CyberWire Daily - Information operations during a war. [Research Saturday]
Episode Date: July 9, 2022
Alden Wahlstrom, senior analyst on Mandiant's Information Operations Team, shares a comprehensive overview and analysis of the various information operations activities they've seen while responding to the Russian invasion. While the full extent of the Russia-Ukraine war has yet to come to light, more than two months after the start of the invasion, Mandiant has identified activity that they believed to be information operations campaigns conducted by actors possibly in support of the political interests of nation-states such as Russia, Belarus, China, and Iran. The research shares a chart with all of the known information operations events that have taken place so far dating back to January of 2022. It also states that following the beginning of the Russian attack they have seen concerning signs, including "incidents involving the deployment of wiper malware disguised as ransomware." The research can be found here: The IO Offensive: Information Operations Surrounding the Russian Invasion of Ukraine
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
tracking down the threats and vulnerabilities,
solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
We have been working sort of full steam responding and tracking information operations surrounding
the Russian invasion of Ukraine.
So part of the reason we wanted to put something out,
capturing some of our work,
is just to take a moment to reflect on what we've seen,
see if we can gain some ground truth,
while also understanding that things are still very much in motion.
That's Alden Wahlstrom.
He's a senior analyst on Mandiant's information operations team.
The research we're discussing today is titled
The I.O. Offensive – Information Operations Surrounding the Russian Invasion of Ukraine.
And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs,
yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks
and a $75 million record payout in 2024.
These traditional security tools expand your attack surface with public-facing IPs
that are exploited by bad actors more easily than ever with AI tools. It's time to rethink
your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making
apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network,
continuously verifying every request based on identity and context,
simplifying security management with AI-powered automation,
and detecting threats using AI to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.
Well, let's go through it together.
I mean, can you walk us through what are some of the key things here that caught the eye of you and your colleagues?
As we've been monitoring I.O. surrounding the Russian invasion, one thing that we would note is that what we've observed is probably best described as a proliferation of information operations activity involving a
full spectrum of actors that have leveraged a range of TTPs. Operations that we've observed,
we've been able to capture some that we assess to be operating in support of the political interests
of Russia, Belarus, China, and Iran, some of which we have also been able to attribute to
actors and campaigns that we've been tracking for years.
A couple of general notes about what we've been seeing.
First is that in instances where we have been able to attribute an operation to a known activity set,
these operations have largely tracked with an actor or campaign's established motives
as observed through their longer activity history
extending before this conflict. And second is that though the range of TTPs that we've observed
employed is notable, on an individual level, the actual TTPs have largely met expectations,
meaning that we've either seen them generally employed in different
operations over the years, or we have specifically seen them in operations that have previously
targeted Ukraine. Can we take a little step back and just for the folks in our audience who might
be unclear, how exactly do you at Mandiant define information operations themselves?
Influence activity has a spectrum.
And there's an overt side, which can even include things like, say, state-backed media,
where media is used to promote narratives that are aligned with the state's interests.
But there's also a covert side of that spectrum, which is more along the side that we focus on. And that is information operations,
which we would define our focus as tracking activity that is a politically motivated effort
to manipulate the information environment using deceptive tactics or coordinated and inauthentic
online assets. And specifically, as an information
operations team at Mandiant, we have an emphasis on cyber-enabled information operations,
which means these are information operations that additionally leverage tactics associated
with more traditional cyber threat activity, which allows us to take advantage of the visibility that we
can gain through working with our colleagues at Mandiant who work on other more traditional
cyber threat activity. So the research that you all have published here breaks the activity down
into a number of different categories. Can we go through those and have you describe some of the
things that you all are tracking? So I think a good place to start is the Russia-aligned activity,
which for that, operations that we've observed from Russia-aligned activity sets
have employed the greatest range of TTPs.
They have targeted audiences in Ukraine and Western countries and Russian domestic audiences as well,
with narratives that appear intended either to demoralize the Ukrainian population, to divide Ukraine from its allies and partners, or to bolster perceptions of Russia and its actions.
So I think a good place to start in that is operations that have targeted Ukraine specifically,
which has been the outsized proportion of that activity.
We have seen, for example, campaigns that we've been tracking for years,
such as the secondary infection campaign, promote various narratives around the conflict.
One example is an operation that we observed earlier this year in which the promoted narrative claimed that President Zelensky had committed suicide in a bunker
hiding out during a military operation. That particular operation is a limited run in terms
of narrative promotion, and we've seen other narratives promoted by secondary infection, but it's just one of many actors that we've been observing. So
another example of activity that we've seen is what we would assess to be a coordinated network
of pro-Russian telegram accounts that have targeted the Ukrainian population.
Something interesting about them from the top
is that the Ukrainian government has assessed them
to be information operations assets
run by Russian military intelligence, so the GRU.
And we cannot independently confirm that attribution,
but it's certainly interesting
when looking at their timeline of activity.
These accounts have been promoting narratives related to regional and national issues in Ukraine for a number of years. And as soon as the invasion happened, they almost immediately refocused to promote narratives related to the Russian invasion.
And the way in which they do this is sort of
interesting. So it is distinctly pro-Russian in what they're saying, but in a bit of a more
nuanced manner. So instead of actively promoting the arrival of Russian troops per se, they work
a little bit more sneakily in what they do. And they say things like, do you really have confidence in the
government's response to the Russian invasion? Look how they're mishandling it or highlighting
allegations of corruption in government activity surrounding their response to the Russian invasion. So it's a bit more focused on perhaps attempting to undercut citizens' confidence in the government,
but it still is working in Russian interests.
Yeah, that's fascinating, kind of sowing those seeds of doubt.
Yeah, and that's a key possible motive of some of the operations we've been seeing,
which is really just expanding fear and uncertainty, exploiting that amongst the population. And another good example of that is
we've had multiple instances, multiple operations where fake messages of Ukraine's
capitulation to Russia have been promoted. Now, that's something that is pretty easily
disprovable, right? If one has access to the news or is able to check in on what's been going on.
But these have included defacements of government, regional and local websites,
as well as a defacement of a Ukrainian news organization. So the fact that these messages are being displayed or promoted,
even if it is mitigated quickly,
on what would otherwise be considered verified sources of information
is definitely something to be concerned about
when you talk about spreading fear or uncertainty.
You know, I think it's fair to say Russia has a limited number of allies
in this invasion of Ukraine, but the Belarusians seem to have their back.
And that's something that you all have tracked here.
What sort of things are you seeing from them?
So we have tracked for a number of years the Ghostwriter information operations campaign, which we attribute at least partially to Belarus.
And we have observed some activity from the campaign related to the Russian invasion. So
at the end of April, we identified an operation that was promoting the narrative that there was a
criminal ring in Poland that was dealing in the illegal trade of human organs and targeting Ukrainian
refugees in that. It's a sort of a pernicious narrative that you can see rather quickly why
it would be concerning, right? It both has the potential to undermine the confidence of Ukrainians
who are fleeing to Poland and their trust in the Polish government, and also potentially to
raise tensions between Poland and Ukraine, which Ukraine is obviously monitoring that situation as well of where
Ukrainian citizens have fled to. But fortunately, it seems to have been engaged rather quickly.
And I mean, in terms of an operation, it exhibited classic tendencies of ghostwriter operations. So they tend to try to
piggyback on recent news events or discussions in the way that they build their narratives. And
a real discussion that has been playing out in the media is concerns about the safety of
refugees and possible human trafficking. So it's possible this disinformation narrative
promoted by the campaign was an attempt to piggyback on that real and important discussion.
One of the other elements that you all highlight here is information that may be coming from Iran
and pro-Iranian information, you know, dealing with some of the players in the Middle East.
What are you seeing there?
We've observed a number of operations that we've assessed to be in Iran's interest,
including some linked to campaigns that we have tracked, such as the Liberty Front Press,
and one that we've dubbed Roaming Mayfly.
And something interesting about this is that it appears to be
a somewhat opportunistic leveraging of the Ukraine invasion narrative. So they are taking
the narrative and spinning it in a way that sort of continues to pursue established Iranian
interests or specific interests of the campaign. One example is, say, a narrative that highlights or alleges that the West has ignored suffering in Arab countries and conflicts that have played out in Arab countries for, say, for example, Yemen, and suddenly has given significant attention to the situation in Ukraine. So there's a bit of an implied statement
of maybe discrimination or racism
on the side of the West,
but also a narrative like that
allows these operations to target
classic targets of pro-Iran information operations.
They take a shot at the West
with a mention of something like a conflict in Yemen.
They're also able to take aim at Saudi Arabia as well. So it sort of appropriates the narratives that we've been seeing
and then just applies it for their established uses. To what degree are these sorts of information
operations efforts a standard part of war? In this case, Russia invading Ukraine.
Is it happening in the other direction?
Is Ukraine using their own information operations in the other direction?
I think certainly, I mean, psychological operations and various iterations of that
are definitely a standard component of war.
We haven't tracked necessarily information operations targeted in the other direction just based on what we've been observing.
But one example is that we have seen hacktivist activity sort of going in both directions,
claims of hacktivist activity targeting Russia
and likewise hacktivist activity targeting Ukraine.
So there does seem to at least be a duality in the information operations activity,
whether or not it can be attributed to a specific source or actual hacktivist groups.
What are the take-homes for you and your colleagues on this report?
I mean, it seems as though, you know, with the internet, with the cyber age, that we're in a different type of warfare than perhaps we were in the past.
that one could expect in terms of activity that you would imagine happening
related to information operations in a conflict.
You have parties to the conflict, such as Russia,
that are conducting operations that appear intended to influence events on the ground
and bolster their own actions.
And then also you have the attractive nature of an important global event itself
to bring in third-party actors
to promote their own interests. So this certainly seems as though it is at least a demonstration of
what we can come to expect in future, even if to a certain extent it has met some expectations for
what we would have thought would happen. Our thanks to Alden Wahlstrom from Mandiant for joining us. The research is titled
The I.O. Offensive, Information Operations Surrounding the Russian Invasion of Ukraine.
We'll have a link in the show notes.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Rachel Gelfand,
Liz Ervin, Elliot Peltzman, Trey Hester, Brandon Karpf,
Eliana White, Puru Prakash, Justin Sabey. Thanks for listening. We'll see you back here next week.