Croissantposting
Welcome to Memetic Warfare.
The first order of business for the blog is Meta’s latest Threat Disruption report, available here under 2024.
We have a fair amount to discuss here. My first concern is the visible trend of declining investment from Meta in their reports. In this quarter’s report there are only two authors listed.
To make it worse, each actual operation only gets one to two pages at best, with each description essentially being a cursory summary with little depth or actual content to review. Just look at the table of contents:
Each operation gets 1-2 pages, but ANOTHER update on Doppelganger gets 5-6.
Guys, Doppelganger in terms of general coverage should be officially cancelled by this point. There is 0 reason to give it the attention that it has received by this stage due to its low impact and constant media coverage.
Don’t take my word for it, take Meta’s. This is their 9th update in just over two years on Doppelganger. I truly and honestly can say that I have had enough.
I’m not opposed to specific coverage of certain elements of Doppelganger, provided that they:
Are significantly novel enough to warrant publication, with the amount of coverage proportional to the impact of the novel findings
Cover a new cluster of activity or one of the overlapping operations
Focus on a specific region, country, or other less-covered aspect of Doppelganger
At this point, I feel very confident in saying that Meta and everyone else have better things to do than to keep publishing on every minor new development from Doppelganger, and I wish that Meta would focus on other vectors.
What especially kills me is that Meta is very happy to provide screenshots and specific data on Doppelganger, but not on other operations. Did the croissant-posting efforts of DG really warrant a full page at the expense of other operations?
Now that my rant is over, let’s get to the report itself beyond Doppelganger.
The first two reports that caught my eye were, unsurprisingly, the Lebanese and Iranian operations. The Iranian operation is, of course, the ASA cluster discussed here multiple times in the past, as well as by Microsoft, the FBI/INCD and many others.
There isn’t much new here except the specific mention of WeRedEvils0g, a new front not covered by the advisory or myself, and the Jerusalem Post impersonation site (see the threat indicators for the URL), so good catch by Meta.
This is why platform reporting is so critical: there is often activity that cannot be linked together using open sources alone, and that only internal telemetry can expose.
The next Lebanese-origin operation includes two operations discussed months ago here: Dofek and Israel in a Minute. Check out our past posts on these if you want to actually see any content or learn more about them in-depth. Halalom Israel is apparently a previously unreported operation as part of this cluster.
Halalom confuses me a bit as a Hebrew speaker, as I’m not sure whether it’s a misspelling of “HaOlam” (meaning, “The World”), or any other potential word in Hebrew, but as is it doesn’t make sense to me.
Moving on from there, the Meta report refers to the “Open Source” community as having exposed a portion of this activity, which could be a reference to Memetic Warfare (which was the first, to my knowledge, to report on Dofek and Israel in a Minute), or the reporting that came out in various Israeli outlets about a week after Memetic Warfare. Good to see though that Meta follows the community.
Short of the new Halalom operation, there isn’t much new information or even an in-depth look at the operations beyond the total ad spend.
The most interesting development is the ties that Meta has found (without saying what they are, unfortunately) between the operations and the Hizballah affiliate al-Mayadeen, and more interestingly LuaLua TV in the UK. LuaLua TV was an Iran-linked media outlet targeting Bahrain before the US DOJ seized its domain, along with several dozen others, as part of enforcement action against Iranian malign influence.
The point I’m trying to make here is that Meta understandably calls this a Lebanese, or at least Lebanon-origin operation, but that isn’t the full story.
Hizballah is an Iranian proxy, and arguably we should treat any Hizballah IO activity as not Lebanese, or at least not “just” Lebanese, but rather as Iran-nexus activity.
The operational ties to LuaLua TV only strengthen this claim, and the same logic applies. It would be silly to call LuaLua TV a British operation simply because its activity is geographically based in the UK. When attributing this sort of proxy activity, the attribution should include context on the overall backer.
Beyond these two operations, the rest of the report is fairly lackluster. Two Indian operations were exposed with minimal information, and one suspected Russian operation targeting Moldova that Meta had PREVIOUSLY reported on was also included.
On the whole, I was disappointed by this report in almost every way. I hope that Meta:
Expands their total coverage of global activity
Brings more people back onto the counter-IO team
Publishes reports with content and in-depth information
Takes a break from Doppelganger
Otherwise, their reporting will become marginal. One final request for Meta: PLEASE give your reports persistent URLs. It is currently impossible to link directly to the reports themselves, as they constantly expire from the Threat Disruption page.
The next item of business is an interesting development in Germany. Germany’s domestic intelligence agency, the Federal Office for the Protection of the Constitution, has announced that they are founding an election-security task force. The full announcement in German is available here.
The announcement itself is quite solid and covers multiple fields of election security, as shown above. I’m pleasantly surprised and glad to see that the BfV (shorthand for the above government office) is viewing election security holistically and beginning to prepare the public:
There are some open questions. The task force only has several months prior to the elections, so they have to cover a lot of ground quickly. Will they be able to? Who knows.
Hierarchically, how will this work? Who is leading it, and which agencies beyond law enforcement are involved? Hierarchy and organization matter, doubly so in Germany. This is especially critical following the precedent-setting cancellation of the first stage of the Romanian presidential elections following Russian IO and cyber interference (see more on that here).
Let’s discuss some additional European affairs. The Cyfluence Research Center (CRC) put out a report worth looking at as well, available here.
The report focuses on Chinese activity and the ongoing Sino-European/Canadian trade war on EVs, and as a topic is quite interesting. We don’t see quite as much discussion of IO targeting economic activity, and on this specific subset of activity I’ve seen no actual reporting.
It’s great to see more coverage of IO and global trade, and also great to see a European think tank put out more investigative work beyond Spamouflage and Doppelganger. China has carried out multiple past operations targeting the EU to promote Chinese firms such as Huawei, so I’m very excited to see this angle be looked at more closely.
Full disclosure, I also occasionally publish at the CRC on IO and European affairs, so if you’re interested in that be sure to give them a follow.
We’ll conclude with a quick recommendation that I won’t go into: SentinelOne’s report on DPRK IT front companies, available here. This report is fascinating and full of relevant information for pivoting and further investigation - check it out.
That’s it for this week! Check out Telemetryapp.io in the meantime.