The ongoing US-Iranian confrontation in cyberspace.
The pro-Iranian hackers who left their mark on a variety of lightly defended sites over the past week (including one belonging to a California dentist and another run by the University of Maryland) look more like angry script kiddies sympathetic to Tehran than they do Iranian cyber operators, The Verge reports. Beyond last week's minor website defacements by sympathetic hacktivists, however, active attacks have yet to materialize. Proofpoint has a useful rundown of the major threat groups working for Tehran and their preferred activities, none of which directly relate to disinformation, but which could easily support various influence campaigns should Iran decide to turn in that direction.
Little new has developed in social media following the death of General Soleimani, and within Iran, at least, social posts about the late Quds Force commander are difficult to share. Facebook, Twitter, and Telegram are all blocked in the country by the government and are accessible only through relatively furtive VPNs. But Instagram has been permitted to continue to operate. It's believed to have some twenty-four million active users, which the Financial Tribune says puts Iran seventh worldwide among Instagram users. Last week, however, Coda reports, Instagram itself began deleting posts about Soleimani's killing (the posts were for the most part memorial in nature), and suspended certain accounts that were posting on the topic. Instagram said it's doing so because it's following US law and enforcing its own community standards: the Islamic Revolutionary Guard Corps is designated a terrorist organization, and thus accounts maintained by the IRGC or posts supporting it violate Instagram's own guidelines that ban terrorist content.
For the moment, however, Forbes suggests that Iran seems to be "on the back foot." Protests in that country currently preoccupy its security forces, Reuters reports, with the immediate cause of the street demonstrations being the shootdown of Ukraine International Airlines Flight 752 on January 8th, for which Tehran eventually acknowledged responsibility Saturday. The shootdown appears to have been a case of mistaken identity. Two missiles were fired and both hit the aircraft, which exploded as it was turning in an apparent attempt at an emergency landing. The New York Times published video of the missile shots and the explosion, which it authenticated after an Iranian user posted it to YouTube. Tehran has since said many of the right things about the incident, calling it "a great tragedy" and "an unforgivable error" that Iran "deeply regrets." Some of the air defense personnel responsible have been arrested, as has, the BBC notes, the person who published the video. As tempting as it may be to regard Tehran's initial categorical denials that its missiles shot the airliner down as deliberate deception, that's probably an unwarranted conclusion: accidents under stress are always difficult to sort out.
Disinformation falls short in Taiwan's elections.
An eleventh-hour surge of Chinese propaganda and disinformation fell short of determining the results of Taiwan's presidential election this Saturday. The New York Times reports that Tsai Ing-wen won reelection on the strength of support for continued independence, suggesting that Beijing's influence campaign (and the example of Hong Kong) backfired. The Hong Kong example is significant insofar as Beijing's repression of dissent and the erosion of the city's qualified autonomy are generally taken to have given the lie to China's contention that "one country, two systems" arrangements are realistic terms of reunification. President Tsai's reelection had until a few months ago been considered a longshot.
Some of the credit for the failure of Chinese influence operations is being given to Taipei's aggressive, official rumor-control efforts. But Foreign Policy warns that the campaign took a domestic toll: it grew increasingly difficult over the course of the campaign to distinguish counter-propaganda work from partisan messaging.
Front organizations can provide deniability. They can also provide plausibility.
ZDNet reports that the anonymous security analysts of Intrusion Truth have uncovered some thirteen companies, operating for the most part from Hainan, that serve as fronts for APT40, a threat group associated with the Chinese government and best known for espionage on behalf of the People's Liberation Army Navy. Intrusion Truth posted its findings this past Thursday and Friday. The cut-outs so far appear mostly to have been used to recruit talent for APT40, but it's worth remembering that front groups can also be used to lend credibility to otherwise implausible propaganda.
And legitimate companies can also do the bidding of governments.
Instagram's choking off posts about General Soleimani and the IRGC is surely not unwelcome to Washington--that's what sanctions are for, after all. But companies are also willing to knuckle under to other regimes. Witness Google, which ZDNet says has removed WhatsGap from the Play Store. WhatsGap is a mapping application widely used by pro-democracy protesters in Hong Kong, and ZDNet calls Mountain View's decision "a backflip on the company's 2010 decision to stand up to the Chinese government" over censorship. Google's own statement resembles the one Instagram offered concerning Iran. "We have a long-standing policy prohibiting apps that lack reasonable sensitivity towards or capitalise on serious ongoing conflicts or tragedies. After careful review, we found this app to be violating that particular policy and suspended it, as we have done with similar attempts to profit from other high-profile events such as earthquakes, crises, suicides and conflicts."
Burisma and influence operations.
Area 1 has released research indicating that Russia’s GRU in November of 2019 began a phishing campaign against the Ukrainian energy company Burisma Holdings. The goal was to obtain email credentials from Burisma, its subsidiaries, and its partners. Burisma is the company whose connections to former US Vice President Biden’s son, Hunter Biden, were at the center of the impeachment inquiry directed at US President Trump, who wanted a Ukrainian investigation of those connections. Phishing is a common method of attack, and as the New York Times and Wall Street Journal point out, it’s how Fancy Bear (the GRU) accessed Democratic Party accounts in 2016. What were they after? Well, probably whatever Burisma had on American politicians.
At midweek Moscow delivered its customary informational counterfire. Sputnik, the news agency that's a Kremlin mouthpiece, led with a story that's more about the 2016 and 2020 US elections than it is about Burisma. The whole Burisma story is, Sputnik suggests, a self-serving conspiracy theory launched by Hillary Clinton, still stung by electoral defeat and plotting some unspecified political move. The evidence Sputnik offers is worth looking at, from a stylistic point of view at least. They repeat what they represent as social media posts by Americans who see through Ms Clinton and have tired of her whole act--the posts are zingers, one-liners, not evidence. Sputnik also brackets the Area 1 research on Burisma with CrowdStrike's work on Fancy Bear's operations against the Democratic Party in 2016, both of which Sputnik dismisses as laughably circumstantial.
Congressional Democrats are saying they view the Burisma incident as the first major move by Russia to influence the 2020 US elections. Their concerns, The Hill says, mostly surround the use of phishing, the Bears' most publicly effective tool in 2016. WIRED offers a suggestion about possible motives in the Burisma hack that go beyond intelligence collection: planting fake documents among the stolen material. That suggestion is based on a priori probability rather than evidence, but it will nonetheless induce many to regard anything emerging from Burisma as a put-up job, which of course it may be. Or not. Sometimes the mere possibility of fraud can accomplish much of what actual fraud might have. But if you bet on form, bet on there being some deception planted somewhere.
In any case, Reuters reports that Ukraine's Interior Ministry has asked for the assistance of the US FBI in investigating the Burisma hack.
Cybersecurity in presidential campaigns.
The Wall Street Journal reports that Democratic Presidential candidate Pete Buttigieg’s campaign cybersecurity chief, CISO Mick Baccio, resigned over "philosophical differences" in how to handle security. Neither the campaign nor Baccio would elaborate further. The campaign has retained the services of an unnamed security firm to replace him. In a November profile of Baccio, CyberScoop said that the campaign CISO was particularly concerned about deepfakes, and was working toward being able to rebut them as soon as they were detected.
So are politicians getting serious about campaign security, or are the concerns they're voicing mostly hot air? While it's cheap and easy to bet on hot air, in this case there's some empirical basis for doing so. MIT Technology Review reports the conclusions of a study indicating that about 60% of American politicians haven't done anything to improve their campaign's security.