The Bear Necessities: A Look at the Drivers, Dynamics, and Applications of the Pro-Russia Influence Ecosystem
Google Threat Intelligence Group analyzes the evolution of the pro-Russia influence ecosystem four years into the full-scale invasion of Ukraine, identifying a pivot from war-focused operations back to global strategic objectives targeting the West, NATO, and the EU. The ecosystem comprises six interconnected components — overt media, covert IO campaigns, hacktivism, cyber espionage, government direction, and outsourced proxies — that cross-promote and amplify narratives. Key trends include the increasing use of generative AI for content creation, the blending of cyber espionage with influence operations via hack-and-leak tactics, and the outsourcing of capability development to contractors like NTC Vulkan for plausible deniability.
- emaildickbilling[@]protonmail[.]comEmail address associated with the 'Very English Coop d'Etat' covert influence campaign
- emailgiselastuart[@]protonmail[.]comEmail address associated with the 'Very English Coop d'Etat' covert influence campaign, likely used for hack-and-leak or direct dissemination of influence content
- emailrichardteller[@]protonmail[.]comEmail address associated with the 'Very English Coop d'Etat' covert influence campaign
- emailRobert1611[@]protonmail[.]comEmail address associated with the 'Very English Coop d'Etat' covert influence campaign
Detection / Hunteropenrouter
What Happened
A detailed report from Google's Threat Intelligence Group explains how Russia's influence operations have evolved since the 2022 invasion of Ukraine. The report finds that pro-Russia influence actors are shifting their focus back to global targets like the US, Europe, and NATO, after years of concentrating on Ukraine. These actors are increasingly using artificial intelligence to create convincing fake content, and they blend cyberattacks (like data theft and website defacement) with propaganda campaigns to manipulate public opinion. The ecosystem is highly organized, involving state media, covert operatives, hacktivist groups, and outside contractors who all work together — sometimes knowingly, sometimes not — to spread pro-Russia messages. Organizations and governments in the West should be aware that these influence operations are likely to intensify and may target elections, public institutions, and critical infrastructure. Defenders should monitor for coordinated inauthentic behavior, protect against DDoS attacks, and educate audiences about influence tactics.
Key Takeaways
- The pro-Russia influence ecosystem is pivoting from a near-singular focus on Ukraine back to global strategic objectives, increasing the likelihood of intensified influence operations targeting the EU, NATO, and the US.
- Pro-Russia actors are increasingly leveraging generative AI tooling for planning, research, and content creation, marking a shift toward industrial-scale application of AI in adversarial workflows.
- Cyber-enabled information operations, including hack-and-leak campaigns and wiper deployments alongside website defacements, remain a critical hybrid tactic blending espionage with psychological manipulation.
- The ecosystem is highly interconnected and resilient, with six core components (overt media, covert IO, hacktivism, cyber espionage, government, and outsourced proxies) that cross-promote and amplify each other.
- Outsourcing to third-party contractors like NTC Vulkan and Social Design Agency enables scaling, custom tooling development, and plausible deniability for Russian intelligence services.
Affected Systems
- Social media platforms and messaging applications (Telegram, email, SMS)
- Web infrastructure targeted by DDoS attacks and defacements
- Government online portals and election systems
- Critical infrastructure and transportation systems in Western countries
Attack Chain
The pro-Russia influence ecosystem operates through a blended attack chain that combines cyber espionage, hacktivist personas, and covert information operations. Cyber espionage actors (e.g., APT44, UNC4057/COLDRIVER) conduct intrusions to steal data, which is then laundered through hacktivist personas (e.g., XakNet Team, Solntsepek, PalachPro) who publicly claim responsibility and disseminate stolen or fabricated content via Telegram channels and leak websites. Concurrently, covert IO campaigns (e.g., Doppelganger, Operation Overload) use AI-generated content and media mimicry to amplify narratives across social media, email, SMS, and messaging apps. Overt Russian state media (e.g., RT) coordinates with covert actors and outsourced contractors (e.g., NTC Vulkan, Social Design Agency) to scale operations and provide plausible deniability. DDoS attacks by groups like NoName057(16) and wiper deployments alongside website defacements serve as cyber-enabled IO to amplify psychological impact.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules, queries, or signatures. It references external hardening guides for DDoS protection and destructive attack mitigation.
Detection Engineering Assessment
EDR Visibility: Low — The article primarily describes influence operations, social media manipulation, and DDoS activity rather than endpoint-based malware tradecraft. EDR visibility would only apply to the cyber-enabled IO components such as wiper deployments or data exfiltration from compromised hosts. Network Visibility: Medium — DDoS attacks by groups like NoName057(16) and network intrusions by espionage actors would generate network telemetry. However, much of the influence activity occurs on social media platforms and messaging apps outside the defender's network perimeter. Detection Difficulty: Hard — Influence operations span multiple platforms (social media, messaging apps, email, Telegram) that are largely outside a traditional SOC's visibility. The blending of legitimate-looking media mimicry with AI-generated content makes attribution and detection extremely challenging. Domain cycling and mirror domains further complicate infrastructure-based detection.
Required Log Sources
- Web proxy and DNS logs for domain infrastructure cycling
- Network flow data for DDoS detection
- Email gateway logs for influence-related phishing or direct dissemination
- EDR telemetry for wiper malware and data exfiltration detection
- Social media monitoring platforms for coordinated inauthentic behavior
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for newly registered domains that mimic legitimate media brands or government portals, as pro-Russia IO campaigns like Doppelganger cycle domain infrastructure to evade bans. | DNS logs, passive DNS, domain registration WHOIS data, web proxy logs | Resource Development (T1583) | Medium — legitimate brand protection and typosquatting monitoring may generate similar alerts |
| If you have visibility into email gateway logs, consider hunting for emails from ProtonMail accounts associated with known influence campaigns, particularly those delivering narratives aligned with Russian geopolitical interests. | Email gateway logs, email security platform alerts | Execution / Initial Access via phishing (T1566) | Medium — ProtonMail is a legitimate service used by many privacy-conscious users |
| Consider monitoring for coordinated DDoS patterns against your infrastructure that coincide with geopolitical events or Russian grievances, as NoName057(16) targets organizations based on Western support for Ukraine. | Network flow data, CDN/WAF logs, DDoS mitigation platform alerts | Impact (T1498/T1499) | Low — coordinated DDoS patterns tied to geopolitical events are relatively distinctive |
| If your organization operates in critical infrastructure or transportation, consider hunting for signs of reconnaissance or intrusion attempts that may be precursors to wiper deployment alongside website defacement, as described in cyber-enabled IO tactics. | EDR telemetry, web server logs, network intrusion detection logs | Impact / Defense Evasion (T1490, T1565) | Low to Medium — wiper and defacement activity is relatively distinctive but initial access vectors may resemble routine scanning |
Control Gaps
- Traditional endpoint and network security controls provide minimal visibility into influence operations conducted on social media platforms and messaging apps
- AI-generated content used in influence operations may bypass email security and content filtering that relies on known-bad indicators
- Domain cycling and mirror domains by campaigns like Doppelganger can evade static domain blocklists
- Outsourced IO execution through third-party contractors creates attribution challenges that complicate threat intelligence pivoting
- Hacktivist personas provide plausible deniability for state-sponsored espionage, making it difficult to distinguish independent actors from state-directed operations
Key Behavioral Indicators
- Coordinated inauthentic behavior patterns across social media accounts amplifying pro-Russia narratives
- Newly registered domains mimicking legitimate media brands or government portals
- Telegram channels claiming cyber intrusions with screenshots that cannot be independently verified
- DDoS attacks coinciding with geopolitical events or statements about Western support for Ukraine
- Hack-and-leak operations where stolen data is publicized through actor-controlled personas shortly after exfiltration
- Email campaigns from ProtonMail accounts disseminating politically divisive content aligned with Russian objectives
False Positive Assessment
- Medium — The identified email addresses and social media handles are specific enough to have low false positive rates, but the behavioral indicators (DDoS patterns, domain registration, social media amplification) require contextual analysis to distinguish from legitimate activity. ProtonMail is a widely used legitimate service, so email-based detections require content and behavioral correlation rather than domain-level blocking.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting. Consider reviewing your organization's exposure to the email addresses and personas identified in this report, particularly if your organization operates in government, media, or critical infrastructure sectors.
- Consider evaluating whether your DDoS mitigation posture is adequate, especially if your organization has publicly expressed support for Ukraine or operates in sectors historically targeted by NoName057(16).
- If applicable, consider blocking or flagging the identified ProtonMail email addresses associated with the 'Very English Coop d'Etat' campaign in your email security platform.
Infrastructure Hardening
- Consider implementing domain monitoring for lookalike domains that mimic your organization's brand, as pro-Russia IO campaigns employ media mimicry and domain cycling tactics.
- Evaluate whether your web infrastructure has adequate protections against defacement, particularly if your organization is a government entity or media outlet that could be targeted for cyber-enabled IO.
- If your organization operates critical infrastructure, consider reviewing network segmentation and backup strategies to mitigate potential wiper malware deployments alongside influence operations.
User Protection
- Consider rolling out Advanced Protection Program enrollment for high-risk users such as executives, journalists, and campaign staff who may be targeted by espionage-enabled influence operations.
- Evaluate whether your organization would benefit from Project Shield or equivalent DDoS protection for public-facing websites.
- Consider implementing enhanced email security controls that can detect socially engineered content from influence operations, not just traditional phishing payloads.
Security Awareness
- Consider incorporating awareness of coordinated influence operations into existing security awareness training, particularly for employees in communications, public relations, and government relations roles.
- If applicable to your organization, consider training staff to recognize and report media mimicry attempts where pro-Russia actors impersonate legitimate news outlets.
- Consider educating leadership and public-facing staff about hack-and-leak tactics, where stolen or fabricated data may be publicized through hacktivist personas to influence public perception.
MITRE ATT&CK Mapping
- T1498 - Network Denial of Service
- T1499 - Endpoint Denial of Service
- T1490 - Inhibit System Recovery
- T1565 - Data Manipulation
- T1567 - Exfiltration Over Web Service
- T1656 - Impersonation
- T1583 - Develop Capabilities
- T1585 - Establish Operational Support
Additional IOCs
- Other:
@Alan_naebc (Alan Krupka)- Social media handle linked to the NAEBC influence campaign; persona mocked public exposure of influence assetsXakNet Team (Telegram channel)- Telegram channel operated by the APT44-affiliated hacktivist persona XakNet Team, used to mock attribution and publicize claimed cyber activity