New Mandiant Research: IO Activities by Nation-State Actors Surround Invasion of Ukraine


As the war in Ukraine continues, Mandiant published new, comprehensive research today on the IO activity surrounding Ukraine, showcasing how known threat actors and cyber campaigns can be leveraged to support emerging security interests – including large-scale conflict.

Mandiant also sat down with the authors of the research and recorded a podcast to better unpack all the content, which you can listen to here:

Key highlights from the research are listed below, but please let us know if you’d be interested in speaking to Mandiant’s experts on this topic.

Key highlights and new revelations include:

  • The Russian-influence campaign, known widely as Secondary Infektion, which started prior to the invasion, continued operating to spread misinformation about President Zelenskyy (all Secondary Infektion campaigns in the research as new).
  • A new Ghostwriter operation, which Mandiant is attributing publicly for the first time, used compromised assets to publish fabricated content, promoting the narrative that a Polish criminal ring was harvesting organs from Ukrainian refugees to illegally traffic in the European Union.
  • DRAGONBRIDGE, a Pro-PRC campaign that’s comprised of thousands of inauthentic accounts across numerous social media platforms, websites, and forums, shifted its messaging to produce content in English and Chinese that echoes narratives promoted by Russian state media and influence campaigns.
  • A pro-Iran campaign that Mandiant has not previously named is now being dubbed “Roaming Mayfly”, due to its potential links to the Iran-aligned Endless Mayfly influence campaign that Citizen Lab reported on in 2019.
/Public Release. This material from the originating organization/author(s) may be of a point-in-time nature, edited for clarity, style and length. The views and opinions expressed are those of the author(s).