Embracing the Spirit of Aria Sepehr Ayandehsazan
Welcome to Memetic Warfare.
This week’s post will be shorter than usual, and next week’s may be as well as I’ll be preparing for Cyberwarcon so bear with me!
Leading up to that talk as well, I’d highly recommend that my readers check out Security Conversation’s latest episode, available here, which discusses ASA/Emmenet Pasargad and more as well - as always, it’s great stuff and a fantastic podcast, arguably the best on security available. They also cover CISA’s first official statement on Salt Typhoon, available here.
As for the last of the announcements, I’m also super excited to announce that Telemetryapp.io just received a significant update! Read the update blog post here. To make it short, we now support:
Channel/Group scrape requests
Enhanced visualized analytics
More advanced search features
Search in channel
And more!
Let’s move on now.
The first thing we’ll look at this week is the DFRLab’s latest report on Chinese and Russian influence operations in the US elections, available here. So far, all well and good, even though I usually don’t bother writing about Spamouflage anymore because it’s covered to death.
Let’s check out the headline:
So, seems interesting! Chinese and Russian collusion is always a hot topic. Here’s where it the article makes a bombshell claim: that the operation shows “functional overlap or tacit cooperation between Russian and Chinese adjacent actors”.
That’s a big claim to say the least. The article then shows multiple operation Overload accounts as network samples:
These accounts apparently also promote crypto schemes and also post pro-China content - see below:
The same network also targeted Representative Young Kim:
So, we then reach the conclusion - the DFRLab believes that this activity “suggests potential cooperation between entities aligned with these two actors to implement malign influence operations.”. They do, appropriately, state that they have no evidence of both governments being involved.
Let’s take a step back here. I personally do not like this claim and think that even as is, it’s too far. These accounts are almost certainly part of a Twitter bot network available for rent for pumping and dumping or other black hat activity.
It makes sense that Russian and Chinese actors would utilize the same commercial actors for their infra, and there is no reason to believe that the use of the same actors in any way indicates cooperation, even potentially.
Would we be quick to say that this comprises potential cooperation if we saw that they used the same general hosting firm or bought breached data or other infra from the same provider? In my opinion, the answer is no. The probable reason that this is done is that the potential is just TOO big to not say it, even if it’s highly unlikely.
In other DFRLab related news, they have a new foreign interference tracker up at https://interference2024.org where they rank reporting on foreign interference and influence operations. This is certainly an interesting choice, that I’m sure that everyone that has had their stuff covered in is totally cool with it.
I’m all for aggregating data, but there are some funny things here. Ranking USG reporting on parameters such as transparency is funny, and the same goes for other firms even that don’t want to expose their internal telemetry collection, such as Microsoft.
At least they rank their own activity, which I also find quite humorous.
Some stuff that I worked on at the FDD is also here. Not quite sure why it got a 2/5 on transparency, but the Lab works in mysterious ways so who am I to question it.
Levity aside, I’m in favor of aggregation but the ranking system might rankle a few feathers, and not sure how much it truly provides here in terms of added value.
I’ll add some other recommendations for reading:
Sekoia’s new overview of Chinese cyber operators/activity is available here. Sekoia has put out a few of these in the past on other threat actors, and they’re great for those looking to gain a broad understanding of the landscape.
A joint study with Viginum on political advertising on Facebook, available here.
A new report from Checkpoint on ASA’s malware, including some IoCs for pivoting for those interested, available here.
That’s it for this week - if any readers are planning to be at Cyberwarcon, feel free to comment or message me here.