The Microsoft Threat Intelligence Podcast 2.14.24
Ep 12 | 2.14.24

Iran’s Influence Operations


Sherrod DeGrippo: Welcome to the "Microsoft Threat Intelligence Podcast." I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage, cyber crime, social engineering, fraud? Well, each week dive deep with us into the underground. Come here for Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries, and shape the future of cybersecurity. It might get a little weird. But don't worry. I'm your guide to the back alleys of the threat landscape. Hey, everybody. Welcome to the "Microsoft Threat Intelligence Podcast." We have something a little different today. I've got two guests here who are from the Microsoft Threat Analysis Center, and they're going to be talking to us about Iranian influence operations. I have my first guest, Bryan Prior, intelligence analyst director at Microsoft, and Nirit Hinkis, threat context analyst at Microsoft. Thanks for joining me, guys.

Bryan Prior: Thanks for having us.

Nirit Hinkis: Thanks, Sherrod.

Sherrod DeGrippo: So I said this was something a little different, and it's different because I don't normally work on influence operations and I know very little about it. So there's this big report coming out from your group about Iranian influence operations that will be released in February. People can pull it down, take a quick read of it, but I'd like to start just kind of understanding what is influence operations. What does that mean?

Nirit Hinkis: Yeah. Sure. So influence operations are activities that aim to influence the perceptions or attitudes or behavior of a target audience. So that could be through overt means, covert means, or you know something in between.

Sherrod DeGrippo: Okay. And we were talking earlier and you told me that there's a difference between influence operations and information operations. I was using them interchangeably because this is not my area of expertise. So what's the difference between influence and information when we're talking about this?

Nirit Hinkis: Yeah. And I should say a lot of people do use them interchangeably, and I think a lot of the terms that we use kind of in this field are a little bit squishy and kind of evolving. So it's okay if you use them interchangeably. We don't at MTAC. The way we distinguish them is information operations are employed as part of -- specifically as part of military operations generally to impact the adversary's strategic decision making. Whereas influence operations don't necessarily happen within the context of military operations. They could include things like propaganda or things that are kind of outside of specific military issues.

Sherrod DeGrippo: Okay. Got it. And I want to ask you both. I'll start with Bryan. Bryan, this is an Iranian focused report and I know in the APT world when we talk about threat actors people focus on a particular region or a particular country's threat actors in the landscape. And so are you focused on Iran? It seems like you are. What's the angle there in terms of expertise for you?

Bryan Prior: Yeah. So our team does focus on Iran. We also focus on the Middle East more broadly, particularly when it comes to groups that Iran is associated with or works alongside. So that would include groups like Hezbollah in Lebanon, Hamas, other Palestinian militant groups like the Palestinian Islamic Jihad. So we cover that set of activity. And the report -- in this case we focused very heavily on Iran and the influence operations as well as the -- some of their cyber operations. And most specifically a lot of their cyber enabled influence operations in the Israel Hamas war.

Sherrod DeGrippo: Okay. Got it. And, Nirit, what about you? Is Iran your primary focus?

Nirit Hinkis: Yeah. Iran is my primary focus. More specifically within that I tend to look at Iranian influence operations that are targeting Israel.

Sherrod DeGrippo: Okay. Got it. That is really specific and niche. And I think -- so to give some background to our listeners, I've worked in information security roles for, it will be 20 years in April. I've worked at pretty much the gamut of the large security vendors. And I feel like Microsoft has so many people focused on nation sponsored threat whether that's the influence operation side like MTAC where you're both working or the cyber side which is what we typically would think of as Microsoft threat intelligence community side. It's so big, the teams of people, and it's so big that Nirit actually focuses specifically on that one particular area. So let's talk a little bit about Iran when it comes to cyber enabled influence operations and how those are evolving. I think what we should start with, though, is, is there a simple example we could use for the audience of what an influence operation is? Like Bryan, do you have an influence operation that would be easy to understand?

Bryan Prior: Yeah. For sure. And I think specifically with cyber enabled influence operation one that a lot of -- comes to mind for a lot of folks is what Iran did ahead of the 2020 U.S. presidential elections. So in that case a group that we track is Cotton Sandstorm. It's known as Emennet Pasargad. They spoofed as the Proud Boys, pushed out a video that suggested that they had managed to get into a voting website, FVAP, for essentially military officials or other civilian officials overseas. Managed to get into that website and cast ballots. The truth of the matter is the group never actually cast those ballots. What they simply did was they leveraged a cyber operation. So the cyber operation itself they managed to gain access into voter -- certain states' voter registries. They showed that in the video. Some of that information which they managed to exfiltrate from a U.S. state. So they gave the appearance using some level of truth of some data that they did access through a cyber operation to enhance what is otherwise an influence operation to demonstrate that they had had some type of impact or interference on the U.S. elections when they in fact did not.

Sherrod DeGrippo: That's pretty clever. Like you have to kind of give some credit to the creativity of doing something like that. And so kind of give us an example of in that particular scenario how do you know that they didn't cast those ballots. It sounds like there's some kind of indicator. How do we know that that didn't happen?

Bryan Prior: Yeah. So that specific investigation entailed a lot of interest from the U.S. government as well as Microsoft and others in the community. And so where we sit at Microsoft our visibility would have been twofold. One, on examining the goals and intent of the influence operations as well as the potential level of success of those influence operations. And then on the cyber side in terms of what MSTIC is doing is being able to find an attribution to Cotton Sandstorm based on the activity that was seen in the video. And -- and Microsoft had quite a bit of success in that. Now in terms of the fact that it did not impact actual cast ballots, that is something that the U.S. government has said and we take them at their word or their assessment on that.

Sherrod DeGrippo: Okay. And that's really similar to I think how nation state, you know, once the federal government does an indictment or releases charges or something like that, at that point attribution is pretty much considered concrete. It's pretty hard for somebody at security and threat intelligence vendors to say, "Actually no. The federal government is wrong on this." You don't usually win those fights. So that's interesting that influence operations are kind of handled in the same attribution confirmation way with the confidence levels. So Nirit, I want to ask you we've seen kind of what Bryan said. There's this Iranian influence operation capability that has been seen I imagine for quite a few years. What is the evolution looking like over the course of the Israel Hamas war since that's where you focused? And that would be October 7. Right? So what's different? What's changed?

Nirit Hinkis: Yeah. I think we're seeing a lot of influence trends that started before the war, but we're kind of seeing them increase and maybe also increase in sophistication since this war has started sort of coming out of Iran. I would say that the big one is the use of impersonation. So we're seeing a lot of impersonation by the Iranians of Israeli activist groups, but also of Iranian partners. Impersonation really is a common and longstanding technique of the Iranians, but it seems to have become increasingly more convincing. Their Hebrew is better. Things like that. They've -- they've found ways to really almost infiltrate Israeli activist communities. And then not only infiltrating Israeli activist communities, but they've also gone further in masquerading as their friends too. So, for example, one operation used the name and logo of Hamas' military wing, the al-Qassam Brigades, to spread false messaging about hostages targeting the Israelis. And we don't know whether they used that name kind of with Hamas' blessing or not. But that's been really interesting in terms of one of the big trends that we're seeing. We're also seeing the Iranians be able to activate Israelis on the ground to do actions on the ground. So, for example, they recruited unwitting Israelis to hang branded posters, to participate in rallies, things like that. Their most recent operation in which they did this was in November in an operation that was related to the war. And we're also seeing them increasingly leverage email and text messages for amplification. And we're seeing them use this with increasing frequency and sophistication.

Sherrod DeGrippo: Okay. So that's really interesting. I -- I wasn't aware of all of these and I feel like this report that's coming out now is really in depth for a lot of things that I wasn't super familiar with. So we know from the report that Iran has a pretty extensive influence operations program capability. They're focused on this. They're doing it. So the question naturally is what are the objectives. What are they trying to make happen either that they haven't tried before or what's the objective? What's the goal here?

Nirit Hinkis: Yeah. So I think they've got four objectives that we can really see based on our own assessments. The first one would be destabilization mainly through polarization of sort of Israeli domestic audiences mainly by touching on like really sensitive issues that cause sort of conflict within Israel. They are also probably doing this as a form of retaliation. We've seen them use cyber personas. So, for example, a persona called Cyber Avengers which we assess to be linked to the IRGC has targeted Israeli water infrastructure likely in retaliation for Israel limiting water and other necessities to Gaza. We're also seeing them attempt intimidation of Israeli citizens and Israeli soldiers. This is most likely an attempt to convince Israelis that the costs of the war are so high that they should kind of withdraw from the war and go home. And then finally we're also seeing them attempt to undermine international support for Israel. So a lot of messaging that highlights the damage caused by Israeli attacks on Gaza. For example, Cotton Sandstorm which Bryan mentioned ran an influence operation called For Palestinians. And then another one called For Humanity that called on the international community to condemn Israel's attacks in Gaza.

Sherrod DeGrippo: That's really interesting. I didn't know like the extent of a lot of this stuff. So, Bryan, I want to ask you too. There's lots of different groups mentioned in this report. They're all groups based out of Iran. How do these groups overlap, intersect? Do they collaborate? Do they talk to each other? What is the situation in terms of how these different groups interact with each other?

Bryan Prior: I'm glad you asked, Sherrod. Another notable trend that really jumped out in our research was a burgeoning collaboration among Iranian groups. And in some cases even some collaboration between Iranian groups and Hezbollah. On the Iranian front, there's a couple things we saw. There were some cases where we would see multiple IRGC groups or multiple MOIS groups targeting a single target for cyber -- you know, a single target for a certain operation whether it was a cyber operation or cyber enabled influence operation. We also saw in the case of Israel in late October we saw a set of MOIS actors employing a similar playbook that we had seen them use in Albania in 2022. So there was one group that we track, Storm-0861, which we assessed is linked to the MOIS that gained access months in advance to an organization that was later targeted by Storm-0842, another MOIS group, with a wiper malware in October. And if we rewind to Albania and the report that Microsoft Threat Intelligence put out on the impact of Iranian destructive attacks there in 2022, they used the same playbook. One actor, Storm-0861, gained access. And then we later saw Storm-0842 conduct a destructive attack using wiper malware. And what was interesting is we saw that done in Israel in the middle of the war in October, and then we saw it again this year, what I sort of dub as the -- Iran's Christmas attacks on Albania. These two actors we saw the same type of playbook where Storm-0861 likely gained access, probably provided some type of hand off to this other group before they conducted a wiper attack.

Sherrod DeGrippo: And we've seen wipers deployed now in the majority of the situations that have cyber and kinetic operations combined. One of my colleagues just sort of said like wipers are the new normal and we should come to expect them when things become kinetic.

Bryan Prior: Yeah.

Sherrod DeGrippo: Again I'm looking at this report. It's so good with the graphics. Figure two. Iranian propaganda consumption by country. Canada is number one and has a big spike at the very end of October. Any comment on why Canada rises above the rest in terms of consumption of Iranian propaganda?

Bryan Prior: So after the outbreak of the war we saw that consumption of Iranian propaganda spike worldwide. We dug into the data. A lot of that consumption was driven by consumption in English speaking countries, particularly, like you mentioned, Canada, the U.K., Australia. And I don't know why Canada in particular had the most pronounced level of activity, but I would say there was -- I do know that there were certain outlets that drove a lot of this spike. But the articles they were putting out were very focused on the same types of themes that we saw from Iran's influence operations and its cyber enabled influence operations that were very supportive of Hamas and very targeted and critical of Israel.

Sherrod DeGrippo: So I'm looking at this report and I just want to understand. I know these come out every six months. What time period does this cover? How recent does this go?

Bryan Prior: So this specific report we focused on Iranian influence and cyber enabled influence operations from the outbreak of the Israel Hamas war on the seventh of October until the end of 2023. That said, we're looking at certain trends and certain operations and lessons learned. We accounted for activity going back to early 2023.

Sherrod DeGrippo: Got it. If you've been following this sort of the influence operation capability out of Iran, what would you say are some of the things that are unique, that are new? What are some things that have caught your eye and you've been sort of, oh wow, that's interesting? Have you seen anything like that?

Bryan Prior: Yeah. No. That's a great question, Sherrod. And I think one of the benefits of this report is that it allows us to take a step back and look at Iranian activity against Israel in particular over the last several months. And so there's a few things from the report that really jump out. And I think the first thing is just the sheer volume of Iranian influence operation activity targeted most specifically against Israel. And in October I think we saw -- we probably came pretty close to seeing what Iran would look like all in on its -- both its influence and its cyber enabled influence operations. And just to kind of give you a couple examples of what that looked like scale wise, so in the month of October alone -- and essentially it's from the breakout of the war on the seventh until the end of the month. So in a matter of weeks we saw more operations coming out of Iran, more cyber enabled influence operations coming out of Iran, than we've seen in any other month since we've been tracking these activities going back to 2020. And there's been past months where there's been, you know, half the number we saw in those number of weeks. But it was typically spread out among several different countries, between Israel, Saudi Arabia, other Iranian adversaries in the region, as well as the U.S. Whereas in the month of October all of its -- all of Iran's influence operations were all hyper focused on Israel and undermining -- either undermining support for Israel or bolstering Hamas' own influence operations. The other thing is when you look at it from a -- this sort of scale of Iran's focus and how focused they were on Israel, a couple of things jump out. One. This is something we saw across a whole wide gamut of Iranian groups, both from their MOIS, their Ministry of Intelligence and Security, and the IRGC, the Islamic Revolutionary Guard Corps.
So just to put a number on that, from what we're tracking at Microsoft the first week of the war we saw nine Iranian groups active and targeting Israel which is already a -- quite a high number in any given week if we look back at our numbers on this activity. And that number grew, you know, two weeks into the war to 15 -- excuse me. To 14 different groups. So that was one sort of trend that really jumps out was the sort of sheer volume. The second one I would point out sort of lesson learned for us was Iran's agility. And this sort of ties into some of the points I was just making now which again so many of these Iranian groups very quickly shifted to targeting Israel. And they did so within days. So there were a handful of operations, influence operations, that started either on October 7th, the day the war broke out, or some others that started within a day or two after October 8th or 9th. And so what really -- so again this speaks to the fact that Iranian actors were able to very quickly jump on to the conflict seemingly without any form of precoordination with Hamas.

Sherrod DeGrippo: Without any precoordination with Hamas.

Bryan Prior: Correct. Yeah. I mean as we have pointed out and as Microsoft -- as some of our colleagues at Microsoft have pointed out in a blog back in November linked to the CyberWarCon conference, the data that we see at Microsoft does not indicate -- there's not clear evidence that there was collaboration between Iran and Hamas prior to the outbreak of the war on October 7th. And, in fact, in the early days, and this is something we talk about in the report, we talk about multiple different phases that the Iranians went through in their operations against Israel in this war. The first phase, you know, the first week or so of the war, Iranian -- Iran's operations were highly reactive. They were often quite opportunistic. So even though it was able to stand up some of those operations and run those operations within days of the war breaking out, it was likely that they were being -- they were using access that they already had to certain companies to then leak some of that data. Or they were probably leveraging other preplanned operations and then adjusting them slightly to fit a new narrative that aligned with the war.

Sherrod DeGrippo: I think that's, you know, immediately the natural question which is if -- if you see that happen immediately, like day one you see Iran pivot day one to working influence operations associated with the war, the first thing I think most people would say is, "Well, oh. Then this is collaborative. This is -- this is a heads up. This is they had information there." But the data's showing you that they didn't. So the only other answer to that is that they can move really, really quickly and change instantly.

Bryan Prior: Yes. I think that's right. And a really good example of that, Sherrod, and this -- I don't think the Iranians intended to mislead from an intelligence perspective in the U.S., but the Iranians ran an op, you know, we would refer to as a cyber enabled influence operation that -- in which they conducted -- claimed to conduct. A group called Cyber Avengers claimed to conduct cyber attacks against Israeli targets on October 6. And they made the announcements on the sixth. But on October 7th, the day -- you know, at the outbreak of the war, IRGC affiliated news outlets, Tasnim News, reported. They specifically said this operation was run at the same time as the al-Aqsa -- Hamas' al-Aqsa operation. And so I don't think Tasnim News wanted -- had necessarily thought this through, this potential implication that this might give the perception of coordination between Iran and Hamas. But they were likely trying to play up how quickly and how effective their operations were. And this is really a sort of a core component of a lot of Iran cyber enabled influence operations. They'll conduct some type of minor low sophistication, low effort cyber attack, and then use influence operations to exaggerate what actually happened. Very similar to the previous example I mentioned of Iran posing as the Proud Boys ahead of the U.S. elections.

Sherrod DeGrippo: That's very creative. Let me ask you both. Would you consider Iran kind of in that scope of influence operations? Because I'm sure you speak with your fellow coworkers that work on the various other countries. Would you say that Iran and their influence operations is relatively creative, is relatively agile? Or across that spectrum when we think, you know, Russia, North Korea, all that, their influence operations, where do you feel like Iran falls? Nirit, I'll give that to you.

Nirit Hinkis: Sure. Yeah. So I think that on one hand they are quite agile and quite creative. On the other hand, we do see them sort of learning from what the Russians do. So we'll see them sometimes creating spoof websites of Israeli news sites in order to pump out false information under the guise of, you know, a popular Israeli news website. Things like that which we know the Russians have done in the past. So I think it's a combination. It's some recycling and kind of learning from others, and then some of it is bringing their own creativity into it.

Sherrod DeGrippo: Bryan, how creative is Iran?

Bryan Prior: I agree with that. And on the creativity side part of what's going on here is Iran is trying to figure out a way to try and punch above their weight. And what I mean by that is Iran doesn't quite have the level of sophistication when it comes to its cyber attacks as Russia or China or certainly not those that are conducting cyber enabled influence operations against Iran. Which is important. Right? So Iran has faced cyber attacks that have set fire to steel factories, that have delayed trains, that have taken down 60 to 70% of fueling stations or gas stations in its country. And so Iran wants to retaliate. It wants to respond to those incidents. But it probably lacks the capability to do so. And so the way in which it can try to appear as if it's responding in a proportional manner is by -- is by conducting these types of cyber enabled influence operations. And that requires quite a bit of creativity on their part to make it appear as if their cyber attacks had a greater impact than they actually did. And part of that creativity from what we've detected appears to entail, as I implied earlier, the use of state media to actually amplify and exaggerate some of their claims as well as a whole set of other, you know, sets of inauthentic personas on social media which we can get into later.

Sherrod DeGrippo: That is so -- this is so interesting because for anybody listening I want you to go back in the podcast and listen to the North Korea episode because I feel like there is such an interesting set of compare and contrast and parallels to some of the things that you're saying about Iran really also apply to North Korea. I think that I would pull out a highlight there being they don't quite got what they need so they're getting creative. Like it's very much the resources and availability and capability aren't to the level that they would like and so those two nation state sponsored threat actors seem to love to have some creative license to be a little bit different. Take a little bit of a different path. And I think that that's really interesting too, especially when you look, you know, geopolitically from the perspective of different sanctions and things like that. How Iran and North Korea have some similarities. So this is what you've seen so far. My next question is -- I'll start with Nirit. I don't want to put you, you know, in a crystal ball situation, but what would you expect to see going forward over the rest of this year or next year?

Nirit Hinkis: Yeah. I think that really depends on a few factors. The first factor is what the Israel Hamas war is going to look like over the next year. And then the other factor, of course, is the U.S. elections of 2024. So in terms of the first factor I do think that we will continue to see them pushing influence, sort of pure influence and cyber enabled influence operations, continuously targeting Israel very much in the same way that they have over the last couple of months. And then I think we will also see them start to shift or add attention to the U.S. arena to try and influence the U.S. elections in part by messaging about what's happening in Israel and Gaza, but also kind of messaging targeting the U.S. population on internal U.S. issues like race, economic issues, things like that as well.

Sherrod DeGrippo: Bryan, anything you want to mention that you think might be coming up?

Bryan Prior: So we talked earlier about how Iran's operations in the early days of the war were quite reactive. And what we saw -- what we saw, though, as the phase of Iran's involvement progressed is that their operations became more targeted, more collaborative among the different Iranian groups, and in some cases more destructive. And so as the Israel Hamas war drags on, and as the potential for a widening war plays out, you know involving Houthis, the U.S., Iran backed Shia militant groups in the region, the potential for that widening war continues. The potential for more impactful and more destructive Iranian cyber attacks and cyber enabled influence operations is certainly on the table both for -- most specifically for Israel, but also the potential for the U.S. particularly if the war does widen. So in one case, and this was in some ways -- this was actually related to the Israel Hamas war itself. The group we mentioned earlier, Cyber Avengers, the group that runs them that we track as Storm-0784 conducted a -- we assess conducted a cyber attack against control systems in the U.S. at water authorities. Right? So CISA had put out an advisory about this, that there were -- there was a water authority that was impacted through the programmable logic controller. And this was likely very opportunistic on their part, but it's these types of operations that Iran may look to in the future. In that specific case Iran claimed it targeted those what we refer to as PLCs, those controllers, because they were made in Israel. And so Iran will -- was probably testing the waters a bit. And it will probably continue to do so maybe not in the short term given the recent events of U.S. soldiers having been killed in Jordan, but as things drag on and as conflict between the U.S. and Iranian proxies potentially escalate it's these types of attacks that we're going to want to be on the lookout for.

Sherrod DeGrippo: Storm-0784 is fascinating to me. I'm looking at this report at this graphic. And if you're listening and you have not downloaded this report, you need to go get it because this graphic is fantastic. I want to talk about the webcams or the security cameras. So Storm-0784 which is a group Microsoft tracks that looks like it's an IRGC group, they also go by the moniker Soldiers of Solomon on X or Twitter. So they have this persona. They did some attacks against security cameras in Israel. And then they claimed to have ransomed security cameras at an Israeli air force base. Is that right?

Bryan Prior: Yes.

Sherrod DeGrippo: But they didn't. So it's fascinating to me as an old school troll from the beginnings of the internet seeing overreach boasting and bragging in a way about things they didn't quite do. So can you tell me a little bit more about their sort of doing some puffing up of their actual capabilities?

Bryan Prior: Yeah. I think what the Iranians were trying to do -- and so yes. So Storm-0784 is the group that we track, the set of cyber actors. And that group has stood up multiple personas, one being Cyber Avengers, another being Soldiers of Solomon, but we assess both of those personas are run by the same group. And that actor, Storm-0784, is highly focused on accessing industrial control systems and internet of things devices. In this case what appears to have happened is, like you said, they managed to have some type of impact, but they misled on the actual precision. So they appeared to impact certain sets of -- gain access to and impact certain sets of webcams throughout Israel. But none of them were anywhere near the air force base that they claimed to target in southern Israel. And the footage they released, Nirit conducted very close examination of this leveraging her Hebrew language skills and it turned out the footage was not from the base itself. And so we have a graphic going into detail on this in the report, but essentially what appears to be happening is these Iranian groups, these [inaudible 00:33:37] groups, were probably directed to target these military bases in Israel, and yet they didn't hit them. And what's not clear is did they exaggerate and actually intend to confuse their own leadership? And is their own --

Sherrod DeGrippo: They're lying to their boss.

Bryan Prior: Yes. Does -- are they exaggerating? You know, part of it is they're probably exaggerating to have a greater impact when it comes to say sowing chaos and panic in Israel and in -- for the intimidation angle that Nirit spoke about earlier as one of their objectives. But the question is did their bosses know about this.

Sherrod DeGrippo: Does your boss know about this? For anybody listening, you need to pull down this report and look at figure five. It's got a map of where all of the security cameras are. It's got a map of the claim. And it's got a map of the security cameras that were actually compromised as well as footage pictures. So, Nirit, anything you want to add to that? You watched this webcam footage?

Nirit Hinkis: Yeah. I went through all of the webcam footage that Soldiers of Solomon had leaked and I was like, ha, this doesn't really look like a military base to me. You know, let's see if I can find out where this is actually from. So using just some sort of true location type OSINT skills I was able to actually locate those images to a town that is quite far away from the military base that they claimed to hit. That town happened to have a street by the same name as the military base, but that's really the only -- the only, only overlap that we're seeing there. So, you know, it's possible that they intentionally were trying to mislead and that they knew that they had not hit the military base. It's also possible that they, you know, found this street name and they were like, ah ha. Like we got the military base. Like let's put this out there. Yeah. Hard to know.

Sherrod DeGrippo: That's really interesting, and I think that's something to always keep in mind when you're dealing with nation-states. Right? Like with cyber crime, which is the thing that I really prefer to focus on because I feel like I understand it so much better, with cyber crime if they got the money, that's it. There's no need to exaggerate really or convince a boss of it. Like if the money's in the account, it's in the account, and that's pretty much the objective and they're done. When you think of some of these nation-state actors, whether it's influence operations or anything else, they kind of have an incentive to make their boss happy because that's their job as an employee of their respective military or government or intelligence agency. And so the potential for fibbing around that might be there. That's very interesting. So I want to talk terms really quickly. Again, I am an old school troll of the internet and I see that we have in the report a term which is "sock puppet." So, Nirit, what is a sock puppet?

Nirit Hinkis: Yeah. So a sock puppet. Let me actually first start by explaining what a bot is, because I think that might be the term that more people are familiar with. So a bot is an online persona or account that is fully automated, generally. Now by contrast, a sock puppet is quite similar in the sense that it is this online persona that's used to hide, you know, whoever is behind it, but it's generally not automated. So we imagine that there's a person or people sitting behind that sock puppet and, you know, typing out their message or whatever it is, and trying to hide their true identity. So we see Iran using sock puppets very frequently.

Sherrod DeGrippo: For anyone listening, if you have a sock puppet on Twitter, please tweet at me with your sock puppet, which I assume are much more benign sock puppets than those operated by Iran. So let's talk about attribution and let's talk about telemetry, because one of the first things that I started thinking when I, you know, heard that I could get somebody from the MTAC team to join us was: we think about telemetry in typical threat actor TTP style as overlapping indicators such as IP addresses, little snippets of code, infrastructure, style. All of these different little attribution points that we can kind of use like a Venn diagram to sort of divine out, okay, the similarities are here. There's enough points of contact that make it this actor. We have a high level of confidence that this is the actor. How does it work for something like influence operations when you don't have malware to look at or a [inaudible 00:38:20] page or some of those things that we kind of take for granted?

Nirit Hinkis: Yeah. So we look at a lot of the same types of things, just in a little bit of a different way. So we do look at technical evidence. So things like telemetry. We look at web infrastructure. So if the actor has set up a website to, you know -- to put out their leaked data, or a fake website that is spoofing a news website or something like that, so we look at their web infrastructure and IP addresses and things like that to see if we can find any overlap. We also look at things like financial and business relationships through sort of corporate records and things like that. But in addition to that we look at things like behavioral evidence. So social media posting patterns is really interesting to us. Social networking in general. So who's connected to whom? And then we also look at linguistic and sort of visual output markers like, oh, this persona is putting out posters or images that look really, really similar to something we've seen in the past. Is it possible that these two personas are connected? And then finally we also look at contextual evidence. So that would be geopolitical context. We look at the narratives and the messaging that -- that these actors are putting out. And we look at the possible beneficiaries of this type of messaging. So, you know, is this messaging pro-Iran? Is this stuff that we've heard Iranian leadership talk about frequently? Things like that.

Sherrod DeGrippo: That's so interesting. Bryan, are there any other points you want to bring up about how you do attribution with influence operations?

Bryan Prior: I think Nirit did a great job covering what we're focused on on our team in particular. One thing I would emphasize, though, as someone who covered, you know, prior to joining MTAC -- someone who covered cyber operations more broadly with Microsoft, is that the real benefit the MTAC team has sitting at Microsoft is that we can -- we work very closely alongside other folks at Microsoft Threat Intelligence who are working on the more traditional forms of telemetry you were speaking about, Sherrod. Right? And so when we look at a lot of these actors -- we spoke about Cotton Sandstorm, we spoke about Storm-0784 -- those groups are both conducting your traditional forms of cyber operations at the same time that they're running these influence operations. And so this allows us to keep tabs on these actors from two different directions. And the real benefit for us is when an actor changes some of its TTPs on the influence side we can keep track of it in terms of its cyber operations, and vice versa. If there's suddenly a drop-off in telemetry of its cyber operations, we can sometimes try and keep tabs through a common set of behavioral evidence in its influence operations.

Sherrod DeGrippo: That is so fascinating. And I've worked pretty closely with our -- some of our Iran experts on the cyber threat side here. And we have a full Peach Sandstorm episode of the podcast if people want to check that out. We'll go ahead and wrap up now, but I want to tell anyone listening you have got to get this report. It's actually not that long, in fact. It's not that many pages. But the graphics are amazing. I mean they are so good. You've got maps. You've got the security camera screenshot footage. You've got so many timelines, so many icons of all the different groups broken down with all kinds of information, volumes, all kinds of really great graphics and things like that that I really suggest people check out. Nirit, thank you so much for joining us. Bryan, it was awesome having you both on. I look forward to talking to you again because we'll do this again in six months. Right? Another report?

Nirit Hinkis: Love to.

Bryan Prior: Yeah. Thanks, Sherrod. Yeah. We put these reports out every six months so we'll keep them coming.

Sherrod DeGrippo: Great. Thank you so much, and thanks for listening to the "Microsoft Threat Intelligence Podcast." We'd love to hear from you. Email us with your ideas at Every episode we'll decode the threat landscape and arm you with the intelligence you need to take on threat actors. Check us out. for more. And subscribe on your favorite podcast app.