Cyber Incident Victim: Ministry of Defense (Iran)
Date:
Apr 2019
Location:
Lithuania
Summary
A coordinated cyber disinformation campaign targeted a national defense ministry through spear-phishing emails impersonating officials, spreading false corruption allegations against the defense minister. The attack aimed to discredit leadership and erode public trust in the defense infrastructure. Fake news was disseminated via compromised regional media portals and social platforms, with content falsely implicating financial misconduct. The incident, attributed to a foreign state actor by cybersecurity authorities, mirrored previous tactics used to undermine institutional credibility through manipulated information and malicious cyber operations.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On the night of April 10, 2019, threat actors initiated a coordinated cyber-enabled disinformation campaign targeting Lithuanian Defense Minister Raimundas Karoblis and national defense institutions. Attackers deployed spear phishing emails spoofed to appear from a Ministry of Defense employee, distributing fabricated allegations of corruption involving Minister Karoblis. These messages claimed the minister accepted a $586,000 bribe during weapons procurement processes, falsely asserting documentary proof existed at a Lithuanian bank. The phishing campaign targeted high-level government recipients including the President’s Office, the Government, and the Seimas (Lithuanian parliament), incorporating links potentially directing to malicious addresses. Concurrently, attackers compromised regional media infrastructure to plant false content. They inserted a Lithuanian-language article containing the corruption allegations into the 'Kas vyksta Kaune' news portal and manipulated content in the Riga-based 'Baltic Times' English-language outlet. A separate fabricated article appeared on the U.S.-based 'OpEdNews' platform under the forged byline of Vytautas Benokraitis, CEO of Delfi Lithuania, who had no affiliation with the piece.
The Lithuanian Ministry of Defense publicly confirmed the multi-vector attack on April 14, characterizing it as a foreign government-sponsored operation designed to undermine confidence in national defense structures. The National Cyber Security Centre (NCSC) classified the incident as a social engineering campaign employing email spoofing and media manipulation tactics. Minister Karoblis stated the attacks sought to damage public trust in both his leadership and Lithuania’s armed forces. Disinformation spread through social media platforms following initial compromises of media outlets and phishing distribution. The NCSC issued public advisories urging citizens to critically evaluate online content while investigating technical indicators and attack methodologies. Historical analysis revealed parallels with January 2018 incidents where Lithuanian media outlets were hacked to distribute malicious emails to senior officials. Media outlet Delfi documented similarities in tactics, techniques, and procedures across these events, noting recurrent targeting of platforms like 'OpEdNews' for previous disinformation efforts including false NATO invasion narratives. The NCSC maintained an active investigation into the campaign’s infrastructure and attribution at the time of reporting.