Russian Influence Duo Targets Politicians, CEOs for Embarrassing Video Calls

A Russian duo notorious for pranking numerous high-profile individuals, including Canadian Prime Minister Trudeau, is at it again, this time seeking to embarrass public figures that have expressed support for Ukraine in its war with Russia.

Over the past year, the two individuals, known publicly as Vovan and Lexus, have targeted high-ranking government officials and CEOs at large companies in North America and Europe, according to Proofpoint researchers, in a campaign to lure them into saying potentially volatile things on video and phone calls. The effort seems to be in retaliation for the targets’ support for Ukraine in the war with Russia.

An Elaborate Impersonation Con

In a blog post this week, Proofpoint said it had observed a sharp increase in activity from the pair following Russia’s invasion of Ukraine last February. Since then, Vovan and Lexus have contacted numerous prominent business leaders and politicians that have either made public statements against the war or have donated to Ukrainian humanitarian programs.

In emails to the targeted individuals, the pair have variously presented themselves as Ukrainian Prime Minister Denys Shmyhal, Ukrainian Member of Parliament Oleksandr Merezhko, and Russian opposition leader Alexei Navalny’s Chief of Staff Leonid Volkov. Other emails have purported to be from the “Embassy of Ukraine to the US” and the “Embassy of Ukraine in the US,” and were sent from plausible-looking, embassy-themed email addresses.

The emails have attempted to persuade recipients to participate in recorded video chats and phone calls, where they are encouraged to speak on various matters associated with the war in Ukraine. In some of the video conversations, the two individuals have worn heavy makeup and likely used deepfake technology to take on the appearance of figures they were impersonating. Edited versions of the recordings have later appeared on YouTube, Telegram, Twitter, and Russian video platform Rutube.

“Once the target makes a statement on the matter, the video devolves into antics, attempting to catch the target in embarrassing comments or acts,” Proofpoint’s report said. “The recordings are then edited for emphasis and placed on YouTube and Twitter for Russian and English-speaking audiences.”

A Who’s Who of Victims

Proofpoint’s report did not name any specific individuals that might have fallen for Lexus and Vovan’s tricks. But researchers from the company pointed Dark Reading to publicly known examples of their work.

In one instance, the pair posed as Ukrainian Prime Minister Shmyhal and tricked former UK Home Secretary Priti Patel into a 15-minute conversation with them on the war and the related refugee crisis. The hoaxers later posted a video of them duping Patel on YouTube and other social media channels. In another campaign last June, Vovan and Lexus tricked the mayors of Warsaw, Berlin, Vienna, and Budapest into making video calls with an individual they believed was Vitaliy Klychko, the mayor of Kyiv.

Vovan and Lexus, whose real names are Vladimir Kuznetsova and Aleksei Stolyarov, have also, as mentioned, tricked Canadian Prime Minister Trudeau (into thinking he was speaking with climate change activist Greta Thunberg). Last year, they posted a video on YouTube that purported to show former US President George Bush speaking with an individual he assumed was Ukrainian President Volodymyr Zelenskyy. In May 2021, the pair tricked multiple European members of Parliament into video meetings using deepfake technology to impersonate Russian opposition leaders, including Navalny.

A Russian State-Backed Threat?

Researchers at Proofpoint have been tracking the two individuals since 2021 under the threat actor designation “TA499.” This week, they cautioned against dismissing them merely as pranksters, as some have previously. “While Vovan and Lexus brand themselves as ‘pranksters and comedians,’ multiple governments and officials deem the pair to be Russian, state-funded bad actors,” Alexis Dorais-Joncas, senior manager for threat research at Proofpoint, tells Dark Reading.

Proofpoint has not been able to confirm the level of government involvement with the pair, but the company has determined from open source intelligence that the two actors are likely state encouraged and patriotically motivated. “It’s fair to consider Vovan and Lexus as ‘influencers’ or ‘propagandists,’ as they deem to influence the political nature of Russia as a whole and reach an English audience through various methods,” Dorais-Joncas says.

“TA499’s elevation to state-aligned activity is due to the targeted nature of its campaigns, utilization of actor-controlled domain infrastructure, [and] multiple VoIP fake phone numbers for separate recipients,” he notes.

The two individuals perform reconnaissance to reach selected targets both directly and via their close contacts, and present a risk to organizations, the researcher says. “These things combined with their specific focus on Russia-aligned propaganda, make them a state-aligned threat.”

Proofpoint assessed with high confidence that TA499 will continue with its influence campaign, and likely reuse old or additional infrastructure to do so. The primary target continues to be C-level executives or those at the highest-profile positions at their respective organizations.

The security vendor posted a list of email addresses that the duo has used so far in their campaigns and advised anyone who has reason to believe they could be targeted to verify the identities of people inviting them to discuss political topics.
