For those of you who know me, Henry was my basset hound, and the fictitious name used during (ahem) special research. I'm a former intelligence officer, a professional analyst, and a blogger since 2004 writing about my experiences on the journey --information security, cyber intelligence, education, thoughts. Some love my writing, others hate it. If you like it, follow me!
Tweeters from a Russian-based troll farm have slipped into
sleep mode after proving how easily the media and public perception can be
manipulated using social media. But analysts at Wapack Labs have been
monitoring the troll farm’s movements on the internet to try and identify the
potential targets of future attacks.
A Russian-based troll farm called the Internet Research
Agency, the focus of a recent New York Times Magazine article by Adrian Chen,
is suspected to be behind three social media attacks in the US in 2014.
According to Chen, troll farms like the Internet Research
Agency employ hundreds of people who sit at desks with computers and flood the
internet with comments designed to sway public opinion and manipulate the
media. The trolls infiltrate chat rooms and trigger conflict between members,
and leave comments on stories posted on the web by newspapers and television
networks. But one of the most effective means of spreading the Internet Research
Agency’s messages is through Twitter.
The trolls at the Internet Research Agency are able to
create hundreds of Twitter accounts and launch coordinated tweeting assaults.
They have shown that they’re able to instill fear in the American people and manipulate
news outlets into reporting false stories with an arsenal of hashtags and some
carefully chosen words.
On September 11, 2014, according to Chen, the Internet
Research Agency hit the Twitter-sphere with news that there had been an
explosion at a Louisiana chemical plant. Tweets and text messages were also
sent to specific members of the media and targeted local and national
politicians. Once news of the explosion hit the general public and media
outlets, the trolls began using carefully crafted videos to give credibility to
tweets. From there the trolls began attempting to elicit fear from the public
by placing blame for the alleged disaster on terrorist groups like ISIS. Though
Columbian Chemicals was able to debunk the explosion hoax within a few hours,
the Internet Research Agency revealed just how powerful they were in
manipulating the media and the American public.
The troll farm continued to poke at the vulnerabilities of
those who rely on social media for information by again using Twitter to spread
a rumor about an outbreak of Ebola in Atlanta, complete with corroborating
videos like those used to validate the tweets about the explosion hoax. That
day, Atlanta was targeted for a second attack. The trolls took the fear
stemming from the phony Ebola outbreak, and mixed it with the racial tension
being felt nationwide as the result of the shooting of an unarmed black man by
police in Ferguson, Missouri. With the community already on edge, the trolls
hit Twitter with reports that an unarmed black woman had been fatally shot by
An analyst for Wapack Labs, who specializes in tracking cyber
criminals in Russia and Ukraine, has been watching the moves of the trolls very
carefully by tracking their online personas and linking them to the websites
and domains they use. The analyst looks for patterns in millions of hashtags
and commonalities in language or messaging within social media. Fluent in
Russian, and a student of geopolitics in Eastern Europe, the analyst is able to
piece together timelines and narratives that reveal the activities of troll
farms and their henchmen.
Following the 2014 tweeting assaults in Louisiana and
Atlanta, the analyst homed in on the perpetrators of the attacks, has been
following their movements ever since, and has traced them back to the Internet
Research Agency. Some of the Twitter accounts, including @DanyRoseee,
@AndrewMonsonn, and @jessebrannan8, “went to sleep” or were deleted immediately
following the September 11, 2014 explosion hoax.
According to Jeffery Stutzman, co-founder and CEO of Wapack
Labs, Twitter accounts go to sleep when they aren’t being used regularly or
were deleted. If they’re unused or deleted beyond a certain amount of time,
another person can assume that name. Thus the sleeping Twitter ID of a soccer
mom from Toledo could be commandeered by a Russian hacker in St. Petersburg and
used to spread misinformation.
One of the Twitter IDs that particularly caught the Wapack
analyst’s attention was @JasonJL100. This user made his first tweet, “Hello Twitter! #myfirstTweet,”
on August 25, 2014. On the day of the reported Louisiana explosion, @JasonJL100
joined the noise on the internet by propagating news about Columbian Chemicals.
On the surface, he was just a local guy sharing breaking news via Twitter. But
something about @JasonJL100 caught the attention of the Wapack analyst, who
continued to monitor him long after the explosion story was debunked. The
analyst watched as the presumed local guy suddenly began communicating on
Twitter in Russian.
@JasonJL100 has been asleep since December 2014, but
@zaplatovaalena, @georgiostr, and @GlebushkaGleb, all Russian tweeters who
converted to English on the day of the explosion and back to Russian tweets
soon after, are still active but have since deleted any references to the
explosions in their Twitter history.
The analyst at Wapack Labs will continue to monitor the
activity of the Internet Research Agency as the troll farm trains its sights on
its next target, whatever it may be.
I'm on a bit of a diversion this year. My goal is to not attend any security conferences during the year. I've blown that of course, but so far, I've attended conferences for insurance, litigation, and yesterday, manufacturing. Why? Well, first, security conferences are becoming just too crowded. There's a boatload of noise out there, and even the best conferences are becoming overrun. Second, I really want to see how other industries are dealing with cyber, and there's not a better way than to sit in on meetings, attend a conference, or smoke a couple'a cigars with someone you've never met before in another industry.
So yesterday I spent two hours in a session with the Research Triangle Park Institute (RTI) in Manchester, NH. They've partnered with NIST's Manufacturing Extension Program (I'm not sure the parallel is correct, but I likened it to the Agriculture's Cooperative Extension Service but for Manufacturing companies). Anyway, RTI partnered with NIST MEP to produce market intelligence for companies who are considering moving into other products, expanding what they currently sell, etc.
Essentially what RTI offered was an analysis framed by Porter's five forces. Porter authored a model that framed five competitive forces that every business should (must?) consider when devising strategy. I'm a believer. I used this model in nearly every job and start-up that I've been involved with in the last 15 years --including (especially) my government position as the Director of the DCISE. RTI offers a simplified view of Porter --something for manufacturers. They work with the company, mind-map the forces, using free software, exchange the mind map with the manufacturers, and in the end, offer a report --how best to build, position, and market this new R&D or technology.
I was a bit taken aback however... do they realize that that newtech that they're researching is probably highly sought after by others? And that the reason the mind mapping software is free is because someone else is reading your stuff? Do they consider that in this new normal, someone will steal that newtech if they're not careful?
So I asked the question (you knew I would!) "Do you consider who will want to steal that technology?" "How do you protect it during R&D?" "How long can you hold that market if the tech gets stolen during early stage strategy development?" I've written hundreds of pieces over the years. Many describe stolen R&D. Manufacturing companies aren't the target because they make cool stuff, they're targeted for efficiencies, processes, and industrial engineering techniques. Wouldn't it be nice if it could be stolen during development of those processes?
OK NIST, if you're going to send an FFRDC out to see small and medium sized manufacturing companies, eat your own dogfood and talk to them about protecting their IP. RTI is your FFRDC. Check their messaging before sending them into the field.