At a glance.
- Narrative laundering.
- GRU fronts and information operations: Sandworm (a.k.a. FROZENBARENTS).
- Poland describes current Belarusian information operations.
Narrative laundering.
The UK's Ministry of Defence on Wednesday looked at Russian information operations. "Since the start of its full-scale invasion of Ukraine, the Russian state has systematically used information operations as a major element of its strategy. It has cultivated multiple channels and proxies to spread disinformation: the intentional creation and sharing of false or manipulated information. One component of Russia’s disinformation is ‘narrative laundering’, whereby Russia promotes information from proxies, or unverified social media sources, which then permeates to more mainstream or state-run media. This aims to cloud the source of the information, making it easier for the Russian state to distance itself from the message. It then promotes misleading fragments of the narrative, while masking its vested interest. Russian state actors present manipulated narratives in both orchestrated and opportunistic ways. Their current priorities almost certainly include discrediting the Ukrainian government and reducing international support for Ukraine."
Thus the goal is to insinuate a misleading message while affording the state the cover of deniability. It's a tactic that in general isn't confined to Russia. Many intelligence services have long used front groups and agents of influence. Russia's present tactics represent an update of such longstanding techniques for an online environment.
GRU fronts and information operations: Sandworm (a.k.a. FROZENBARENTS).
Google's Threat Analysis Group this morning published an update on what it's observed recently from Russia's Sandworm (or, as Google calls it, FROZENBARENTS), a well-known group associated with the GRU's Unit 74455. Its activities continue to include intelligence collection, information operations, and leaks of stolen data over Telegram. "As we described in the Fog of War report, FROZENBARENTS remains the most versatile GRU cyber actor with offensive capabilities including credential phishing, mobile activity, malware, external exploitation of services, and beyond."
Among the information operations Google describes are those mounted by the CyberArmyofRussia and the CyberArmyofRussia_Reborn, both of which are now clearly identifiable as front groups, fictitious identities created, operated, and maintained by the GRU. "The CyberArmyofRussia_Reborn Telegram channel has primarily been used for posting stolen data and DDoS targets. In several recent incidents, FROZENBARENTS compromised a webserver of the target organization and uploaded a webshell to maintain persistent access to the compromised system. The attackers then deployed Adminer, a single file PHP script for managing databases, to exfiltrate data of interest. Shortly after exfiltration, the data appeared on the CyberArmyofRussia_Reborn Telegram channel." Among the favored narratives boosted by the GRU fronts has been the long-running false claim that biological weapons have been used in Ukraine, and that this has been done at the instigation of the US, which is (falsely) claimed to be responsible for the proliferation of biological warfare agents around the world.
Poland describes current Belarusian information operations.
Ghostwriter is back. Polish authorities say that a major propaganda campaign by the Belarusian group Ghostwriter was detected on April 18th. Attribution was unusually quick, and Poland has taken steps to control any damage. "The group's goal in Poland is to disrupt the country's relations with its allies," The Record reports, "including Ukraine, the U.S., and NATO countries, according to Poland’s Ministry of National Defense. The group’s campaigns have also aimed to foment social unrest among Polish citizens." It’s that old familiar mischief-making: don’t worry about persuasion; just go for confusion.