{
	"id": "d635755f-7bad-4e0d-a5bc-b02bd9d2ba6f",
	"created_at": "2026-04-06T00:11:05.587111Z",
	"updated_at": "2026-04-10T03:37:50.804039Z",
	"deleted_at": null,
	"sha1_hash": "e455dcc71879e2a56c92242f5850ab6d9878d350",
	"title": "Russian influence and cyber operations adapt for long haul and exploit war fatigue - Microsoft On the Issues",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 293276,
	"plain_text": "Russian influence and cyber operations adapt for long haul and\r\nexploit war fatigue - Microsoft On the Issues\r\nBy Clint Watts\r\nPublished: 2023-12-07 · Archived: 2026-04-05 14:04:02 UTC\r\nSince July 2023, Russia-aligned influence actors have tricked celebrities into providing video messages that were\r\nthen used in pro-Russian propaganda. These videos were then manipulated to falsely paint Ukrainian President\r\nVolodymyr Zelensky as a drug addict. This is one of the insights in the latest biannual report on Russian digital\r\nthreats from the Microsoft Threat Analysis Center: “Russian Threat Actors Dig In, Prepare to Seize on War\r\nFatigue”\r\nAs described in more detail in the report, this campaign aligns with the Russian government’s broader strategic\r\nefforts during the period from March to October 2023, across cyber and influence operations (IO), to stall\r\nUkrainian military advances and diminish support for Kyiv.\r\nVideo messages from American celebrities are used in Russian propaganda\r\nUnwitting American actors and others appear to have been asked, likely via video message platforms such as\r\nCameo, to send a message to someone called “Vladimir”, pleading with him to seek help for substance abuse. The\r\nvideos were then modified to include emojis, links and sometimes the logos of media outlets and circulated\r\nthrough social media channels to advance longstanding false Russian claims that the Ukrainian leader struggles\r\nwith substance abuse. 
The Microsoft Threat Analysis Center has observed seven such videos since late July 2023,\r\nfeaturing personalities such as Priscilla Presley, musician Shavo Odadjian and actors Elijah Wood, Dean Norris,\r\nKate Flannery, and John McGinley.\r\nSamples of the videos promoting pro-Russian propaganda aiming to malign Ukrainian President Volodymyr\r\nZelensky that feature different celebrities\r\nhttps://blogs.microsoft.com/on-the-issues/2023/12/07/russia-ukraine-digital-threat-celebrity-cameo-mtac/\r\nPage 1 of 5\n\nPrigozhin’s death has not slowed Russia’s influence operations\r\nThe August 2023 death of Russian businessman Yevgeny Prigozhin, who owned the Wagner Group and the\r\ninfamous Internet Research Agency troll farm, led many to question the future of Russia’s influence and\r\npropaganda capabilities. However, since then, Microsoft has observed widespread influence operations by Russian\r\nactors that are not linked to Prigozhin, indicating that Russia has the capacity to continue prolific and\r\nsophisticated malign influence operations without him.\r\nRussia’s seasonal focus switched to degrade Ukrainian agriculture\r\nJust as the past winter saw Russia focus on creating an energy crisis and attacking Ukraine’s energy sector, so this\r\nsummer saw a convergence of Russian kinetic, cyber, and propaganda attacks on Ukraine’s agriculture sector.\r\nDuring the warmer growing and harvest months, Russia penetrated agribusinesses, stole data, deployed malware,\r\nand used military strikes to destroy grain that reportedly could have fed one million people for a year.[1]\r\nMicrosoft’s report shows a strong alignment among Russia’s military, propaganda, and cyberattack efforts. 
For\r\nexample, in a four-day period in late July 2023, following Moscow’s withdrawal from the Black Sea Grain\r\nInitiative, Russia:\r\nAttacked agricultural facilities in Odessa with 10 cruise missiles\r\nLaunched a cyberattack on a Ukrainian agricultural equipment organization\r\nDisseminated false narratives in pro-Russian media outlets claiming, in one example, that Ukraine, the\r\nU.S., and NATO were abusing the grain corridor for terrorist purposes not humanitarian aid\r\nIt remains to be seen if this winter will see Russia revert to its seasonal focus on the Ukrainian energy sector.\r\nHowever, in September 2023, the Government Computer Emergency Response Team of Ukraine (CERT-UA)\r\nannounced that Ukrainian energy networks were under sustained threat and Microsoft Threat Intelligence has\r\nobserved artifacts of Russian Military Intelligence (GRU) threat activity on Ukrainian energy sector networks\r\nfrom August through October 2023.\r\nRussian cyberespionage prioritized war crimes investigations, governmental bodies, and think tanks\r\nRussian authorities have not only been accused of war crimes, but have directed cyber resources to target the\r\ncriminal investigators and prosecutors building cases against them. There is mounting tension between Moscow\r\nand organizations like the International Criminal Court (ICC), which issued an arrest warrant for Russian\r\nPresident Vladimir Putin on war crimes charges in March 2023. 
Actors linked to Russian military and foreign\r\nintelligence breached Ukrainian legal and investigative networks and a law firm working on war crimes\r\ninvestigations as part of a wider effort that targeted global diplomatic, defense, public policy, and IT organizations.\r\nOne of those threat actors, aligned to the Russian Foreign Intelligence Service (SVR) and that we call Midnight\r\nBlizzard, has pursued access to more than 240 organizations since March 2023, predominantly in the U.S., Canada\r\nand European countries. Nearly 40% of the targeted organizations were governments, inter-governmental\r\norganizations, or policy-focused think tanks.\r\nRussia shifted anti-Ukraine messaging to U.S., Israel\r\nSophisticated Russia-affiliated influence actor Storm-1099 (best known for a mass-scale website forgery operation\r\ndubbed “Doppelganger” by research group EU DisinfoLab) has been targeting international supporters of Ukraine\r\nsince Spring 2022. The group creates unique, branded outlets such as the Reliable News Network (RNN) and\r\nstokes on-the-ground demonstrations, bridging the digital and physical worlds through amplification of these\r\nevents. Despite efforts by technology companies and research entities to report on and mitigate its reach, Storm-1099 remains fully active. It has historically targeted Western European countries, especially Germany, but has\r\nnow shifted focus to Israel and the U.S., reflecting an increased prioritization of content on the Israel-Hamas war,\r\nU.S. political themes, and the 2024 U.S. presidential election. Storm-1099 assets pushed the false claim that\r\nHamas acquired Ukrainian weapons on the black market for its October 7 attack on Israel. 
Elsewhere, Russian-affiliated media pushed the false narrative that foreign recruits, including Americans, were transferred from\r\nUkraine to join IDF forces in Gaza.\r\nIn late October 2023, French authorities suspected four Moldovan nationals of painting graffiti of the Star of\r\nDavid in public spaces in Paris, images of which were then amplified by Storm-1099 assets. Two of the\r\nMoldovans reportedly claimed that they were directed by a Russian-speaking individual, suggesting possible\r\nRussian responsibility for the incident, which strongly aligns with Russia’s Active Measures playbook. Russia\r\nlikely assesses that the ongoing Israel-Hamas conflict is to its geopolitical advantage, as it believes the conflict\r\ndistracts the West from the war in Ukraine.\r\nUkrainian military infrastructure and defense partners remain key targets\r\nSince Russian forces launched their spring 2023 offensive in Ukraine, Russian intelligence-affiliated cyber actors\r\nhave concentrated their efforts on intelligence collection from Ukrainian communications and military\r\ninfrastructure in combat zones, and from Ukraine’s partners. One actor, that we call Forest Blizzard, attempted to\r\ngain initial access to defense organizations via phishing messages that incorporated novel and evasive techniques.\r\nFor example, in August, Forest Blizzard sent a phishing email to accountholders at a European defense\r\norganization.\r\nScreenshot of a sample PDF lure associated with Forest Blizzard phish of defense organizations. Actor\r\nmasquerades as European Parliament staff.\r\nLooking forward\r\nUkraine’s military chief has suggested the war with Russia is moving to a new stage of static trench warfare,\r\nprotracting the conflict further. 
Russian cyber and influence operators will aim to demoralize the Ukrainian\r\npopulation and degrade Kyiv’s external sources of military and financial assistance, along with possible winter\r\nattacks on Ukraine’s energy sector.\r\nElsewhere, the 2024 U.S. presidential election and other major political contests give malign influence actors an\r\nopportunity to degrade support for Ukraine-supporting political candidates. To date, Russian threat actors and\r\npropagandists have not demonstrated sophisticated capabilities leveraging or integrating artificial intelligence (AI)\r\ntools into influence operations. However, Microsoft continues to monitor this area closely.\r\nMicrosoft is working across multiple fronts to protect our customers in Ukraine and worldwide from these\r\nmultifaceted threats. With our Secure Future Initiative, we are integrating advances in AI-driven cyberdefense and\r\nsecure software engineering, with efforts to fortify international norms to protect civilians from cyber threats. In\r\nthe elections space, we are deploying resources across a core set of principles to safeguard voters, candidates,\r\ncampaigns, and election authorities worldwide, as more than two billion people prepare to engage in the\r\ndemocratic process over the coming year.\r\n[1] https://www.gov.uk/government/news/new-intelligence-shows-russias-targeting-of-a-cargo-ship\r\nTags: cyberattacks, cybersecurity, cyberwar, digital threats, Microsoft Threat Analysis Center, MTAC, Russia,\r\nthreat, Ukraine\r\nSource: https://blogs.microsoft.com/on-the-issues/2023/12/07/russia-ukraine-digital-threat-celebrity-cameo-mtac/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://blogs.microsoft.com/on-the-issues/2023/12/07/russia-ukraine-digital-threat-celebrity-cameo-mtac/"
	],
	"report_names": [
		"russia-ukraine-digital-threat-celebrity-cameo-mtac"
	],
	"threat_actors": [
		{
			"id": "cb28ca1d-a3c8-4edf-9c2e-015ac6539708",
			"created_at": "2024-02-02T02:00:04.070404Z",
			"updated_at": "2026-04-10T02:00:03.549765Z",
			"deleted_at": null,
			"main_name": "Storm-1099",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm-1099",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434265,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e455dcc71879e2a56c92242f5850ab6d9878d350.pdf",
		"text": "https://archive.orkl.eu/e455dcc71879e2a56c92242f5850ab6d9878d350.txt",
		"img": "https://archive.orkl.eu/e455dcc71879e2a56c92242f5850ab6d9878d350.jpg"
	}
}