Welcome to Memetic Warfare Weekly!
My name is Ari Ben Am, and I’m the founder of Glowstick Intelligence Enablement. Memetic Warfare Weekly is where I share my opinions on the influence/CTI industry, as well as share the occasional contrarian opinion or practical investigation tip.
Thanks for reading Memetic Warfare (bi)Weekly! Subscribe for free to receive new posts and support my work.
I also provide consulting, training, integration and research services, so if relevant - feel free to reach out via LinkedIn or ari@glowstickintel.com.
This week we’ll go over:
A new hacking forum CSE that I whipped up the other day
Further Russian-Israel antics on Facebook
The “Shut Down Shein” Campaign
Intrusion Truth and investigating firms via customs data
My CSE Brings all the Analysts To the Yard
Hacking forums have been in the news recently, most notably because the Raidforums user database leaked. For those not in the know, Raidforums was perhaps the most impactful clearweb hacking forum until the FBI and DOJ took it down about a year ago.
Raidforums was a crucial source for CTI analysts, breach monitoring and investigations of all kinds, and it appears to be the gift that keeps on giving: the data of its almost 500,000 users has now been leaked and posted on one of its successor forums, Exposed.
This data was already available to American and presumably many other law enforcement agencies; it can now also be exploited by security researchers, CTI analysts and others to better investigate threat actors.
On that note, I'll take a moment to promote my latest Google CSE, available here, dedicated to searching approximately 100 hacking forums in a variety of languages and regions, ranging from English to Russian to Persian to Chinese and beyond.
Keep in mind that many of these forums are invite-only or login-gated, and Google only indexes what its crawler can reach without an account, so the results will cover public boards, thread titles and cached snapshots at best - but still, better than nothing. Have any forums or sites that you want to add to the CSE? Just message me here and I'll get on it.
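For anyone maintaining a forum list like this, the tedious part is keeping the seed list clean and getting it into a search engine in bulk. The script below is an added example written for this post, not the author's CSE or any Google tool: it refangs and deduplicates a constructed list of forum URLs (the domains are invented placeholders), splits them into `site:` OR-queries that stay under Google's word budget for when you have no CSE at all, and emits them as Programmable Search Engine annotations XML for bulk upload. The 32-word query budget, the `_cse_<id>` include-label convention and the `host/*` pattern reflect the control panel's upload format as I understand it and are assumptions to verify against the current Google documentation.

```python
"""Seed-list hygiene for a forum-search CSE (added example, not the author's tooling)."""
import re
from urllib.parse import urlsplit
from xml.sax.saxutils import quoteattr

# Constructed sample seed list: placeholder domains, not real forums.
SEED_FORUMS = [
    "https://forum.example-one.net/",
    "example-two(.)com",
    "hxxps://forum[.]example-three[.]org/index.php",
    "FORUM.EXAMPLE-ONE.NET",   # duplicate of the first entry, differs only by case
    "example-four.ru/",
    "not a domain",            # junk that should be dropped
]

# Assumption: Google web search ignores query terms past roughly 32 words.
MAX_QUERY_WORDS = 32

HOST_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")


def refang(text):
    """Undo common defanging: '(.)', '[.]', '{.}' and hxxp(s)://."""
    text = text.strip()
    text = re.sub(r"[\(\[\{]\.[\)\]\}]", ".", text)
    text = re.sub(r"^hxxp", "http", text, flags=re.IGNORECASE)
    return text


def normalize_host(entry):
    """Return a lowercase hostname from a URL-ish string, or None if unusable."""
    text = refang(entry)
    if "://" not in text:
        text = "//" + text  # let urlsplit treat the leading token as netloc
    try:
        host = urlsplit(text).hostname  # .hostname already lowercases
    except ValueError:
        return None
    if not host or not HOST_RE.fullmatch(host):
        return None
    return host


def build_host_list(entries):
    """Normalize and deduplicate while preserving first-seen order."""
    seen, hosts = set(), []
    for entry in entries:
        host = normalize_host(entry)
        if host and host not in seen:
            seen.add(host)
            hosts.append(host)
    return hosts


def site_queries(hosts, terms, max_words=MAX_QUERY_WORDS):
    """Chunk site: operators into OR-queries that fit the word budget.

    Assumption: each 'site:host' and each 'OR' counts as one word, plus the
    whitespace-separated search terms. n sites cost n + (n - 1) words.
    """
    budget = max_words - len(terms.split())
    per_chunk = max(1, (budget + 1) // 2)
    queries = []
    for i in range(0, len(hosts), per_chunk):
        chunk = hosts[i:i + per_chunk]
        queries.append(" OR ".join(f"site:{h}" for h in chunk) + " " + terms)
    return queries


def annotations_xml(hosts, cse_id):
    """Emit annotations XML in the CSE control panel's bulk-upload format.

    Assumption: a Label named '_cse_<id>' marks the pattern as included.
    """
    lines = ["<Annotations>"]
    for host in hosts:
        lines.append(f"  <Annotation about={quoteattr(host + '/*')}>")
        lines.append(f"    <Label name={quoteattr('_cse_' + cse_id)}/>")
        lines.append("  </Annotation>")
    lines.append("</Annotations>")
    return "\n".join(lines)


if __name__ == "__main__":
    hosts = build_host_list(SEED_FORUMS)
    for query in site_queries(hosts, '"combolist" OR "stealer logs"'):
        print(query)
    print(annotations_xml(hosts, "EXAMPLEID"))  # EXAMPLEID is a placeholder CSE id
```

Feed the generated queries into a plain Google search one at a time, or paste the XML into the CSE's annotation upload; either way, remember that a forum only shows up if Google could crawl it anonymously in the first place.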
Shut Down Shein
Shein is one of the most popular and simultaneously controversial fast-fashion clothing brands in the West nowadays. Shein also has been embroiled in a number of scandals following accusations of employee abuse and exploitation, as well as claims that its clothing is both bad for the wearer and the environment.
Leaving all of the above aside, Shein is now the target of a somewhat uncommon case of an overt, commercially-driven influence campaign promoted by Actum, an American political consulting firm, presumably because of the threat Shein poses to the commercial interests of Actum's (undisclosed) clients. Chapin Fay, a managing director at Actum, is the executive director of Shut Down Shein and has been quoted on a number of occasions.
The campaign, alliteratively titled “Shut Down Shein”, has quite the anonymous, Cloudflare-hosted website:
The framing here is pretty clear:
Apparently, these high production values don’t include proofreading - that apostrophe in “Rival’s” kills me.
Some of the site’s more speculative claims have been debunked by others:
I talk a lot about Chinese activity internationally on this blog, but let’s be real: the cyber/IO activity that I discuss is (with a few exceptions, such as the more overt cases of transnational repression) the kind of thing that every state does to varying degrees, and that’s ok.
Far be it from me to ever state that America or other states haven’t engaged in potentially “anti-competitive” trade practices, even if done for the right reasons in one’s own opinion.
This campaign appears to be an attempt by corporate interests in the US to use overblown, national security-adjacent talking points to lobby the US government to pass legislation to the detriment of Shein and to the benefit of the campaign’s proprietors.
Showing the assumed DC Beltway insider bona fides of Actum, the campaign has taken to advertising in the Washington Post and Politico:
Investigating this campaign deeply is a little more difficult, unfortunately. The domain's registration is privacy-protected and the site sits behind Cloudflare, so hosting and ownership details are masked, and their only other social media asset is a Twitter account which underperforms in terms of followers/following:
The followers provide some clear insight into the presumed goals of the Twitter account: influencing Congressmen/women.
Interestingly, Fay has decided to register Shut Down Shein as a company in Arlington, Virginia as per OpenCorporates:
The organization’s registered address is in this nondescript office building, surely humming with the buzz of a well-oiled grassroots movement solely interested in preserving the sanctity of American national security, and even more importantly - America’s national fashion sense:
The current officers are Cogency Global Inc, a registered-agent firm, and of course Chapin D. Fay. Most notably, as per the registration, the legal entity was previously titled “Campaign for Civil Debate”. It’s not entirely clear what that entity was for, but we can assume that it served as the legal vehicle for past campaigns orchestrated by Fay.
The organization also clearly has some money, as shortly after being founded it was able to spring for paid coverage in PR newswire services:
Further Russia-Israel Antics:
Arieh Kovler seems to be the man blessed with the golden Facebook ad algorithm, as it feeds him presumably Russian information operations on a somewhat frequent basis.
There are two domains promoted by this anonymous Facebook page with suspicious ads:
Cartflower(.)net
Theliberal(.)net
Theliberal(.)net returns an HTTP 403 to anyone requesting the root of the domain, and serves only a single specific article, archived here - a common trick for keeping casual visitors and crawlers away from an otherwise empty site.
As noted by Kovler, the site impersonates the Israeli site “theliberal.co.il”, even linking to it, and impersonates one of that site’s authors in the byline of this anti-Ukraine article. The article’s content itself is written in overall reasonable Hebrew, but as per zerogpt.com it’s almost certainly AI-generated (with the caveat that AI-text detectors are unreliable, so treat this as a weak indicator rather than proof).
As an interesting but probably unrelated aside, the “theliberal(.)net” domain was used years ago in the context of geopolitics and Israel. With years and a change of domain ownership between the two incidents, it is probably unrelated, but it’s still a notable occurrence.
Customs Data Investigation:
Intrusion Truth has published even more on their investigation into alleged Chinese APT activity, diving even deeper into Wuhan Xiaoruizhi (武汉晓睿智).
The articles are available here, here and here.
I won’t dive in-depth into their findings as in my opinion it’s worthwhile for those interested to dive deep into the articles themselves.
In Intrusion Truth’s posts, they refer to some laser-related cooperation efforts between Wuhan Xiaoruizhi and Russian entities - this is what we’ll focus on by looking at trade and customs data. Intrusion Truth has stated that they plan on publishing an additional article dedicated to this topic, so I won’t steal their thunder by spending hours, days or weeks on a deep dive.
Tools that utilize trade and customs data are underutilized in OSINT research and investigation. A great example of this is the WSJ’s investigation into the flow of Chinese equipment to Russia, analyzed via trade data available here.
Let’s take a look at the import/export data for Wuhan Xiaoruizhi by looking it up in ImportGenius.
We can see that in recent years they’ve had a total of 14 shipments exported, exclusively to Russian companies.
These exports include laser and optical equipment, as well as “digital wired communication” systems.
Two firms account for most of the imports from Wuhan Xiaoruizhi. One of them, “Ооо Нпц Элс-94” (OOO NPTs ELS-94), appears to focus on importing optical equipment from Chinese firms, including from a second registered entity belonging to Xiaoruizhi.
I haven’t had the time to dive into the increasingly large number of Chinese and Russian entities here to parse out what’s happening, but this is a great starting point for any investigation. I’d recommend checking customs and trade data for any firm one is investigating, and perhaps in the future I’ll revisit this once I have more time.