Discover multinational #InfluenceOperations at work. See how #Iran and #Venezuela can use state-sponsored media outlets, social media influencers, proxies, surrogates, and political activists in the #AlexSaab influence campaign. Read full report: bit.ly/3EPYPhv 1/8
Insikt Group® identifies four phases of a multiyear influence campaign centered around indicted Alex Saab, the alleged financier and special agent to Iran for the Nicolás #Maduro regime. The Alex Saab timeline shows significant events from indictment to postponed trial. 2/8
Saab, an alleged conduit of Hezbollah operations extending into Latin America, is a Colombian and Venezuelan businessman wanted by Colombian law enforcement since 2018. Maduro appointed him a special envoy to Iran after a corruption designation (by OFAC). 3/8
Initial misinformation campaigns likely began in Nigeria and were amplified with #astroturfing by a firm in Ghana. Venezuela then hosted a concert to support Saab that provided psychological action by social media users and traditional media, pushing the disinformation narrative. 4/8
On August 16, 2021, Iranian Foreign Ministry Spokesman Saeed Khatibzadeh denounced the US extradition of Saab. The following day, Venezuela’s teleSUR published a disinformation article titled “Venezuelan Diplomat Alex Saab Is a Prisoner of War, Iran Says”. 5/8
The misinformation narrative propagated through proxies, surrogates, and political activists with the central nodes for analyses pictured in this map of Iranian and Venezuelan media organizations involved in the Saab #disinformation narrative. 6/8
Influence efforts expand beyond the Saab influence campaign. We identified 4 identical disinformation articles authored by Pablo Jofre Leal, published by Al Mayadeen, SANA, hispanTV, and SegundoPaso on “Washington and its destructive obsession with Venezuela”. 7/8
The Saab disinformation campaign will likely continue with the purpose of pressuring the US to negotiate an exchange for Saab, as well as amplifying anti-US messaging to Latin American audiences. Read the report that details the four phases: bit.ly/3EPYPhv 8/8
In H1 2024, threat actors refined their tactics and introduced new techniques to evade detection and disrupt defenses. Zero-day exploits & sophisticated malware dominated the landscape. Here's what we observed 👇
Newly disclosed vulnerabilities in Ivanti, PAN-OS, and Windows SmartScreen were heavily exploited, even after patches were released. The availability of proof-of-concept (PoC) exploit code fueled persistent targeting.
Infostealers like LummaC2 led the malware landscape, while ransomware strains such as Fog & RansomHub introduced passwords to validate payload execution, hindering detection.
In peace and war, China’s #cyber activities alter its target’s actions with threats to punish unwanted behaviors and apply pressure to coerce. Insikt Group® analyzes the 2 elements of #weishe theory in its application against Taiwan and more. 1/5 Read: bit.ly/3VjLQd1
In weishe, coercion comprises two distinct theories of action to change the behavior of a target: #Deterrence and #Compellence. Deterrence uses the threat of punishment to prevent undesirable actions, and compellence wields punishment to motivate desirable behavior. 2/5
An instance of cyber coercion might be the #defacement attack on public TV screens in #Taiwan in response to the Taiwan visit of the US Speaker of the House of Representatives Nancy Pelosi in August 2022. 3/5
The #Russophobia theme emerged in a #RussiaTimes interview with #DmitryBabich and in June 2022 with FSB-directed #Southfront. This appeal to ethnic Russians could drive tension between them and US govt, possibly motivating a hack-and-leak or hack-and-fake #OctoberSurprise. 2/7
Russian state-controlled media are diversifying existing infrastructure through registration of alternative website domains – website “mirrors” – and are increasingly using country code Top Level Domains within existing infrastructure. Chart shows mirror mentions for #Sputnik 3/7
Recorded Future analysts monitor targeting of ethnic and religious minorities by Chinese state-sponsored groups. In the first half of 2022, #TA413 exploited zero-days #Follina and CVE-2022-1040 with new custom backdoor #LOWZERO in Tibetan targeting. 1/9 bit.ly/3LwzoDf
#MalDoc lures, in Tibetan language, pose as applications for compensation, contest... This one sent from tibet[.]bet was weaponized with #RoyalRoad SHA 028e07fa88736f405d24f0d465bc789c3bcbbc9278effb3b1b73653847e86cf8, drops #LOWZERO and contacts hardcoded C2 45.77.19[.]75. 2/9
Sent from the same domain, this lure has #phishing email links to tibet-gov.web[.]app posing as the Tibetan government-in-exile. Sent in 2 waves, the 1st email links to a .docx attachment hosted on Google Firebase which attempts #Follina via the ms-msdt MSProtocol URI scheme. 3/9