Vulnerability Management, Security Program Controls/Technologies

Russian ‘pranksters’ target Moscow critics, Ukraine war opponents

Aleksei Stolyarov

A pair of Russian entertainers have been targeting European and U.S. government officials, CEOs and celebrities over the past year in an attempt to obtain phone recordings that can be used against opponents of Moscow’s invasion of Ukraine or critics of President Vladimir Putin.

The campaign, detailed by cybersecurity company Proofpoint in research released March 7, has been ongoing since at least 2021 and became even more aggressive following the February 2022 invasion by Russian troops across Ukrainian borders. Since then, the actors — which Proofpoint tracks as TA499 but who are also known public figures in Russia that go by the stage names "Vovan" (Vladimir Kuznetsov) and "Lexus" (Aleksei Stolyarov) — have increasingly targeted Western businesses, executives and prominent individuals who have donated money to Ukrainian humanitarian efforts or publicly called out Russian-government disinformation campaigns and tactics.

“These messages try to solicit information from the targeted individuals and entice them into further contact via phone calls or remote video,” writes author Zydeca Cass from Proofpoint’s threat research team. “The emails have not contained malware, only communications or invitations purporting to be from an embassy of Ukraine, Ukraine’s Prime Minister, a Ukrainian parliamentarian, or their assistants.”

The pair first reach out through email, using email provider and pretending to be from either “the Embassy of Ukraine to the US” or “the Embassy of Ukraine in the US:” embassy.usa@ukr[.]net and[.]net. They have pretended to be Ukrainian Prime Minister Denys Shmyhal and his aides; Oleksandr Merezhko, a Ukrainian Member of Parliament (MP) and vice president of the Parliamentary Assembly of the Council of Europe (PACE); and Leonid Volkov, chief of staff for Russian opposition leader Alexei Navalny.

A sample email of TA499 email impersonating the chief of staff to Russian opposition leader Alexei Nalvany. (Source: Proofpoint)

The pair's YouTube channel was suspended and removed last year after posting video clips of conversations with UK Secretary of Defense Ben Wallace and Home Secretary Priti Patel while posing as Shmyhal. They are known for using extensive makeup and other tricks to take on the likeness of others. There were even early reports that the pair were utilizing AI to create deepfake versions of their impersonations (claims they denied later to tech news outlet The Verge.)

Alexis Dorais-Joncas, manager of APT threat research at Proofpoint, told SC Media the goal throughout the campaign has been to obtain embarrassing or negative audio recordings that can then be leveraged in broader Russian information operations to either drive a wedge between Ukraine and its allies or embarrass high-profile Western critics of the Russian government.

Vovan and Lexus are often described as “pranksters” in media reports, and their efforts to use impersonation to trick well-known politicians or celebrities into embarrassing recorded conversations pre-dates the Russian invasion. However, Dorais-Joncas, senior manager for APT threat research, told SC Media that since 2021 their work has been almost exclusively political in nature, aimed at critics of the Russian government and more lately supporters of the Ukraine war effort.

“The victims have one thing in common in [post]-2021 events: they made a public statement or took sides against Russia,” he said.

A sample email of TA499 impersonating a Ukrainian member of Parliament. (Source: Proofpoint)

Dorais-Joncas said that while Proofpoint isn’t connecting their activity to Moscow-directed information operations, many of their impersonations and targeted victims of late lean heavily into larger Russian government narratives about the war. That includes supporters of arms transfers to the Ukrainian military, those who spoke in favor of sanctions on the Nord Stream II Pipeline and other issues of geopolitical interest to Moscow.

Dorais-Joncas declined to offer details on the specific victims they’ve tracked through the campaign, but news reports over the years have identified numerous high-profile politicians and celebrities who have fallen victim to the antics of Vovan and Lexus.

Last year, they reportedly posed as French President Emmanuel Macron in a conversation with Polish President Andrzej Duda after a missile strike from the Russia-Ukraine war landed inside Poland, killing two. They’ve also tricked U.S. Rep. Maxine Waters, D-Calif., Sen. Bernie Sanders, I-Vt., the UK’s Prince Harry and other well-known figures.

Dorian-Joncas said the pair’s objective is to get their subject to say “anything that could embarrass them.”

“TA499, they’re actors, they’re pranksters. Their goal is to kind of make fun of their targets however they can,” he said.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.