Memetic Warfare: it's the same, but there're three more election reports, so it's not
This week’s Memetic Warfare covers a spate of election-focused reporting, which will probably consume most of the blog’s content for the next few weeks. We’ll start off with Microsoft.
Microsoft has been putting out a flurry of reports lately (which is great) - check out their fifth MTAC report. We’ll review a few select parts.
The first section focuses on the dark horse of these elections: Iran. The first finding is great, focusing on “Bushnell’s Men”, a hacktivist front apparently posing as Americans online (although they do overtly claim to be a hacktivist group). They promote a boycott of the US elections and, of course, anti-Israel protests:
The group also actively defaces domains for whatever reason:
Interestingly, this isn’t the first Bushnell-themed hacktivist group either - see below. The Aaron Bushnell Hackers group has been around since February and rents out a stresser service:
But wait, there’s more!
Cotton Sandstorm (and I thank Microsoft for adding the AKA below) is also busy probing and prodding wherever possible, but Microsoft’s prediction that they’ll get busy in the final stretch or even after the elections seems on the money. Their high operational tempo (see below) is also notable, and is something I’ve seen in other Iranian operations, which I’ll discuss more in the future.
Traditional influence also gets a shoutout, which I appreciate, as I’m sick of the AI discussion - we all know by now that it’s a thing. We can move on. The Storm-1516 case below shows how “traditional and rudimentary influence techniques have much more impact and reach than AI…”:
Also, describing the specific style of video (interview-based) as a TTP is solid. There’s a China section on Spamouflage that focuses on downballot activity; for more on that, see here.
The ODNI has also put out a very solid report on threats to the US elections. This report focuses on threats AFTER voting ends, which is a refreshing and important approach, albeit one that is arguably far more critical in the US than anywhere else, due to the snail’s pace at which the US counts votes.
Check out the Key Takeaways:
There’s a lot to review, so we’ll do it in points.
Firstly, we all (now) understand the IO/Cyber nexus. At this stage, we’re starting to understand the IO/Cyber/Physical operations nexus, including kinetic operations. It seems that the USG is finally viewing IO/cyber the way its adversaries do: as one part of a merged hybrid-warfare toolkit.
I could be wrong, but it seems that the claims regarding the protests below were in fact previously unreported. The second bullet, about the “Enemy of the People” domain, was well-publicized. Protests are only one vector of physical IO; doxxing could arguably be included as well.
Next - hacktivist fronts. Hacktivist fronts are a wild card. Nation-state actors may be restrained for the reasons below, but loosely affiliated coalitions may still attack US infrastructure. The case of the Austrian elections may be informative.
Lastly, mitigation:
This part is the most critical, and interestingly the most classified/redacted section (look at the report to see what I mean). USG responses seem to be shaping up well, but more specifics and offensive action seem warranted, and based on the redactions, that may be what is happening.
One new development regarding US responses that’s worth shouting out is a rapid-response debunk from the ODNI, FBI and CISA which shows that the USG is in fact acting nimbly:
The above debunk refers to a Russia-produced video of an individual “ripping up ballots in Pennsylvania”, and impressively the USG was able to identify and debunk it within seemingly just a few days. While not feasible at scale, tactical debunking of high-value content can still make sense, considering that these relatively high-investment videos (which still look bad) take some time to create.
The next report is Recorded Future’s on Operation Overload, available here. Recorded Future always puts out great IO content and you can and should follow them closely.
The report’s three main findings are on the title page below:
Key Findings below as usual:
The most interesting claim is that Overload’s main objective, or at least one of them, is to “overwhelm the target’s research resources”.
Overload does this by using emails to directly contact journalists and fact-checkers, which frankly is a great idea. It’s fascinating to see how the IO/counter-IO dynamic develops and expands beyond investigation and takedowns into other vectors.
The use of Instagram story-style content is also a great TTP catch:
The use of QR codes is also a fascinating TTP:
There’s a lot more here, so read the full report if interested.
That’s it for this week. Check out Telemetryapp.io, and let me know in the comments if you have any questions, comments or complaints.