Security Experts:

Connect with us

Hi, what are you looking for?



Pro-Russian Hackers Spread Hoaxes to Divide Ukraine, Allies

As Ukrainians flooded into Poland earlier this year to flee Russian invaders, a hacking group aligned with the Kremlin sought to spread rumors that criminal gangs were waiting to harvest the organs of child refugees.

As Ukrainians flooded into Poland earlier this year to flee Russian invaders, a hacking group aligned with the Kremlin sought to spread rumors that criminal gangs were waiting to harvest the organs of child refugees.

The network, known to cybersecurity experts as Ghostwriter, seemingly aimed to sow distrust between Ukraine and Poland. It’s one of several tactics outlined in a new report that outlines how Russia has used disinformation, fear and propaganda alongside bullets, tanks and soldiers in an effort to demoralize Ukraine and divide its allies.

The unfounded claim made its way into Russian-state media and online platforms popular with far-right groups in the U.S., where posts spreading the hoax have been shared many thousands of times on sites like Telegram and Twitter. The disinformation operation exploited legitimate concerns that Ukrainian refugees could be kidnapped by human traffickers, but no evidence of organ harvesting has surfaced.

“Ghostwriter operations will often piggyback on news stories or recent events,” said Alden Wahlstrom, a senior analyst at Mandiant, the cyber security firm that published the report Thursday. “There are certain motives that are consistent: Undercutting trust in NATO. Creating tensions.”

The report detailed several other Russian-aligned disinformation and propaganda campaigns, including bogus online claims that Ukrainian President Vladimir Zelenskyy had committed suicide or fled Ukraine. In some cases, the campaigns relied on Russian state media or fake social media accounts to disseminate the disinformation. Mandiant also identified cases in which groups linked to Russian intelligence disguised their disinformation as independent journalism. Russian diplomats have also emerged as a key vector for disinformation.

In one instance in March, groups linked to Russia spread claims online that Zelenskyy had surrendered on the same day he was preparing to address the U.S. Congress.

“Influence efforts and propaganda are used to shape public opinion, to impact the morale of participants in a conflict,” said Renee DiResta, research manager at the Stanford Internet Observatory and an expert on disinformation and social media. DiResta said Russia relies on this sophisticated network to “wage narrative warfare around the globe.”

Ghostwriter has been linked to Belarus, a key Russian ally. The network was also blamed for attempting to hack into the social media accounts of dozens of Ukrainian officers earlier this year. That operation was revealed by Meta, the parent company of Facebook, who said the hackers were foiled before they could use the officers’ accounts to post videos of surrendering Ukrainian soldiers.

The organ harvesting hoax was further amplified by Russian state media and ultimately seeped into English-language websites and platforms. It can now be found on major platforms including Twitter and Telegram, where Russian forces are portrayed as the saviors of trafficking victims.

“The pro-Russian government… foiled a massive kidnapping plot organized by organ traffickers,” reads one example on Twitter. “US Government is complicit,” reads another post, from a user in Texas.

Mandiant’s report also highlighted pro-Chinese and Iranian disinformation networks that sought to leverage the war in Ukraine for their own ends.

The pro-Chinese network amplified a discredited Russian claim that the U.S. was running secret bioweapon research in Ukraine. That claim is similar to ones spread by Chinese officials who sought to blame the U.S. for the COVID-19 pandemic.

The Iranian network, by contrast, seemingly sought to create tensions between Russians and Israel by spreading claims that Israel had taken Ukraine’s side in the conflict.

In both cases, researchers at Mandiant stopped short of attributing the work to government agencies in either Iran or China, noting the difficulty in proving such linkages. Nonetheless, Wahlstrom said, they are using online disinformation to further Iran and China’s objectives, and using Russia’s invasion to do it.

“They’re parroting official Russian narratives,” Wahlstrom told The AP. “They’ve also given it their own twist.”

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


The UK’s NCSC has issued a security advisory to warn about spearphishing campaigns conducted by two unrelated Russian and Iranian hacker groups.


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


Albanian prosecutors on Wednesday asked for the house arrest of five public employees they blame for not protecting the country from a cyberattack by...


While cyber eyes are trained on Russia, we should remember that it is not the West’s only cyber adversary. China, Iran, and North Korea...