Welcome to Memetic Warfare Weekly.
My name is Ari Ben Am, and I’m the founder of Telemetry Data Labs - a Telegram search engine and analytics platform available at Telemetryapp.io. I also do training, consulting and research so if you have any specific needs - feel free to reach out on LinkedIn.
Memetic Warfare Weekly is where I share my opinions on the OSINT/IO/CTI space, as well as share the occasional contrarian opinion or practical investigation tip.
This week we’re going to focus on something we don’t usually discuss in much depth: an academic article behind a paywall. I recently received access via a friend, and figured that it would be worth covering despite the paywall to share the insights and memes derived from it.
The article was written by the veritable אדמו”ר (google it) of the cyber-IO space, one Dr. Thomas Rid, and a PhD candidate at JHU, Simin Kargar. Kargar has a talk at Cyberwarcon’s 2022 conference on this topic for further context, available here.
For the uninitiated, Rid is the author of “Active Measures”, one of the best books written on the history of IO, and is one of the few leading academics active in the field. Unfortunately, the academic study of covert action, IO/cyber and so on is still comparatively underdeveloped, so it’s always good to see some new stuff published.
The article focuses on the now ancient and forgotten pre-Corona time of the mid 2010s, 2015 to be exact.
The article raises many questions in the tradition of academia, and I encourage my readers to ask around for access; it’s worth reading in its entirety, and we absolutely will not cover most of the points it brings up.
First - some background. As per the article, in 2015, a domain came online which published classified cables from the Saudi MoFA. Some time later, the proprietors of the site handed over the files to WikiLeaks, which published them as well, thus leading to major media coverage. The suspected hack-and-leak, like many others, has yet to be conclusively attributed.
An overview of the incident is provided by the authors:
The authors bring up the fact that the IO/CTI field was still nascent back then (and arguably still is). This event took place, as per the authors, only two years after Mandiant’s groundbreaking APT1 report and was roughly adjacent to the Russian hack of the DNC.
Moving on from the background, the authors propose an attribution method: by “breaking down” the operation into components, “limited” attribution of each component becomes feasible. I’ll spoil the seemingly obvious conclusion for attribution - Iran is attributed by the authors to be responsible for at least part of the operation.
We’ll discuss a few of the key points below:
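To make the component-wise, “limited” attribution idea concrete, here is an added illustration that is not from the article or this newsletter: each component of a hack-and-leak (intrusion, hacktivist front, amplification) carries its own evidence items, each tagged with the hypothesis it supports and an analyst-assigned weight, and a component is attributed only when the leading hypothesis clears the runner-up by a margin. The evidence descriptions, hypothesis labels, weights and the 0.3 margin are all constructed assumptions for the demo, loosely mirroring the points raised in this post rather than the authors’ actual findings.

```python
from dataclasses import dataclass, field


@dataclass
class Evidence:
    description: str
    supports: str   # hypothesis label this item points to (assumed labels, e.g. "Iran")
    weight: float   # analyst-assigned strength in [0, 1]; an assumption, not a measurement


@dataclass
class Component:
    name: str
    evidence: list = field(default_factory=list)


def score_component(component, margin=0.3):
    """Sum evidence weight per hypothesis for one component.

    Attribute the component only if the top hypothesis beats the runner-up
    by at least `margin`; otherwise leave it unattributed (None). This is the
    'limited attribution' idea: some pieces get attributed, others stay open.
    """
    totals = {}
    for ev in component.evidence:
        totals[ev.supports] = totals.get(ev.supports, 0.0) + ev.weight
    if not totals:
        return {"component": component.name, "attribution": None, "scores": totals}
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    leader, lead_score = ranked[0]
    runner_up = ranked[1][1] if len(ranked) > 1 else 0.0
    attribution = leader if lead_score - runner_up >= margin else None
    return {"component": component.name, "attribution": attribution, "scores": totals}


def attribute_operation(components, margin=0.3):
    """Score every component independently and return the per-component verdicts."""
    return [score_component(c, margin) for c in components]


def build_sample_operation():
    """Constructed sample: three components with illustrative (assumed) evidence."""
    intrusion = Component("network intrusion", [
        Evidence("tooling overlap reported by a CTI vendor", "Iran", 0.3),
        Evidence("infrastructure overlap pointing at a different actor", "Russia", 0.3),
    ])
    front = Component("hacktivist front", [
        Evidence("immediate in-depth state media coverage of the new group", "Iran", 0.4),
        Evidence("leak site previously used by hacktivists linked to the same state", "Iran", 0.3),
    ])
    amplification = Component("amplification", [
        Evidence("'broadcaster zero' is a state media outlet", "Iran", 0.5),
        Evidence("regional naming convention in published text", "Iran", 0.2),
    ])
    return [intrusion, front, amplification]


if __name__ == "__main__":
    for verdict in attribute_operation(build_sample_operation()):
        print(f"{verdict['component']}: {verdict['attribution'] or 'unattributed'} {verdict['scores']}")
```

With the constructed weights, the intrusion stays unattributed (the two hypotheses tie), while the front and amplification components are attributed; that split is exactly the kind of partial answer the authors’ method is designed to produce.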
Amplification
As part of the broader discussion of hack and leaks, historical examples are brought up. State media amplification of the hack and leak, especially “broadcaster zero”, or the first outlet to actually publish a story on the hack and leak, can be a key indicator for potential attribution:
This is relevant to this day, as we see threat actors utilizing state media, influencers, diplomats and covert operations synergistically. A strong grasp of state media is critical for any IO and even CTI analyst.
Hacktivist Fronts
Hacktivists were, are and will be a convenient front for greyzone warfare.
The above text could easily be published today and people wouldn’t think about it twice.
Leaving that aside, Fars News had deep, in-depth coverage of the new Yemen Cyber Army group almost immediately. There are similar dynamics with hacktivist groups across the spectrum; a RAND report on Chinese IO showed that the Chinese “Diba” hacktivist/brigading group received positive coverage in Chinese media and “tacit” approval from the state.
Back to Yemen Cyber Army, their amplification efforts themselves are similar to what’s done nowadays, just without Telegram. Twitter accounts announce the activity, data is uploaded to Pastebin and so on. Could fit right in today.
Notably, the site used has past ties to Iranian hacktivist groups, which is interesting in and of itself. Many Iranian APT operators (remember, they’re a comparatively young TA still) cut their teeth in grassroots hacktivist organizations. If you’re interested in this, check out CrowdStrike’s “Adversary Universe” podcast, in which they discuss this dynamic in depth in a November 2023 episode.
Linguistic Analysis/OpSec
Linguistic analysis of content is always relevant. There’s a psychological element here - operators often have a hard time freeing themselves from their own speech patterns. See the below use of the term “Persian Gulf”.
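The “Persian Gulf” observation generalizes to any pair of competing phrasings where the writer’s habitual choice leaks through. The following is an added example, not code from the article or this newsletter: it scans documents for marker groups (the Persian Gulf / Arabian Gulf naming pair that the post points at, plus an assumed British/American spelling group as a second illustration), counts each variant with word-boundary matching, and reports the dominant variant per document so an analyst can check whether a tell is consistent across a leak site, its announcements and its claimed sources. The sample documents are constructed and the marker groups beyond the Gulf pair are assumptions you would replace with your own.

```python
import re
from collections import Counter

# Competing phrasings whose chosen variant can betray the writer's background.
# The Gulf naming pair is the tell discussed in the post; the spelling group is an
# assumed, illustrative addition. Several phrases may map to one variant label.
MARKER_GROUPS = {
    "gulf_name": {"Persian Gulf": "persian", "Arabian Gulf": "arabian"},
    "spelling": {
        "colour": "british", "organisation": "british",
        "color": "american", "organization": "american",
    },
}


def count_markers(text, groups=MARKER_GROUPS):
    """Count occurrences of each (group, variant) in `text`, case-insensitively."""
    counts = Counter()
    lowered = text.lower()
    for group, variants in groups.items():
        for phrase, label in variants.items():
            pattern = r"\b" + re.escape(phrase.lower()) + r"\b"   # whole-word/phrase match
            hits = len(re.findall(pattern, lowered))
            if hits:
                counts[(group, label)] += hits
    return counts


def dominant_variants(text, groups=MARKER_GROUPS):
    """For each marker group, return the most-used variant, or None if absent or tied."""
    counts = count_markers(text, groups)
    result = {}
    for group, variants in groups.items():
        scored = {label: counts.get((group, label), 0) for label in set(variants.values())}
        best = max(scored.values())
        if best == 0:
            result[group] = None
            continue
        winners = [label for label, n in scored.items() if n == best]
        result[group] = winners[0] if len(winners) == 1 else None
    return result


def compare_documents(docs, groups=MARKER_GROUPS):
    """Profile every document so a consistent tell (or a contradiction) stands out."""
    return {name: dominant_variants(text, groups) for name, text in docs.items()}


# Constructed sample texts for the demo; not real leak or announcement content.
SAMPLE_DOCS = {
    "front_announcement": (
        "We obtained these files from servers across the Persian Gulf. "
        "Every organisation in the Persian Gulf should expect more."
    ),
    "claimed_source_memo": (
        "The documents describe shipping routes in the Arabian Gulf and the "
        "color coding used by the ministry."
    ),
    "neutral_note": "No regional terms or marked spellings appear in this text.",
}


if __name__ == "__main__":
    for name, profile in compare_documents(SAMPLE_DOCS).items():
        print(name, profile)
```

Run on the constructed samples, the announcement profiles as “persian”/“british” while the memo that claims a Gulf-state origin profiles as “arabian”/“american”; a real investigation would look for exactly this kind of mismatch between what a front claims to be and how it actually writes.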
Chain Impacts
A later Iranian operation emerged targeting a UN rapporteur on Iranian human rights violations, which referred to files exposed in the WikiSaudiLeaks. This operation eventually led to takedowns of infrastructure by Twitter and Facebook and even an eventual DOJ takedown of the “Liberty Front Press” network.
The authors then raise the requisite questions that this two-stage operation brings up:
There’s some technical analysis done in the article, mainly referring to analysis done by private CTI firms:
While this is nice and arguably required, I’d love to see the authors really take the technical analysis to the next level. Vendor reports are great springboards for further investigation and analysis, and who knows what a new pair of eyes could find by looking into the identified infrastructure. Even basic visualization would be great here.
This becomes increasingly apparent when a possible Russian connection to at least part of the operation is brought up. Basic visualization of the below connections, let alone investigating further, would contribute greatly to the reader’s understanding of the operation.
The article does so when discussing competing hypotheses for the network intrusion itself:
I’ll also give the authors credit for emphasizing the history, motivation and messaging of the operation for attribution - these are still underutilized in much attribution when technical evidence isn’t conclusive.
As the authors state, this appears to be the first case of a state-sponsored actor using WikiLeaks as an “amplifying platform”, and it raises questions about the efficacy of not publishing attribution on this op.
The conclusion is absolutely based, with some lines that are an ode to the IO analyst:
Definitely going to get some shirts with the first sentence made up while of course giving credit to the authors:
In all seriousness, that above finding is absolutely correct and describes why I enjoy IO investigation so much and view it as the zenith of open-source investigation.
It’s great to see some deep, academic research on IO that asks real, biting questions beyond the typical Twitter-centric mis/disinformation studies with Gephi graphs and social science approaches. Looking forward to whatever books either author publishes in the future.
The above is especially relevant as Iran continues to be a leading hacktivist-front threat actor, with seemingly no signs of slowing down as shown by the ongoing Israel-Hamas war. Just a few days ago, OFAC designated 6 Iranian IRGC officers and agents for malign cyber activity:
Alexander Leslie pointed out that these are the individuals behind “CyberAv3ngers” based upon their attack of Unitronics:
No question that we’ll only see more of this in the near to medium term from Iran, as shown by the latest Microsoft report - more on this in a week or two - and it’s also truly excellent to see quality academic research on these topics that doesn’t avoid technical and operational thinking and discussion.
That’s it for this week!
Another great read. I definitely need to read the full article. Academic IO articles are rare so I would love to read it in its entirety. RE: the shirt. Love the text, but the shirt itself? Meh. Maybe a hoodie would be better?