Welcome to Memetic Warfare.

It’s been a crazy few weeks so we’re going to use this post to look at some items that I haven’t had time to cover.

I’ll have some more in-depth covering of the ongoing war as it goes on, but in the meantime and before starting with the rest of the blog, I’d recommend checking out:

• This week’s Three Buddy Problem episode, which covers the ongoing cyber shenanigans happening in Iran.

  • I’d add to this also that I agree with the gist of this episode and that we are seeing some of the biggest developments in cyber in warfare in past years, if not all time.

• Max Lesser at the FDD and his reporting on:

  • Iranian outlets making things up.

  • An ongoing look at a very, very large and operation (be it grassroots or state affiliated) of an Iranian outlet guiding Iranians on how to create fake Twitter accounts to impersonate Israelis.

The first topic is the discovery of “Void Blizzard”, a new Russia-affiliated threat actor exposed by Microsoft.

Normally I wouldn’t cover this sort of thing as it was a big item covered in mainstream media. What I do want to bring up, though, is how Void Blizzard operates. They rely on infostealer logs, phishing and abusing legitimate services - this is the kind of activity that a non-nation state APT threat actor could do.

The potential for IO is obvious also, and something that’s not been much discussed lately. ATO is a huge threat vector for IO activity, and infostealer logs enable ATO at scale. Any actor could take cookies and user agent information from logs, use an anti-detect browser with an API and automate account takeover.

Something to consider, considering that we haven’t seen too many cases of this. Just to drive the point home, take a look at Hudson Rock’s look at the latest hack of Nobitex - showing that multiple Nobitex employees had been compromised by infostealers, making this type of operation much more feasible for a broader range of threat actors.

The next topic we’ll look at is Viginum’s latest report, available here, which looks at the “African Initiative”.

See summary here:

So, the African Initiative is a former Prigozhin/Wagner operation now of course run by Russia. It gets long and detailed, which is good:

There’s also some Europe-oriented activity, showing good technical analysis via favicon searching and URLScan:

I also appreciate the WordPress analysis:

Same with source code:

Overall this was a solid report and I especially digged the finding re Wordpress JSON investigation, which is something I’d like to see more of. This is also a great report for more pivoting.

On that note, we’ll end this week. Thanks for reading!