MWW: The Great Botnet off Kanagawa
Welcome to Memetic Warfare Weekly!
My name is Ari Ben Am, and I’m the founder of Glowstick Intelligence Enablement. Memetic Warfare Weekly is where I share my opinions on the influence/CTI industry, as well as share the occasional contrarian opinion or practical investigation tip.
I also provide consulting, training, integration and research services, so if relevant - feel free to reach out via LinkedIn or ari@glowstickintel.com.
I’ve been busy this week, so the blog will be a little shorter than usual.
Anyway, let’s discuss this week’s events:
The Great Botnet off Kanagawa
ASPI’s Albert Zhang is back at it again, this time reporting on a suspected-Chinese Twitter operation targeting Japan.
My feelings on Twitter botnet analysis should be well-known to readers of the blog by now. Having said that, it’s still important for someone to cover these networks when they pop up - especially when they target countries that we see less frequently, or use new content or narratives.
This network promotes some narratives that those who follow Chinese diplomats should be used to hearing at this point: nuclear power, Fukushima and the negligence of the Japanese government.
Guo Wengui and Yan Limeng also make an appearance - I always say that for those interested in finding Chinese IO online, just type “Guo Wengui” into the search bar of any platform, and there is a 90+ percent chance that you will find something of interest.
Going back to the network, the main account interestingly utilized another TTP we’ve seen from Chinese networks: impersonation. The central account, “EcoSupport Ltd” - as described below by ASPI - was a case of both impersonation and artificial follower and engagement boosting:
Notably, the account also maintained a Telegram cryptocurrency-focused channel, which ASPI presumes may have been used to build an audience prior to being potentially purchased and repurposed.
The report has more good details, and I recommend reading it, but the main takeaway is that IO often amplifies narratives and statements from overt comms.
Big Trouble in Little Israel
Israel has become an IO battleground recently, with suspected Iranian and Russian operations targeting the Israeli public in Hebrew. I’ve discussed these efforts in recent posts, but will link to some reporting on them here, here and here.
The amount of IO activity in Israel may seem surprising, but historically it isn’t; Israel often attracts this sort of grayzone warfare from its adversaries.
What is interesting is that this activity exploits current issues in Israel - the Iranian operations working both the pro- and anti-protest sides, and the Russian operations targeting the average Israeli’s view of his/her wallet - but it isn’t necessarily tied to any given geopolitical or unironically offline event. Israel has been slowly ramping up aid to Ukraine for months, and Iran’s long-running enmity towards Israel is of course well-known.
My point is that many researchers and organizations try to tie IO to specific events and activity in the Real World™, and that should be considered a cardinal sin of IO investigation.
Searching for specific activity in a specific context will, in the best case, lead you to find something you expected to find while missing other vectors that are usually far more meaningful. Don’t try to assume what threat actors will do! They will do whatever they want; our job is to find “whatever” it is they’re doing, not what we think or want them to be doing.
Additionally, IO is arguably one of the lowest-impact forms of hybrid warfare, especially when compared to intrusive cyberattacks or even cyberespionage. It’s hard to attribute and track, almost always takes place over a period of time, and isn’t a one-off. Trying to match most IO to specific events is a fool’s errand; it should always be viewed at the macro level. That’s not to say there isn’t tactical IO, but rather that tactical, targeted IO resulting from a specific geopolitical event is comparatively rare.
You’ve Got Mail
Creating and maintaining online infrastructure is a huge issue for investigators and analysts, let alone IO operators. Creating e-mail addresses en masse is no easy feat, and many analysts, yours truly included, have their own preferred methods for working around this limitation.
Cybercriminals and IO operators suffer from similar issues, but at an industrial scale. Krebs on Security has reported on a new email address rental service used by cybercriminals, and presumably ripe for exploitation in IO or for phishing.
Source: https://krebsonsecurity.com/2023/06/service-rents-email-addresses-for-account-signups/
The service uses email addresses belonging to real people, who rent them out for registration on a variety of platforms. The kicker is that the addresses aren’t purchased by the end user; they are simply used to receive the confirmation code, so the operator at no point has access to the mailbox itself.
Krebs’ article refers to a Mastodon-focused crypto scam utilizing this service, and others are presumably on the way.
Like I said - that’s it for this week; it’s a short one. We should be back to your regularly scheduled programming in the coming weeks.