Decoding Disinformation: The Spanish Election Information Operation Targeting Russian-Speakers

A targeted disinformation operation aimed at Russian-speaking residents of Spain during the 2023 general elections used Telegram messaging and a fake website impersonating the Community of Madrid to discourage voting. The campaign, analyzed under the DISARM framework, demonstrates niche demographic targeting, domain impersonation, and the use of bulletproof hosting infrastructure. #CommunityOfMadrid #MinistryOfInterior

Keypoints

  • Disinformation campaigns continue to target elections in Europe, including niche demographic groups.
  • The Spanish operation specifically targeted Russian-speaking residents in Spain to influence information sharing and voting behavior.
  • The attackers used Telegram for reach and relied on a bulletproof hosting provider to host a fake site impersonating a legitimate Madrid site.
  • The campaign cloned legitimate sites to create inauthentic news sites and published inauthentic news articles about ETA attacks to push its narrative.
  • Domain names were constructed with appropriate Spanish-language cues and top-level domains and included typosquatting elements; the fake sites cloned legitimate layouts.
  • The implicated infrastructure and domains suggest a coordinated, multi-domain approach with limited delivery mechanisms, intended to stay undetected for a short window.
  • Implications for CISOs/CIOs include monitoring, threat intelligence sharing, and employee education to defend against disinformation campaigns.

MITRE Techniques

  • [T0043.001] Use Encrypted Chat Apps – ‘Telegram messaging application used to deliver message to targets’
  • [T0072.002] Demographic Segmentation – ‘Russian-speaking population in Spain targeted’
  • [T0130.002] Utilize Bulletproof Hosting – ‘Disinformation website hosted on Sprinthost, a provider’
  • [T0098.001] Create Inauthentic News Sites – ‘Legitimate news sites of the community of Madrid copied to create inauthentic version of it’
  • [T0085.003] Develop Inauthentic News Articles – ‘Fake news from the Ministry of Interior created warning of coming ETA attacks’
  • [T0003] Leverage Existing Narratives – ‘Campaign narrative used history of ETA terrorist activity’

Indicators of Compromise

  • [Domain] Impersonation domains observed – interior-gov.es, comunidad-madrid.es, and 2 more domains
  • [IP] 185.251.88.12 – hosting IP used for the malicious domain
  • [URL] http://comunidad-madrid.es/ – impersonated site URL used in the campaign
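
For the monitoring recommended in the keypoints, a lookalike check over resolver or proxy logs can catch names built like the impersonation domains listed above. The following Python check is an added example, not part of the original report; the official hostnames, the similarity threshold and the sample log entries are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Assumption for this example: the official hostnames a defender protects.
OFFICIAL = ("comunidad.madrid", "interior.gob.es")
THRESHOLD = 0.85  # assumed cut-off; tune against your own resolver/proxy data

def normalise(host):
    """Lowercase, drop a trailing dot and a leading 'www.' label."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

def squash(host):
    """Remove dots and hyphens so separator swaps compare as equal."""
    return re.sub(r"[.\-]", "", host)

def candidate_forms(host):
    """Squashed hostname, with and without its final (TLD) label."""
    forms = {squash(host)}
    if "." in host:
        forms.add(squash(host.rsplit(".", 1)[0]))
    return forms

def check(host):
    """Return (official hostname resembled, score) for a lookalike, else None."""
    host = normalise(host)
    if any(host == o or host.endswith("." + o) for o in OFFICIAL):
        return None  # the real site or one of its subdomains
    best = (None, 0.0)
    for official in OFFICIAL:
        for form in candidate_forms(host):
            score = round(SequenceMatcher(None, form, squash(official)).ratio(), 2)
            if score > best[1]:
                best = (official, score)
    return best if best[1] >= THRESHOLD else None

def flag(hosts):
    """Map each lookalike hostname to the official name it imitates."""
    results = {h: check(h) for h in hosts}
    return {h: r for h, r in results.items() if r}

# Constructed sample of observed hostnames (e.g. from resolver or proxy logs);
# the two impersonation domains are the ones listed in the indicators above.
OBSERVED = ["www.comunidad.madrid", "comunidad-madrid.es", "interior-gov.es",
            "sede.interior.gob.es", "madrid.example", "elpais.example"]

if __name__ == "__main__":
    for host, (official, score) in flag(OBSERVED).items():
        print(f"{host}: resembles {official} (similarity {score})")
```

Comparing the names with separators removed is what lets a hyphen-for-dot swap score as an exact match, while the allow-list check keeps genuine subdomains out of the alerts.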

Read more: https://quointelligence.eu/2023/11/spanish-election-information-operation-targeting-russian-speakers/