Pro-Russian Hackers Spread Hoaxes to Divide Ukraine, Allies

As Ukrainians flooded into Poland earlier this year to flee Russian invaders, a hacking group aligned with the Kremlin sought to spread rumors that criminal gangs were waiting to harvest the organs of child refugees.

The network, known to cybersecurity experts as Ghostwriter, seemingly aimed to sow distrust between Ukraine and Poland. It’s one of several tactics described in a new report that outlines how Russia has used disinformation, fear and propaganda alongside bullets, tanks and soldiers in an effort to demoralize Ukraine and divide its allies.

The unfounded claim made its way into Russian-state media and online platforms popular with far-right groups in the U.S., where posts spreading the hoax have been shared many thousands of times on sites like Telegram and Twitter. The disinformation operation exploited legitimate concerns that Ukrainian refugees could be kidnapped by human traffickers, but no evidence of organ harvesting has surfaced.

“Ghostwriter operations will often piggyback on news stories or recent events,” said Alden Wahlstrom, a senior analyst at Mandiant, the cyber security firm that published the report Thursday. “There are certain motives that are consistent: Undercutting trust in NATO. Creating tensions.”

The report detailed several other Russian-aligned disinformation and propaganda campaigns, including bogus online claims that Ukrainian President Vladimir Zelenskyy had committed suicide or fled Ukraine. In some cases, the campaigns relied on Russian state media or fake social media accounts to disseminate the disinformation. Mandiant also identified cases in which groups linked to Russian intelligence disguised their disinformation as independent journalism. Russian diplomats have also emerged as a key vector for disinformation.

In one instance in March, groups linked to Russia spread claims online that Zelenskyy had surrendered on the same day he was preparing to address the U.S. Congress.

“Influence efforts and propaganda are used to shape public opinion, to impact the morale of participants in a conflict,” said Renee DiResta, research manager at the Stanford Internet Observatory and an expert on disinformation and social media. DiResta said Russia relies on this sophisticated network to “wage narrative warfare around the globe.”

Ghostwriter has been linked to Belarus, a key Russian ally. The network was also blamed for attempting to hack into the social media accounts of dozens of Ukrainian officers earlier this year. That operation was revealed by Meta, the parent company of Facebook, which said the hackers were foiled before they could use the officers’ accounts to post videos of surrendering Ukrainian soldiers.

The organ harvesting hoax was further amplified by Russian state media and ultimately seeped into English-language websites and platforms. It can now be found on major platforms including Twitter and Telegram, where Russian forces are portrayed as the saviors of trafficking victims.

“The pro-Russian government… foiled a massive kidnapping plot organized by organ traffickers,” reads one example on Twitter. “US Government is complicit,” reads another post, from a user in Texas.

Mandiant’s report also highlighted pro-Chinese and Iranian disinformation networks that sought to leverage the war in Ukraine for their own ends.

The pro-Chinese network amplified a discredited Russian claim that the U.S. was running secret bioweapon research in Ukraine. That claim is similar to ones spread by Chinese officials who sought to blame the U.S. for the COVID-19 pandemic.

The Iranian network, by contrast, seemingly sought to create tensions between Russians and Israel by spreading claims that Israel had taken Ukraine’s side in the conflict.

In both cases, researchers at Mandiant stopped short of attributing the work to government agencies in either Iran or China, noting the difficulty in proving such linkages. Nonetheless, Wahlstrom said, they are using online disinformation to further Iran and China’s objectives, and using Russia’s invasion to do it.

“They’re parroting official Russian narratives,” Wahlstrom told The AP. “They’ve also given it their own twist.”
