JUST OUT: Adversarial threat report on brigading, mass reporting and coordinated inauthentic behaviour.

With a deep dive into the Chinese operation that created a fake “Swiss biologist” back in July.

I think of that one as Operation Swiss Rôle.

about.fb.com/news/2021/12/m…
There’s a lot here:

* Expanding Crowdtangle IO archive to more researchers
* First public takedowns of brigading & mass reporting networks
* CIB takedown from Palestine (Hamas)
* Two CIB ops focused on Poland / Belarus migrant crisis (one from Belarus KGB)
* Op Swiss Rôle
First, deep dive: in July, a fake “Swiss biologist” persona on FB and Twitter accused the US of bullying the WHO over COVID origins, and was picked up by Chinese state media with amazing speed.

H/t @mradamtaylor and @BBCTrending for their reports.

washingtonpost.com/world/2021/08/…
Hundreds of coordinated accounts - mostly fake - amplified the persona.

We found links to individuals in mainland China, including employees of Sichuan Silence IT Co, Ltd, and individuals associated with Chinese state infrastructure companies located around the world.
The authentic amplifiers had the same behaviour pattern: sharing distinctive pairs of URLs as text strings without further comment. They did this for months. A few slipped up and posted instructions on how to share and report back.
Interestingly, once you strip out the operation’s amplifiers, the fake persona got nearly zero real engagement. But, it was picked up by Chinese state media in less than a week.
We don’t know exactly how the op coordinated, but we know it was cross-platform. So we’re publishing a list of the link pairs, plus behavioral indicators, to enable further research.

This one’s for all my old friends in the #OSINT world.

about.fb.com/wp-content/upl…
Next up, two ops focused on the Poland/Belarus migrant crisis.

One had high operational security, but we believe it originated in Poland. The other was less high security, and came courtesy of the Belarusian KGB.
Both ops were recent. Both were based on fake personas. Each included negative content about the other’s country.

Given the situation on the ground, we took them both down fast.
Also on the CIB front, an operation run from Gaza that we linked to Hamas. It mostly focused on domestic politics, but had minor focus of Israel and Egypt.

It tried hard to look authentic - fake news outlets, backed by fake personas.
Finally, the first public disruptions of a brigading network and a mass-reporting network.

Brigading: the V_V network in Italy / France
Mass reporting from Vietnam.

Details in the report, and watch the inimitable @jc_stubbs and the @graphika_nyc team for more.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Ben Nimmo

Ben Nimmo Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @benimmo

20 Nov
I appreciate this discussion bc it helps shine a light on the complexity of these problems. Two things to note as we all work to tackle inauthentic behavior & deception. 🧵

1. There’s a big behavioral difference between spammy amplification and complex IO;

2. Platforms traditionally approach each differently for a reason — each represents different behaviours and has different incentive structure.
Boosting shares and likes is a numbers game to make content look more popular than it is. It can be used on political content or fake sunglasses (or both).

Either way, it’s on the simpler end of the spectrum.
@markhansontoo discussed it last year about.fb.com/wp-content/upl…
Read 9 tweets
1 Nov
🚨 JUST OUT: We took down a troll farm in Nicaragua, run by the Nicaraguan government and the FSLN party.
Our team’s research here:
about.fb.com/news/2021/11/o…
Important terminology point: over the years, I’ve seen some confusion over what constitutes a “troll farm”, as opposed to clickbait/content farms.

Here’s how we understand it.
Two things to note on this operation:

1) This was the closest thing to a “whole-of-government” operation we’ve seen.

2) The troll farm lived across the internet: own media websites built on wordpress, blogspot, amplified on FB, IG, TikTok, Twitter, Telegram, YouTube, etc.
Read 8 tweets
10 Aug
JUST OUT: In-depth report on the #Fazze case — a campaign from Russia targeting primarily India and LATAM, and to a lesser extent the US.
It was focused on the Pfizer and AstraZeneca COVID-19 vaccines, but got close to zero traction across the internet.
about.fb.com/news/2021/08/j…
There’s already been reporting on the Pfizer phase, in May (h/t @daniellaufer, @toniodaoust, @FloraCarmichael, @charliehtweets, @arawnsley).

Our investigation uncovered that in December, the same op targeted AstraZeneca.
We attributed this operation to Fazze, a marketing firm primarily operating from Russia.
Read 11 tweets
8 Jul
JUST OUT: Our monthly report on Coordinated Inauthentic Behaviour takedowns - June 2021 edition.

Eight networks, seven countries.

about.fb.com/news/2021/07/j…
Full details in the report, but a couple of thoughts here.

All but one of the networks focused on domestic targets. That’s not unusual: influence operations so often start at home — remember our recent IO Threat Report?
Historically, even some operations that became (in)famous for foreign interference started domestically.

E.g. the early Russian IRA posted critical commentary about Navalny back in 2013, often on LiveJournal (h/t @soshnikoff)

mr-7.ru/articles/90769/
Read 11 tweets
6 May
JUST OUT: 9 takedowns in our April CIB report. Primarily domestic ops:

👉Palestine, linked to Fatah;
👉Azerbaijan, linked to individuals associated with defence ministry;
👉Central African Republic, linked to local NGO;

(More in next tweet...)

about.fb.com/news/2021/05/a…
👉Mexico, 1 network linked to local election campaigns, 1 linked to a local politician and a PR firm;
👉Peru, 1 linked to a local party and an advertising firm, 1 linked to a marketing entity;
👉Ukraine, 1 linked to people associated with the Sluha Narodu party,

And...
👉Ukraine, 1 network linked to individuals and entities sanctioned by the US Treasury — Andrii Derkach, Petro Zhuravel, and Begemot-linked media + political consultants associated with Volodymyr Groysman and Oleg Kulinich.

Deep dive in the report. about.fb.com/news/2021/05/a…
Read 10 tweets
3 Mar
Five takedowns for CIB from the @Facebook investigative team last month.

Thai military, domestic targeting
Iran, targeting Iraq, Israel, Afghanistan, UK
Iran, domestic + regional
Morocco, domestic focus
Russia, targeting the Navalny protests

Link: about.fb.com/news/2021/03/f…
A range of behaviours here. Influence ops take many forms.

Fake a/cs posting to multiple pages to make content look popular
In-depth personas to seed geopolitical content
Large numbers of fakes to spam hashtags and geotags
GAN-generated faces, in bulk, but sloppily done.
First, the Thai Military’s Internal Security Operations Command.

About 180 assets, esp. active in 2020, posting news, current events, pro-military and pro-monarchy content, anti-separatist.

Stock profile pics, some posing as young women.

Found by internal investigation.
Read 8 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

:(