MWW: Paradise by the Telegram Dashboard Light
Welcome to Memetic Warfare Weekly!
My name is Ari Ben Am, and I’m the founder of Glowstick Intelligence Enablement. Memetic Warfare Weekly is where I share my opinions on the influence/CTI industry, as well as share the occasional contrarian opinion or practical investigation tip.
I provide consulting, training, integration and research services, so if relevant - feel free to reach out via LinkedIn or ari@glowstickintel.com.
I’ve also recently begun accepting paid subscriptions, so if you want to support me while I write this blog and also receive access to:
Proprietary datasets that I curate
Specialized Tool repositories
Consulting time with me
And more!
Then subscribe and support MWW!
Let’s kick this week off.
Paradise by the Telegram Dashboard Light
The German Marshall Fund is a great example of an organization that does the automation and scripting work for us! I’m ever grateful for their work, including their most recent project shining a light on Russian military bloggers active on Telegram via an accessible dashboard.
This exemplifies what I believe is best for OSINT in terms of tooling. Graphical interfaces are critical to having the end-user understand and actually utilize the data s/he collects and analyzes, and the more ambitious the need - the more development resources are needed.
On that note - let’s see Chinese military bloggers on Weibo next!
Wayback Tweets
One of the most useful and unfortunately, most underutilized, OSINT tools is the Wayback Machine. Commonly used to “just” check archived domains, the Wayback Machine has tons of other utility - a topic I teach often.
One of the keys to using the Wayback Machine effectively is knowing what it can and can’t archive. It can, and has, archived many, many Twitter accounts. One can manually check accounts in the archive, or utilize fun tools such as Wayback Tweets to do so more effectively - check it out!
Little Pinks
One of the best outlets today for those interested in following Chinese state media and propaganda is the China Media Project. Following the NYT’s expansion on New Lines’ expose of Singham and his global pro-China network, the China Media Project has published an article exploring one specific organization: Code Pink.
Code Pink epitomizes the tankie, “anti-imperialist” left, and has many overt ties to far-left groups in the US and abroad. Code Pink’s founding member Medea Benjamin in fact ran for the US Senate as a candidate for the Green Party.
The China Media Project delves into Code Pink’s recent activity in the US, including uncritically promoting Chinese state media programs and documentaries in the US. The specific story centers around the airing of a “documentary” titled “Voices from the Frontline: China’s War on Poverty”.
The documentary, aired on a Californian PBS affiliate, was directed and produced by Peter Getzels and Robert Kuhn, and allegedly co-produced by CGTN, China’s flagship external state media outlet. PBS later regretted airing the film, cancelling future airings of it due to “failing to meet its editorial standards”, as per the archived article provided by the China Media Project.
Code Pink, unsurprisingly, dashed into the breach once more and jumped to the defense of the film:
Both Getzels and Kuhn have direct ties to CGTN; both have worked, as per China Media Group’s claims, on projects for CGTN.
What’s the lesson here? In my opinion, it’s that friendly, “useful idiot” organizations are still key - especially if they can be covertly funded, as claimed by the NYT and New Lines. Additionally, TV is still a key medium, as those investigating IO often tend to focus almost exclusively on social media. Lastly, organizations are a great vector for investigation - they serve as great starting points for online investigation, corporate and non-profit records can be treasure troves, and their general activity can often be investigated via a number of other vectors.
We’ve Been Ontario-ed!
The Canadian government’s “Rapid Response Mechanism” has identified a suspected Chinese influence operation active in May of 2023. The operation targeted Michael Chong, Member of Parliament for Wellington-Halton Hills, and was active on WeChat (Weixin).
I’ll quote the report directly below to describe its activity:
“Between May 4 and 13, 2023, a coordinated network of WeChat’s news accounts featured, shared and amplified a large volume of false or misleading narratives about Mr. Chong. Most of the activity was targeted at spreading false narratives about his identity, including commentary and claims about his background, political stances and family’s heritage. It is the assessment of GAC that nothing observed represents a threat to the safety of Mr. Chong or his family.
“The network displayed several indicators of foreign information manipulation and interference, including:
coordinated content and timing
highly suspicious and abnormal shifts in the volume and scope of engagement
the concealment of state involvement”
One third of the network included known state-media outlets and accounts that are likely linked to China’s state apparatus but whose linkages may be opaque. Two thirds of those accounts were anonymous and had not previously published any news stories on Canadian politics. Moreover, these accounts published or interacted with content at similar times and dates, increasing the likelihood WeChat users would see the false narratives by creating an increased volume of content on this topic.”
There are a few points here to make.
Firstly, investigating WeChat at scale is hard, especially via open-source methods and tools. While the Canadian government I’m sure has the capabilities to do so, it’s definitely not easy.
It’s also possible that the inconclusive attribution - despite being comparatively strong in wording - is an attempt to cover for the use of SIGINT or other closed sources that actually exposed, perhaps with conclusive attribution, this operation.
I won’t delve into Canadian politics, as frankly I don’t follow it closely, but it also appears that this report is an escalation of Canadian efforts against alleged Chinese interference. We may see more of this soon.
Defensive Kiwi
New Zealand isn’t far behind Canada, with a new government report indicating that - gasp - China, Russia and Iran are all strategic threats. The report also has some strong aesthetic choices: no capitalization for some bullets, a jaunty green colorscheme, fully leaning in to the Kiwi motif - I approve. Defensive Kiwi would be a great APT name also, just saying.
The report is pretty long and unfortunately doesn’t go into much specifics, even referring to numerous cases covered in the news with unindicative information and bland titles, but still - better than nothing.
One of These Things is Just Like the Other
The Twitter account “Stop Wagner”, which posts a lot of great content on online Wagner activity, exposed an interesting Wagner information operation in Africa.
We won’t dive deep into the details of the operation, but I wanted to point out one of their methods of attribution - shared design elements. Here they went beyond the typical level of attribution - for example, domains using the same design format template, and looked at font colors, banners and buttons to provide even more evidence that the given domains are in fact tied to each other.
We’ve discussed attribution on a number of occasions in this blog and will continue to do so, but the lesson here is simple. Technical, quality attribution to a reasonable degree is often more feasible than is often thought, but we absolutely can’t neglect qualitative elements in our attribution efforts.
That’ll be it for this week! Have any questions, comments, jokes, memes or hate mail? Send it to ari@glowstickintel.com