At a glance.
- China suggests the US Army's responsible for COVID-19.
- Pakistan, China, and Russia make opportunistic use of the COVID-19 pandemic.
- EU calls out Russia for disinformation campaign.
- No prosecution of Concord Management for 2016 influence ops.
- Russia offshores trolling to Ghana, Nigeria.
COVID-19 disinformation out of China.
An ongoing Chinese disinformation effort blames the COVID-19 coronavirus strain on a US biological warfare program. With insinuation and implausible insistence, Foreign Ministry spokesman Zhao Lijian tweeted last Friday that the US Centers for Disease Control’s inability to unambiguously identify a US patient-zero suggested (for unclear reasons) that the US Army brought the disease to Wuhan, the city where the outbreak was first noticed. CNN reports that the US State Department summoned the Chinese ambassador to Washington for a dressing down over the Foreign Ministry’s remarks.
In this case the probable goal is opportunistic: deflect blame and discredit an international rival. An epidemic traceable to Wuhan is embarrassing to Beijing, calling into question public health and perhaps sanitation policies and practices.
What’s the US Army got to do with Wuhan? This: the last Military World Games, an international athletic competition designed to foster good will among the world’s military services, was held in Wuhan during October of last year. There was a US team there, and that’s the small bodyguard of truth that’s escorting this particular lie. It's a slicker approach than is always seen in Beijing's disinformation ops, relying as it does more on innuendo and absence of evidence than on outright fabrication.
This particular conspiracy theory really hasn’t had legs, but Russia Today is enjoying the diplomatic dust-up.
Other COVID-19 disinformation.
The US National Security Council warns that foreign influence operations are also using fear of coronavirus to push the line that the US is under a national lockdown that’s tantamount to martial law, black helicopters and the whole nine yards. Because corroborative detail gives artistic verisimilitude to an otherwise bald and unconvincing narrative, the specific authority for the coming national jackboot is the Stafford Act. The Stafford Act, under which the President declared a state of emergency, has nothing to do with national quarantines or martial law. It facilitates Federal delivery of assistance to the states, and to others, during times of emergency.
One US Federal action that hasn't yet made a big splash in the world of disinformation is President Trump's invocation of authority granted by the Defense Production Act. It's also not a declaration of martial law, but rather use of seventy-year-old legislation that empowers the President to establish certain production goals for industry. In this case what's being ordered into accelerated production are certain medical supplies, such as masks and hospital gowns, the San Diego Union-Tribune points out.
Mother Jones and US News, two publications that tend to see the news from markedly different perspectives, have both reported on the false news, and they reach much the same conclusion--it’s bogus. Much of the disinformation is being disseminated by email, text, WhatsApp, and TikTok, the Washington Post writes, noting that these are harder to track than similar campaigns over Twitter or Facebook would be. Much of the messaging is delivered as image files, which also makes it more difficult to screen.
Text messages may be an unusually convincing way of disseminating false rumors. Graham Brookie, who directs the Atlantic Council’s Digital Forensic Research Lab, told the Washington Post that text messages are effective persuaders because of their homey familiarity--it's the same technology friends and families use to stay in touch, so the news reported by text just strikes people as sounding right.
Some of the disinformation is probably state-run (like the Chinese claims discussed above that COVID-19 started in the US Army) but much of it is no doubt spontaneously generated. And it’s certainly not confined to the US--a great deal of fake news about mobs, rioting, and panic is circulating elsewhere, particularly in Europe.
In other respects, the COVID-19 pandemic continues to provide raw material for both state-directed and criminal campaigns. The technique has generally been to couple spoofing with coronavirus-themed phishbait, as BAE Systems noted this weekend in an infographic display of recent activity. Some of the threat groups BAE calls out include Transparent Tribe, Gamaredon, Mustang Panda, Operation Lagtime IT, and Sandworm/Olympic Destroyer.
- Pakistan. Transparent Tribe is a Pakistani operation going after Indian targets using malicious XLS files to deliver the Crimson remote access Trojan, all the while posing as an Indian training company. Malwarebytes has also seen a surge in coronavirus-themed phishing by Pakistan’s APT36, and they too report that it's pushing the Crimson RAT at Indian targets.
- Russia. The Russian operators behind Gamaredon are impersonating the Ukrainian Foreign Ministry to deliver the Pterodo backdoor via malicious docx files. And the GRU’s Sandworm is not to be left out--it’s spoofing Ukraine’s Ministry of Health to distribute a .NET backdoor.
- China. Mustang Panda, a Chinese operation, is using bogus news articles to push the Cobalt Strike stager. Operation Lagtime IT, also a Chinese APT, is spoofing the Mongolian Ministry of Health to distribute a Poison Ivy stager.
NBC News summarizes some of the operations FireEye and CrowdStrike are seeing: Russian services working against Ukraine, North Korea against South Korea, and Chinese services against targets in Southeast Asia, especially Vietnam.
Some of the phishing is unusually persuasive, researchers at Recorded Future told NBC: “These lures have really authentic branding, like they pretend to be from the CDC or the WHO or other really credible groups, and then target people based on ‘this seems like a really interesting thing offering me more information in a time that has so much information’.”
Speaking of Russia and disinformation...
The EU’s foreign policy body, the European External Action Service, has called out Russia for systematically pushing disinformation about the coronavirus. “A significant disinformation campaign by Russian state media and pro-Kremlin outlets regarding COVID-19 is ongoing,” a document dated March 16 and obtained by Reuters said. “The overarching aim of Kremlin disinformation is to aggravate the public health crisis in Western countries...in line with the Kremlin’s broader strategy of attempting to subvert European societies.”
The document said that there had been more than eighty cases of disinformation about coronavirus emanating from Russian sources since the 22nd of January. Among the more noxious themes is Russian amplification of debunked Iranian charges that COVID-19 is really a US biowar project, and charges that US military personnel in what Moscow refers to as the Near Abroad, the non-Russian former Soviet Republics, have been carrying the coronavirus.
The general consensus on the origins of COVID-19 is that this strain of coronavirus is a zoonotic disease that jumped from bats to humans in China.
Russia’s Foreign Ministry has harrumphed that the EU’s charges are “unfounded” and “lack common sense.” Spokesman Dmitry Peskov thinks the examples aren’t specific enough, and that as usual Moscow is more sinned against than sinning. “We’re talking again about some unfounded allegations which in the current situation are probably the result of an anti-Russian obsession,” Mr. Peskov complained.
No prosecution of Concord Management.
The US Justice Department has decided not to continue its prosecution of Concord Management and Consulting, a company which, despite its very American-sounding name, is a Russian firm that does no business in the US. The company had been indicted for influence operations as a result of Special Counsel Mueller’s investigation of Russian operations during the US 2016 elections. The Washington Post reports that prosecutors cited a “change in the balance of the government’s proof due to a classification determination” in their filing for dismissal. This led them to conclude that proceeding would no longer be in the interest of either justice or national security. The prosecutors’ filing essentially argues that Concord would use discovery and the trial itself to further its own ends, and that the company was essentially beyond the reach of US punitive measures.
Offshoring trolling.
Concord Management was in Russia, as was the Internet Research Agency. But Russian influence operations have apparently been offshored recently, in part at least, to operators in Ghana and Nigeria, CNN reports. Researchers at Clemson University told CNN they’re seeing election-season influence, and it's very much in the Russian style: disruptive and racially themed. And CNN says some of the operators--many of them nationals of Ghana or Nigeria--tell them that indeed they’re working for Russia.
A number of the trolls are organized by a front organization, Eliminating Barriers for the Liberation of Africa (or EBLA, for short). Russian oligarch Yevgeny Prigozhin, familiarly known as “Putin’s chef” and regarded as the organizing spirit behind St. Petersburg’s Internet Research Agency, is believed to be behind EBLA, too. But he didn’t respond to CNN’s request for comment.
This week, according to the Hill, several members of the US Congress called upon the European Union to sanction Mr. Prigozhin for his activities.