Welcome to Memetic Warfare Weekly!
My name is Ari Ben Am, and I’m the founder of Glowstick Intelligence Enablement. Memetic Warfare Weekly is where I share my opinions on the influence/CTI industry, as well as share the occasional contrarian opinion or practical investigation tip.
I also provide consulting, training, integration and research services, so if relevant - feel free to reach out via LinkedIn or ari@glowstickintel.com.
I’ll be running a Cyber Threat Intelligence training course in Singapore in early August. The course will focus on non and less-technical analysts and the integration of creative uses of OSINT into CTI. If interested, feel free to let me know at ari@glowstickintel.com and I’ll connect you to the right people.
Additionally, if any readers are based in Singapore and interested in meeting up, reach out and let’s try to make it happen!
Let’s get this week’s post going with a look at Mandiant reporting on hacktivism, the GRU and what connects them.
Return of the Mack(tivists)
Mandiant’s Dan Black posted a thread on Twitter highlighting a new Mandiant report on GRU hacking activity. Leaving aside the more technical elements and TTPs used by GRU-affiliated APTs, the report (and thread) emphasize a few points - chief among them the use of hacktivist organizations as fronts by the GRU.
The utilization of front groups for cyber-enabled IO, or cyber operations in general, is nothing new. However, the report covers the historical use of hacktivist groups and personas used by the GRU, providing some useful context.
This history also shows how the modus operandi has developed over the years, with perhaps the most recent example being Anonymous Sudan.
Other cases, such as hacktivist organizations believed to be affiliated with Russian agencies, including one written up by yours truly on Beregini, also exist and can be used for context.
The final point is the use of Telegram - be it by Beregini or other hacktivist fronts such as Xaknet, Killnet and others. I’ve harped on this topic in the past, but the point remains: Telegram is arguably the single most important platform today for cyber and IO investigations.
Crouching Twitter, Hidden Malware
Sandra Quincoses, among others at Nisos, published a great report on Chinese influence activities in Latin America.
The real draw of the report isn’t just the investigation of covert Twitter accounts but rather the findings regarding the Android applications and domains promoted by those accounts.
These Android applications also show some indicators that they may be infostealers, stealing account credentials from those who download them for later potential account takeover - an interesting example of some underrepresented elements of the IO-Cyber dynamic.
You’ll have to download it to read it in its entirety, but the utilization of malware analysis tools (presumably VirusTotal here) in the context of OSINT and IO is great and should be encouraged. Domains and online infrastructure can interact with known files and applications, further providing information for pivoting and investigation.
Similarly, this case exemplifies the need for a diverse skillset in investigating IO, ranging from those with marketing backgrounds to psychology to geopolitics to OSINT, CTI and even in some cases reverse engineering, as shown here.
Domain Expertise
Craig Silverman recently wrote a great post on the future of Google Analytics codes and domain analysis. I won’t go into the weeds of what Craig describes, if you’re interested you should do so yourself (and trust me, you should).
Charlotte’s Web Check
On that note, let’s talk about this week’s tool: Web Check, developed by Alicia Sykes.
Web Check does what it sounds like it does: it checks domains.
While above we only see a sample of the information gathered and visualized by Web Check when querying a given domain, there are some great elements about this tool that I’d like to point out:
Integration. The tool integrates a number of lookups into one, saving time while also visualizing disparate results effectively and in an organized fashion.
Clarity. The tool has little explainers (note the question mark logos over each query type) that explain what is being queried, as well as providing a basic use case and general information about the lookup.
I’m a big believer in the democratization of technical investigation, and this tool does a great job of it, so kudos to Alicia Sykes on taking the time to develop this and host it!
The WeChat Channels Will Not be Televised
Beijing Channel has posted a list of more than 300 Chinese government WeChat accounts, available at the link here:
For those with the time and means to set up an anonymous WeChat account - have at it! This resource is definitely a great place to start for those interested in following Chinese affairs.
Darth Vadar
Correctiv has published an investigation into a subset of the much-discussed Operation Doppelganger. This subset of activity promotes AfD politicians, known for their far-right and pro-Russia views, so no surprise there.
The investigation focuses on Facebook activity in line with previously discussed and exposed Doppelganger activity, such as the use of burner pages and advertisements. Additionally, a YouTube channel titled (translated) “Axis of Truth” is part of the wider network.
As everyone knows, the use of the word “Axis” has no other affiliated meanings or historical context to it, and only organizations that contribute positively to society use it in their name.
Leaving aside the presumably thinly disguised reference to the Axis powers of WWII, the network also interacts with a series of front organizations active in Germany.
Some of these names just roll off of the tongue in the way that only German can, such as “Vereinigung zur Abwehr der Diskriminierung und der Ausgrenzung Russlanddeutscher sowie russischsprachiger Mitbürger in Deutschland”, or “Vadar”, with the name meaning “Union for the defense against the discrimination and the exclusion of Russian-Germans as well as Russian-speaking fellow citizens in Germany” as per the article.
Squad Goals
The organization itself has ties to Russia as per reporting, and is under investigation by the German domestic security agency.
There’s more to the article, but to summarize - Operation Doppelganger is very much not dead. This underscores some of the issues that platforms have in combatting IO, as well as the limitation of remediation and classification efforts outside of blocking specific identifiers or indicators.
Even if we know the TTPs and so on of threat actors, hermetically preventing or blocking their on-platform presence is still difficult, to say the least, as much of this activity is still very hard to distinguish at scale from normal activity.
Frens, Ukrainians, Countrymemes
Not often is it that we are blessed with memetic warfare of such a high level.
After identifying the jogging route of a senior Russian military officer by finding his Strava account (easily done by searching his name/identifiers, such as querying his email address in Epieos.com), the assassin shot and killed the officer.
Several days after, an individual named Sergei Desnisenko was arrested and detained with a silenced pistol by Russian forces.
But wait, there’s more! This isn’t only a fantastic example of how to use OSINT for targeting or any sort of focused investigation (and military action).
Later, a burner account named Kyrylo Budanov, sporting a picture of Patron, the Ukrainian bomb-sniffing dog, as its profile picture, liked the route taken by the Russian military officer. For those not closely following Russia/Ukraine, Budanov is the head of Ukraine’s military intelligence directorate.
While obviously not the sort of thing that Budanov would himself do, this trolling really takes it to 11 - be it done by the Ukrainian military or a NAFO member or some other person online. This is some intense, wartime trolling only really suitable in such morally extreme black and white scenarios, but considering the circumstances - I’m in favor.
I too am a big fan of trolling and that was 11/10 trolling.
RE: some underrepresented elements of the IO-Cyber dynamic.
Super interested in the evolution of this. We know a lot of IO activity is state-sponsored and often state-sponsored actors moonlight as cybercriminals. I wonder if more “cyber” aspects like malware, espionage, and credential theft are the evolution of IO or just a technique that’s used on occasion.