mirror of
https://github.com/DISARMFoundation/DISARMframeworks.git
synced 2024-12-12 01:14:20 -05:00
13 KiB
13 KiB
Technique T0097.202: News Outlet Persona
-
Summary: An institution with a news outlet persona presents itself as an organisation which delivers new information to its target audience.
While presenting as a news outlet is not an indication of inauthentic behaviour, an influence operation may have its narratives amplified by news organisations. Threat actors can fabricate news organisations (T0143.002: Fabricated Persona, T0097.202: News Outlet Persona), or they can impersonate existing news outlets (T0143.003: Impersonated Persona, T0097.202: News Outlet Persona).
Legitimate news organisations could use their persona for malicious purposes, or be exploited by threat actors (T0143.001: Authentic Persona, T0097.202: News Outlet Persona).
Associated Techniques and Sub-techniques
T0097.102: Journalist Persona: Institutions presenting as news outlets may also present journalists working within the organisation.
T0097.201: Local Institution Persona: Institutions presenting as news outlets may present as being a local news outlet.
T0097.203: Fact Checking Organisation Persona: Institutions presenting as news outlets may also deliver a fact checking service (e.g. The UK’s BBC News has the fact checking service BBC Verify). When an actor presents as the fact checking arm of a news outlet, they are presenting both a News Outlet Persona and a Fact Checking Organisation Persona. -
Belongs to tactic stage: TA16
| Incident | Descriptions given for this incident |
|---|---|
| I00069 Uncharmed: Untangling Iran's APT42 Operations | “Mandiant identified at least three clusters of infrastructure used by [Iranian state-sponsored cyber espionage actor] APT42 to harvest credentials from targets in the policy and government sectors, media organizations and journalists, and NGOs and activists. The three clusters employ similar tactics, techniques and procedures (TTPs) to target victim credentials (spear-phishing emails), but use slightly varied domains, masquerading patterns, decoys, and themes. Cluster A: Posing as News Outlets and NGOs: - Suspected Targeting: credentials of journalists, researchers, and geopolitical entities in regions of interest to Iran. - Masquerading as: The Washington Post (U.S.), The Economist (UK), The Jerusalem Post (IL), Khaleej Times (UAE), Azadliq (Azerbaijan), and more news outlets and NGOs. This often involves the use of typosquatted domains like washinqtonpost[.]press. “Mandiant did not observe APT42 target or compromise these organizations, but rather impersonate them.” In this example APT42, an Iranian state-sponsored cyber espionage actor, impersonated existing news organisations and NGOs (T0097.202 News Outlet Persona, T0097.207: NGO Persona, T00143.004: Impersonated Persona) in attempts to steal credentials from targets (T0141.001: Acquire Compromised Account), using elements of influence operations to facilitate their cyber attacks. |
| I00074 The Tactics & Tropes of the Internet Research Agency | “The Black Matters Facebook Page [operated by Russia’s Internet Research Agency] explored several visual brand identities, moving from a plain logo to a gothic typeface on Jan 19th, 2016. On February 4th, 2016, the person who ran the Facebook Page announced the launch of the website, blackmattersus[.]com, emphasizing media distrust and a desire to build Black independent media; [“I DIDN’T BELIEVE THE MEDIA / SO I BECAME ONE”]” In this example an asset controlled by Russia’s Internet Research Agency began to present itself as a source of “Black independent media”, claiming that the media could not be trusted (T0097.208: Social Cause Persona, T0097.202: News Outlet Persona, T0143.002: Fabricated Persona). |
| I00076 Network of Social Media Accounts Impersonates U.S. Political Candidates, Leverages U.S. and Israeli Media in Support of Iranian Interests | “Accounts in the network [of inauthentic accounts attributed to Iran], under the guise of journalist personas, also solicited various individuals over Twitter for interviews and chats, including real journalists and politicians. The personas appear to have successfully conducted remote video and audio interviews with U.S. and UK-based individuals, including a prominent activist, a radio talk show host, and a former U.S. Government official, and subsequently posted the interviews on social media, showing only the individual being interviewed and not the interviewer. The interviewees expressed views that Iran would likely find favorable, discussing topics such as the February 2019 Warsaw summit, an attack on a military parade in the Iranian city of Ahvaz, and the killing of Jamal Khashoggi. “The provenance of these interviews appear to have been misrepresented on at least one occasion, with one persona appearing to have falsely claimed to be operating on behalf of a mainstream news outlet; a remote video interview with a US-based activist about the Jamal Khashoggi killing was posted by an account adopting the persona of a journalist from the outlet Newsday, with the Newsday logo also appearing in the video. We did not identify any Newsday interview with the activist in question on this topic. In another instance, a persona posing as a journalist directed tweets containing audio of an interview conducted with a former U.S. Government official at real media personalities, calling on them to post about the interview.” In this example actors fabricated journalists (T0097.102: Journalist Persona, T0143.002: Fabricated Persona) who worked at existing news outlets (T0097.202: News Outlet Persona, T0143.003: Impersonated Persona) in order to conduct interviews with targeted individuals. |
| I00077 Fronts & Friends: An Investigation into Two Twitter Networks Linked to Russian Actors | “Approximately one-third of the suspended accounts [in the network of inauthentic accounts attributed to Russia] tweeted primarily about Syria, in English, Russian, and Arabic; many accounts tweeted in all three languages. The themes these accounts pushed will be familiar to anyone who has studied Russian overt or covert information operations about Syria: - Praising Russia’s role in Syria; claiming Russia was killing terrorists in Syria and highlighting Russia’s humanitarian aid - Criticizing the role of the Turkey and the US in Syria; claiming the US killed civilians in Syria - Criticizing the White Helmets, and claiming that they worked with Westerners to created scenes to make it look like the Syrian government used chemical weapons “The two most prominent Syria accounts were @Syria_FreeNews and @PamSpenser. “@Syria_FreeNews had 20,505 followers and was created on April 6, 2017. The account’s bio said “Exclusive information about Middle East and Northern Africa countries events. BreaKing news from the scene.”” This behaviour matches T0097.202: News Outlet Persona because the account @Syrira_FreeNews presented itself as a news outlet in its name, bio, and branding, across all websites on which the persona had been established (T0144.001: Persona Presented across Platforms). Twitter’s technical indicators allowed them to attribute the account “can be reliably tied to Russian state actors”. Because of this we can assert that the persona is entirely fabricated (T0143.002: Fabricated Persona); this is not a legitimate news outlet providing information about Syria, it’s an asset controlled by Russia publishing narratives beneficial to their agenda., “Two accounts [in the second network of accounts taken down by Twitter] appear to have been operated by Oriental Review and the Strategic Culture Foundation, respectively. Oriental Review bills itself as an “open source site for free thinking”, though it trades in outlandish conspiracy theories and posts content bylined by fake people. Stanford Internet Observatory researchers and investigative journalists have previously noted the presence of content bylined by fake “reporter” personas tied to the GRU-linked front Inside Syria Media Center, posted on Oriental Review.” In an effort to make the Oriental Review’s stories appear more credible, the threat actors created fake journalists and pretended they wrote the articles on their website (aka “bylined” them). In DISARM terms, they fabricated journalists (T0143.002: Fabricated Persona, T0097.003: Journalist Persona), and then used these fabricated journalists to increase perceived legitimacy (T0097.202: News Outlet Persona, T0143.002: Fabricated Persona). |
| I00079 Three thousand fake tanks | “On January 4 [2017], a little-known news site based in Donetsk, Ukraine published an article claiming that the United States was sending 3,600 tanks to Europe as part of “the NATO war preparation against Russia”. “Like much fake news, this story started with a grain of truth: the US was about to reinforce its armored units in Europe. However, the article converted literally thousands of other vehicles — including hundreds of Humvees and trailers — into tanks, building the US force into something 20 times more powerful than it actually was. “The story caught on online. Within three days it had been repeated by a dozen websites in the United States, Canada and Europe, and shared some 40,000 times. It was translated into Norwegian; quoted, unchallenged, by Russian state news agency RIA Novosti; and spread among Russian-language websites. “It was also an obvious fake, as any Google news search would have revealed. Yet despite its evident falsehood, it spread widely, and not just in directly Kremlin-run media. Tracking the spread of this fake therefore shines a light on the wider question of how fake stories are dispersed.” Russian state news agency RIA Novosti presents themselves as a news outlet (T0097.202: News Outlet Persona). RIO Novosti is a real news outlet (T0143.001: Authentic Persona), but it did not carry out a basic investigation into the veracity of the narrative they published implicitly expected of institutions presenting themselves as news outlets. We can’t know how or why this narrative ended up being published by RIA Novosti, but we know that it presented a distorted reality as authentic information (T0023: Distort Facts), claiming that the US was sending 3,600 tanks, instead of 3,600 vehicles which included ~180 tanks. |
| I00094 A glimpse inside a Chinese influence campaign: How bogus news websites blur the line between true and false | Researchers identified websites managed by a Chinese marketing firm which presented themselves as news organisations. “On its official website, the Chinese marketing firm boasted that they were in contact with news organizations across the globe, including one in South Korea called the “Chungcheng Times.” According to the joint team, this outlet is a fictional news organization created by the offending company. The Chinese company sought to disguise the site’s true identity and purpose by altering the name attached to it by one character—making it very closely resemble the name of a legitimate outlet operating out of Chungchengbuk-do. “The marketing firm also established a news organization under the Korean name “Gyeonggido Daily,” which closely resembles legitimate news outlets operating out of Gyeonggi province such as “Gyeonggi Daily,” “Daily Gyeonggi Newspaper,” and “Gyeonggi N Daily.” One of the fake news sites was named “Incheon Focus,” a title that could be easily mistaken for the legitimate local news outlet, “Focus Incheon.” Furthermore, the Chinese marketing company operated two fake news sites with names identical to two separate local news organizations, one of which ceased operations in December 2022. “In total, fifteen out of eighteen Chinese fake news sites incorporated the correct names of real regions in their fake company names. “If the operators had created fake news sites similar to major news organizations based in Seoul, however, the intended deception would have easily been uncovered,” explained Song Tae-eun, an assistant professor in the Department of National Security & Unification Studies at the Korea National Diplomatic Academy, to The Readable. “There is also the possibility that they are using the regional areas as an attempt to form ties with the local community; that being the government, the private sector, and religious communities.”” The firm styled their news site to resemble existing local news outlets in their target region (T0097.201: Local Institution Persona, T0097.202: News Outlet Persona, T0143.003: Impersonated Persona). |
| Counters | Response types |
|---|
DO NOT EDIT ABOVE THIS LINE - PLEASE ADD NOTES BELOW