DISARMframeworks/generated_pages/techniques/T0143.001.md
2024-07-27 05:24:28 -04:00


Technique T0143.001: Authentic Persona

  • Summary: An individual or institution presenting a persona that legitimately matches who or what they are is presenting an authentic persona.

    For example, an account which presents as being managed by a member of a country's military, and is legitimately managed by that person, would be presenting an authentic persona (T0143.001: Authentic Persona, T0097.105: Military Personnel).

    Sometimes people can authentically present themselves as who they are while still participating in malicious/inauthentic activity; a legitimate journalist (T0143.001: Authentic Persona, T0097.102: Journalist Persona) may accept bribes to promote products, or they could be tricked by threat actors into sharing an operation's narrative.

  • Belongs to tactic stage: TA16

Incident Descriptions given for this incident
I00077 Fronts & Friends: An Investigation into Two Twitter Networks Linked to Russian Actors

“The largest account [in the network of inauthentic accounts attributed to Russia] had 11,542 followers but only 8 had over 1,000 followers, and 11 had under ten. The accounts in aggregate had only 79,807 engagements across the entire tweet corpus, and appear to have been linked to the operations primarily via technical indicators rather than amplification or conversation between them. A few of the bios from accounts in the set claim to be journalists. Two profiles, belonging to an American activist and a Russian academic, were definitively real people; we do not have sufficient visibility into the technical indicators that led to their inclusion in the network and thus do not include them in our discussion.”

In this example the Stanford Internet Observatory has been provided data on two networks which, according to Twitter, showed signs of being affiliated with Russia's Internet Research Agency (IRA). Two accounts investigated by Stanford were real people presenting their authentic personas, matching T0143.001: Authentic Persona.

Stanford didn't have access to the technical indicators associating these accounts with the IRA, so they did not include data associated with these accounts for assessment. Analysts with access to platform logs may be able to uncover indicators of suspicious behaviour in accounts presenting authentic personas, using attribution methods unavailable to analysts working with open source data.

I00078 Meta's September 2020 Removal of Coordinated Inauthentic Behavior

“[Meta has] removed one Page, five Facebook accounts, one Group and three Instagram accounts for foreign or government interference which is coordinated inauthentic behavior on behalf of a foreign or government entity. This small network originated in Russia and focused primarily on Turkey and Europe, and also on the United States.

“This operation relied on fake accounts — some of which had been already detected and removed by our automated systems — to manage their Page and their Group, and to drive people to their site purporting to be an independent think-tank based primarily in Turkey. These accounts posed as locals based in Turkey, Canada and the US. They also recruited people to write for their website. This network had almost no following on our platforms when we removed it.”


Meta identified that a network of accounts originating in Russia was driving people off platform to a site which presented itself as a think-tank (T0097.204: Think Tank Persona). Meta did not make an attribution about the authenticity of this off-site think tank, so neither T0143.001: Authentic Persona nor T0143.002: Fabricated Persona is used here.

Meta had access to technical data for accounts on its platform, and asserted that they were fabricated individuals posing as locals who recruited targets to write content for their website (T0097.101: Local Persona, T0097.106: Recruiter Persona, T0143.002: Fabricated Persona).

I00079 Three thousand fake tanks

“On January 4 [2017], a little-known news site based in Donetsk, Ukraine published an article claiming that the United States was sending 3,600 tanks to Europe as part of “the NATO war preparation against Russia”.

“Like much fake news, this story started with a grain of truth: the US was about to reinforce its armored units in Europe. However, the article converted literally thousands of other vehicles — including hundreds of Humvees and trailers — into tanks, building the US force into something 20 times more powerful than it actually was.

“The story caught on online. Within three days it had been repeated by a dozen websites in the United States, Canada and Europe, and shared some 40,000 times. It was translated into Norwegian; quoted, unchallenged, by Russian state news agency RIA Novosti; and spread among Russian-language websites.

“It was also an obvious fake, as any Google news search would have revealed. Yet despite its evident falsehood, it spread widely, and not just in directly Kremlin-run media. Tracking the spread of this fake therefore shines a light on the wider question of how fake stories are dispersed.”


Russian state news agency RIA Novosti presents itself as a news outlet (T0097.202: News Outlet Persona). RIA Novosti is a real news outlet (T0143.001: Authentic Persona), but it did not carry out the basic investigation into the veracity of the narrative it published that is implicitly expected of institutions presenting themselves as news outlets.

We can't know how or why this narrative ended up being published by RIA Novosti, but we know that it presented a distorted reality as authentic information (T0023: Distort Facts), claiming that the US was sending 3,600 tanks, instead of 3,600 vehicles which included ~180 tanks.

I00084 Russia turns its diplomats into disinformation warriors

“After the European Union banned Kremlin-backed media outlets and social media giants demoted their posts for peddling falsehoods about the war in Ukraine, Moscow has turned to its cadre of diplomats, government spokespeople and ministers — many of whom have extensive followings on social media — to promote disinformation about the conflict in Eastern Europe, according to four EU and United States officials.”

In this example authentic Russian government officials used their own accounts to promote false narratives (T0143.001: Authentic Persona, T0097.111: Government Official Persona).

The use of accounts managed by authentic government officials and diplomats to spread false narratives makes it harder for platforms to enforce content moderation, because of the political ramifications they may face for censoring elected officials (T0131: Exploit TOS/Content Moderation). For example, Twitter previously argued that official channels of world leaders are not removed due to the high public interest associated with their activities.

I00085 China's large-scale media push: Attempts to influence Swedish media

“Four media companies Svenska Dagbladet, Expressen, Sveriges Radio, and Sveriges Television stated that they had been contacted by the Chinese embassy on several occasions, and that they, for instance, had been criticized on their publications, both by letters and e-mails.

The media company Svenska Dagbladet, had been contacted on several occasions in the past two years, including via e-mails directly from the Chinese ambassador to Sweden. Several times, China and the Chinese ambassador had criticized the media company's publications regarding the conditions in China. Individual reporters also reported having been subjected to criticism.

The tabloid Expressen had received several letters and e-mails from the embassy, e-mails containing criticism and threatening formulations regarding the coverage of the Swedish book publisher Gui Minhai, who has been imprisoned in China since 2015. Formulations such as “media tyranny” could be found in the e-mails.”


In this case, the Chinese ambassador is using their official role (T0143.001: Authentic Persona, T0097.111: Government Official Persona) to try to influence Swedish press. A government official trying to interfere in other countries' media activities could be a violation of press freedom. In this specific case, the Chinese diplomats are trying to silence criticism against China (T0139.002: Silence).

I00093 China Falsely Denies Disinformation Campaign Targeting Canada's Prime Minister

“On October 23, Canada's Foreign Ministry said it had discovered a disinformation campaign, likely tied to China, aimed at discrediting dozens of Canadian politicians, including Prime Minister Justin Trudeau.

“The ministry said the campaign took place in August and September. It used new and hijacked social media accounts to bulk-post messages targeting Canadian politicians (T0141.001: Acquire Compromised Account).

“A Chinese Embassy in Canada spokesperson dismissed Canada's accusation as baseless.

““Canada was a downright liar and disseminator of false information… Beijing has never meddled in another nation's domestic affairs.”

“A Chinese Embassy in Canada spokesperson dismissed Canada's accusation as baseless.

“That is false.

“The Canadian government's report is based on an investigation conducted by its Rapid Response Mechanism cyber intelligence unit in cooperation with the social media platforms.

“The investigation exposed China's disinformation campaign dubbed “Spamouflage” -- for its tactic of using “a network of new or hijacked social media accounts that posts and increases the number of propaganda messages across multiple social media platforms including Facebook, X/Twitter, Instagram, YouTube, Medium, Reddit, TikTok, and LinkedIn.””


In this case a network of accounts attributed to China was identified operating on multiple platforms. The report was dismissed as false information by an official in the Chinese Embassy in Canada (T0143.001: Authentic Persona, T0097.111: Government Official Persona, T0129.006: Deny Involvement).
Counters Response types

DO NOT EDIT ABOVE THIS LINE - PLEASE ADD NOTES BELOW