My name is Ari Ben Am, and I’m the founder of Glowstick Intelligence Enablement. I’ve worked in the open-source and cyber threat investigative space for a number of years now in a variety of capacities, and have finally decided that it is time to subject the internet to my hot takes on all things internet.
I post primarily on two topics: Information Operations/Disinformation and CTI (cyber threat intelligence) with an emphasis on APAC and China in particular. Occasionally I’ll delve into the online far-right out of a desire to engage in some top-kekery.
I aspire to be able to publish weekly (or biweekly on slow weeks), but this will vary based upon my own schedule as well as industry events. This Substack won’t serve (just) as a newsletter, and instead will be a platform for me to express opinions - especially contrarian and “spicy” ones - as well as provide some commentary on relevant topics and affairs and even the occasional explanation of tools and techniques for those interested in investigation. For those interested in a newsletter - I highly recommend Disinfo Docket.
Additionally - anyone interested in reaching out is more than welcome to add me on LinkedIn as well as follow my page, Glowstick Intelligence Enablement.
There are three main reasons why I’ve decided to open this Substack that will serve as the guiding principles of everything practical/technical that I post:
There is a strong overlap between open-source investigation and CTI/technical investigation that currently is underutilized in the industry, and I want to bring that to light.
This cuts both ways - plenty of technical CTI investigators don’t also know how to effectively utilize “simple” OSINT tools and techniques for their own technical investigations. Non-technical OSINT analysts can also utilize a number of “technical” investigation techniques and tools as well without completely understanding TCP/IP or other models.
Most covert information/influence operation investigations are done poorly. There, I’ve said it. This isn’t the fault of most investigators and analysts, but rather one major, and in my opinion faulty, assumption by most of industry on the field: that big data analysis of social media, powered by AI/ML, is the key to countering IO/disinformation.
AI is going to be key in the disinformation/IO space in coming years, but primarily for offensive content generation purposes. AI will also aid investigators - be it via OCR, audio transcription, machine translation, text-to-code powered by GPT and more - but we are a ways off from AI itself being capable of analyzing networks independently. Even if AI were to be truly capable of analyzing networks and so on independently, disinformation content is inherently a difficult thing to assess and gauge.
Let’s assume even that AI works effectively as promoted. Relying on it as a fundamental approach is insufficient: it is reactive at the latest stage of network activity (content dissemination) and reliant on inauthentic assets. Most effective IO is the result of targeted networks of authentic or combined authentic/inauthentic assets and is often undetected by most platforms and investigators.
Investigators historically have investigated networks - usually on Twitter, but of course not exclusively. This has usually been done by utilizing data analysis techniques occasionally enhanced with deeper investigation powered by OSINT techniques - verification via reverse image searching, username resolution and a few others. This can only take us so far as it limits the investigation to the social media sphere. IO investigations must move to targeted network analysis techniques that utilize deeper investigations on network domains as well as authentic actors in networks - this both enables better and deeper investigation as well as attribution and potential legal or other methods of recourse and countering.
Lack of coverage on APAC/China. The IO field is heavily biased towards covering Russia and to some extent the US and other regions. There has been more coverage of China in recent years but we’re still lacking quality and deep coverage, as well as expertise on China. This is especially relevant considering that China will almost certainly be the dominant actor in the field in the coming decades.
With no further ado, let’s discuss the developments of the past week:
Another Podcast?
I don’t always recommend podcasts, but there have been two notable episodes recently that have value, and also focus on different elements of influence. Both are worth listening to in full by any influence enthusiasts.
The first is Foreign Office with Michael Weiss, in which Weiss interviews Renee DiResta of the Stanford Internet Observatory - one of the few academic organizations that frequently publishes investigations. There are a lot of interesting insights from this episode, which focuses on covert Russian operations - in particular those emanating from Prigozhin. Some standouts include:
The actual impact of social media assets, in particular the difference between Facebook ad views and the actual impact of Facebook pages. Small ad view/ad spend on a given network does not necessarily mean that it was ineffective, especially when the central assets are in fact quite popular and exposed to tens or hundreds of thousands of others.
The history of Prigozhin and the impact of the IRA. In my opinion, the IRA is one of the most effective examples of coordinated operations and other exposed Russian operations affiliated directly with state organs often pale in comparison.
The second is the Cognitive Crucible’s recent episode with Vic Garcia and Mike Berger. This episode focuses on influence at the strategy, messaging apparatus and narrative level (with some interesting examples of the confluence of influence, intelligence and military affairs later on in the counterextremism sphere). Definitely an interesting episode for those interested in the high-level messaging, messaging apparatuses - such as state media outlets, diplomatic corps etc - and overt elements of influence.
Some highlights:
US messaging capabilities are weak, and it functionally has given up the information environment to China, Russia and Iran. Looking at the numbers quoted, the US spends approximately 1b USD on messaging, in contrast to China and Russia, both of which spend significantly more - in some cases, exponentially.
Perspectives of the US
Russia/Iranian use of the information environment is generally in support and as part of their asymmetric warfare efforts with an emphasis on covert networks, whereas Chinese influence efforts are better integrated with the wider spectrum of DIME (Diplomacy, Information, Military, Economic) efforts.
Messaging apparatuses can often overlap with each other. Shared Iranian and Russian support for the al-Assad regime in 2011 is one of the earlier examples of such confluence. The coronavirus pandemic is an additional example of this, with Chinese outlets directly borrowing anti-US military disinformation content (i.e. the US military created the Coronavirus) from Russian media outlets, and in some cases Iran-affiliated terrorist groups in the Middle East then leveraging that content against the US military presence in the region.
There was a lot of food for thought in this one. Researchers in the field often choose to focus on either covert (IO networks) or overt (media/propaganda) efforts, when in reality influence often is the implementation of the two of these. The US and other partners shouldn’t surrender the information environment as they have done so far, but also shouldn’t engage in the same tactics utilized by China/Russia/Iran. Investing heavily in overt messaging while only utilizing covert activity when required tactically may be one avenue for this.
Tweeting in the Name
Bellingcat’s Christo Grozev recently tweeted about how a Russian diplomat consistently refers to GRU and troll farm accounts, thus “burning” them. While Grozev is right, there are a few things to consider here as well as utilize:


The diplomatic corps of states such as Russia and China have become prime vectors of disinformation and propaganda content in recent years. As tensions between the West and Russia/China continue to worsen, there’s no real reason for them to not promote such overt troll content to wider audiences.
Effective disinformation is coordinated, networked and full-spectrum, so the amplification of an inauthentic troll account by an authentic and even “official” actor makes sense and is in many ways effective to target audiences.
Analysts and researchers in this field also often forget that they themselves are not necessarily the target of such “oblivious” cases of low-energy disinformation. This diplomat’s activity may in fact be effective in promoting pro-Russian sentiment in certain regions - be they in Germany as the tweet refers to (which itself has a sizable pro-Russian minority), as well as to audiences in Africa, LATAM and others that may hold entirely different perspectives than any European on Russia.
This is quite useful for us as it serves as an effective form of source development. Most disinformation research and investigation focuses on specific keywords or hashtags and not on quality entities that create and/or amplify indicative content. Following individuals such as Polyanskiy and others can help researchers develop a passive, quality pipeline of actively promoted disinformation content in close to real time - better enabling analysts to identify what’s actually being promoted and not simply investigate whatever keywords/hashtags they think may be relevant on a given day.
Something to keep in mind also when developing sources is utilizing the Twitter recommendation algorithm. If we were to follow Polyanskiy with a burner account, we would receive recommendations of similar accounts from Twitter to follow - these can then also be expanded upon by following them and so on and so forth.
Further Chinese investment in propaganda and United Front work
Here we have a paywalled article, uploaded by Intelligence Online, claiming that the Chinese government has invested in a hiring drive for overt influence in propaganda departments as well as covert influence via the United Front Work Department. I won’t post too much information from the article so as not to infringe upon the paywall, but the general points brought up (while unconfirmed) are interesting as far as their implications on Chinese influence strategy.