At a glance.
- Deepfakes, detection, and data poisoning.
- Candor in Rossiya.
- Russian information operations surrounding the invasion of Ukraine.
Deepfakes, detection, and data poisoning.
Deepfakes have normally been thought of as a deception technique: you fake a plausible image, video, or audio, and you persuade people to believe a lie. That's undeniably one of the risks, and it's generally addressed through fact-checking, rumor control, and other forms of debunking. There are also technical adjuncts in place or under development that can assist in the detection of deepfakes. Researchers at the University of Tokyo this week announced work on a technique they call "self-blended images," which they argue offers a superior way of training algorithms to better recognize deepfakes. For now the technique works better on images than on video. “Naturally, we wish to improve upon this idea. At present, it works best on still images, but videos can have temporal artefacts we cannot yet detect. Also, deepfakes are usually only partially synthesised. We might also explore ways to detect entirely synthetic images, too,” Engineering & Technology quotes the principal investigator, Toshihiko Yamasaki, as explaining.
There are other considerations in detecting and debunking deepfakes. Carey O’Connor Kolaja, CEO of AU10TIX, discussed deepfakes with the CyberWire recently, and she described ways in which organizations might cooperate to fight this threat. Some of her suggestions will sound familiar, like the best practices advocated in other, more general cybersecurity contexts. “To combat disinformation and misrepresentation, we need to unify and create consortiums to safely and legally share signals within ecosystems,” she said. “Technology allows us to do this with zero-trust architectures and cryptographic signatures but commercially we have to find a way forward. If CNN misrepresents something, then it is bad for all media agencies. If GoFundMe misrepresents then it is bad for all crowdfunding platforms.”
Cross-referencing data from diverse sources could clear up some claims, especially as each institution bolsters its own security posture. “We should also bring together unexpected data signals to determine what is authentic and what is not,” Kolaja said, “[c]ombining social signals, with local signals, with deepfake technology for example. Organizations should also be looking to institute new policies, standards and interoperability while embracing [Coalition for Content Provenance and Authenticity (C2PA)] tools, and new approaches to maintaining trust in our digital/physical world.”
She pointed out other areas in which deepfakes constituted a problem. “Deepfakes will become more common and will penetrate unexpected areas,” she said. “The expected uses will continue to be media, in all forms including political campaigns, social campaigns, even commercial campaigns. Other forms of impersonation that can prove to be even more problematic can range from a fraudulent person taking exams to fake doctors providing fraudulent online services.”
“In the identity space,” she continued, “fraudsters will try to fool authentication systems using synthetic images [or] videos of someone other than themselves. Fraudsters could also create videos of family relatives to try and obtain ransom money.”
The countermeasures suggest another problem with deepfakes: the prospect of data poisoning, the introduction of false data into databases (including the shared signal repositories such consortiums would rely on) where it might persist undetected for a long time.
Candor in Rossiya.
That Russia's war against Ukraine has so far been less than fully successful received an unusually candid acknowledgement on Russian television. “The situation for us will clearly get worse,” the New York Times quotes Mikhail M. Khodaryonok as saying on Rossiya's widely watched "60 Minutes" news talk show. Khodaryonok is a retired colonel and "a conservative columnist on military affairs." He went on to say, “We are in total geopolitical isolation and the whole world is against us, even if we don’t want to admit it.” The Times and other outlets are carrying a link to the program. English subtitles have been added, and it's worth watching (and listening to) in full.
Russian information operations surrounding the invasion of Ukraine.
Mandiant this morning published an overview of the Russian information operations it's tracked during the run-up to Russia's war against Ukraine, through the actual invasion, and continuing until now. Senior Analyst Alden Wahlstrom, one of the lead authors of the report, said that the research sought to exhibit "how known actors and campaigns can be leveraged or otherwise refocused to support emerging security interests, including large-scale conflict. For years, analysts have documented that Ukraine, a key strategic interest of Russia's, is a testing ground for Russian cyber threat activity that they may subsequently deploy elsewhere. Now, we witness how pro-Russia actors have leveraged the assets and campaign infrastructure developed over time (in whole or part) to target Ukraine.”
The operations exhibit a mixture of disinformation and disruptive attacks (mostly ransomware, wiper malware disguised as ransomware, and nuisance-level distributed denial-of-service attacks). Defacement of Ukrainian government websites began as early as January 14th of this year, with messages claiming theft and subsequent deletion of data. "The defacements likely coincided with the January deployment of destructive tools PAYWIPE, an MBR wiper disguised as ransomware, and the SHADYLOOK file corrupter against Ukrainian government and other targets." February 23rd, the eve of the invasion proper, saw a repetition of this style of attack. In this case the defacements "coincided with destructive attacks against Ukrainian government targets using the NEARMISS master boot record (MBR) wiper and PARTYTICKET wiper disguised as ransomware." And during the war itself, on March 16th a deepfake video of Ukrainian President Zelenskyy appearing to announce surrender to Russia was distributed over compromised Ukrainian news sites. This incident coincided with another wiper attack: "On the same day, Mandiant identified the JUNKMAIL wiper targeting a Ukrainian organization. The malware was configured via a scheduled task to execute approximately three hours before Zelenskyy was scheduled to deliver a speech to the U.S. Congress."
Some familiar threat actors have been in evidence. APT28 (Fancy Bear, the GRU) has been behind much of the Russian activity, and the allied Ghostwriter operators of Belarus's satellite intelligence and security services have also been active in the Russian interest. The Internet Research Agency, well-known as an election-meddling troll farm, seems also to have resurfaced as "Kiber [that is, Cyber] Force Z," and resumed influence and amplification operations. And there have been the usual covert media outlets working under inauthentic personae. Kiber Force Z's style is as familiar as it is tasteless, featuring a Russian-uniformed Pepe the Frog (an Orthodox cross blasphemously around his neck, a "Z" patch in the place of honor on his left shoulder) calling in an airstrike on Azovstal, occupied by three Azov Battalion soldiers with pig faces. (The Azov troopers look better-uniformed and better-equipped than Russian comrade soldier Pepe, who seems a bit slack and devil-may-care in his turnout. Maybe Kiber Force Z realized that President Zelenskyy's casual presentation of self played better than President Putin's expensive clothes, long tables, and Ruritanian guards.)
There's also been some nominally hacktivist activity conducted in support of Russia. "Established hacktivist personas JokerDNR and Beregini have remained active in their targeting of Ukraine in the leadup to and since Russia’s invasion, including through their publication of allegedly leaked documents featuring possible personally identifiable information (PII) of Ukrainian military members," Mandiant notes, and goes on to observe cautiously, "Additionally, newly established 'hacktivist' groups, whose degrees of affiliation to the Russian state are yet unknown, like Killnet, Xaknet, and RahDit, have engaged in hacktivist-style threat activity in support of Russia, including distributed denial-of-service (DDoS) attacks, hack-and-leak operations, and defacements." There is, we think, a strong likelihood that these hacktivist personae are operating under the control, or at least the direction, of Moscow's intelligence services.
Russian disinformation has had two sides. One, for foreign consumption, has been in the familiar, tabloidesque, entropic style, intended to darken counsel more than to persuade, that's been a staple of Russian election meddling for the past decade. This line has featured such claims as the discovery of US biowar labs in Ukraine, Poland's systematic harvesting of Ukrainian refugees' organs for sale on the transplant black market, etc. The other has been aimed primarily at domestic audiences, and has emphasized the foreign threat to Russia, Ukrainian atrocities against ethnic Russian enclaves, and, above all, the alleged Nazi cabal that's got to be running Kyiv. These lines of disinformation have been intended to persuade. They've also been closely followed, with little deviation, which makes Colonel Khodaryonok's remarks on Rossiya's 60 Minutes all the more remarkable.
The report concludes by offering its take on the outlook for influence campaigns aligned with Russian goals. Russian operators can be expected to continue to push disinformation, with a probable assist from their satellite services in Belarus. China and Iran serve as allies of convenience, retailing Russian themes when it serves those regimes' longstanding anti-Western strategic goals:
"Information operations observed in the context of Russia’s invasion of Ukraine have exhibited both tactical aims responding to, or seeking to shape, events on the ground and strategic objectives attempting to influence the shifting geopolitical landscape. While these operations have presented an outsized threat to Ukraine, they have also threatened the U.S. and other Western countries. As a result, we anticipate that such operations, including those involving cyber threat activity and potentially other disruptive and destructive attacks, will continue as the conflict progresses.
"One notable feature of operations attributed to known actors thus far is their apparent consistency with the respective campaign’s established motives. Russia-aligned operations, including those attributed to Russian, Belarusian, and pro-Russia actors, have thus far employed the widest array of tactics, techniques, and procedures (TTPs) to support tactical and strategic objectives, directly linked to the conflict itself. This is especially beneficial when the facts on the ground shape Russia’s need to influence events in Ukraine, marshal domestic Russian support, and manage global perceptions of Russia’s actions. Meanwhile, pro-PRC and pro-Iran campaigns have leveraged the Russian invasion opportunistically to further progress long-held strategic objectives. We likewise expect this dynamic to continue, and are actively monitoring for expansions in their scope of information operations activity surrounding the conflict."