The Case Against Covert Western Propaganda

PLUS: How the Belarusian Cyber Partisans burned a GRU illegal

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation and founding corporate sponsor Proofpoint.

Liberal democracies shouldn't run covert social media influence campaigns, but apparently someone didn't get the memo.

The Stanford Internet Observatory and Graphika, a social media analytics company, produced a joint report on a pro-Western social media influence campaign that was detected and dismantled by Meta and Twitter:

Our joint investigation found an interconnected web of accounts on Twitter, Facebook, Instagram, and five other social media platforms that used deceptive tactics to promote pro-Western narratives in the Middle East and Central Asia. The platforms’ datasets appear to cover a series of covert campaigns over a period of almost five years rather than one homogeneous operation.

These campaigns consistently advanced narratives promoting the interests of the United States and its allies while opposing countries including Russia, China, and Iran. The accounts heavily criticized Russia in particular for the deaths of innocent civilians and other atrocities its soldiers committed in pursuit of the Kremlin’s “imperial ambitions” following its invasion of Ukraine in February this year. A portion of the activity also promoted anti-extremism messaging.

Neither Twitter nor Meta publicly attributed the activity to any particular entity. Twitter thought activities it identified might be from the US and Great Britain, while Meta thinks the activity originated from the US.

The report found part of the data set that Twitter released was linked to an overt messaging campaign, the Trans-Regional Web Initiative (TRWI), a publicly acknowledged propaganda campaign run by the US's Special Operations Command. The rest of the Twitter data is "behaviorally distinct", although there were some limited links between the TRWI activity and the covert activity.

Although the goals of the campaigns appear to be pro-Western, the techniques used were much the same as in previously examined influence campaigns from other actors. These techniques included the use of conjured personas with artificially generated faces, the creation of fake media outlets, and using memes and short-form videos.

Alicia Wanless, director of the Partnership for Countering Influence Operations at the Carnegie Endowment, told Seriously Risky Business she was not surprised that pro-Western influence operations had been discovered.

"There have been many calls to respond in kind to Russian efforts in democracies, it's not surprising that there might be elements inside those countries that try. Part of the problem is that there is no coordination in most democracies around who is doing what in the information environment, leaving a lot of scope for parts of the military or intelligence community to run clandestine operations."

Should liberal democracies be running these kinds of covert influence campaigns? Wanless thinks it is an "open question, because democracies haven't exactly done a great job of articulating lines around what's acceptable in operations within the information environment and what isn't".

"That's the problem. We need to have a conversation around what that entails and draw objective lines and then stick to them ourselves," she says.

Dr. Jacob Wallis, head of disinformation research at the Australian Strategic Policy Institute (ASPI), told Seriously Risky Business that he broadly agreed with Wanless, and although democracies had been "reluctant to exploit the information domain in the post-war period", times had changed.

"We are moving from the golden era of globalisation to a return of great power competition where some competitors have consistently engaged in political warfare that includes influence operations… There are now a range of actors willing to exploit the information domain to achieve strategic gain… [They are] integrating influence operations into their toolkit and aligning it with other instruments of state power", he said.

Wallis thinks that democracies have to think about where their thresholds lie, and if they do decide to engage in influence operations, "we need clear mandates and lines of responsibility to do it without undermining our values".

The fundamental problem with covert influence operations — from a human rights point of view — is that these campaigns deny individuals the freedom to make their own choices. The information they receive is covertly manipulated to serve a state's interests, whereas ideally liberal democracies should be promoting information transparently to empower individuals to make their own choices. When liberal democracies are caught doing this sort of thing it undermines the state's moral authority.

Wanless pointed out that Meta had previously identified a smaller France-based operation with links to the French military that actively contested a Russian influence operation in the Central African Republic. In its announcement of the takedown Meta stated "our team found two campaigns — from France and Russia — actively engaging with one another, including by befriending, commenting, and criticizing the opposing side for being fake".

It's possible to come up with reasons that the pro-France operation was justifiable from a democratic point of view. For example, it didn't undermine France's democracy because it wasn't targeting French citizens. It promoted truth by spruiking France's policies in Francophone Africa rather than promoting lies. It was also perhaps in response to a malign Russian operation. Does that mean that under the right conditions countering a malign influence operation with a benign one is ok?

We think not. In our view, the strategic imperative to live up to democratic values outweighs whatever tactical benefits governments could gain with an influence campaign.

For a start, the gains from conducting covert influence operations do not seem very large. Neither the pro-France and pro-Western influence campaigns seem to have been very effective. Last week's report from Stanford and Graphika states the "vast majority of posts and tweets we reviewed received no more than a handful of likes or retweets, and only 19% of the covert assets we identified had more than 1,000 followers". It seems likely that reporting on the campaign was more impactful than the campaign itself.

Liberal democracies also have other options for countering covert influence campaigns. One option is to encourage greater transparency.

Most directly this could involve providing support for institutions which research influence operations such as the Stanford Internet Observatory and the Australian Strategic Policy Institute. Their work puts data releases from platforms into context so people and the mass media are armed with the information they need to draw their own conclusions (Disclosure: this author was previously employed at ASPI).

Stepping back a bit to the platform level, Meta and Twitter release information on influence campaigns voluntarily, but laws or regulations that require platforms to search for and release information about these campaigns would be better. In the case of TikTok, for example, it announced in July that it is developing a research API "to improve ease of access to public and anonymized data about content and activity on our platform". This is great, but is actually an example of the power of legislation. Some believe it was motivated by the European Digital Services Act, which contains a provision for researcher access to platform data.

Wallis thinks that increasing transparency is a must-do first step in tackling covert influence campaigns, but that in the broader context of geopolitical competition transparency is more than just analysis of influence operations. He pointed to Bellingcat, the online investigative research group, as an organisation that was exposing unacceptable behaviour by authoritarian states including Russia (see our next story).

Wallis is also a fan of section 402 in the draft 2023 US Intelligence Authorization Act. It requires "an unclassified report on the wealth and corrupt activities of the leadership of the Chinese Communist Party, including the General Secretary of the Chinese Communist Party and senior leadership officials in the Central Committee, the Politburo, the Politburo Standing Committee, and any other regional Party Secretaries".

In essence, this is an information campaign that serves US interests, but it's overt and transparent. Even if the report is slanted, at least people will know who's preparing it and what their biases are. Overt propaganda is fine!

Beyond transparency, governments also have options to more directly disrupt influence operations. During the 2018 US midterm elections, for example, US Cyber Command disrupted the Internet access of the Internet Research Agency (IRA), the organisation that was responsible for manipulating US social media in the lead-up to the 2016 US Presidential election. The operation — described as a single-day denial-of-service attack on the IRA — is probably not particularly significant on its own, but we believe an ongoing mission to identify and disrupt covert influence campaigns would be effective.

Still, despite other options available, the experts we consulted agreed that covert influence campaigns were a tool that liberal democracies could use. But the discussion as to whether we should use them, and how to do so without compromising our values has not yet taken place.

Bellingcat and Cyber Partisans Burn GRU Illegal

If you think you have problems, try creating a "legend" and convincing digital footprint for a spy these days.

Bellingcat, the online investigations organisation, used a hacked database provided by the Belarusian Cyber Partisans, a hacktivist organisation, to identify 'Maria Adela Kuhfeldt Rivera' as a Russian so-called 'illegal' deep-cover spy apparently attempting to infiltrate a NATO command centre in Naples.

The entire investigation, which took 10 months and was conducted jointly by Bellingcat, Der Spiegel, The Insider and La Repubblica is fascinating, but we can't help wondering whether Western intelligence agencies are poised to take advantage of open source information in this way. Bellingcat describes in the investigation as using:

data from open sources, publicly accessible archives, FOIA data from Peru, leaked Russian databases and interviews with people who had unsuspectingly befriended the Russian spy.

The initial seed for the investigation was provided by a Belarus border crossing database that the Cyber Partisans provided to Bellingcat. Taking advantage of a spectacularly bad OPSEC lapse — the GRU (a Russian military intelligence agency) issued its spies with sequentially numbered passports — Bellingcat was able to identify Maria Adela as potentially a person of interest based on her passport number being in the range issued to other GRU spies. (The Grugq discussed the Cyber Partisans with yours truly in this podcast.)

Using a combination of sources, the investigation was able to trace Maria Adela from her 'creation myth' through to her current location in Moscow living as Olga Kolobova.

Kolobova's return to Moscow was triggered by a late-2018 Bellingcat publication that revealed the GRU's massive passport lapse — passport data from two suspects in the Skripal poisoning revealed links to Russian security services. Amazingly, Bellingcat has call data records that show a web of phone calls sparked by this revelation, including from the head of the GRU's illegals program to the GRU's chief.

It's not clear how successful her espionage efforts were, but prior to her return to Moscow Kolobova, aka Maria Adela, had infiltrated the social circles of NATO officers linked to the Allied Joint Force Command in Naples, Italy. She was secretary of the Lions Club branch next to NATO Command, which happened to be full of NATO staff.

This is a fantastic example of how leaked, hacked and publicly available data can be aggregated and analysed to develop intelligence with real impact. Bellingcat queried a number of leaked Russian databases it had to build evidence. For some of these, the absence of information is the signal — part of the evidence linking Olga Kolobova to Maria Adela is that:

Olga Kolobova had no digital footprint in Moscow prior to 2018. Not a single address registration, traffic violation, or phone number registration were discovered in any of dozens of leaked Moscow databases. However, this person had a very active digital presence that began in November 2018 – just about the time when “Maria Adela” would have returned to Moscow.

Her Peruvian citizenship documents fell apart under scrutiny, too. The church she claimed to be baptised in wasn't established until nine years later.

The Russians probably aren't making the same mistake with passport numbers lately, but another Bellingcat post points out that when it comes to leaked databases the Internet is forever:

While Russia is able to change its records for its own internal records and databases, the widespread proliferation of leaked Russian databases serves a continuing threat to the secrecy of Russia’s security service operatives. Russia can modify its internal, active records, but once a database is scraped and leaked online, it is fossilised at the point of leaking — in other words, Russia cannot modify the thousands of offline copies of databases floating around on torrents, leaving any potentially dangerous information out of reach of the state.

Bellingcat's investigation highlights the tremendous opportunity intelligence agencies have to harvest publicly available information to not only enrich classified sources, but also be central to the analysis process.

There are huge organisational, cultural, and legislative barriers here though.

For a start, current organisational structures deliberately separate the intelligence disciplines into separate organisations — in the Five Eyes SIGINT and HUMINT functions are typically housed in separate organisations such as NSA and GCHQ for SIGINT and CIA and the UK's SIS (MI6) for HUMINT. These organisations specialise in their own discipline and then tend to sprinkle some open source pixie dust on top.

But OSINT should be much more than that. The opportunity in open source intelligence is huge. Hopefully, someone, somewhere is squirrelling away all those unsecured Chinese databases…

Three Reasons to be Cheerful this Week:

  1. FTC sues data broker: The US Federal Trade Commission is suing data broker Kochava for "for selling geolocation data from hundreds of millions of mobile devices that can be used to trace the movements of individuals to and from sensitive locations". The FTC claims in its complaint that even in the free sample data that Kochava provided it was possible to "identify a mobile device that visited a women's reproductive health clinic and trace that mobile device to a single-family residence". Ars Technica has a good write up.
  2. Google announces new reward program for Google open source software (OSS): This week Google announced a rewards program for vulnerabilities in Google's open source software projects. Happily, the program also covers flaws in the third party dependencies that Google OSS relies on.
  3. Ciphr plans to shut down: The encrypted phone company Ciphr is reportedly planning to shut down. The service is used by organised crime groups but according to Vice Motherboard "not enough resellers took up Ciphr on its plan to shift the responsibility for Mobile Device Management (MDM) away from the company itself to individual resellers". We are curious to see what communication channels organised criminals migrate to.

Proofpoint is our founding corporate sponsor, and its work with PWC on Chinese APT attacks on organisations operating in the South China Sea is excellent reading. You can find it below:



Last week we wrote about a phishing campaign targeting Twilio that was leveraged to hijack a journalist's Signal account. The entirety of the campaign is coming into view and it has targeted, with limited success, hundreds of organisations. Brian Krebs has an excellent account of the affair.

The message is pretty clear — One Time Password-based MFA is not particularly effective any more. Cloudflare, one of the organisations targeted, was unaffected because it uses hardware security keys.

Ransomware Interview

Recorded Future analyst and product manager Dmitry Smilyanets has an interview with prolific cybercriminal Mikhail Matveev (aka Wazawaka) at The Record.

The bad news: Matveev says "there is no such money anywhere as there is in ransomware… at the moment, ransomware remains the leader in monetization. There are no other schemes on the internet that would carry more monetization. Or I don’t know about them yet."

The good news, which directly and weirdly contradicts the bad news: "ransomware will soon die — not in three years, but sooner. Literally, everything has changed over the last six months. Since the beginning of the special operation in Ukraine, almost everyone has refused to pay."

Risky Biz Talks

In addition to a podcast version of this newsletter (last edition here), the Risky Biz News feed  (RSS, iTunesor Spotify) also publishes interviews.

In the last "Between Two Nerds" discussion Tom Uren and The Grugq discuss why they hate the term 'cyberwar' and the role cyber operations play in warfare.

And Catalin Cimpanu interviews Vitali Kremez, CEO of Advanced Intelligence, about the impending downfall of the Ransomware-as-a-Service ecosystem.

From Risky Biz News:

Getting bored of cyberwar: an academic study published last week puts numbers and research behind the theory that most of the hacktivist activity that surrounds the Russian-Ukrainian conflict was and is poorly coordinated and had no real impact on the "cyberwar" that actually takes place between the two countries.

The paper—entitled "Getting Bored of Cyberwar: Exploring the Role of the Cybercrime Underground in the Russia-Ukraine Conflict"—looked at data from two months before and four months after the war's start

The participants mostly used off-the-shelf tools, which suggested that most were low-skilled actors, at best. As time went by, the activity subsided, and the researchers said they didn't find any hard evidence to suggest that the cybercrime underground was making any meaningful impact on the cyberwar compared to the damage caused in the actual kinetic war. (continued)

Tykelab linked to SS7 attacks: Investigative journalism group Lighthouse Reports says Italian company Tykelab appears to be in possession of a global telecommunications tracking system that allows it to track mobile devices by abusing the SS7 telephony protocol. The news comes after Tykelab was linked to a powerful Android and iOS spyware strain named Hermit back in June by cybersecurity firm Lookout. Now, Lighthouse Reports says that Tykelab, which appears to be a front for known Italian surveillance vendor RCS Lab, has also been abusing "dozens of phone networks, often on remote Pacific islands" to spy on targets across the world, in countries such as Italy, Libya, Nicaragua, Malaysia, Costa Rica, Iraq, Mali, Greece, and Portugal.

Chinese actors target the Australian Government and Wind Turbine Fleets in South China Sea: As we mentioned in the sponsor section, Proofpoint and PwC researchers said they identified a suspected Chinese cyber-espionage operation active from April 2022 through June, delivering the ScanBox exploitation framework to targets who visit a malicious domain posing as an Australian news website. The targets and focus of this TA423/Red Ladon operation were Australian domestic organisations, as well as entities involved with offshore energy exploration in the South China Sea.