This week I followed Arabic language Tweets around 9/11 and noticed disinformation around Qatar. A look at this topic shows the use of hacked verified Twitter accounts for coordinated inauthentic activity is still prevalent. #disinfo #OSINT (thread)
Initially I noticed several angry Saudi accounts subtweeting a verified account that had posted a video about Saudi Arabia being behind the attacks. This account appears to be hijacked (and has since changed its handle), so I looked into it further. 
@FernStrategy was a verified account out of Silicon Valley. Look at the timeline it is clear that whoever hacked this account deleted all previous tweets and removed all accounts in the following list.
Using the WayBack Machine and Google, we know this account originally belonged to a Michael Fern. His LinkedIn and Crunchbase profiles also link to this handle. (I’ve reached out to him for comment).
When we look at who FernStrategy is interacting with, we get an idea of their coordinated inauthentic behavior network. The account that they interact with the most is another verified account. We can see them quote tweeting @X24Europe here, along with many retweets.
It is clear @X24Europe is another highjacked, verified account. We see the same scrubbing as FernStrategy. All of the previous tweets from this account have been deleted and all follows have been removed.
Both accounts reply to prominent Saudi and Emirati figures in politics or religion. Often lampooning them.
Ironically, X24 was a research project by San Diego State to see the utility of Twitter for disaster recovery in an ad-hoc manner. #X24Europe is one of the hashtags for this research project (vizcenter.sdsu.edu/exercise-24-eu…)
So, Attribution? Who is behind this? In a previous thread by @marcowenjones taking over verified accounts to spread propaganda has been a tactic by Pro-Saudi hackers. However, account high jacking is not sophisticated hacking, and I have another theory.
https://twitter.com/marcowenjones/status/1260825157939212288?s=09
Without technical selectors and just looking at behavior and content, I believe that these are pro-Qatari hackers. According to a third-party analytics site, the X24Europe account temporarily changed its location to “Doha, Qatar” (it has since been switched back to Switzerland).
Additionally, X24Europe has posted pro-Qatari media/video. I have not seen pro-Iranian, Yemeni or other threat actors do the same and praise Qatar before. They also show Turkish/Qatari solidarity.
It is not surprising that multiple countries within the Gulf and MENA are operating in the disinfo space. This has been well documented by researchers on all sides along with official take down notices from FB. about.fb.com/news/2019/08/c…
I am however surprised that Twitter does not have better controls over verified accounts. Both X24Europe and FernStrategy first tweeted August 24, 2020. The latter lost verification in the past days presumably by changing its handle to @X24video. @X24Europe is still active.
How can we stop this? @verified @policy can enforce 2FA/MFA for Verified accounts by default. This should stop the majority of unsophisticated actors. Tactics always evolve however, and this is just one idea.
Any other thoughts are welcome! I kept the thread short for brevity although there was more noteworthy behavior from these accounts.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
