.mandiant.com/resources/information-operations-surrounding-ukraine",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.mandiant.com/resources/information-operations-surrounding-ukraine"
	],
	"report_names": [
		"information-operations-surrounding-ukraine"
	],
	"threat_actors": [
		{
			"id": "f29188d8-2750-4099-9199-09a516c58314",
			"created_at": "2025-08-07T02:03:25.068489Z",
			"updated_at": "2026-04-10T02:00:03.827361Z",
			"deleted_at": null,
			"main_name": "MOONSCAPE",
			"aliases": [
				"TA445 ",
				"UAC-0051 ",
				"UNC1151 "
			],
			"source_name": "Secureworks:MOONSCAPE",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "0bce7575-ba34-4742-afb7-a4d3ade12dbe",
			"created_at": "2023-11-14T02:00:07.091122Z",
			"updated_at": "2026-04-10T02:00:03.448867Z",
			"deleted_at": null,
			"main_name": "XakNet",
			"aliases": [
				"UAC-0100",
				"UAC-0106"
			],
			"source_name": "MISPGALAXY:XakNet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "119c8bea-816e-4799-942b-ff375026671e",
			"created_at": "2022-10-25T16:07:23.957309Z",
			"updated_at": "2026-04-10T02:00:04.807212Z",
			"deleted_at": null,
			"main_name": "Operation Ghostwriter",
			"aliases": [
				"DEV-0257",
				"Operation Asylum Ambuscade",
				"PUSHCHA",
				"Storm-0257",
				"TA445",
				"UAC-0051",
				"UAC-0057",
				"UNC1151",
				"White Lynx"
			],
			"source_name": "ETDA:Operation Ghostwriter",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"HALFSHELL",
				"Impacket",
				"RADIOSTAR",
				"VIDEOKILLER",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b4a6d558-3cba-499c-b58a-f15d65b7a604",
			"created_at": "2023-01-06T13:46:39.346924Z",
			"updated_at": "2026-04-10T02:00:03.295317Z",
			"deleted_at": null,
			"main_name": "Killnet",
			"aliases": [],
			"source_name": "MISPGALAXY:Killnet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8a33d3ac-14ba-441c-92c1-39975e9e1a73",
			"created_at": "2023-01-06T13:46:39.195689Z",
			"updated_at": "2026-04-10T02:00:03.243054Z",
			"deleted_at": null,
			"main_name": "Ghostwriter",
			"aliases": [
				"UAC-0057",
				"UNC1151",
				"TA445",
				"PUSHCHA",
				"Storm-0257",
				"DEV-0257"
			],
			"source_name": "MISPGALAXY:Ghostwriter",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a90ae795-3c01-4419-8365-07b68df72661",
			"created_at": "2024-07-02T02:00:04.158227Z",
			"updated_at": "2026-04-10T02:00:03.668289Z",
			"deleted_at": null,
			"main_name": "Dragonbridge",
			"aliases": [
				"Spamouflage Dragon"
			],
			"source_name": "MISPGALAXY:Dragonbridge",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9a11c31f-ebed-4b8d-9a5a-b3c842bfe293",
			"created_at": "2024-09-20T02:00:04.58523Z",
			"updated_at": "2026-04-10T02:00:03.700883Z",
			"deleted_at": null,
			"main_name": "RaHDit",
			"aliases": [
				"Russian Angry Hackers Did It"
			],
			"source_name": "MISPGALAXY:RaHDit",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439063,
	"ts_updated_at": 1775826751,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dd52226ac4e990ac209a53d95f615e8e5670fd58.pdf",
		"text": "https://archive.orkl.eu/dd52226ac4e990ac209a53d95f615e8e5670fd58.txt",
		"img": "https://archive.orkl.eu/dd52226ac4e990ac209a53d95f615e8e5670fd58.jpg"
	}
}