Welcome to Memetic Warfare.
There’s a ton of activity this week so it’s good to be back. The biggest story of the week is the State Department’s work on exposing RT’s covert influence work and, apparently, its support for Russian military procurement and for general espionage and intelligence activity.
Some specific cases of covert RT-led activity include “direct support” for Ilan Shor as part of an attempt to interfere in the Moldovan elections. Margarita Simonyan, the Editor-in-Chief of RT, and others are claimed to have “directly coordinated” with the Russian government to influence the Moldovan elections as well.
The State Department thus designated RT and affiliated entities such as TV-Novosti.
There are some other designations, but it gets more interesting after that. From here, the statement describes RT’s cyber and other capabilities and activity, including a specific “Cyber” unit. Notably, this covers not just “cyber” in the sense the term is commonly used for IO, but apparently also actual intelligence operations (presumably cyber espionage).
Military procurement is also mentioned as part of crowdfunding efforts for the Russian military led by RT. While certainly interesting, I’ve noticed that some people have gotten a bit carried away with this part - using a large media outlet to crowdfund, even covertly, is a bit more mundane than traditional covert procurement.
The last section covers RT’s “covert influence”. This section makes some things official that anyone in the IO space kind of already knew - African Stream was well known by many as being overtly pro-Russia and highly suspicious. I was unaware of Red Stream, but Redfish was one of the earlier exposed Russian operations acting in a similar vein. I’d also love to see more about the activity mentioned in Argentina and France.
So, this is a big deal and a further escalation in American counter-IO efforts targeting Russia. This is encouraging and shows that:
Counter-IO efforts are being taken seriously and handled by multiple agencies for maximum effect
Countermeasures are being utilized systematically and increasingly employ covert methods of collection for the “smoking guns” needed alongside overt methods such as naming and shaming and sanctions designations
IO is, as always, one part of the threat actor repertoire and is often used in conjunction with other threat vectors
What remains to be seen is how effectively this activity is mitigated internationally outside of the borders of the US, where the FBI and DOJ can investigate and prosecute effectively. Naming and shaming and sanctioning is great, as is working with partners and platforms, but that may well not be sufficient as is. I’m looking forward to the firsthand evidence and documentation being released sometime soon.
Let’s move on to the next topic.
Viginum has published a new report on IO targeting the Olympics, see the tweet about it here. The English-language version isn’t out yet, so I’m using a machine-translated copy in English.
The introduction section is straightforward, so let’s skip to the content.
The report continues to lay down some evergreen statements: that these operations are (usually) not super effective in and of themselves, and that the sharing and amplification of the operations themselves often contributes to their success.
The trend continues, with the Matryoshka operation being mentioned as an operation that specifically exploits this as we know from past reporting.
From here we get to TTPs. The Olympics, unsurprisingly, exhibited known TTPs from threat actors that we’ve seen recently, such as the use of false flag maneuvers, physical influence operations and others. Two Russian operations are called out - one targeting Israeli athletes by apparently claiming to be part of the Turkish ultranationalist “Grey Wolves”, and the other being the now infamous case of claiming to be a Hamas member to target Israeli athletes. Microsoft attributed the Hamas case to Russian actors.
Interestingly, the Iranian “Zeusistalking” and RGUD false flag operation (arguably more on the RGUD side as Zeusistalking is an unattributed hacktivist front, but still) doesn’t appear here. Zeusistalking is later referred to indirectly.
From here, the report discusses the next big trend: physical IO. Physical influence operations targeting the Olympics included posting advertisements as well as graffiti tags, and then amplifying those online - either directly or by utilizing extant online ecosystems.
Graffiti was commonly used as an IO vector, and was amplified by seemingly Doppelganger accounts. Matryoshka also utilized similar imagery in the past.
Doxxing gets its own section, in which the Zeusistalking network gets indirectly referred to without its name having been brought up or any direct attribution to Iran. See the Memetic Warfare investigation into Zeusistalking here.
Other TTPs, such as creating content and impersonating official organizations, are also discussed, though these are straightforward so we won’t spend much time on them.
There are others - nontransparent use of influencers, inauthentic accounts and so on including a few references to Chinese activity, but nothing worth spending too much time on. Overall, a solid report put out in a reasonable timeframe following the Olympics, although I (as always) would like more investigative depth as we’ve seen from Viginum in the past.
We’ll conclude with a joint announcement from the FBI and CISA. The announcement warns the American public about the possibility of future perception hacking attempts targeting the US elections by threat actors claiming to have compromised US election infrastructure.
This is an interesting topic to specifically prebunk, and is probably happening due to signals of future activity. This announcement could be the result of closed-source data on Russia-aligned operators, who have carried out similar attacks in the past in Ukraine. It could also be due to the serious uptick in Iranian activity and indicators of future activity, as Iranian cyber operators probably wouldn’t be capable of successfully targeting election infrastructure and may settle for perception hacking.
Hopefully we’ll receive more specific information in the coming weeks and months leading up to the elections.
We’ll conclude with a shoutout for Google TAG’s latest transparency report. It’s a page long and straight to the point with little detail, so give it a read - it focuses mainly on Russian activity, and it’s available here. The most notable finding was the direct cooperation between Google TAG and OpenAI, showing that they do collaborate on IO.
That’s it for this week! Thanks for reading, and check out Telemetryapp.io if you haven’t already.
Great read per usual. I do wish TAG would provide the indicators. It would be fun to do further analysis. Also bring back the Brat theme, brat summer isn’t over.
A good read, well written.