Welcome to Memetic Warfare Weekly!
My name is Ari Ben Am, and I’m the founder of Glowstick Intelligence Enablement. Memetic Warfare Weekly is where I share my opinions on the influence/CTI industry, as well as share the occasional contrarian opinion or practical investigation tip.
I also provide consulting, training, integration and research services, so if relevant - feel free to reach out via LinkedIn or ari@glowstickintel.com.
Before we begin, a request to all of my readers. I read a lot of articles and posts on IO and disinformation on a daily basis, and there are a few things that at this point simply have to stop:
If you ever decide to publish articles on IO, influence or any topic - please, I beg of you - stop:
Recycling the claim that China just imitates Russia and God forbid, copying the Russian “playbook”.
Using the phrase “playbook” in any context, ever. It is worn out, tired and cliché.
Taking the field too seriously. 95+ percent of online disinformation is never seen by anyone of note, and we should focus on the impactful, multiplatform and even offline (gasp) activity more.
I’d have added something above about being overly Twitter-centric, but it seems that Musk’s decision to limit Twitter API access to the rich and famous has done that for me.
Now that I’ve gotten those complaints off of my chest, let’s start with this week’s content, beginning with a suspected Iranian IO targeting Israel.
Telegram Traitor Trials?
There’s been much ado about nothing recently in Israel, following the far-right “National Security” Minister’s grandiose - and almost certainly false - claims about an alleged pro-democracy movement Telegram channel doxxing Israeli police officers - see below:
I won’t go into the details to save time, but for those unaware - the current Israeli coalition has pushed to promote anti-democratic legislation targeted at weakening the Supreme Court and democratic institutions in Israel in a general sense (in my opinion). What isn’t my opinion is that the planned “reform” has been met with an incredibly powerful protest movement, which is ripe territory for exploitation by Iran or other hostile actors.
Anyway, following the above news, I decided to take a look.
In this case, a Telegram channel called “משפט בוגדים”, poor phrasing in Hebrew which can be translated to “Traitor Trials”, has been doxxing Israeli police officers. The channel also maintains a sister WhatsApp channel:
The channel has been promoted online by inauthentic Twitter accounts and even a Drove.com page:
The text from the petition also is almost certainly ChatGPT-generated as per ZeroGPT - this at least results in mostly grammatically-correct if stilted Hebrew, unlike the rest of the campaign:
The Drove page has been signed by over 11,000 people - a large number considering the size of the Telegram channel. The signatures are almost certainly inauthentic, as the vast majority are signed anonymously, with the occasional non-Hebrew name showing up:
I’ve checked maybe 500 or so signatures, 99 percent of which were signed anonymously and occurred in sequential minutes on April 12th, and since then - no new signatures.
Amazingly, that also was the day (or the day after, depending on the time zone) that the campaign launched, what a coincidence! We can pretty safely assume that this petition was exploited via a script as part of the operation.
As an aside, this is a great low-cost and somewhat uncommon (although by no means unseen) TTP that I imagine we’ll see even more of in the future. Using Drove is also a great move in that it’s an Israeli provider, and not a more general, international service.
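The signals described above (near-total anonymity, signatures landing in consecutive minutes on a single day, then silence) can be checked mechanically once signature timestamps have been collected. The following is an added example, not part of the original post or any tool it mentions; the record format, the anonymous label, the thresholds and both sample datasets are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Assumption: how the petition site labels a signer who hid their name.
ANON_LABELS = {"", "anonymous"}

def petition_profile(records):
    """records: iterable of (ISO-8601 timestamp, displayed signer name)."""
    rows = sorted((datetime.fromisoformat(ts), name.strip()) for ts, name in records)
    if not rows:
        raise ValueError("no signatures to profile")
    total = len(rows)
    anon = sum(1 for _, name in rows if name.lower() in ANON_LABELS)
    per_day = Counter(ts.date() for ts, _ in rows)
    peak_day, peak_count = per_day.most_common(1)[0]
    # Longest run of back-to-back minutes that each hold at least one signature.
    minutes = sorted({ts.replace(second=0, microsecond=0) for ts, _ in rows})
    longest = run = 1
    for prev, cur in zip(minutes, minutes[1:]):
        run = run + 1 if cur - prev == timedelta(minutes=1) else 1
        longest = max(longest, run)
    return {
        "total": total,
        "anonymous_share": anon / total,
        "peak_day": peak_day.isoformat(),
        "peak_day_share": peak_count / total,
        "longest_minute_run": longest,
        "active_days": len(per_day),
    }

def looks_scripted(profile, anon_min=0.9, day_min=0.9, run_min=30):
    """Illustrative thresholds (assumptions), not calibrated values."""
    return (profile["anonymous_share"] >= anon_min
            and profile["peak_day_share"] >= day_min
            and profile["longest_minute_run"] >= run_min)

def constructed_samples():
    """Constructed data: a one-day, one-per-minute burst vs. a slow organic trickle."""
    start = datetime(2023, 4, 12, 9, 0)
    burst = [((start + timedelta(minutes=i)).isoformat(),
              "John Smith" if i % 40 == 39 else "Anonymous") for i in range(120)]
    organic = [((start + timedelta(hours=7 * i)).isoformat(),
                "" if i % 3 == 0 else f"Signer {i}") for i in range(30)]
    return burst, organic

if __name__ == "__main__":
    for label, sample in zip(("burst", "organic"), constructed_samples()):
        profile = petition_profile(sample)
        print(label, looks_scripted(profile), profile)
```

A petition that trips all three checks is a lead for manual review, not proof of automation; a genuine campaign that goes viral for a day can also produce a sharp one-day peak.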
The Telegram channel has also called out for anyone skilled in OSINT (in broken Hebrew, of course) to reach out - not recommended of course:
This also raises the question - is the data used for doxxing in the channel taken from hacking or breached data, or exclusively via OSINT - such as facial recognition tools used on publicly available videos? Currently I’m leaning more towards the latter, but it could be a combination of both.
The Twitter accounts promoting the channel also use the same phrase, again in poor Hebrew:
The accounts also all have a similar username convention: three English letters, underscore, then 2-3 more letters. The names themselves are also common names in Hebrew, but misspelled - in this case, adding an extra “י” for example:
The accounts also use repurposed or stolen images:
I’ll save you the images, but many also post anime-related spam content.
I’ve taken a look at the image and video metadata as well, but they seem to be wiped - if anyone has access to them please let me know!
While we can’t necessarily say conclusively who did this, we can pretty safely attribute it to Iran. I haven’t had the time to look into this and map out all of the online entities (who knows, maybe there are others on other platforms).
The Counteroffensive Will Be Televised
We've seen some great cases of old-meeting-new from suspected Ukrainian military psyops, even more so in the period leading up to the much-vaunted coming Ukrainian counteroffensive.
The best example of these may be the very recent, and unprecedented, hacking of Russian radio and TV stations to broadcast deepfake videos and audio clips of Putin.
Source: https://twitter.com/HannaLiubakova/status/1665690283776802818
These psyops are, as far as I'm aware - and please correct me if I'm wrong - the first cases of deepfake technology being used effectively in a legitimate military context as part of cyber-enabled information operations. Note that I'm excluding the use of low energy efforts to impersonate Zelensky or generate fake newscasters.
The goal of these information operations isn't to actually convince Russians that Putin is declaring martial law, or surrendering, or whatever the claim may be. The real goal is perception hacking - to show Russians that their regime is incompetent, weak and vulnerable.
To that effect, Ukrainian operations - be they raids on Russian border cities, amplifying propaganda videos online, or even suspected drone bombing raids on Moscow - are much more effective than their immediate impact would suggest.
The other lesson to draw here is that cyber - like IO - is primarily a shaping tool, and that we should probably dispense with all of the forced comparisons to kinetic warfare.
The last lesson is that the future of cyber threat intelligence is not limited to traditional cyberattacks targeting computer networks. Other forms of network penetration and exploitation, as well as even non-penetration based attack vectors, are the future. CTI analysts looking forward must be able to adopt a holistic view of the changing world and the dynamic threat landscape.
Das Bootlicker
The Grayzone has taken it upon themselves to make me laugh with their antics, in this case - finding an alleged US Navy diver boot at the site of the Nordstream explosions.
Unfortunately, boot-based forensic technologies and techniques are not my forte, so I’ll have to leave this highly-implausible claim to the experts to debunk.
The Pen is Weaker than the Cross-Parliamentary Inquiry
Continuing the trend of Russia-adjacent antics, Le Pen’s National Rally party was served with a self-own of national proportions.
National Rally requested that the French parliament form an inquiry committee in an attempt to clear its own name of alleged ties to Russia, only for that cross-parliament committee to in fact confirm the suspicions that Le Pen served as a “mouthpiece” for Russia.
That’s it really here, just some pretty unimpressive efforts from National Rally.
学无止境
Recorded Future published a solid overview of the Chinese military’s “embrace” of open-source data and intelligence, including most importantly information on Chinese military and intelligence contractors.
I and others have written in the past at-length about the difficulties of investigating Chinese entities nowadays. Recorded Future’s analysts in this case are aware of the difficulties and smartly chose to utilize Chinese tender databases, which in most cases are still publicly accessible, to find data on specific providers.
The report itself is worth reading in its entirety, but I’ll cover a few of the influence/IO related elements below:
The first is Knowfar, a great Anglicization of “Beijing Nuofang Zhiyuan”. According to RF, Knowfar is a “private Chinese defense contractor” providing OSINT data.
Interestingly, a PLASSF psychological warfare base has been observed by RF as having described Knowfar as an excellent provider. We can thus infer the obvious: Chinese psyops teams are, of course, exploiting publicly-available data for their workflows.
The specific unit mentioned is Unit 61716, which is believed to in fact be a PLASSF psyops team responsible for Taiwanese operations. Unsurprisingly, the base wanted to install Knowfar’s defense translation on-premises to access translated material from foreign major militaries in all domains.
None of this should really surprise anyone, but always good to have it confirmed and better understand where certain units get at least part of their information.
But wait, there’s more!
The report also discussed the use of satellite imagery and maritime transponder data in the service of influence and information operations.
An interesting reference to the use of maritime sensor/GIS data as part of propaganda, etc.
Balkan Gossip Girl
Lastly, the DFRLab’s Givi Gigitashvili, a friend of MWW as well, published a great look at a Telegram-centric suspected Russian information operation available here. The operation deserves praise for having some great names for its channels - Balkan Gossip Girl being my personal favorite.
That’s it for this week! Feel free to reach out via ari@glowstickintel.com with any questions, comments or memes.