


Pro-Russian Hackers Spread Hoaxes to Divide Ukraine, Allies

As Ukrainians flooded into Poland earlier this year to flee Russian invaders, a hacking group aligned with the Kremlin sought to spread rumors that criminal gangs were waiting to harvest the organs of child refugees.

The network, known to cybersecurity experts as Ghostwriter, seemingly aimed to sow distrust between Ukraine and Poland. It’s one of several tactics detailed in a new report that outlines how Russia has used disinformation, fear and propaganda alongside bullets, tanks and soldiers in an effort to demoralize Ukraine and divide its allies.

The unfounded claim made its way into Russian-state media and online platforms popular with far-right groups in the U.S., where posts spreading the hoax have been shared many thousands of times on sites like Telegram and Twitter. The disinformation operation exploited legitimate concerns that Ukrainian refugees could be kidnapped by human traffickers, but no evidence of organ harvesting has surfaced.

“Ghostwriter operations will often piggyback on news stories or recent events,” said Alden Wahlstrom, a senior analyst at Mandiant, the cyber security firm that published the report Thursday. “There are certain motives that are consistent: Undercutting trust in NATO. Creating tensions.”

The report detailed several other Russian-aligned disinformation and propaganda campaigns, including bogus online claims that Ukrainian President Vladimir Zelenskyy had committed suicide or fled Ukraine. In some cases, the campaigns relied on Russian state media or fake social media accounts to disseminate the disinformation. Mandiant also identified cases in which groups linked to Russian intelligence disguised their disinformation as independent journalism. Russian diplomats have also emerged as a key vector for disinformation.

In one instance in March, groups linked to Russia spread claims online that Zelenskyy had surrendered on the same day he was preparing to address the U.S. Congress.

“Influence efforts and propaganda are used to shape public opinion, to impact the morale of participants in a conflict,” said Renee DiResta, research manager at the Stanford Internet Observatory and an expert on disinformation and social media. DiResta said Russia relies on this sophisticated network to “wage narrative warfare around the globe.”

Ghostwriter has been linked to Belarus, a key Russian ally. The network was also blamed for attempting to hack into the social media accounts of dozens of Ukrainian officers earlier this year. That operation was revealed by Meta, the parent company of Facebook, which said the hackers were foiled before they could use the officers’ accounts to post videos of surrendering Ukrainian soldiers.

The organ harvesting hoax was further amplified by Russian state media and ultimately seeped into English-language websites and platforms. It can now be found on major platforms including Twitter and Telegram, where Russian forces are portrayed as the saviors of trafficking victims.

“The pro-Russian government… foiled a massive kidnapping plot organized by organ traffickers,” reads one example on Twitter. “US Government is complicit,” reads another post, from a user in Texas.

Mandiant’s report also highlighted pro-Chinese and Iranian disinformation networks that sought to leverage the war in Ukraine for their own ends.

The pro-Chinese network amplified a discredited Russian claim that the U.S. was running secret bioweapon research in Ukraine. That claim is similar to ones spread by Chinese officials who sought to blame the U.S. for the COVID-19 pandemic.

The Iranian network, by contrast, seemingly sought to create tensions between Russians and Israel by spreading claims that Israel had taken Ukraine’s side in the conflict.

In both cases, researchers at Mandiant stopped short of attributing the work to government agencies in either Iran or China, noting the difficulty in proving such linkages. Nonetheless, Wahlstrom said, they are using online disinformation to further Iran and China’s objectives, and using Russia’s invasion to do it.

“They’re parroting official Russian narratives,” Wahlstrom told The AP. “They’ve also given it their own twist.”
