DISARMframeworks/generated_pages/incidents/I00077.md
2024-07-27 05:24:28 -04:00

31 lines
8.2 KiB
Markdown
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Incident I00077: Fronts & Friends: An Investigation into Two Twitter Networks Linked to Russian Actors
* **Summary:** <i>“On February 23, 2021 Twitter announced the removal of two networks linked to Russian actors, which it had shared with the Stanford Internet Observatory on February 12. The first network, which we will call Network 1, “can be reliably tied to Russian state actors,” according to Twitter. It consisted of two types of accounts: accounts that claimed to be located in Syria and accounts that spread anti-NATO messaging. Many of these accounts were sockpuppets, claiming to be individuals that did not exist, or fake media fronts.”</I>
* **incident type**:
* **Year started:**
* **Countries:** ,
* **Found via:**
* **Date added:**
| Reference | Pub Date | Authors | Org | Archive |
| --------- | -------- | ------- | --- | ------- |
| [https://stacks.stanford.edu/file/druid:jv674ss6714/russia_twitter_takedown_feb_23_2021.pdf](https://stacks.stanford.edu/file/druid:jv674ss6714/russia_twitter_takedown_feb_23_2021.pdf) | 2021/02/23 | Renée DiResta, Shelby Grossman | Stanford Internet Observatory | [https://web.archive.org/web/20231227044952/https://stacks.stanford.edu/file/druid:jv674ss6714/russia_twitter_takedown_feb_23_2021.pdf](https://web.archive.org/web/20231227044952/https://stacks.stanford.edu/file/druid:jv674ss6714/russia_twitter_takedown_feb_23_2021.pdf) |
| Technique | Description given for this incident |
| --------- | ------------------------- |
| [T0097.103 Activist Persona](../../generated_pages/techniques/T0097.103.md) | IT00000262 <i>“The Syria portion of the network [of inauthentic accounts attributed to Russia] included additional sockpuppet accounts. One of these claimed to be a gay rights defender in Syria. Several said they were Syrian journalists. Another account, @SophiaHammer3, said she was born in Syria but currently lives in London. “Im fond of history and politics. I struggle for justice.” Twitter users had previously observed that Sophia was likely a sockpuppet.”</i><br><br> This behaviour matches T0097.103: Activist Persona because the account presents itself as defending a political cause - in this case gay rights.<br><br> Twitters technical indicators allowed their analysts to assert that these accounts were “reliably tied to Russian state actors”, meaning the presented personas were entirely fabricated (T0143.002: Fabricated Persona); these accounts are not legitimate gay rights defenders or journalists, theyre assets controlled by Russia publishing narratives beneficial to their agenda. |
| [T0097.202 News Outlet Persona](../../generated_pages/techniques/T0097.202.md) | IT00000265 <i>“Two accounts [in the second network of accounts taken down by Twitter] appear to have been operated by Oriental Review and the Strategic Culture Foundation, respectively. Oriental Review bills itself as an “open source site for free thinking”, though it trades in outlandish conspiracy theories and posts content bylined by fake people. Stanford Internet Observatory researchers and investigative journalists have previously noted the presence of content bylined by fake “reporter” personas tied to the GRU-linked front Inside Syria Media Center, posted on Oriental Review.”</i><br><br> In an effort to make the Oriental Reviews stories appear more credible, the threat actors created fake journalists and pretended they wrote the articles on their website (aka “bylined” them).<br><br> In DISARM terms, they fabricated journalists (T0143.002: Fabricated Persona, T0097.003: Journalist Persona), and then used these fabricated journalists to increase perceived legitimacy (T0097.202: News Outlet Persona, T0143.002: Fabricated Persona). |
| [T0143.001 Authentic Persona](../../generated_pages/techniques/T0143.001.md) | IT00000258 <i>“The largest account [in the network of inauthentic accounts attributed to Russia] had 11,542 followers but only 8 had over 1,000 followers, and 11 had under ten. The accounts in aggregate had only 79,807 engagements across the entire tweet corpus, and appear to have been linked to the operations primarily via technical indicators rather than amplification or conversation between them. A few of the bios from accounts in the set claim to be journalists. Two profiles, belonging to an American activist and a Russian academic, were definitively real people; we do not have sufficient visibility into the technical indicators that led to their inclusion in the network and thus do not include them in our discussion.”</i><br><br> In this example the Stanford Internet Observatory has been provided data on two networks which, according to Twitter, showed signs of being affiliated with Russias Internet Research Agency (IRA). Two accounts investigated by Stanford were real people presenting their authentic personas, matching T0143.001: Authentic Persona.<br><br> Stanford didnt have access to the technical indicators associating these accounts with the IRA, so they did not include data associated with these accounts for assessment. Analysts with access to platform logs may be able to uncover indicators of suspicious behaviour in accounts presenting authentic personas, using attribution methods unavailable to analysts working with open source data. |
| [T0143.002 Fabricated Persona](../../generated_pages/techniques/T0143.002.md) | IT00000264 <i>“Two accounts [in the second network of accounts taken down by Twitter] appear to have been operated by Oriental Review and the Strategic Culture Foundation, respectively. Oriental Review bills itself as an “open source site for free thinking”, though it trades in outlandish conspiracy theories and posts content bylined by fake people. Stanford Internet Observatory researchers and investigative journalists have previously noted the presence of content bylined by fake “reporter” personas tied to the GRU-linked front Inside Syria Media Center, posted on Oriental Review.”</i><br><br> In an effort to make the Oriental Reviews stories appear more credible, the threat actors created fake journalists and pretended they wrote the articles on their website (aka “bylined” them).<br><br> In DISARM terms, they fabricated journalists (T0143.002: Fabricated Persona, T0097.003: Journalist Persona), and then used these fabricated journalists to increase perceived legitimacy (T0097.202: News Outlet Persona, T0143.002: Fabricated Persona). |
| [T0144.001 Present Persona across Platforms](../../generated_pages/techniques/T0144.001.md) | IT00000260 <i>“Approximately one-third of the suspended accounts [in the network of inauthentic accounts attributed to Russia] tweeted primarily about Syria, in English, Russian, and Arabic; many accounts tweeted in all three languages. The themes these accounts pushed will be familiar to anyone who has studied Russian overt or covert information operations about Syria: <br> <br>- Praising Russias role in Syria; claiming Russia was killing terrorists in Syria and highlighting Russias humanitarian aid <br>- Criticizing the role of the Turkey and the US in Syria; claiming the US killed civilians in Syria <br>- Criticizing the White Helmets, and claiming that they worked with Westerners to created scenes to make it look like the Syrian government used chemical weapons <br><br> “The two most prominent Syria accounts were @Syria_FreeNews and @PamSpenser. <br><br> “@Syria_FreeNews had 20,505 followers and was created on April 6, 2017. The accounts bio said “Exclusive information about Middle East and Northern Africa countries events. BreaKing news from the scene.””</i><br><br> This behaviour matches T0097.202: News Outlet Persona because the account @Syrira_FreeNews presented itself as a news outlet in its name, bio, and branding, across all websites on which the persona had been established (T0144.001: Persona Presented across Platforms). Twitters technical indicators allowed them to attribute the account “can be reliably tied to Russian state actors”. Because of this we can assert that the persona is entirely fabricated (T0143.002: Fabricated Persona); this is not a legitimate news outlet providing information about Syria, its an asset controlled by Russia publishing narratives beneficial to their agenda. |
DO NOT EDIT ABOVE THIS LINE - PLEASE ADD NOTES BELOW