🕵️‍♂️ Emoji Investigator ™

questionable content, possibly linked 🔎 👣 💡


Identical messages in name order (botnets)

Computerworld, Sept. 2017:

“Many of the phony accounts fired off “identical messages seconds apart – and in the exact alphabetical order of their made-up names.””
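The pattern in the Computerworld quote (identical text, seconds apart, accounts in alphabetical order) can be checked mechanically. The sketch below is an added example, not code from Computerworld or any platform; the account names, timestamps, the 10-second gap and the 4-account minimum are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import factorial
import re


@dataclass(frozen=True)
class Post:
    account: str
    posted_at: datetime
    text: str


@dataclass(frozen=True)
class Burst:
    text: str
    accounts: tuple         # distinct accounts, in posting order
    span_seconds: float
    alphabetical: bool      # posting order equals name order
    chance_of_order: float  # 1/n!: odds that n independent posters land in name order


def normalize(text):
    """Collapse case and whitespace so cosmetic differences do not hide a copy."""
    return re.sub(r"\s+", " ", text).strip().casefold()


def find_bursts(posts, max_gap=timedelta(seconds=10), min_accounts=4):
    """Group identical messages into runs posted at most max_gap apart."""
    by_text = defaultdict(list)
    for post in posts:
        by_text[normalize(post.text)].append(post)

    bursts = []
    for text, group in by_text.items():
        group.sort(key=lambda p: p.posted_at)  # stable: ties keep input order
        run = [group[0]]
        for post in group[1:] + [None]:        # trailing None flushes the last run
            if post is not None and post.posted_at - run[-1].posted_at <= max_gap:
                run.append(post)
                continue
            accounts = tuple(dict.fromkeys(p.account for p in run))
            if len(accounts) >= min_accounts:
                names = [a.casefold() for a in accounts]
                span = (run[-1].posted_at - run[0].posted_at).total_seconds()
                bursts.append(Burst(text, accounts, span,
                                    names == sorted(names),
                                    1 / factorial(len(accounts))))
            run = [post] if post is not None else []
    return bursts


def _t(seconds):
    return datetime(2017, 9, 1, 12, 0, 0) + timedelta(seconds=seconds)


# Constructed sample data: one scripted burst, one organic coincidence, one stray post.
SAMPLE_POSTS = [
    Post("amy_carter_88", _t(0), "Everyone should see this! #ExampleTag"),
    Post("ben_dawson_12", _t(2), "Everyone should see this! #ExampleTag"),
    Post("cara_ellis_45", _t(4), "Everyone should see this! #ExampleTag"),
    Post("dan_fisher_07", _t(7), "everyone should see  this! #exampletag"),
    Post("eve_grant_31", _t(9), "Everyone should see this! #ExampleTag"),
    Post("zoe_reads", _t(1), "Happy Friday everyone"),
    Post("mike_h", _t(6), "happy friday everyone"),
    Post("anna_p", _t(11), "Happy Friday everyone"),
    Post("tom_w", _t(15), "Happy Friday everyone"),
    Post("lone_user", _t(3), "Anyone know a good pizza place?"),
]

if __name__ == "__main__":
    for burst in find_bursts(SAMPLE_POSTS):
        verdict = "ALPHABETICAL" if burst.alphabetical else "unordered"
        print(f"{verdict:12} {len(burst.accounts)} accounts in "
              f"{burst.span_seconds:.0f}s (chance of order {burst.chance_of_order:.4f}): "
              f"{burst.text!r}")
```

Identical text alone also matches ordinary greetings and retweet-style copies; the name-order check is what separates a script iterating over a sorted account list from coincidence.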

Good quote:

“In the very near future, it’s likely that the focus of IT security will be forced to shift from keeping information safe to keeping information true.”

 

Shepherds & Sheepdogs (Botnets)

Good Rolling Stone November 2016 article on Medium with this description of how botnets may operate:

“To explain how they work, Ben Nimmo, a fellow at the Atlantic Council’s Digital Forensic Research Lab, uses a shepherding analogy. “A message that someone or some organization wants to ‘trend’ is typically sent out by ‘shepherd’ accounts,” he says, which often have large followings and are controlled by humans. The shepherds’ messages are amplified by ‘sheepdog’ accounts, which are also run by humans but can be default-set “to boost the signal and harass critics.” At times, the shepherds personally steer conversations, but they also deploy automation, using a kind of Twitter cruise control to retweet particular keywords and hashtags. Together, Nimmo says, the shepherds and sheepdogs guide a herd of bots, which “mindlessly repost content in the digital equivalent of sheep rushing in the same direction and bleating loudly.””

Overall description bears similarity to the description of LOIC/Low Orbit Ion Cannon, as described in this February 2011 Wired article about the guy who brought the HB Gary leaks down on himself:

“The report that came back focused on the Low Orbit Ion Cannon, a tool originally coded by a private security firm in order to test website defenses. The code was open-sourced and then abandoned, but someone later dusted it off and added “hivemind mode” that let LOIC users “opt in” to centralized control of the tool. With hundreds or thousands of machines running the stress-test tool at once, even major sites could be dropped quickly.”

Volodin’s Prism

Continuing a branch from Internet Research Agency source reference sheet.

Chen, 2015, NYT article:

“Volodin, a lawyer who studied engineering in college, approached the problem as if it were a design flaw in a heating system. Forbes Russia reported that Volodin installed in his office a custom-designed computer terminal loaded with a system called Prism, which monitored public sentiment online using 60 million sources. According to the website of its manufacturer, Prism “actively tracks the social media activities that result in increased social tension, disorderly conduct, protest sentiments and extremism.” Or, as Forbes put it, “Prism sees social media as a battlefield.””

Difficult to find other sources on the subject of Volodin’s Prism. NYT is plenty canonical for present purposes, but seems like Forbes source should be easier to trace.

I don’t trust 4chan as a source, but on /pol/ May 2014 there is what may be an auto-translated paragraph, which reads:

“At present, the Russian special services have no control over these sites , however, conduct external monitoring events, and look for the ” holes” in the protection of resources to deal with the political opposition , they can already .Note , some media reported earlier to establish a system to monitor social media developed by “Medialogia” . Program “Prism” supposedly allows you to track detached blog sites and social networks by scanning 60 million sources and tracking key statements users. Under the “eye” of the program were blogs users «LiveJournal», «Twitter», «YouTube», other portals . One of the alleged instances of the program installed in the office of the first deputy head of the department of internal policy of the presidential administration Vyacheslav Volodin , RBC reports “

RBC has the recent famous IRA article, so perhaps I can find whatever the source might be here (if real).

Medialogia is a new entity here.

Searching more turns up this January 2014 piece from globalvoices.org (not sure who/what that is).

“The Russian Federal Protective Service (FSO) is asking software developers to design a system that automatically monitors the country’s news and social media, producing reports that study netizens’ political attitudes. The state is prepared to pay nearly one million dollars over two years to the company that wins the state tender, applications for which were due January 9, 2014.”

Link to the site where the tender is listed. Name, auto-translated from Russian:

“Providing services for providing the results of automatic selection of media information, studying the information field, monitoring blogs and social media”

“Organization:
Special communication of the FSO of Russia

Mailing address
Russian Federation, 107031, Moscow, Bolshoy Kiselny lane, house 4,

[…]

The contact person
Karygin Mikhail Yakovlevich”

Globalvoices also links out to iz.ru January 2014 article (auto-translated).

“Professionals, using specialized systems, will have to provide FSO with a personal compilation of messages from bloggers, which will allow daily monitoring of significant events on specific topics and regions. In addition, monitor negative or positive color of events. Information materials will be preliminarily processed, they will be grouped on specific topics: the president, the administration of the president’s administration, the prime minister, opposition protests, governors, negative events in the country, incidents, criticism of the authorities.”

Advox / Globalvoices (supported by Ford Foundation), which I’m starting to agree with, also says, in regards to the above iz.ru article:

“Izvestia’s coverage of the story bears all the hallmarks of Kremlin-friendly reportage, sandwiching comments by one critic of the FSO between two supporters of monitoring the Internet.”

Globalvoices links to this as the Medialogia website.

This text from their corporate site seems to match pretty well the Prism NYT description at top:

“Blog monitoring and analysis reports

Medialogia offers regular blogosphere monitoring and analysis for companies. Monitoring sources: more than 40,000 social media, including LiveJournal, Twitter, VKontakte, Blogi@Mail.ru, Ya.ru, industry blogs and forums.”

Is this a real company and product? Hard to really tell.

Tacking this on here, though not strictly related – it came up in similar searches and seems worth saving: Russia Beyond, December 2016 on new Russian cyber-security doctrine.

In his words, Russia’s government has paid special attention to countering new “Twitter revolutions,” those similar to the ones that occurred in the Middle East in the beginning of the decade.

“The Arab Spring demonstrated that Facebook, Twitter and other instant messaging services allow a lot of content that threatens social and political stability. The main thing is that we don’t have an effective model for blocking such processes,” said Demidov.

 

 

Internet Research Agency Overview

This June 2015 Adrian Chen NY Times piece is kinda the ‘canonical’ source with regards to the alleged Russian-government-linked Internet Research Agency.

  • Address: 55 Savushkina Street, St. Petersburg

“The Columbian Chemicals hoax was not some simple prank by a bored sadist. It was a highly coordinated disinformation campaign, involving dozens of fake accounts that posted hundreds of tweets for hours, targeting a list of figures precisely chosen to generate maximum attention. The perpetrators didn’t just doctor screenshots from CNN; they also created fully functional clones of the websites of Louisiana TV stations and newspapers. The YouTube video of the man watching TV had been tailor-made for the project. A Wikipedia page was even created for the Columbian Chemicals disaster, which cited the fake YouTube video. As the virtual assault unfolded, it was complemented by text messages to actual residents in St. Mary Parish. It must have taken a team of programmers and content producers to pull off.”

  • Informant, supposed former employee: Ludmila Savchuk

“The first thing employees did upon arriving at their desks was to switch on an Internet proxy service, which hid their I.P. addresses from the places they posted; those digital addresses can sometimes be used to reveal the real identity of the poster. Savchuk would be given a list of the opinions she was responsible for promulgating that day. Workers received a constant stream of “technical tasks” — point-by-point exegeses of the themes they were to address, all pegged to the latest news.”

“The point was to weave propaganda seamlessly into what appeared to be the nonpolitical musings of an everyday person.”

“Management was obsessed with statistics — page views, number of posts, a blog’s place on LiveJournal’s traffic charts — and team leaders compelled hard work through a system of bonuses and fines. “It was a very strong corporate feeling,” Savchuk says. Her schedule gave her two 12-hour days in a row, followed by two days off. Over those two shifts she had to meet a quota of five political posts, 10 nonpolitical posts and 150 to 200 comments on other workers’ posts.”

Savchuk:

“While employed there, she copied dozens of documents to her personal email account and also plied her co-workers for information. She made a clandestine video of the office. In February, she leaked it all to a reporter for Moi Raion, a local newspaper known for its independent reporting. The documents, together with her story, offered the most detailed look yet into the daily life of a pro-Kremlin troll.”

  • Russian media claims IRA is funded by restaurateur Evgeny Prigozhin
  • Prigozhin –> Concord (holding company)
  • An employee of Concord was spotted as IRA team leader
  • Concord approves payments to IRA (leaked emails)

“The boom in pro-Kremlin trolling can be traced to the antigovernment protests of 2011, when tens of thousands of people took to the streets after evidence of fraud in the recent Parliamentary election emerged. The protests were organized largely over Facebook and Twitter and spearheaded by leaders, like the anticorruption crusader Alexei Navalny, who used LiveJournal blogs to mobilize support. The following year, when Vyascheslav Volodin, the new deputy head of Putin’s administration and architect of his domestic policy, came into office, one of his main tasks was to rein in the Internet. Volodin, a lawyer who studied engineering in college, approached the problem as if it were a design flaw in a heating system. Forbes Russia reported that Volodin installed in his office a custom-designed computer terminal loaded with a system called Prism, which monitored public sentiment online using 60 million sources. According to the website of its manufacturer, Prism “actively tracks the social media activities that result in increased social tension, disorderly conduct, protest sentiments and extremism.” Or, as Forbes put it, “Prism sees social media as a battlefield.””

[Note: unable to find original source on Forbes mention. Also, is there some link to PRISM (surveillance program)?]

Russian crackdowns on internet (same NYT source):

“Laws were passed requiring bloggers to register with the state. A blacklist allowed the government to censor websites without a court order. Internet platforms like Yandex were subjected to political pressure, while others, like VKontakte, were brought under the control of Kremlin allies. Putin gave ideological cover to the crackdown by calling the entire Internet a “C.I.A. project,” one that Russia needed to be protected from.”

Columbian Chemicals hoax:

“The chain that links the Columbian Chemicals hoax to the Internet Research Agency begins with an act of digital subterfuge perpetrated by its online enemies. Last summer, a group called Anonymous International — believed to be unaffiliated with the well-known hacktivist group Anonymous — published a cache of hundreds of emails said to have been stolen from employees at the agency.”

… “The emails indicated that the Internet Research Agency had begun to troll in English. One document outlined a project called “World Translation”; the problem, it explained, was that the foreign Internet was biased four to one against Russia, and the project aimed to change the ratio. Another email contained a spreadsheet that listed some of the troll accounts the agency was using on the English-language web. After BuzzFeed reported on the leak, I used the spreadsheet to start mapping the network of accounts on Facebook and Twitter, trying to draw connections.”

[Note: I believe this is the Buzzfeed reporting from June 2014.

Trying to locate a copy of the actual leaks (presumably in Russian?), and the described spreadsheet.

Independent Russian newspaper account of infiltrating the agency.]

“Soshnikov showed me how he used a service called Yomapic, which maps the locations of social-media users, to determine that photos posted to Infosurfing’s Instagram account came from 55 Savushkina. He had been monitoring all of the content posted from 55 Savushkina for weeks and had assembled a huge database of troll content.”

  • FAN – Federal News Agency shares same address / building.
  • People’s News, same address

I can see now why that 2015 Chen NYT article is the canonical source for all this stuff.

Jumping to Buzzfeed’s 2014 reporting on the Internet Research Agency leaked emails from Anonymous International:

“The documents show instructions provided to the commenters that detail the workload expected of them. On an average working day, the Russians are to post on news articles 50 times. Each blogger is to maintain six Facebook accounts publishing at least three posts a day and discussing the news in groups at least twice a day. By the end of the first month, they are expected to have won 500 subscribers and get at least five posts on each item a day. On Twitter, the bloggers are expected to manage 10 accounts with up to 2,000 followers and tweet 50 times a day.”

  • Names as IRA leader: Igor Osadchy
  • Possibly founded in April 2014

Buzzfeed article links to this Russian site as holding the leaked emails. I clicked the link at the site and was redirected to a mega.nz page telling me the file was unavailable because the account had multiple Terms of Service violations.

[Note: immediately after that, I experienced an unusual glitch on my self-hosted WordPress site telling me my session had expired and to log back in. Suspicious!]

Still can’t find the Buzzfeed 2014 Anonymous leaked spreadsheet of account names. But in November 2017, Recode published the House Intelligence committee blocked Twitter account list. Perhaps there is some cross-over?

Meduza 2015 article about Shaltai Boltai (Humpty Dumpty), the hacker group responsible for IRA leaks.

“Shaltai also released documents about how Concord, a company owned by Kremlin-connected restaurant owner Evgeny Prigozhin, apparently coordinates an army of pro-Putin “Internet trolls” through an outfit called the Internet Research Agency.

Igor Osadchy, whom the leaked emails name as the director of Translator, a project at the Internet Research Agency tasked with placing comments in foreign news media, later sued Shaltai for personal data theft. A representative at Roskomnadzor, Russia’s federal agency for media oversight, then announced, “A court has determined that the information [published by Shaltai] must be deleted, but the website’s hosting provider has not responded to our notification. Therefore, our agency has ordered Internet Service Providers to block this blog.” On July 27, 2014, acting on orders from Roskomnadzor, Russian ISPs blocked access to the domain b0ltai.org. The group’s main Twitter account, @b0ltai, was also blocked. Today, Shaltai’s website is accessible in Russia only via VPN or a mirror site. The group also runs @b0ltai2, a duplicate Twitter account, still unblocked in Russia, that reproduces all the first account’s posts, down to its retweets.”

… “In August 2014, Anonymous International released archives from three different email accounts allegedly belonging to Dmitri Medvedev, as well as correspondence from Duma deputy and United Russia member Robert Shlegel about an organized “troll” attack on the websites of major American and British news media (including The New York Times, CNN, the BBC, USA Today, and The Huffington Post).”

The Atlantic, October 2013 article about online Russian propaganda trolls.

  • Article lists St. Petersburg address: 131 Lakhtinsky Prospekt
  • 8 hr not 12 hr days
  • Free lunch
  • Uncertain name of above outfit. IRA mentioned seemingly separately. Other Google searches for this address point to same source text.

Adrian Chen, New Yorker July 2016 article about Russian hacks.

RBC.ru Russian language article about Internet Research Agency, October 2017. [Quotes via Google Translate Chrome extension]

“[The IRA ran] at least 118 communities and accounts on Facebook, Instagram and Twitter […] In August-September 2017, all identified communities with a combined audience of 6 million people were blocked by Facebook and Twitter.”

… “Communities associated with the “troll factory” for two years initiated about 40 offline events in the US cities, said a source close to the leadership of the organization.”

… “Assistance in their conduct was provided by approximately 100 local activists who, according to the interlocutors of RBC magazine, did not know who they were dealing with: all communication was on the Internet, in English and from fake accounts.”

RBC.ru source is probably another “canonical”-ish source, which many other news articles refer to.

Guardian, April 2015 article on Russian troll factory.

“The Guardian spoke to two former employees of the troll enterprise, one of whom was in a department running fake blogs on the social network LiveJournal, and one who was part of a team that spammed municipal chat forums around Russia with pro-Kremlin posts. Both said they were employed unofficially and paid cash-in-hand.”

… ““We had to write ‘ordinary posts’, about making cakes or music tracks we liked, but then every now and then throw in a political post about how the Kiev government is fascist, or that sort of thing,” she said.

Scrolling through one of the LiveJournal accounts she ran, the pattern is clear. There are posts about “Europe’s 20 most beautiful castles” and “signs that show you are dating the wrong girl”, interspersed with political posts about Ukraine or suggesting that the Russian opposition leader Alexei Navalny is corrupt.”

… “Instructions for the political posts would come in “technical tasks” that the trolls received each morning, while the non-political posts had to be thought up personally.”

… “The trolls worked in teams of three. The first one would leave a complaint about some problem or other, or simply post a link, then the other two would wade in, using links to articles on Kremlin-friendly websites and “comedy” photographs lampooning western or Ukrainian leaders with abusive captions.

Marat shared six of his technical task sheets from his time in the office with the Guardian. Each of them has a news line, some information about it, and a “conclusion” that the commenters should reach.”

“Leaked documents have linked the opaque company running the troll factory to structures close to the Kremlin, but there has been no hard evidence.”

Buzzfeed June 2014 about how IRA targeted Harry Potter fans, and other topics.

Guardian November 2016 article on government manipulation of social media.

“In 2011 the PR firm Bell Pottinger told undercover journalists that they could “create and maintain third-party blogs”, and spruce up Wikipedia profiles and Google search rankings.”

Links out to BBC March 2012 article about Bell Pottinger Wikipedia scandal.

Telegraph June 2015 article on Savchuk:

“She was put in the so-called Special Projects department using the LiveJournal blogging platform, where, she says, “people pretending to be individual bloggers – a fortune teller, a soldier, a Ukrainian man – had to, between posts about daily life or interesting facts, insert political reflections”.”

New York Times, May 2016 about Finnish activist exposing Russian trolls:

““They fill the information space with so much abuse and conspiracy talk that even sane people start to lose their minds,” she added.”

… “Pro-Russian activists insist that they are merely exercising their right to free speech, and that they do not take money or instructions from Moscow.”

Newsweek, October 2017 article on trolls, bots and fake news.

Regarding Azerbaijan:

“Social media has been a part of his presidential strategy since at least 2010, when members of the country’s main youth group, IRELI, were instructed to proliferate pro-government opinions online. As troll training-centers multiplied across the country—one source says there were 52 in different towns and cities, funded with government money…”

Article compares pro-government troll efforts around the world ^.

“It is estimated that 45% of Twitter activity in Russia is managed by such accounts.”

Estimated how, and by whom?

Independent, October 2017, accounts of IRA from a supposed former employee.

[Note, WordPress won’t accept article link: http://www.independent.co.uk/news/world/americas/us-politics/hillary-clinton-sex-tape-russia-body-double-troll-farm-employee-claims-a8023901.html ]

“He worked at the company from November 2014 to April 2015 and said he would impersonate “Kentucky rednecks” and African-Americans online on a regular basis.”

Daily Beast, Oct. 2017, version of same story.

“And Baskaev fingered Putin pal Yevgeny Prigozhin as his former “boss,” or “our guy who gives us money.” But the real head of the American department, he said, was the Azerbaijani-born Dzheykhun Aslanov—known simply as “Jay.””

Wired, September 2017 article discussing switch from IRA name to Glavset:

[Link problem continuing: https://www.wired.com/story/facebook-may-have-more-russian-troll-farms-to-worry-about/ ]

“The IRA, which was the subject of a 2015 New York Times Magazine investigation, may have been behind many of the bogus Facebook ads, the company says.

Of course, things aren’t as simple as that. Russian corporate records indicate Internet Research Agency has been inactive since December 2016. But that doesn’t mean that Russians no longer engage in such activity. According to Russia researchers at the liberal advocacy group Center for American Progress, there’s reason to believe the Internet Research Agency is operating under a new name: Glavset.

A Russian tax filing reveals that Glavset, which launched in February 2015, operates out of the same office building—55 Savushkin Street in St. Petersburg—that once housed the Internet Research Agency. The filing lists Mikhail Ivanovich Bystrov, former head of the Internet Research Agency, as its general director.”

… “It’s not clear whether Glavset purchased political ads on Facebook, or any other platform. A Facebook spokesman could not immediately say whether Facebook uncovered any ads placed by Glavset in the investigation it revealed Wednesday. That probe found 470 inauthentic pages and accounts affiliated with Internet Research Agency; Facebook turned that information over to special counsel Robert Mueller.”

NY Times, September 2017: fake Russian accounts bought $100,000 in ads on Facebook.

“Facebook officials said the fake accounts were created by a Russian company called the Internet Research Agency, which is known for using “troll” accounts to post on social media and comment on news websites.”

Is there a link to a blog post or other official testimony of them linking these accounts and ad buys to IRA?

Same source:

“Mr. Stamos wrote that while some of the ads specifically mentioned the two candidates, most focused instead on issues that were polarizing the electorate: “divisive social and political messages across the ideological spectrum — touching on topics from LGBT matters to race issues to immigration to gun rights.””

Ah, here we go, looks like the NYT source for the Stamos Facebook account quotes–a September 2017 Facebook security post.

Describes multiple sets of review data:

“In reviewing the ads buys, we have found approximately $100,000 in ad spending from June of 2015 to May of 2017 — associated with roughly 3,000 ads — that was connected to about 470 inauthentic accounts and Pages in violation of our policies. Our analysis suggests these accounts and Pages were affiliated with one another and likely operated out of Russia.”

The second, broader review:

“In this latest review, we also looked for ads that might have originated in Russia — even those with very weak signals of a connection and not associated with any known organized effort. This was a broad search, including, for instance, ads bought from accounts with US IP addresses but with the language set to Russian — even though they didn’t necessarily violate any policy or law. In this part of our review, we found approximately $50,000 in potentially politically related ad spending on roughly 2,200 ads.”

August 2017 announcement by Facebook they will not allow advertising by pages that repeatedly share fake news.

Jumping back for a second to NYT Sept. 2017 article linked above:

“One question underlying the investigation of possible collusion between the Trump campaign and Russia is whether Russia-sponsored operators would have needed any guidance from American political experts. Facebook said that some of the ads linked to Russian accounts had targeted particular geographic areas, which may raise questions about whether anyone had helped direct such targeting.”

Wikipedia Web brigades article.

Linked off the Wikipedia page: November 2017, Washington Post.

“President Trump retweeted content from a fake account affiliated with Russia, a member of a Senate Judiciary Subcommittee revealed this week.

The account in question, @10_gop, tweeted “We love you, Mr. President,” and Trump retweeted the post saying “So nice, thank you!” on Sept. 19.”

“FOLLOW THE MEMES…”

Wikipedia web brigades page continuing:

“Any blog post written by an agency employee, according to the leaked files, must contain “no fewer than 700 characters” during day shifts and “no fewer than 1,000 characters” on night shifts. Use of graphics and keywords in the post’s body and headline is also mandatory. In addition to general guidelines, bloggers are also provided with “technical tasks” – keywords and talking points on specific issues, such as Ukraine, Russia’s internal opposition and relations with the West.[21]”

… “In 2015 Lawrence Alexander disclosed a network of propaganda websites sharing the same Google Analytics identifier and domain registration details, allegedly run by Nikita Podgorny from Internet Research Agency. The websites were mostly meme repositories focused on attacking Ukraine, Euromaidan, Russian opposition and Western policies. Other websites from this cluster promoted president Putin and Russian nationalism, and spread alleged news from Syria presenting anti-Western viewpoints.[37]”

… “In August 2015 Russian researchers correlated Google search statistics of specific phrases with their geographic origin, observing increases in specific politically loaded phrases (such as “Poroshenko”, “Maidan”, “sanctions”) starting from 2013 and originating from very small, peripheral locations in Russia, such as Olgino, which also happens to be the headquarters of the Internet Research Agency company.[38]”
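The Lawrence Alexander finding quoted above rests on a simple linkage: sites that embed the same Google Analytics account ID, or share registration details, are probably run by the same operator. The sketch below is an added example, not Alexander's code; the domains, IDs and registrant e-mail are constructed, and the WHOIS e-mail is assumed to have been collected separately.

```python
import re
from collections import defaultdict

# Classic Universal Analytics property IDs look like UA-<account>-<property>;
# the account number is what ties separate sites to one Analytics login.
UA_ID = re.compile(r"\bUA-(\d{4,10})-\d{1,4}\b")


def identifiers(site, ignore=frozenset()):
    """Return the linkable identifiers one site exposes."""
    ids = {f"ga:UA-{acct}" for acct in UA_ID.findall(site["html"])}
    if site.get("registrant_email"):
        ids.add("whois:" + site["registrant_email"].strip().lower())
    # 'ignore' is for identifiers known to be shared by unrelated sites,
    # e.g. a privacy-proxy WHOIS address or an ID baked into a public template.
    return ids - set(ignore)


def cluster_sites(sites, ignore=frozenset()):
    """Union sites that share any identifier; return clusters of 2+ domains."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    shared = defaultdict(set)  # identifier -> domains carrying it
    for site in sites:
        find(site["domain"])
        for ident in identifiers(site, ignore):
            shared[ident].add(site["domain"])

    for domains in shared.values():
        first, *rest = sorted(domains)
        for other in rest:
            parent[find(first)] = find(other)

    groups = defaultdict(set)
    for site in sites:
        groups[find(site["domain"])].add(site["domain"])

    clusters = []
    for members in groups.values():
        if len(members) < 2:
            continue
        links = sorted(i for i, d in shared.items() if len(d) > 1 and d <= members)
        clusters.append({"domains": sorted(members), "linked_by": links})
    return sorted(clusters, key=lambda c: c["domains"])


# Constructed sample input: page source snippets plus WHOIS registrant e-mails.
SAMPLE_SITES = [
    {"domain": "memes-one.example",
     "html": "<script>ga('create', 'UA-1234567-1', 'auto');</script>"},
    {"domain": "news-two.example",
     "html": "<script>gtag('config', 'UA-1234567-4');</script>",
     "registrant_email": "ops@registrant.example"},
    {"domain": "patriot-three.example",
     "html": "<html><body>no analytics tag</body></html>",
     "registrant_email": "OPS@registrant.example"},
    {"domain": "blog-four.example",
     "html": "<script>ga('create', 'UA-7654321-1', 'auto');</script>",
     "registrant_email": "someone@other.example"},
    {"domain": "shop-five.example",
     "html": "<script>ga('create', 'UA-9999999-2', 'auto');</script>"},
]

if __name__ == "__main__":
    for cluster in cluster_sites(SAMPLE_SITES):
        print(", ".join(cluster["domains"]), "<-", ", ".join(cluster["linked_by"]))
```

Here `patriot-three.example` carries no Analytics tag at all and joins the cluster only through the registrant e-mail it shares with `news-two.example`, which is why the two identifier types are merged into one graph.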

Wikipedia Internet Research Agency page:

Wikipedia, re: Trolls from Olgino:

“The group’s office in Olgino, a historical district of Saint Petersburg, was exposed by Novaya Gazeta newspaper in 2013.[3]”

… “According to journalists’ investigations, the office in Olgino was named as Internet Research Agency Ltd. (Russian: ООО «Агентство интернет-исследований»).[3][8] The company was founded in the summer of 2013.[6]”

Below citations link out to Russian language sites (for possible use to establish time-line):

“In 2014, according to Russian media, Internet Research Ltd. (Russian: ООО «Интернет исследования»), founded in March 2014, joined the agency’s activity. Novaya Gazeta newspaper claim this company to be a successor of Internet Research Agency Ltd.[10] Internet Research Ltd. is considered to be linked to Yevgeny Prigozhin, head of the holding company Concord. The “Trolls of Olgino” from Saint Petersburg are considered to be his project. As of October 2014, the company belonged to Mikhail Bystrov, who had been the head of the police station at Moscow district of Saint Petersburg.[11]”

… “Russian media point out that according to documents, published by hackers from Anonymous International, Concord is directly involved with trolling administration through the agency. Researchers cite e-mail correspondence, in which Concord gives instructions to trolls and receives reports on accomplished work.[5]”

… “59°59′03.5″N 30°16′19.1″E

According to Russian online newspaper DP.ru, several months before October 2014 the office moved from Olgino to a four-story building at 55 Savushkina Street.[11][12][17]”

… “Novaya Gazeta newspaper reported that, according to Alexey Soskovets, head of the office in Olgino, North-Western Service Agency was hiring employees for similar projects in Moscow and other cities in 2013.[3]”

From Novaya Gazeta September 2013 article (Google Translate from Russian):

“From the data of the Unified State Register of Legal Entities, it follows that the organization was registered on July 26, 2013. The founder is Mikhail Kurkin, the general director is Nikolai Chumakov.”


Whew, well I think that’s a fairly exhaustive round-up of top links and quotes relative to the subject. Will try to condense this down into a more human-readable format in coming days.

 

HB Gary leaks

HBGary company description on Wikipedia. (Current November 2017)

“It has been reported that HBGary Federal was contracted by the US government to develop astroturfing software which could create an “army” of multiple fake social media profiles.[38][39]

Later it was reported that while data security firm HBGary Federal was among the “Persona Management Software” contract’s bidders listed on a government website, the job was ultimately awarded to a firm that did not appear on the FedBizOpps.gov page of interested vendors. “This contract was awarded to a firm called Ntrepid,” Speaks wrote to Raw Story.[40]”

[Link to technical spec and project overview from Federal project site above]

Ars Technica, February 2011 article on Anonymous hack:

“HBGary Federal CEO Aaron Barr thought he had unmasked the hacker hordes of Anonymous and was preparing to name and shame those responsible for co-ordinating the group’s actions, including the denial-of-service attacks that hit MasterCard, Visa, and other perceived enemies of WikiLeaks late last year.

When Barr told one of those he believed to be an Anonymous ringleader about his forthcoming exposé, the Anonymous response was swift and humiliating. HBGary’s servers were broken into, its e-mails pillaged and published to the world, its data destroyed, and its website defaced.”

Apparently the way in was SQL injection through their custom third-party content management system. The article above is mainly a technical description of how Anonymous carried out the attack.

Wired, February 2011 focused on HBGary side of the tale:

“Barr would do things like correlate timestamps; a user in IRC would post something, and then a Twitter post on the same topic might appear a second later. Find a few of these links and you might conclude that the IRC user and the Twitter user were the same person.”

Rawstory, February 2011:

“HBGary, which conspired with Bank of America and the Chamber of Commerce to attack WikiLeaks, spy on progressive writers and use malware against progressive organizations, was also revealed to have constructed software eerily similar to what the Air Force sought.”

Paragraph above links out to another February 2011 Rawstory piece with more details about the Chamber of Commerce story.

Cory Doctorow BoingBoing piece from February 2011 about the persona management proposal. Quotes from one of the leaked emails:

“For this purpose we custom developed either virtual machines or thumb drives for each persona. This allowed the human actor to open a virtual machine or thumb drive with an associated persona and have all the appropriate email accounts, associations, web pages, social media accounts, etc. pre-established and configured with visual cues to remind the actor which persona he/she is using so as not to accidentally cross-contaminate personas during use…”

Tracking the source email on Wikileaks for the above, but this is referenced on an archive.is page as being another PDF related to persona management and development system. (email ID 359)

Quote from email 359 PDF attachment:

“These accounts are maintained and updated automatically through RSS feeds, retweets, and linking together social media commenting between platforms. With a pool of these accounts to choose from, once you have a real name persona you create a Facebook and LinkedIn account using the given name, lock those accounts down and link these accounts to a selected # of previously created social media accounts, automatically pre-aging the real accounts.”

Okay, so it looks like the BoingBoing quote comes from the Word document attached to email 2142, some kind of white paper/project proposal for a new client.

Section of interest: “Persona and Content Development”. Text on Wikileaks’ docx file seems to agree with the text here at Archive.is.

Excerpted quotes from the section about “Character levels”:

“Level 0 Character: Used mostly for quick and temporal communication. No persona description required. These characters have specific user accounts or email addresses that are used for quick communications or to satisfy very specific mission requirements that do not require any more in-depth use. […]

Level 1 Character: These accounts have slightly more depth with created generic names that generate significant hits when the name is queried on search engine and other social media platforms. These accounts are meant to provide slightly more depth for use in establishing contact with individuals and at a glance appearing to be real. Any accounts established for this type of a character would have the most strict privacy settings so as to hide the lack of detail associated with these accounts. As an example, an established level 1 persona might have an associated gmail address with a Facebook, twitter, and or linkedin account. All of the associated social media accounts would be set to the highest privacy settings so no details would be visible other than an account exists and may or may not be associated with a specific email address. […]

Level 2 Character: Level 2 characters are similar to level 1 characters except they provide slightly more detail on the personas background and may require some paid services to set up creative content pages for more in-depth exercise engagements. This requires more upfront character development so as to make a persona that will be viewed as plausible throughout the engagement. […] This means automated content generation mixed with human generated content related to the persona at a frequency that would be consistent with the personas background. […] HBGary Federal has devised a set of techniques that can make personas appear real, such as manipulating GPS coordinates and using location based services to checkin to specific locations, or using twitter hashtags and specific tweets to make it appear as if a persona is attending a specific conference. […]

Level 3 Character: The most detailed character. These personas are required to conduct human-to-human direct contact likely in-person to satisfy some more advanced exercise requirements. This character must look, smell, and feel 100% real at the most detailed level. […] Using some of our micro-blogging techniques for auto-generating content we can manage many of these types of accounts automatically and age them. Then when a real persona is created for a particular exercise we can associate a twitter, YouTube, and blog account that has been aging and link it to a LinkedIn and Facebook profile that was just created. This gives the perception that this person has been around in this space for a while. HBGary Federal also has experience in developing LLCs, phone services, websites, etc. to establish the corporate bonafides. There are also other tricks we can use to build friends lists quickly so as to give the perception the persona is social or professionally active.”

Ars Technica, March 2012 follow-up:

“The HBGary hackers collectively called themselves Internet Feds. They then started working under the name LulzSec, rapidly achieving infamy for a series of high-profile break-ins (victims including PBS, Sony, and Nintendo) and denial-of-service attacks. But by late September 2011, everyone in LulzSec except one member, avunit, had been identified, and every identified member except pwnsauce had been arrested.”

 

Buzzfeed, Nov. 2017: Citibank transfers to Russian embassies to finance election campaigns

Many marked with memo: “to finance election campaign of 2016.”

“The transactions, which moved through Citibank accounts and totaled more than $380,000, each came from the Russian foreign ministry and most contained a memo line referencing the financing of the 2016 election.

The money wound up at Russian embassies in almost 60 countries from Afghanistan to Nigeria between Aug. 3 and Sept. 20, 2016. It is not clear how the funds were used.”

 

Technical spec for internet sockpuppet system

Operation Earnest Voice, Wikipedia page (current as of November 2017), describes a request for proposal put out by a branch of the federal government to create an application whereby agents could put on persistent created personas in order to engage in propaganda and intelligence operations online. In other words, it’s a system for astroturfing, sock-puppets and shills.

Linking out to Archive.org version of the June 2010 fbo.gov proposal, we can see the technical specifications for the desired application. Essential components include:

  • 50 User Licenses, 10 Personas per user.
  • Personas include “background, history, supporting details, and cyber presences that are technically, culturally and geographically consistent.”
  • Personas must be able to appear to be from any part of the world.
  • Personas must be able to interact and operate on social media services.
  • VPN option enabling daily, automatic randomized IP addressing.
  • Ability to blend traffic with outside sources for cover.
  • Static, persistent and identity-protected IP option.
  • Unique servers in each part of the world to direct traffic through.
  • Remote access through a secure desktop environment. “Every session uses a clean Virtual Machine (VM) image. […] Upon session termination, the VM is deleted and any virus, worm, or malicious software that the user inadvertently downloaded is destroyed.”

It appears to be a complete solution, enabling 50 agents to appear to be at least 500 unique actors online.

I’m still a little unclear as to what current restrictions such a program would face where individuals in the domestic United States might be exposed, at least in terms of propaganda efforts. Wikipedia quote, which sounds technically probably true:

“Isaac R. Porche, a researcher at the RAND corporation, claims it would not be easy to exclude US audiences when dealing with internet communications.[5]”

Washington Times in March 2011 states:

“The software is used for what the military calls “information operations” that use “classified social media activities outside the United States to counter violent extremist ideology and enemy propaganda,” Centcom spokesman Cmdr. Bill Speaks told The Washington Times.

Information operations include activities designed “to influence, disrupt, corrupt or usurp adversarial human and automated decision-making while protecting our own,” according to Pentagon documents. Such activities include disinformation campaigns, or military deception; computer network operations, or hacking; and what used to be called psychological warfare operations or “psy-ops,” but is now referred to as “military information support operations.””

That article (2011) also claims:

“Cmdr. Speaks said the Central Command program operates only on overseas social media sites.

“We do not target U.S. audiences, and we do not conduct these activities on sites owned by U.S. companies,” he said.”

It’s possible the 2012 Smith-Mundt Modernization Act changed their operating parameters, but I’m still verifying that…

I don’t trust Huffington Post too much as a source, but there is an interesting quote by them on the private sector equivalents of the Earnest Voice software, also in a March 2011 article:

“Last month, hacker group Anonymous unloaded a batch of 50,000 emails from security firm HBGary, where documents indicated that the firm was in the process of developing their own persona management software. The document outlined some of the proposed strategies for creating verisimilitude:

“Using hashtags and gaming some location based check-in services we can make it appear as if a persona was actually at a conference and introduce himself/herself to key individuals as part of the exercise, as one example. There are a variety of social media tricks we can use to add a level of realness to all fictitious personas.”

I will try to follow up on this HBGary reference in a separate article.

Malicious actors infiltrating social movements in US

Buzzfeed, October 2017, Native Americans, Instagram, Standing Rock, #noDAPL:

“But for Russian trolls, the protests were another opportunity to sow discord in America — one of a series of social movements, from Black Lives Matter activism to pro-Trump populism, on which trolls appear to have seized.”

CNN, September 2017, suspension of Blacktivist accounts.

“A social media campaign calling itself “Blacktivist” and linked to the Russian government used both Facebook and Twitter in an apparent attempt to amplify racial tensions during the U.S. presidential election, two sources with knowledge of the matter told CNN.”

Gizmodo, October 2017, Black Matters & Black Fist:

“The RBC investigation uncovered that the two sites, BlackMatters US and Black Fist, were linked to the Internet Research Agency, a Russian state-affiliated troll farm at the center of the disinformation campaign that pushed fake news sites and troll posts on Facebook, Twitter, YouTube and even Google News and Gmail. Both sites are still online, though their Facebook, Instagram, and Twitter accounts have been suspended.”

… “At least three activists were paid for activities that ended up on the BlackMatter US and Black Fist sites. Conrad James, a rally organizer, was contacted via a Facebook message from BlackMatters US last September and paid to organize two rallies in North Carolina.”

NPR, October 2017.

“In New York and elsewhere, agents paid personal trainers to lead self-defense classes aimed at black activists with the message that they might need to “protect your rights,” as part of the Black Lives Matter movement. In Florida, they used Facebook and fraudulent websites to organize black rights protest rallies.

In Texas, scamsters organized at least one armed, anti-Muslim protest in Houston. And in Idaho, they helped organize anti-immigrant rallies.”

NY Times, September 2017 article about Twin Falls, Idaho Fawnbrook incident.

“The Twin Falls story aligned perfectly with the ideology that Stephen Bannon, then the head of Breitbart News, had been developing for years, about the havoc brought on by unchecked immigration and Islamism, all of it backed by big-business interests and establishment politicians. Bannon latched onto the Fawnbrook case and used his influence to expand its reach.”

… “For months, the reporters covered protests around town, which were widely hyped on social media but, for the most part, sparsely attended. At least once the Police Department deployed plainclothes officers into the crowds, with instructions to look after the journalists. Later, it turned out that fake Facebook accounts linked to the Russian government helped to spread stories about Twin Falls and even organized one of the rallies there. The event was also poorly attended but is the first known Russian attempt to spark a demonstration on American soil.”

… “Stranahan now works out of a trendy shared workspace in Washington, across the street from the White House. He quit his job at Breitbart, which he said was being mismanaged in Bannon’s absence, to host a drive-time FM radio show with Sputnik, a state-run Russian news outlet. He told me that he jumped at the chance to transition to a Kremlin-funded outfit and, knowing that it would be controversial, spoke to every media outlet that inquired about it, in order to draw even more people to his work.”

October 2017, CNN article about Heart of Texas false Russian-run secessionist group.

“Generating anti-Muslim sentiment in the US was one of the goals of the Russian campaign. CNN reported Tuesday that some ads bought on Facebook were aimed at reaching voters who might be susceptible to anti-Muslim messages, even suggesting that Muslims were a threat to the American way of life.

A source familiar with the matter tells CNN that Heart of Texas was among the 470 accounts and pages that Facebook turned over to Congress, following its investigation into ads generated by the Internet Research Agency.”

See also: micro-targeting. (Conjecture: Cambridge Analytica? OCEAN model?)

NY Times, September 2017: “Fake Russian Facebook Accounts Bought $100,000 in Political Ads”

“Providing new evidence of Russian interference in the 2016 election, Facebook disclosed on Wednesday that it had identified more than $100,000 worth of divisive ads on hot-button issues purchased by a shadowy Russian company linked to the Kremlin.

Most of the 3,000 ads did not refer to particular candidates but instead focused on divisive social issues such as race, gay rights, gun control and immigration, according to a post on Facebook by Alex Stamos, the company’s chief security officer. The ads, which ran between June 2015 and May 2017, were linked to some 470 fake accounts and pages the company said it had shut down.

Facebook officials said the fake accounts were created by a Russian company called the Internet Research Agency, which is known for using “troll” accounts to post on social media and comment on news websites.”

BBC, November 2017, Russian links to California secessionist groups.

#calexit

“Social media accounts with ties to Russia pushed a huge Twitter trend in favour of an independent California on US election night 2016, BBC Trending has learned. The campaign was one of at least two popular online independence drives with links to the Kremlin.”

This has been mainly a US-based information thread, but here is one out of Spain for good measure, Politico, September 2017. Included to prove a pattern:

“In recent weeks, Russian state-backed news organizations and automated social network accounts, known as bots, have aggressively promoted digital misinformation and outright fake news about the politically charged vote planned for Sunday, according to an analysis of recent online activity.

The efforts — aimed at discrediting Spanish political and legal authorities that are trying to clamp down on the Catalan government’s attempt to hold the outlawed referendum — follows similar digital misinformation campaigns during Europe’s season of elections in 2017.”

 

Prohibitions against domestic propaganda in the United States

Washington Post, July 2013 article about Somali-American’s website caught in counter-intelligence operation:

“The Pentagon is legally prohibited from conducting psychological operations at home or targeting U.S. audiences with propaganda, except during “domestic emergencies.” Defense Department rules also forbid the military from using psychological operations to “target U.S. citizens at any time, in any location globally, or under any circumstances.””

… ““We don’t deal with domestic. End of issue,” Andrew Black, Navanti’s chief executive, said in an interview. “We turned it over to the cognizant authorities. That’s where we stopped. That’s really important that that is where we stopped.” The firm “followed the law,” he added.”

May 2012, Buzzfeed article about a Bill to lift the domestic propaganda ban being introduced with some more details.

July 2013 article from Foreignpolicy.com:

“For decades, a so-called anti-propaganda law prevented the U.S. government’s mammoth broadcasting arm from delivering programming to American audiences. But on July 2, that came silently to an end with the implementation of a new reform passed in January. The result: an unleashing of thousands of hours per week of government-funded radio and TV programs for domestic U.S. consumption in a reform initially criticized as a green light for U.S. domestic propaganda efforts.”

February 2012, independent history of Smith-Mundt Act and implications of amending.

Wikipedia article (current as of November 2017) about Propaganda in the United States, stating: “The Smith-Mundt Act prohibits the Voice of America from disseminating information to US citizens that was produced specifically for a foreign audience.”

Foreignpolicy.com article linked above states the provisions only apply to select branches of the State Department.

Wikipedia US propaganda article seems to confirm later:

“However, Emma L Briant points out that this is a common confusion – The Smith-Mundt Act only ever applied to the State Department, not the Department of Defense and military PSYOP, which are governed by Article 10 of the US Code.[18]”

So, seems to be at least some public confusion around this.

Wikipedia article (current Nov. 2017) about Smith-Mundt Act, states:

“Section 1462 requires “reducing Government information activities whenever corresponding private information dissemination is found to be adequate” and prohibits the State Department from having monopoly in any “medium of information” (a prescient phrase).”

Continuing from article above, regarding Voice of America:

““This means that VOA is forbidden to broadcast within the United States.” In reality, of course, any American with a shortwave receiver or an Internet connection can listen to VOA. This is incidental, however. VOA cannot direct or intend its programs to be “for” Americans.”

Here is what appears to be text of the Smith-Mundt Modernization Act of 2012. I have not read it in its entirety, but a relevant excerpt:

“Sec. 208. Clarification on domestic distribution of program material

(a)In general

No funds authorized to be appropriated to the Department of State or the Broadcasting Board of Governors shall be used to influence public opinion in the United States. […]

(b)Rule of construction

Nothing in this section shall be construed to prohibit the Department of State or the Broadcasting Board of Governors from engaging in any medium or form of communication, either directly or indirectly, because a United States domestic audience is or may be thereby exposed to program material, or based on a presumption of such exposure. Such material may be made available within the United States and disseminated, when appropriate, pursuant to sections 502 and 1005 of the United States Information and Educational Exchange Act of 1948 (22 U.S.C. 1462 and 1437), except that nothing in this section may be construed to authorize the Department of State or the Broadcasting Board of Governors to disseminate within the United States any program material prepared for dissemination abroad on or before the effective date of the Smith-Mundt Modernization Act of 2012.”

I don’t know quite how to interpret that, having not read the rest, combined with my incomplete knowledge of linked items in US Code.

Wikipedia article Operation Earnest Voice (current to Nov. 2017) cites the above act with this statement:

“According to CENTCOM, the US-based Facebook and Twitter networks are not targeted by the program because US laws prohibit state agencies from spreading propaganda among US citizens as according to the Smith-Mundt Modernization Act of 2012.[6] However, according to the Smith-Mundt Modernization Act of 2012, dissemination of foreign propaganda to domestic audiences is expressly allowed over the internet including social media networks.[7]”

Nashi manipulation of social media around Ukraine

February 2012, The Guardian: hacked emails released allegedly to and from a director of the Nashi youth organization, discussing manipulation of social media around Ukraine conflict.

Wikipedia entry on Nashi:

Nashi’s close ties with the Kremlin have been emphasised by Vladislav Surkov (Deputy Presidential Chief of Staff during 1999-2011), who has met the movement’s activists on numerous occasions, delivering speeches and holding private talks. It has been speculated that the Kremlin’s primary goal was to create a paramilitary force to harass and attack Vladimir Putin’s critics as “enemies of the State”.

March 2015, Geopoliticalmonitor.com:

“Beyond the indisputable fact of its existence, few details are known of the Russian government’s program to manipulate Internet opinion. It seems to have evolved in some way from the Nashi, a Kremlin-funded anti-fascist youth group that was founded in 2007 and folded in 2012. Hackers broke into the email account of a Nashi spokesperson in 2012 and discovered that the group had paid out hundreds of thousands of pounds to a network of bloggers, journalists, and freelance commenters to provide flattering coverage of Vladimir Putin and criticize his opponents. A year later, Russian journalists evidently stumbled across another arm of the program while investigating a St. Petersburg company called the Internet Research Agency.”

Links to more information in source article are broken. ^

Wikipedia page on Web brigades:

“In January 2012, a hacktivist group calling itself the Russian arm of Anonymous published a massive collection of email allegedly belonging to former and present leaders of the pro-Kremlin youth organization Nashi (including a number of government officials).[14] Journalists who investigated the leaked information found that the pro-Kremlin movement had engaged in a range of activities including paying commentators to post content and hijacking blog ratings in the fall of 2011.[15][16] The e-mails indicated that members of the “brigades” were paid 85 rubles (about 3 US dollars) or more per comment, depending on whether the comment received replies. Some were paid as much as 600,000 roubles (about US $21,000) for leaving hundreds of comments on negative press articles on the internet, and were presented with iPads. A number of high-profile bloggers were also mentioned as being paid for promoting Nashi and government activities. The Federal Youth Agency, whose head (and the former leader of Nashi) Vasily Yakemenko was the highest-ranking individual targeted by the leaks, refused to comment on authenticity of the e-mails.”

“In fairness there is no conclusive evidence about who is behind the trolling, although Guardian moderators, who deal with 40,000 comments a day, believe there is an orchestrated campaign. Harding, who is inured to the abuse, would simply like better systems to deal with it, as would the moderation and community teams.

A senior moderator said: “We can look at the suspicious tone of certain users, combined with the date they signed up, the time they post and the subjects they post on. Zealous pro-separatist comments in broken English claiming to be from western counties are very common, and there’s a list of tropes we’ve learnt to look out for.”
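Three of the signals the moderator lists above (the date accounts signed up, the time they post, and the subjects they post on) can be combined into a simple triage check for a moderation queue. This is an added example, not code from the Guardian or any source quoted on this page; the account names, comment records and thresholds are constructed, and “tone” is not modelled.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed records: (account, signup date, post time in UTC, article subject).
COMMENTS = [
    ("anna_k", "2014-03-02", "2014-05-01 06:10", "ukraine"),
    ("anna_k", "2014-03-02", "2014-05-02 07:45", "ukraine"),
    ("bob_west", "2014-03-03", "2014-05-01 06:55", "ukraine"),
    ("bob_west", "2014-03-03", "2014-05-02 07:20", "ukraine"),
    ("carl_uk", "2014-03-04", "2014-05-01 07:05", "ukraine"),
    ("carl_uk", "2014-03-04", "2014-05-03 08:30", "ukraine"),
    ("policy_wonk", "2011-01-20", "2014-05-01 20:15", "ukraine"),
    ("policy_wonk", "2011-01-20", "2014-05-02 21:40", "ukraine"),
    ("policy_wonk", "2011-01-20", "2014-05-04 22:05", "ukraine"),
    ("longtime_reader", "2009-06-11", "2014-05-01 09:00", "ukraine"),
    ("longtime_reader", "2009-06-11", "2014-05-02 19:30", "football"),
    ("longtime_reader", "2009-06-11", "2014-05-03 23:10", "budget"),
    ("new_but_broad", "2014-03-03", "2014-05-01 06:20", "ukraine"),
    ("new_but_broad", "2014-03-03", "2014-05-02 13:00", "cinema"),
    ("new_but_broad", "2014-03-03", "2014-05-03 22:45", "football"),
]

def hour_span(hours):
    """Width in hours of the smallest arc on the 24h clock covering all posts."""
    hs = sorted(set(hours))
    if len(hs) == 1:
        return 0
    # Circular gaps between neighbouring hours; the arc skips the largest gap.
    gaps = [(b - a) % 24 for a, b in zip(hs, hs[1:] + hs[:1])]
    return 24 - max(gaps)

def profiles(comments):
    """Per-account summary: signup date, dominant subject, focus, posting-hour span."""
    by_acct = defaultdict(list)
    for acct, signup, posted, subject in comments:
        by_acct[acct].append((datetime.strptime(signup, "%Y-%m-%d").date(),
                              datetime.strptime(posted, "%Y-%m-%d %H:%M"), subject))
    out = {}
    for acct, rows in by_acct.items():
        subject, n = Counter(s for _, _, s in rows).most_common(1)[0]
        out[acct] = {"signup": rows[0][0], "posts": len(rows), "subject": subject,
                     "focus": n / len(rows),
                     "span": hour_span([p.hour for _, p, _ in rows])}
    return out

def flag_clusters(comments, window_days=7, min_accounts=3,
                  min_focus=0.8, max_span=4, min_posts=2):
    """Return (subject, accounts) groups that share all three signals.

    An account is a candidate only if it posts almost exclusively on one
    subject within a narrow band of hours. Candidates on the same subject are
    then grouped by the densest signup window; one isolated account is never
    flagged on its own.
    """
    candidates = defaultdict(list)
    for acct, p in profiles(comments).items():
        if p["posts"] >= min_posts and p["focus"] >= min_focus and p["span"] <= max_span:
            candidates[p["subject"]].append((p["signup"], acct))
    clusters = []
    for subject, members in candidates.items():
        members.sort()
        start, best = 0, []
        for end in range(len(members)):
            # Shrink the window until first and last signup are close enough.
            while members[end][0] - members[start][0] > timedelta(days=window_days):
                start += 1
            if end - start + 1 > len(best):
                best = members[start:end + 1]
        if len(best) >= min_accounts:
            clusters.append((subject, sorted(a for _, a in best)))
    return clusters

if __name__ == "__main__":
    for subject, accounts in flag_clusters(COMMENTS):
        print(subject, accounts)
```

A flagged group is a prompt for human review, not a verdict: the single-subject, fixed-hours account with an old signup date (`policy_wonk`) passes the per-account filter but is left out because it shares no signup window with the others.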

 
