Dawn of the Thirtieth Day: 720 Hours Remain
Welcome to Memetic Warfare.
This week is big for me personally: I’m thrilled to announce that I’ll be speaking at Cyberwarcon! My lightning talk will cover Iranian cyber-enabled influence operations targeting Israel and even beyond. If you’re planning on being there, let me know!
This week Max Lesser of the FDD and I also published on “IDFLeaks” - a suspected Iranian cyber-enabled influence operation amplifying Hamas case files on Israeli soldiers. We published it at the Cipher Brief after really paring it down to the essentials, so I’d recommend that you check it out there for the full story.
I’ll just bring up the recurring trends below. The first is the use of onion hosting and Telegram for the main domain hosting the case files (although at this stage that arguably should be par for the course):
The case files themselves are frankly a bit underwhelming but are certainly lengthy - see some examples below:
So, if the case files were apparently created by Hamas, how is Iran involved? There are a few reasons, but it seems that Iran is the actor behind the broader network amplifying the files - creating the site, seeding the case files on hacking forums, and so on.
Additionally, two other points came up. The first is the consistent and serial amplification and sharing of the full case files on Telegram by a hacktivist group called Hunt3r Kill3rs. Hunt3r Kill3rs posts primarily in Russian, but mainly targets Israel, although they do occasionally attack Ukrainian targets.
All well and good so far, but Hunt3r Kill3rs also tends to attack critical infrastructure in Israel, primarily Unitronics PLCs, in a similar fashion to other known Iranian threat actors. I’m inclined to believe that Hunt3r Kill3rs is an Iranian false flag, contributing to the broader efforts to amplify the network online.
The next is the use of Eitaa. Eitaa is an Iranian Telegram clone, used domestically in Iran as Telegram is banned. A pro-IRGC channel was one of the first to actively amplify the network domain and its activity, and the network itself (IDFLeaks) has its own Eitaa account.
Check out the full article for more information.
Let’s move on to some other topics this week that are deserving of shout-outs.
The first is research from Clemson on an Iranian bot network targeting Scotland. The network is overtly pro-Scottish independence. I don’t usually comment on Twitter-exclusive research, but I wanted to in this case, as it shows how Iran still has that dog in them and doesn’t give up.
Iran first started pushing Scottish independence in 2014, and we’ve seen it pop up in other operations, including one that I recently investigated with Max Lesser at the FDD, available here - see screenshot below.
I’ll share the key findings of the Clemson report below:
I like the stat on the total percentage of discourse on Twitter; it’s hard to gauge, but considering that this is a niche topic, I think one could view it as feasible.
The accounts themselves are often overtly inauthentic, with the one on the far left below being an obvious GAN account. Many pictures weren’t though, and most seem to have been stolen as per the report.
There are some other interesting points re attribution, so check out the report.
The ODNI released their 30-day election update this week as well. Not much to add here in terms of the general assessment, but I do appreciate the shoutout to underrated IO actor Cuba.
That’s it for this week! Thanks for reading, and check out telemetryapp.io.