At a glance.
- Update on Ghostwriter.
- Jerusalem Day alert.
- Zoom prankers and deepfake goofs.
- Secrecy as friction.
- Inadvertent tweets.
Ghostwriter, and signs of a broader campaign.
FireEye’s Mandiant unit this morning updated its research into Ghostwriter, an influence operation that came to attention last year as it sought to affect public opinion in Latvia, Lithuania, and Poland. Its messaging then was anti-NATO. The campaigns of 2020 relied upon artlessly crude forgeries and implausible rumor-mongering, but of course disinformation doesn’t need to be art, as long as it can get the right amplification, which Ghostwriter worked to accomplish.
It was easy for officials to quickly debunk such hogwash as the claim that Canadian soldiers were spreading COVID-19, or that an internal memo circulating in the Polish Ministry of Defense called for resistance against an American “army of occupation” (forged memo helpfully provided, hijacked social media accounts used to lend plausibility to a very implausible narrative). CyberScoop offered a useful account of these efforts at the end of last July. But of course lies can have a bit of a run if they’re provided with a headstart.
In any case, Ghostwriter has now expanded its thematic content to include disruption of domestic Polish politics and also (according to Tagesschau) credential theft attacks on German political figures. FireEye believes the threat actor it tracks as UNC1151 operates some portions of Ghostwriter. The firm characterizes UNC1151 as "a suspected state-sponsored cyber espionage actor that engages in credential harvesting and malware campaigns."
Tagesschau calls the attackers “chaos troops,” which is apt enough for an operation that aims at disruption. At least seven members of Germany’s Bundestag have received phishing emails, as have some thirty members of the Länder assemblies, that is, the state-level legislatures. German authorities are taking the activity seriously. The Bundesamt für Verfassungsschutz (the BfV, the Federal Office for the Protection of the Constitution) and the Bundesamt für Sicherheit in der Informationstechnik (the BSI, the Federal Office for Information Security) are investigating, and have warned lawmakers that they’re being prospected in a phishing campaign. The BfV and BSI regard the activity with particular concern, given the German elections coming this September.
FireEye, as is its practice, doesn’t attribute Ghostwriter explicitly to any government, but the firm does note that its activities are “aligned with Russian security interests.” This isn’t, it appears, just prim policy on the company’s part, but rather a recognition of the inherent challenges of attribution. “At this time,” FireEye writes in its full report, “we do not attribute the Ghostwriter campaign to a specific actor or group of actors. Instead, we refer to Ghostwriter as an ‘activity set,’ with various incidents tied together by overlapping behavioral characteristics and personas, rather than as an actor or group in itself.”
The report goes on to say, “It appears, based on the limited public information available regarding the website compromises we have tied to Ghostwriter, that the actors behind the campaign are relatively well-resourced, either directly possessing traditional cyber threat capabilities themselves or having ready access to operational support from others who do. It is plausible that Ghostwriter operations are conducted by overlapping actors or groups that are also behind other influence campaigns or incidents of cyber threat activity.”
FireEye doesn’t say as much, but the Ghostwriter actors do prowl and growl like Bears. Still, the report is interesting as a case study in the careful analysis of espionage and influence campaigns. Attribution is inherently difficult; operational style rarely amounts to dispositive evidence. In American targeting jargon, this sort of evidence amounts to a set of possibly related “target indicators,” not clearly discerned “targets.”
Observances as occasion for disinformation.
May 7th is Quds Day, Jerusalem Day, observed by the Islamic Republic of Iran. By coincidence this year it falls near Israel's own Jerusalem Day, May 10th, which commemorates Israel's unification of the city during the Six-Day War. The Times of Israel reports that Israel's National Cyber Directorate has issued an alert to expect Iran-associated cyberattacks in connection with the observances. The Directorate expects any cyberattacks this year to be more ambitious than the customary website defacements, and specifically warns of the possibility that any attacks might aim at destruction or disruption of data and systems. But the prospect of impersonation, use of inauthentic accounts, and amplification to spread disinformation cannot be discounted.
Zoom prankers and deepfake goofs.
Someone impersonating a spokesman for imprisoned Russian opposition figure Alexandr Navalny conducted Zoom meetings with European Parliament members. The sessions featured what the Guardian and NL Times called a deepfake video call purporting to be Navalny associate Leonid Volkov, which Volkov himself said looked pretty convincing. Speculation about responsibility for the incident has focused on Vovan and Lexus, two well-known Russian prank callers, “prankers,” as such nuisance humorists are known.
The incident is of course troubling for coming at a time when Navalny is imprisoned and on a life-threatening hunger strike, and it’s worth noting that relatively senior political officials were taken in by the scam, but to place it in perspective this is more shock-jock stuff than it is the spoor of a new and devilishly nefarious approach to disinformation. Technically it’s a cut above the kind of jerk who called the live news coverage to holler “bababooie” during the slow-motion chase of O.J. Simpson’s Bronco down the 405 in Los Angeles, but let’s keep it in perspective. The lesson is that video that appears genuine in a live call need not be, and that some authentication beyond look and feel is necessary. But we already knew that: it’s even become a trope in gag insurance commercials where there’s a guy videoconferencing with his emu colleague and so forth.
But, on balance, not funny.
And Vovan and Lexus themselves aren’t novices, either, we note. They’ve pranked, to name just three, Sir Elton John, the Duke of Sussex, and Senator Bernie Sanders. But many of their targets have been critics of the Russian regime. Mr. Putin himself has not been pranked, and seems unlikely to be. But for others, it's as if morning drive-time FM radio has found a niche in cyberspace.
Secrecy as friction.
There’s a sense, communicated in a memo to the Office of the Director of National Intelligence from nine of the eleven US Combatant Commanders (US Central Command and US Cyber Command didn’t sign), that more declassification would render important assistance to US efforts to counter hostile information campaigns. These are often, although not exclusively, disinformation efforts, and the memo is thought to express concern that the US is losing an information war, and that excessive secrecy and overclassification are an important reason why.
POLITICO, which says it’s seen a copy of the memo, quotes it in part as saying:
“We request this help to better enable the US, and by extension its allies and partners, to win without fighting, to fight now in so-called gray zones, and to supply ammunition in the ongoing war of narrative…. Unfortunately, we continue to miss opportunities to clarify truth, counter distortions, puncture false narratives, and influence events in time to make a difference.”
Toward a hermeneutic of inadvertent tweets.
Tip: Twitter isn't a search engine. But in truth we all make mistakes, even US Special Operations Command, which, Task & Purpose points out, didn't have its social media accounts hacked. It was just operator headspace that induced someone to tweet the baffling "'Afghanistan' 'Islamic State'" Saturday.