Mandiant updates research on Ukraine invasion

As the war in Ukraine continues, Mandiant has published new, comprehensive research on the IO activity surrounding the invasion, showcasing how known threat actors and cyber campaigns can be leveraged to support emerging security interests – including large-scale conflict.

The report states:

The recent phase of Russian aggression toward Ukraine, manifested by Russia’s full-scale invasion, has flooded the information environment with disinformation promoted by a full spectrum of actors. Concerted information operations have proliferated, ranging from cyber-enabled information operations, including those that coincided with disruptive and destructive cyber threat activity, to campaigns leveraging coordinated and inauthentic networks of accounts to promote fabricated content and desired narratives across various social media platforms, websites, and forums.

While the full extent of this activity has yet to be seen, more than two months after the start of the invasion, Mandiant has identified activity that we attributed to information operations campaigns conducted by actors we judge to be operating in support of the political interests of nation-states such as Russia, Belarus, China, and Iran, including ongoing campaigns that we have tracked for years. This report examines a slice of this activity, highlighting significant information operations Mandiant has observed in our work responding to the invasion and presenting our early analysis of those events.


Key highlights and new revelations include:

  • The Russian-influence campaign, known widely as Secondary Infektion, which started prior to the invasion, continued operating to spread misinformation about President Zelenskyy (all Secondary Infektion campaigns in the research as new).
  • A new Ghostwriter operation, which Mandiant is attributing publicly for the first time, used compromised assets to publish fabricated content, promoting the narrative that a Polish criminal ring was harvesting organs from Ukrainian refugees to illegally traffic in the European Union.
  • DRAGONBRIDGE, a Pro-PRC campaign that’s comprised of thousands of inauthentic accounts across numerous social media platforms, websites, and forums, shifted its messaging to produce content in English and Chinese that echoes narratives promoted by Russian state media and influence campaigns.
  • A pro-Iran campaign that Mandiant has not previously named is now being dubbed “Roaming Mayfly”, due to its potential links to the Iran-aligned Endless Mayfly influence campaign that Citizen Lab reported on in 2019.