
Russian TA499 Targets North American and European Countries

The Russia-aligned TA499 threat group is aggressively targeting high-profile government officials, CEOs of prominent companies, and celebrities in North American and European countries. It is believed to consist of two members, Vovan (aka Vladimir Kuznetsov) and Lexus (aka Alexei Stolyarov), who primarily use fake video calls to lure their victims.

About the TA499 campaign

Active since early 2021, the group suddenly increased its activity in late February 2022, after the Russian invasion of Ukraine, according to Proofpoint researchers.
  • Since that time, it has been gradually expanding its attack scope to target high-profile individuals making donations to Ukraine or making statements against so-called Russian disinformation propaganda.
  • The high-profile targets include mayors of several cities, such as Vienna, Warsaw, Budapest, Berlin, and Madrid. In the past, attackers have targeted celebrities JK Rowling and Elton John, among others.

What are the attack tactics

The attack begins with an email or phone call in which the attackers masquerade as prominent political figures, such as Ukrainian Prime Minister Denys Shmyhal or People's Deputy of Ukraine Oleksandr Merezhko.
  • The email samples observed in March 2022 pretend to be from either the Embassy of Ukraine to the U.S. or the Embassy of Ukraine in the U.S., requesting some information or urging targeted victims to follow up via phone or video calls.
  • In mid-2022, along with embassy-themed lures, the threat actors used an International Atomic Energy Agency-themed domain to send emails. Toward the end of 2022, they pretended to be Oleksandr Merezhko, Ukrainian MP and VP of the Parliamentary Assembly of the Council of Europe, and chief of staff Leonid Volkov.
  • The phone call recordings are then released to the public via YouTube and RuTube in an attempt to gain the sympathy and support of the public for the Russian regime and its actions.

Some researchers suggest that TA499 used advanced deepfake technology to create fake recordings; however, the Proofpoint report indicates that the group has used only lookalike personalities.

Concluding notes

Although TA499 is currently not using sophisticated deepfake technology, experts suspect it might do so soon to create more convincing social engineering lures. All high-profile targets are advised to proceed with caution when approached unexpectedly for interviews or video calls.
Cyware Publisher