Ben Nimmo
Writer, linguist, diver. Global IO Threat Intel Lead @Meta. Investigating, analysing and exposing influence ops. RT ≠ endorsement.
Apr 7 15 tweets 7 min read
🚨JUST OUT🚨
Quarterly threat report from @Meta’s investigative teams.
Much to dig into:
State & non-state actors targeting Ukraine;
Cyber espionage from Iran and Azerbaijan;
Influence ops in Brazil and Costa Rica;
Spammy activity in the Philippines...
about.fb.com/news/2022/04/m…

I’ll focus this thread on Ukraine. For more on the rest, see the great @ngleicher and @DavidAgranovich.
Feb 28 6 tweets 2 min read
🚨 TAKEDOWN 🚨
This weekend, we took down a relatively small influence operation that had targeted Ukraine across multiple social media platforms and websites. It was run by people in Russia and Ukraine: about.fb.com/news/2022/02/s…

It consisted of approx 40 accounts, Groups and Pages on FB and IG, plus on Twitter, YouTube, VK, OK, Telegram.

It mainly posted links to long-form articles on its websites, without much luck making them engaging. It got very few reactions, and under 4k followers.
Feb 27 10 tweets 6 min read
Personal 🧵 based on years of OSINT research into influence operations since 2014.

Looking at the Russian official messaging on “de-nazification” and “genocide”, it’s worth putting them in context of the many different Russian IO that targeted Ukraine over the years. Way back in 2014, Russian military intel ran a series of fake “hacktivist” personas that targeted Ukraine. Note the “Nazi” theme.

Screenshots from @Graphika_NYC research, based on Facebook takedown.
about.fb.com/news/2020/09/r…
public-assets.graphika.com/reports/graphi…
Jan 20 11 tweets 3 min read
JUST OUT: Report on coordinated inauthentic behaviour takedowns in December, and a look back over the past year & more.

Interesting: 2/3 of all ops we removed since 2017 were wholly or partially focused on domestic audiences.

about.fb.com/news/2022/01/d…

We took down three operations last month:

* Iran, targeting the UK, focusing on Scottish independence;
* Mexico, a PR firm targeting audiences across LATAM;
* Turkey, targeting Libya, and linked to the Libyan Justice and Construction Party (affiliated w/Muslim Brotherhood).
Dec 1, 2021 11 tweets 4 min read
JUST OUT: Adversarial threat report on brigading, mass reporting and coordinated inauthentic behaviour.

With a deep dive into the Chinese operation that created a fake “Swiss biologist” back in July.

I think of that one as Operation Swiss Rôle.

about.fb.com/news/2021/12/m…

There’s a lot here:

* Expanding Crowdtangle IO archive to more researchers
* First public takedowns of brigading & mass reporting networks
* CIB takedown from Palestine (Hamas)
* Two CIB ops focused on Poland / Belarus migrant crisis (one from Belarus KGB)
* Op Swiss Rôle
Nov 20, 2021 9 tweets 3 min read
I appreciate this discussion bc it helps shine a light on the complexity of these problems. Two things to note as we all work to tackle inauthentic behavior & deception. 🧵

1. There’s a big behavioral difference between spammy amplification and complex IO;

2. Platforms traditionally approach each differently for a reason — each represents different behaviours and has different incentive structure.
Nov 1, 2021 8 tweets 2 min read
🚨 JUST OUT: We took down a troll farm in Nicaragua, run by the Nicaraguan government and the FSLN party.
Our team’s research here:
about.fb.com/news/2021/11/o…

Important terminology point: over the years, I’ve seen some confusion over what constitutes a “troll farm”, as opposed to clickbait/content farms.

Here’s how we understand it.
Aug 10, 2021 11 tweets 5 min read
JUST OUT: In-depth report on the #Fazze case — a campaign from Russia targeting primarily India and LATAM, and to a lesser extent the US.
It was focused on the Pfizer and AstraZeneca COVID-19 vaccines, but got close to zero traction across the internet.
about.fb.com/news/2021/08/j…

There’s already been reporting on the Pfizer phase, in May (h/t @daniellaufer, @toniodaoust, @FloraCarmichael, @charliehtweets, @arawnsley).

Our investigation uncovered that in December, the same op targeted AstraZeneca.
Jul 8, 2021 11 tweets 3 min read
JUST OUT: Our monthly report on Coordinated Inauthentic Behaviour takedowns - June 2021 edition.

Eight networks, seven countries.

about.fb.com/news/2021/07/j…

Full details in the report, but a couple of thoughts here.

All but one of the networks focused on domestic targets. That’s not unusual: influence operations so often start at home — remember our recent IO Threat Report?
May 6, 2021 10 tweets 3 min read
JUST OUT: 9 takedowns in our April CIB report. Primarily domestic ops:

👉Palestine, linked to Fatah;
👉Azerbaijan, linked to individuals associated with defence ministry;
👉Central African Republic, linked to local NGO;

(More in next tweet...)

about.fb.com/news/2021/05/a…

👉Mexico, 1 network linked to local election campaigns, 1 linked to a local politician and a PR firm;
👉Peru, 1 linked to a local party and an advertising firm, 1 linked to a marketing entity;
👉Ukraine, 1 linked to people associated with the Sluha Narodu party,

And...
Mar 3, 2021 8 tweets 3 min read
Five takedowns for CIB from the @Facebook investigative team last month.

Thai military, domestic targeting
Iran, targeting Iraq, Israel, Afghanistan, UK
Iran, domestic + regional
Morocco, domestic focus
Russia, targeting the Navalny protests

Link: about.fb.com/news/2021/03/f…

A range of behaviours here. Influence ops take many forms.

Fake a/cs posting to multiple pages to make content look popular
In-depth personas to seed geopolitical content
Large numbers of fakes to spam hashtags and geotags
GAN-generated faces, in bulk, but sloppily done.
Feb 5, 2021 13 tweets 5 min read
Some personal news: today’s my last day at @Graphika_NYC.

My team did amazing investigative work and research into influence ops from Russia, Iran, China and many other places.

We’ve broken new ground, and I couldn’t be more proud of the team @camillefrancois and I built. Next week, I’m starting at Facebook, where I’ll be helping to lead global threat intelligence strategy against influence operations.

I’m very excited to join one of the best IO teams in the world to study, catch and get ahead of the known players and emerging threats.
Feb 4, 2021 30 tweets 11 min read
JUST OUT: Update on pro-China op Spamouflage Dragon.

Still spammy, but prolific and persistent, and getting some traction for the first time.

Over 1,400 videos in the last year.

Including geopolitical rivalry with the US.

@Graphika_NYC report: graphika.com/reports/spamou…

Spamou works on YouTube, Twitter, Facebook.

Mainly videos in Mandarin, Cantonese, or Mandarin + English.

Low quality, high volume, on:

Guo Wengui (from 2018)
Hong Kong protests (2019)
Chinese achievements (Feb 2020)
US crises (early 2020)
US-China rivalry (mid-2020)
Feb 4, 2021 5 tweets 3 min read
Well this is big.

UK telecoms regulator @Ofcom just revoked the licence of Chinese state broadcaster CGTN to broadcast in the UK, arguing the licence is held by an entity which doesn't have editorial control, in breach of UK rules.

ofcom.org.uk/about-ofcom/la…

Important to underline this is not about content.

Ofcom found that the company which held the CGTN licence, Star China Media, didn't have editorial control.

CGTN offered to transfer to a different entity, but it's ultimately controlled by the CCP, and therefore disqualified.
Jan 29, 2021 7 tweets 3 min read
And this, just out from @MsHannahMurphy and @SVR13: questions about the hundreds of thousands of followers that the same Huawei Western Europe execs have.

ft.com/content/0411bc…

I'll leave it to others to analyse the 800k+ accounts involved in these followings, but one anecdotal sidelight on the fake network of accounts that attacked Belgium: some of its other amplification came from glambots from a network that also boosted Huawei Europe.
Jan 29, 2021 23 tweets 12 min read
Great report by @satariano on a fake network that @Graphika_NYC (and others) found in December.

Twitter accounts with GAN faces, boosting Huawei, boosted by Huawei execs, and attacking Belgium's 5G policies.

Not enough evidence to prove who ran them.

nytimes.com/2021/01/29/tec…

We found this network when it was boosted by Spamouflage, a pro-China operation.

Independently, @mvanhulten of @TI_EU and @ArbiterOfTweets of @Knack found it with different methods.

It's not a friendly environment for fake campaigns, folks.

graphika.com/reports/fake-c…
Jan 23, 2021 11 tweets 5 min read
One sidelight on the Russian protests today: #Navalny is probably the single most consistent target of Russian disinfo and influence operations.

He's been a target for at least 8 years, by ops including the Internet Research Agency, Secondary Infektion, and the Kremlin. Way back in September 2013, @Soshnikoff investigated the then newly founded Internet Research Agency, and reported that it had been trolling Navalny when he ran for Mayor of Moscow.

mr-7.ru/articles/90769/
Jan 23, 2021 9 tweets 6 min read
Question for the #OSINT community: can anyone else find TikTok videos about protests for Navalny that become unavailable if you watch via a Russian server?

I’ve got 8 so far on #свободунавальному and #23января2021.

Nearly 2 million likes between them.

#DigitalSherlocks

Background: the Russian telecoms authority, Roskomnadzor, said it’s got platforms to take down calls for minors to join the protests.

facebook.com/roskomnadzor.o…
Jan 12, 2021 11 tweets 5 min read
Just out: @Facebook's latest update on influence op (IO) takedowns. Fourteen new ones in this report, from nine countries. @Graphika_NYC did a write-up on one of them, from separatist-held Ukraine.

Never a dull week on the IO front...

about.fb.com/news/2021/01/d…

Here's the Graphika report.

A cluster of inauthentic assets on FB, boosting a network of fake websites focused on Europe and the former USSR: pro-Kremlin, anti-Ukraine, anti-Navalny, anti-EU.

Also, interestingly, anti-China in Central Asia.

graphika.com/reports/echoes…
Dec 17, 2020 9 tweets 5 min read
Fun read here from @conspirator0 on a botnet that uses clips from Dracula, for that authentic "I'm a human so I write text" look.

Presumably designed to fool algorithms, as it wouldn't fool a human.

At @Graphika_NYC, we call it "Dracula's botnet".

graphika.com/posts/draculas…

We came across part of this botnet in the summer, when it was boosting the pro-Chinese network "Spamouflage."

This, from @conspirator0, is a typical profile. Note the broken sentence and word in the bio. No human typed that... at least not on that Twitter account.
Dec 15, 2020 23 tweets 9 min read
BREAKING: @Facebook just took down two foreign influence ops that it discovered going head to head in the Central African Republic, as well as targeting other countries.

More-troll Kombat, you might say.

Report by @Graphika_NYC and @stanfordio: graphika.com/reports/more-t…

There have been other times when multiple foreign ops have targeted the same country.

But this is the first time we’ve had the chance to watch two foreign operations focused on the same country target *each other*.