Decoding Disinformation: The Spanish Election Information Operation Targeting Russian-Speakers

			<div>
			<div>
			
			
			
			
			<div>
			
			
			
			
			<div><p><strong>Audience-Role:</strong> Security Leadership&nbsp; <strong>|</strong>&nbsp; <strong>Sector:</strong> Government</p></div>
		</div><div>
			
			
			
			
			<img alt="Decoding Disinformation: The Spanish Election Information Operation Targeting Russian-Speakers" height="1013" src="https://quointelligence.eu/wp-content/uploads/2023/10/The-Spanish-Election-Information-Operation-Targeting-Russian-Speakers_-1800x1013-1.png" title="The Spanish Election Information Operation Targeting Russian-Speakers_ 1800x1013" width="1800" />
		</div><div><div></div></div><div>
			
			
			
			
			<div><h2><em>Disinformation campaigns attempting to disrupt or influence European elections continue. A recent example in Spain shows how they can be structured to target niche groups.</em></h2></div>
		</div><div><div></div></div><div>
			
			
			
			
			<div><p>Recent years have seen an increase in information operations aimed at interfering with election processes in Europe. These operations are designed to spread disinformation and manipulate public opinion to influence the outcome of elections. While these campaigns tend to exploit the widest demographics to maximize impact, some threat actors are willing to dedicate resources to reach niche populations.</p>

In this article, we provide an overview of a recent campaign that targeted the Russian-speaking population in Spain and discuss the implications for Chief Information Security Officers (CISOs) and Chief Information Officers (CIOs).

In truth, the focus on the Russian-speaking population in Spain likely had a limited effect on the overall general election result. The population of Russian citizens in Spain was around 80,000 people in 2021, and over 100,000 short-term visas were issued in 2022. This number is low compared to the total election turnout of over 24 million, and doesn’t take into account the fact that the majority of Russian-speaking residents were not able to vote.

However, it demonstrates that disinformation operations can target demographics of any size, in this case Russian-speaking people in Spain, to increase the effectiveness of their operations. The goal of the threat actors is not clear, but it is likely that they are attempting to steer the targeted population to spread false information, such as allegations of incoming terrorist attacks, among their local communities in Spain. Furthermore, it demonstrates that these types of tailored disinformation campaigns challenge assumptions about which groups of voters are susceptible to election conspiracies and distrust in voting systems.

			<div><h2>Analysis</h2>

From a technical perspective, the campaign showed basic but well-applied methodology with proper use of language, selection of targets, and preparation of disinformation materials. The campaign:

  • Sent messages containing a link to a fake website that mimicked the legitimate website of the Community of Madrid and provided information about an alleged coming terrorist attack. The messages encouraged recipients to skip the elections to avoid risking their lives.
  • Used Telegram for reach. The operation’s infrastructure indicates the adversary used a popular Russian bulletproof hosting provider (an internet hosting service providing technical infrastructure resilient to complaints of illicit activities) associated with multiple campaigns.
  • Used fewer delivery mechanisms than other campaigns that have relied on copied or fake news sites, and did not use massive social media campaigns to spread its message.
  • Displayed moderate capabilities, with properly formatted messages used to deliver the narrative, domain names using proper syntax and Spanish Top Level Domains, and cloning of the legitimate website layout.
			<img alt="Fake Spanish Government Website" height="244" src="https://quointelligence.eu/wp-content/uploads/2023/10/Fake_MAD_Ayuntamiento_Website.png" title="Fake_MAD_Ayuntamiento_Website" width="642" />
		</div><div>
			
			
			
			
			<div><h4><em>Malicious website impersonating the Comunidad de Madrid site</em></h4></div>
		</div><div><div></div></div><div>
			
			
			
			
			<div><h2>Implications for CISOs and CIOs</h2>

The use of Telegram messages and fake websites shows that the threat actors were willing to dedicate resources to reach even niche populations. The limited delivery mechanisms used by the campaign and its focus on a specific demographic likely resulted in minimal impact.

However, the campaign is part of an effort to directly target selected populations to increase the effectiveness of operations. CISOs and CIOs should be aware of the prevalence of information operations aimed at interfering with the election process in Europe and ensure that their organizations have robust security measures in place to protect against disinformation campaigns and other types of cyber threats.

			<div><p>Concrete countermeasures include:</p>
  • Be aware of the prevalence of information operations aimed at interfering with the election process in Europe and the potential impact on your organization. These include destabilization through loss of trust in government and institutions, damage to reputation, economic impact, and security risks.
  • Ensure that your organization has robust security measures in place to protect against disinformation campaigns and other types of cyber threats, including social media monitoring and analysis, collaboration with government agencies, and establishing incident response plans.
  • Educate your employees about the risks of disinformation campaigns and how to identify and report suspicious activity.
  • Stay up-to-date with the latest threat intelligence and share this information with your team to ensure that you are prepared to respond to any potential threats.
			<div><h2>Conclusion</h2>

It is not possible to attribute the activity with high confidence to any threat actor, given the limited technical footprint. However, correlation with techniques used earlier in Russian-led campaigns described by Meta and the specific targeting of the Russian population indicate with low confidence that the operation was linked to the Russian nexus of information operations.

What is almost certain is that information operations aiming to disrupt political processes in EU countries will continue. This is based on the high prevalence of similar efforts seen across Europe, the low cost of carrying out such operations, and the continuous political tensions driving the national goals that are behind these operations.

CISOs and CIOs must be vigilant and proactive in protecting their organizations from these threats. While implementing robust security measures, educating employees, and staying informed about the latest threat intelligence are essential, it’s important to recognize that no company is completely secure all the time.

			<div><h3>QuoIntelligence</h3>

We provide the cyber and geopolitical intelligence critical for organizations to maximize security and minimize risk, with a specific focus on Europe. If you would like to have an informal discussion with one of our Threat Advisory experts, please book a call here: Talk to an Expert

			<div><h3>Keep up to date</h3>

To keep up with the latest cyber and geopolitical threats, subscribe to QuoIntelligence’s Weekly Intelligence Newsletter, published every Thursday around 1900 CET.

		</div>
		</div>
			
			
			
			
		</div>
			
			
		</div>

The post Decoding Disinformation: The Spanish Election Information Operation Targeting Russian-Speakers appeared first on QuoIntelligence.
