Memetic Warfare Weekly: See You Spam Cowboy...
Welcome to Memetic Warfare Weekly.
My name is Ari Ben Am, and I’m the founder of Telemetry Data Labs - a Telegram search engine and analytics platform available at Telemetryapp.io. I also do training, consulting and research so if you have any specific needs - feel free to reach out on LinkedIn.
This week’s post will focus on a fun little research project that I and a few others published this week on China-linked IO targeting the US. As someone active in posting furiously online about IO, I had to fulfill my legal obligation to investigate and post about a Spamouflage network at length.
I worked with some great people on the report: Max Lesser, Margot Fulde-Hardy of fellow IO Substack Covertly Yours (with a similar post on the same report here), Saman Nazari and Paul J. Malcomb, and it’s available here.
The New York Times’ Steven Lee Myers and Tiffany Hsu also referred to the paper in their recent article on Chinese influence/interference and the US elections, available here.
The network is Facebook centric with hundreds of accounts and pages, and has a few specific points that I’d like to bring up beyond the traditional stuff (see requisite GAN images below):
The first interesting and - as far as I’m aware - new finding, was the use of Getty’s “Unsplash” API to pull profile pictures.
This tool lets users pull stock images in an automated fashion, the utility of which should be readily apparent. Always fun to get some insight into how operators automate their processes, and shows that Getty should probably invest in a Trust and Safety team.
We also came across some evidence that may be indicative of the exploitation of hacked or purchased accounts. Some accounts appeared to belong to authentic individuals for years, until eventually, after a certain period of time -
In late 2023, the account appears to have suddenly joined the WoS network by posting similar content and beginning to receive comments and engagement from other network accounts:
Does this example, and some others, show that this account was necessarily hijacked, breached and sold or otherwise? Not necessarily, but it is a suspicious phenomenon that could potentially be explained by such activity. The barrier to entry is certainly low; examples of Telegram-based vendors selling accounts abound and are easily identifiable for researchers on Telemetryapp.io:
The next new TTP that we saw was the apparent use of ChatGPT to generate text content. We identified this by noting the quotations around blocks of text, showing in some cases double quotations - see the posts below. We believe this to be indicative of the use of machine translation/AI tools, quite possibly ChatGPT or others.
In the world of boring/rehashed TTPs, we found that the network liked to generate funny issues of Guo Wengui:
We did the working hours meme by looking at the post times of the network accounts:
The meme is accurate but if done over time and super consistently, it’s a nice bit of data to add - see below:
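A minimal version of the post-time analysis described above, as an added example that is not code from the report. It converts UTC post times to an assumed operator timezone (UTC+8) and measures the share falling inside an assumed 09:00-18:00, Monday-Friday window, overall and per ISO week, so consistency over time is visible. The timestamps are constructed sample data.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumptions (not from the report): operators keep UTC+8 office hours,
# 09:00-18:00 local time, Monday to Friday.
OPERATOR_TZ = timezone(timedelta(hours=8))
WORK_START, WORK_END = 9, 18
# Share expected if posts were spread evenly across the week (45 of 168 hours).
UNIFORM_BASELINE = 5 * (WORK_END - WORK_START) / 168

def working_hours_profile(timestamps_utc, tz=OPERATOR_TZ):
    """Return (overall share in window, posts per local hour, share per ISO week)."""
    hours = Counter()
    weekly = {}  # (iso_year, iso_week) -> [posts in window, total posts]
    in_window = 0
    for ts in timestamps_utc:
        local = datetime.fromisoformat(ts).astimezone(tz)
        working = local.weekday() < 5 and WORK_START <= local.hour < WORK_END
        hours[local.hour] += 1
        in_window += working
        bucket = weekly.setdefault(tuple(local.isocalendar())[:2], [0, 0])
        bucket[0] += working
        bucket[1] += 1
    total = sum(hours.values())
    share = in_window / total if total else 0.0
    return share, hours, {week: w / n for week, (w, n) in weekly.items()}

# Constructed sample post times (UTC), two consecutive weeks.
SAMPLE_POSTS = [
    "2023-11-06T01:15:00+00:00",  # Mon 09:15 local
    "2023-11-06T03:40:00+00:00",  # Mon 11:40 local
    "2023-11-07T06:05:00+00:00",  # Tue 14:05 local
    "2023-11-08T09:30:00+00:00",  # Wed 17:30 local
    "2023-11-10T17:00:00+00:00",  # Fri in UTC, but Sat 01:00 local
    "2023-11-11T02:00:00+00:00",  # Sat 10:00 local (weekend)
    "2023-11-13T02:20:00+00:00",  # Mon 10:20 local
    "2023-11-14T07:45:00+00:00",  # Tue 15:45 local
    "2023-11-15T01:00:00+00:00",  # Wed 09:00 local
    "2023-11-16T08:59:00+00:00",  # Thu 16:59 local
]

if __name__ == "__main__":
    share, hours, weekly = working_hours_profile(SAMPLE_POSTS)
    print(f"in-window share {share:.2f} vs uniform baseline {UNIFORM_BASELINE:.2f}")
    for week, value in sorted(weekly.items()):
        print(week, f"{value:.2f}")
    for hour in sorted(hours):
        print(f"{hour:02d}:00 local  {'#' * hours[hour]}")
```

A share far above the uniform baseline in one week proves little; the per-week figures are what show whether the pattern holds consistently across the observation period.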
We even had some recommendations, and I couldn’t agree with this one more - especially regarding using Telegram to mitigate ATO and data breaches:
So, what does this tell us about Spamouflage?
Well, we got some insight into automation, the probable use of ChatGPT and potential use of hacked accounts - all of which are interesting, but I wouldn’t say are necessarily huge signs of sophistication. Using ChatGPT does not a sophisticated operation make, per se. The possible use of hacked accounts is arguably more interesting as that’s more impactful for various reasons - impersonation of key individuals, harder to action/take down, ready-made audiences and so on.
Well, it’ll be with us for the foreseeable future and will continue to be the “entry-level” Chinese influence operation, which I don’t mean in a bad way per se. Engagement and influence will continue to be low as there is no real way to make it effective at this scale.
All of the other points on Spamouflage you’ve heard before, and on that note - I have now fulfilled my obligation to publish about it!
See you next week, Spam Cowboy…