Russian Influence Duo Targets Politicians, CEOs for Embarrassing Video Calls


A Russian duo notorious for pranking numerous high-profile individuals, including Canadian Prime Minister Trudeau, is at it again — this time seeking to embarrass public figures who have expressed support for Ukraine in its war with Russia.

Over the past year, the two individuals — known publicly as Vovan and Lexus — have targeted high-ranking government officials and CEOs at large companies in North America and Europe, according to Proofpoint researchers, in a campaign to lure them into saying potentially volatile things on video and phone calls. The effort seems to be in retaliation for the targets’ support for Ukraine in the war with Russia.

An Elaborate Impersonation Con

In a blog post this week, Proofpoint said it had observed a sharp increase in activity from the pair following Russia’s invasion of Ukraine last February. Since then, Vovan and Lexus have contacted numerous prominent business leaders and politicians who have either made public statements against the war or donated to Ukrainian humanitarian programs.

In emails to the targeted individuals, the pair have variously presented themselves as Ukrainian Prime Minister Denys Shmyhal, Ukrainian Member of Parliament Oleksandr Merezhko, and Russian opposition leader Alexei Navalny’s Chief of Staff Leonid Volkov. Other emails have purported to be from the “Embassy of Ukraine to the US” and the “Embassy of Ukraine in the US,” and were sent from plausible-looking, embassy-themed email addresses.

The emails have attempted to persuade recipients to participate in recorded video chats and phone calls, where they are encouraged to speak on various matters associated with the war in Ukraine. In some of the video conversations, the two individuals have worn heavy makeup and likely used deepfake technology to take on the appearance of the figures they were impersonating. Edited versions of the recordings have later appeared on YouTube, Telegram, Twitter, and the Russian video platform Rutube.

“Once the target makes a statement on the matter, the video devolves into antics, attempting to catch the target in embarrassing comments or acts,” Proofpoint’s report said. “The recordings are then edited for emphasis and placed on YouTube and Twitter for Russian and English-speaking audiences.”

A Who’s Who of Victims

Proofpoint’s report did not name any specific individuals who might have fallen for Lexus and Vovan’s tricks. But researchers from the company pointed Dark Reading to publicly known examples of their work.

In one instance, the pair posed as Ukrainian Prime Minister Shmyhal and tricked former UK Home Secretary Priti Patel into a 15-minute conversation with them on the war and the related refugee crisis. The hoaxers later posted a video of them duping Patel on YouTube and other social media channels. In another campaign last June, Vovan and Lexus tricked the mayors of Warsaw, Berlin, Vienna, and Budapest into making video calls with an individual they believed was Vitaliy Klychko, the mayor of Kyiv.

Vovan and Lexus, whose real names are Vladimir Kuznetsov and Aleksei Stolyarov, have also, as mentioned, tricked Canadian Prime Minister Trudeau into thinking he was speaking with climate change activist Greta Thunberg. Last year, they posted a video on YouTube that purported to show former US President George Bush speaking with an individual he assumed was Ukrainian President Volodymyr Zelenskyy. In May 2021, the pair tricked multiple European members of Parliament into video meetings, using deepfake technology to impersonate Russian opposition leaders, including Navalny.

A Russian State-Backed Threat?

Researchers at Proofpoint have been tracking the two individuals since 2021 under the threat actor designation “TA499.” This week, they cautioned against dismissing them merely as pranksters, as some have previously. “While Vovan and Lexus brand themselves as ‘pranksters and comedians,’ multiple governments and officials deem the pair to be Russian, state-funded bad actors,” Alexis Dorais-Joncas, senior manager for threat research at Proofpoint, tells Dark Reading.

Proofpoint has not been able to confirm the level of government involvement with the pair, but the company has determined from open source intelligence that the two actors are likely state encouraged and patriotically motivated. “It’s fair to consider Vovan and Lexus as ‘influencers’ or ‘propagandists,’ as they deem to influence the political nature of Russia as a whole and reach an English audience through various methods,” Dorais-Joncas says.

“TA499’s elevation to state-aligned activity is due to the targeted nature of its campaigns, utilization of actor-controlled domain infrastructure, [and] multiple VoIP fake phone numbers for separate recipients,” he notes.

The two individuals perform reconnaissance to reach selected targets both directly and via their close contacts, and present a risk to organizations, the researcher says. “These things combined with their specific focus on Russia-aligned propaganda, make them a state-aligned threat.”

Proofpoint assessed with high confidence that TA499 will continue with its influence campaign, and likely reuse old or additional infrastructure to do so. The primary target continues to be C-level executives or those at the highest-profile positions at their respective organizations.

The security vendor posted a list of email addresses that the duo has used so far in their campaigns and advised anyone who has reason to believe they could be targeted to verify the identities of people inviting them to discuss political topics.


Dark Reading
