Welcome to Memetic Warfare Weekly!
My name is Ari Ben Am, and I’m the founder of Glowstick Intelligence Enablement. Memetic Warfare Weekly is where I share my opinions on the influence/CTI industry, as well as share the occasional contrarian opinion or practical investigation tip.
I also provide consulting, training, integration and research services, so if relevant - feel free to reach out via LinkedIn or ari@glowstickintel.com.
This week will be especially short as I’m abroad, but we should return to our regularly scheduled programming as of next week.
Ask not for whom the Farm Trolls, it Trolls for Thee (FSB)
I’m not one to usually share news from mainstream outlets here (why read it here when you probably have already read it?), but for historic events I’ll make an exception.
Prigozhin’s Day Off unfortunately didn’t lead to any sort of serious turmoil in Russia, but it has led to his ouster and the seizure of assets, most notably his troll farm, the IRA. As importantly, Wagner’s other media outlets were also seized, including well-known outlets such as RIA FAN.
This is kind of a big deal in the Russian IO space.
Wagner/IRA were arguably more effective on the whole than the Russian state in hybrid and grayzone warfare. Their seizure and integration into the Russian state, in the case of the IRA to the FSB, will impact their quality negatively, as any sort of meritocracy goes right out the window in such organizations.
Vive le France.ltd
Reporting on the suspected continuation of Operation Doppelganger, a sweeping Russian IO targeting France and the rest of the EU is a few weeks old now but haven’t seen much analysis of it online, so I figured - why not.
I’m not going to rehash the whole report, but there are a few things to note:
The operation impersonated well-known news sites throughout France and Europe, in some cases creating fake mirror sits with different top level domains to fool visitors. This tactic, called typosquatting, is a common tactic used in both phishing and increasingly IO.
The operation utilized a large number of purchased domains, and utilizes throwaway Facebook pages and Twitter accounts to take out ads on both platforms.
These vectors also utilize cartoons to get their content across - see below.
As we’ve discussed here multiple times in the past, Russian IO targeting Israel in previous weeks appears to be part of this operation based upon their shared characteristics:
Similarly styled cartoons.
Use of throwaway Facebook and Twitter accounts.
Use of paid ads.
The operation then, it seems, is still ongoing. Enforcement is difficult, what can I say, but I can already say that it’ll be a topic ripe for a blog post soon.
Doublethink Labs
I’m a little late to this one, but DoubleThink labs published a solid overview of Chinese influence on the 2022 Taiwan elections. The report covers main narratives - which I’m usually not a huge fan of as an MO, but I’ll make an exception, because they did it well.
The report serves as a great primer on Sino-Taiwanese interference affairs and media outlets, as well as notably marking some disinformation entities online - a great place to start yourself if interested in checking them out. If you’re going to carry out narrative analysis, this is the way to do it.
The point that I found to be most interesting was the investigation of “hot” searches on Weibo and Chinese platforms. Many of these are, unsurprisingly, presumably promoted by the state, and can serve as another datapoint when checking what narratives are of interest to the Chinese government - see below.
Who Will Investigate the Investigators?
Look out Bellingcat, EU Vs Disinfo and others, GT Investigates is taking over the counter-disinformation investigation market!
Levity aside, this GT article focuses on an old EU Vs Disinfo investigation published several years ago, and attempts to build upon it - in one case by having GT journalists reach out to some of the exposed outlets.
The utilization of investigation reports themselves as part of influence efforts isn’t surprising, and has been utilized by numerous threat actors. In China’s case in particular this is a case of IO copying CTI, with numerous sloppy “CTI” reports being published and promoted by Chinese outlets and then amplified by IO networks.
As the investigative space grows, we can only expect to see other similar efforts.
Anyway, that’s it this week. Thanks for reading, and hope to see you again next week!
I wonder how effective DNStwist could be if you feed it the actual legit news website, analyze the results and use that for proactive identification of typosquatted news domains. You can then investigate the results. Its probably wildly inefficient but an idea nonetheless.