Russian Cyborgs and Trolls
October 27, 2017
Unclassified ALQIMI Proprietary

Getting Started
• Given challenge scenario
• Determined following course of action
  • Perform collection surrounding scenario
  • Expand collection to include historical data since, updating all the way to today
  • Analyze and find other similar instances perpetuated by same group; build a timeline
  • Identify entities behind issue (attached in brief)
  • Assess purpose
  • Identify and test methods to gain persistent collection of target entities to annotate and monitor in NRT
  • Analyze and annotate potentials for further collection
  • Note any counterintelligence or cyber security issues of importance

Columbian Chemicals Hoax
• Fake story propagated as an explosion at Columbian Chemicals in Louisiana on 11 September 2014
• Used photoshopped graphics/pictures
• English accounts could not ramp up the trending of the hashtag
• Thousands of Russian accounts were used to force the hashtag to trend
• Spread from Twitter to Wikipedia to Facebook
• Forced local governance and companies to respond and confirm no disaster

Columbian Chemicals Hoax
• Started to examine English accounts
• Observed most to have simple claim of being in USA (method to get trends going in US)
• Accounts use a lot of quotes (bio information and in Tweets)
• Use European grammar
  • ` instead of ‘ for apostrophe
  • <<>> instead of “” for quotes
• Very few Retweets/Favorites (if any)
• Fake news accounts
• Friends and followers with each other

Tracing the Hoax

Mikhail Burchik
• SupportMassVKPosting
• Mass, Scheduled Social Media Posting Application

Mikhail Burchik
• Mikhail Burchik (Михаил Бурчик)
• Age: 29 (DoB: June 2, 1986)
• Facebook ID: 100000001807290
• Skype: bolt2k5
• Livejournal: burchik (offline)
• Vkontakte (VK): vk.com/burchik
• Google+: 111289198648921478169
• Odnoklassniki (Ok.ru): 88281015079
• Website: burchik.ru
• Email: [email protected]
• Phone number: +79219479926
• Address: Poss Kommunarov 188-2-36, Saint Petersburg, Russia
• Occupation: “Web Developer”, known as executive director at Internet Research Agency
• Married to Renata Burchik (Рената Бурчик)
• Personality: Egotistical, confident
• Susceptibility: Pro-Russia, money may be motivator provided it doesn’t do irreparable harm to mother Russia

Mikhail Burchik
[Relationship diagram. Node labels: Mikhail Burchik; Vladimir Putin; Yevgeny Prigozhin; Internet Research (Agency); Federal News Agency (FAN). Edge labels: Personal Chef; Owner of; Owned by; Executive Director; Same Address; Owner of.]

Moving Ahead in Time
• Toward end of #ColumbianChemicals, started using new tags
  o #MaterialEvidence
  o #DeadHorse
• #DeadHorse was discontinued
• #MaterialEvidence was mass projected on three separate occasions by accounts associated with the #ColumbianChemicals Hoax
  o October 2, 2014 (NYC)
  o January 16, 2015 (Moscow)
  o April 7, 2015 (Moscow)

Attempting to Hoax Again

#PhosphorusDisaster
• March 10, 2015 accounts affiliated with the previous #MaterialEvidence and/or #ColumbianChemicals hoaxes started new hashtag #PhosphorusDisaster
• Claimed mass spillage of phosphorus into American Falls, Idaho
• No media coverage, no rebuttals from local governance, largely ignored
• Cries of help, anger against government, claims of government coverup

Another Hoax Attempt
• Quick fire attempt at #TexasJihad
• Purported listing of 26 people in USG in Irving, Texas associated with ISIS
• Purported to be planning attack in US
• Troll farm pushed tag on March 26, 2015
• Used YouTube video from new account
• Posted a blog post on Telegraph site with the names

Names: Sarmed Pervaiz, Omer Muhammad, Dawoud Hermas, Shaon Shaan, Abdullah Yusuf, Malika Saidly, Maria Peracha, Jehan Valliani, Akhror Saidakhmetov, Amreena Ahmad, Shahina Khan, Adi Shaikh, Shannon Maureen Conley, Mufid A. Elfgeeh, Ahmad Abousamra, Moner Mohammad Abu-Salha, Abdi Nur, Tariq ElFauri, Abdurasul Juraboev, Mohammed Hamzah Khan, Mohamoud Egal
email: [email protected]

#TexasJihad

Building a Timeline
#ColumbianChemicals
• 11 Sept 2014
• Focused on hoax disaster/anti-USG
#MaterialEvidence
• 2 Oct 2014, 16 Jan 2015
• Focus on support for exhibit
#PhosphorusDisaster
• 10 Mar 2016
• Focused on hoax disaster/anti-USG
#TexasJihad
• 26 Mar 2015
• Focused on hoax ISIS cell in US
#IndianaFedUp
• 29 Mar 2015
• Anti-gay/anti-USG
#MaterialEvidence
• 7 Apr 2015
• Focused on exhibit
#BaltimorevsRacism
• 28 Apr 2015
• Racist/anti-USG
#HillaryFaildation
• 3 May 2015
• Anti-Hillary Clinton/anti-USG
#ISISInGarland
• 6 May 2015
• Focused on anti-USG/perceived failed policy against ISIS
#SochiTalks
• 12 May 2015
• Anti-USG/Pro Russia
#MakeaMovieHillary
• 30 May 2015
• Anti-Hillary Clinton/anti-USG
#SurveillanceDay
• 2 June 2015
• Anti-USG/Anti-NSA/Anti-Patriot Act
#TsarnaevsApology
• 25 June 2015
• Anti-USG/Pro Russia
#FergusonRemembers
• 11 August 2015
• Racist/Anti-USG
#TrumpBecause
• 13 August 2015
• Anti-USG/Pro-Russia/Pro-Trump
#BlackPickUpLines
• 16 August 2015
• Racist/Anti-USG
#NoGunsForCriminals
• 23 September 2015
• Racist/anti-USG/anti-#2A
#GunViolenceOregon
• 4 October 2015
• Continuance of NoGunsForCriminals

NoGunsForCriminals
• Most recent hashtag used by the collective of Russian trolls
• Focuses on anti-black AND anti-2nd Amendment for the black community
• Even built a petition on whitehouse.gov/petition
• Pushed Russian troll farm to propagate on 23 September 2015

GunViolenceOregon
• Latest hashtag, small usage
• Used on 4/5 October 2015 in wake of mass shooting incident in Oregon
• Continuation of the NoGunsForCriminals campaign
• Network is tightly knit, many of the same involved in NoGunsForCriminals and Ferguson Remembers

Fake News Accounts
• Uses fake news accounts that appear to be in the US
• None are verified
• All tweets contain single headline, no links
• Russian troll accounts in English retweet from these accounts, which helps in the attempt to solidify the validity of the account
• Accounts include: phillyonairnow, sandiegopost, norleansdaily, laonlinedaily, goldengatenews, onlinehouston, washdconline, todaypittsburgh, dallasbreaking, chicagoildaily, todaymiami, nyc_everyday, millcitynews, cincinnatidays, todaymemphis, atlantabreaking, bestusatoday
• Best USA Today (BUT) has a website: butthis.com (registered in US with mail server in Russia; same IP as add1.ru MX)

Typical US Accounts
• Posts are in bursts
• Non-hashtagged posts focus on pictures (to assert they are real), videos, and quotes
• Not involved in every hashtag story or hoax
• Started in July/August 2013
• Uses “real” photos for profile, background (most likely from random Facebook accounts)
• First tweets contain “real” pictures
• Possibly mimics a real account’s pictures to show authenticity and consistency
• Mostly uses Tweetbot, Twitter Web Client, or Tweetdeck (varies)

Typical Russian Accounts
• Posts are consistent
• Focuses on retweeting and tweeting out stories and issues that are slanted pro-Russian
• Not involved in every hashtag story or hoax
• Uses stock photos for profile, background
• Mostly uses Rotislav, Bronislav, Iziaslav

Further Mapping Accounts
[Network graph. Cluster labels: "Newer networks from other hoaxes, mostly English accounts"; "Original #ColumbianChemicals Network"]
[Network graph: focusing in on an account (@tedconnolly_)]

TedConnolly_
• Account works just like other accounts
• Lists in USA
• Posts videos, hashtag campaigns, quotes, and retweets news stories
• Posted pictures of himself as first two posts

TedConnolly_
Stole the Pics from… NCL, Travis Hiner, Automation Technician

TedConnolly_ Core Network
[Network graph. Node labels: Troll (four nodes); Real Account (two nodes); Suspected Russian "News" Account (two nodes); Claimed Russian Propaganda Account. Caption: Stole the Pics from…]

Other Interesting Accounts
• Another Russian Troll Account
• Posts pictures of himself as a US Army soldier
• Found pictures to be taken from Facebook once more
US Army Soldier James Garmon (Possibly stationed in Hawaii)

Keeping Tabs on the Network
• Created two methods for monitoring/finding Russian troll accounts used by this organization
• Method 1: English accounts have a few similarities; however, most are not universal. Persistent tabs on EVERY account is impossible as usage is random and ever changing. Instead, focused on those who rely on and retweet from fake Best USA Today Twitter account (Figure 1)
• Method 2: Russian accounts are easier as they tend to use certain tweet generators: Bronislav, Iziaslav, and Rotislav. Query is combined to search only for tweets recognized as Russian (Figure 2)
Figure 1
Figure 2
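
The two monitoring methods above, together with the punctuation tells from the earlier Columbian Chemicals slide, written as detection logic over constructed tweet records. This is an added example, not code from the original deck; the record schema (`user`, `text`, `source`, `lang`, `retweet_of`) and the tag names are assumptions, and Method 1 is generalized here from the Best USA Today account to every fake news handle the deck lists.

```python
# Added example (not from the deck); the record fields are an assumed schema.
import re

# Fake "local news" handles listed on the Fake News Accounts slide.
FAKE_NEWS = {
    "phillyonairnow", "sandiegopost", "norleansdaily", "laonlinedaily",
    "goldengatenews", "onlinehouston", "washdconline", "todaypittsburgh",
    "dallasbreaking", "chicagoildaily", "todaymiami", "nyc_everyday",
    "millcitynews", "cincinnatidays", "todaymemphis", "atlantabreaking",
    "bestusatoday",
}
# Tweet-generator client names, spelled as on the slides.
GENERATORS = {"rotislav", "bronislav", "iziaslav"}
# Punctuation tells: backtick as apostrophe, << >> (or guillemets) as quotes.
BACKTICK = re.compile(r"\w`\w")
ANGLE_QUOTES = re.compile(r"(<<|«).+?(>>|»)")

def indicators(tweet):
    """Return the sorted slide heuristics that one tweet record matches."""
    hits = set()
    if (tweet.get("retweet_of") or "").lower() in FAKE_NEWS:
        hits.add("method1:retweets_fake_news")
    if tweet.get("source", "").lower() in GENERATORS and tweet.get("lang") == "ru":
        hits.add("method2:generator_client_ru")
    text = tweet.get("text", "")
    if BACKTICK.search(text):
        hits.add("style:backtick_apostrophe")
    if ANGLE_QUOTES.search(text):
        hits.add("style:angle_quotes")
    return sorted(hits)

def watchlist(tweets):
    """Group matched indicators by account; accounts with no hits are omitted."""
    out = {}
    for t in tweets:
        found = indicators(t)
        if found:
            out.setdefault(t["user"], set()).update(found)
    return {user: sorted(tags) for user, tags in out.items()}

# Constructed sample records (not real tweets or accounts).
SAMPLE = [
    {"user": "acct_a", "text": "Headline only", "source": "TweetDeck",
     "lang": "en", "retweet_of": "bestusatoday"},
    {"user": "acct_a", "text": "I can`t believe <<officials>> said nothing",
     "source": "Twitter Web Client", "lang": "en"},
    {"user": "acct_b", "text": "Новости дня", "source": "Bronislav", "lang": "ru"},
    {"user": "acct_c", "text": "It's a nice day", "source": "Tweetbot", "lang": "en"},
]
```

Calling `watchlist(SAMPLE)` groups the matched tags per account. Matches are leads for analyst review; none of these signals alone ties an account to the network.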

English Accounts
• Focus on Blake_Cline_
• Uses TweetDeck
• Low Reach, Influence and Klout
• Generic USA location

Russian Accounts Monitoring

Assessment
• The Internet Research Agency (probably controlled by the Russian Government) is most likely the source of these directed messaging campaigns and attempted hoaxes.
• The IRA is most likely conducting an information operations campaign designed to scare the US populace, influence US politics, and assess US reactions to the campaigns.
• This campaign is most likely a probing campaign designed to elicit responses, measure those responses, and learn new methods to propagate their message while obfuscating Russian involvement.
• The IRA is still failing to influence reactions amongst the US population due to its lack of understanding of how social media marketing and metrics work, its usage of Russian accounts, and its failure to understand and properly employ the English language.
• The IRA employs a series of trolls and cyborgs in an effort to create an artificial echo chamber that can add to the noise of the Internet. While these attempts were not able to achieve their assumed goals, they did show an ability to learn, adapt, and grow in their capabilities and methodologies.

Recommendations
• Option 1: Monitor – The current plan is to continue to analyze, assess, and generally monitor the activities of the various Russian troll networks. This is a minimal risk strategy.
• Option 2: Ping – One intrusive option is to use the analysis and annotation of the massive amount of troll accounts to generate a ‘ping’ list. That list would be used to ‘ping’ every account with a message, attribution to the US, and from an official US account. This would require a parallel PR campaign from the US to include publication of the list, the actions taken, and any further information necessary for publication.
• Option 3: The Third Party – This option would do the same as Option 2 but would give the pieces to various third parties for publication and ‘pinging.’ Essentially, it is the non-attributable version of Option 2.
• Option 4: Bad Wolf – This would turn the concept of their idea back against them. It would be a machine much like what they have built. Instead of being turned against the West, it would be turned against Russia. It would be non-attributable and would be used as an information operation against the Russians using their tactics against them.