June 12, 2015 • Matt Kodama
Reporting by Adrian Chen in The New York Times Magazine has shone a fascinating light on “information operations” conducted on the open Web. In Usenet days we called it “trolling.” Flash forward thirty years and politically motivated trolling is a full-time day job.
The impetus for Adrian Chen’s investigation is a specific hoax, perpetrated on September 11, 2014. The hoax described a man-made disaster in St. Mary Parish, Louisiana, that never occurred and had no connection to ISIS. Chen’s investigation has linked this hoax to a group called the Internet Research Agency. Max Seddon has also reported on the politically motivated activities of this group related to events in Ukraine and Ferguson.
Here’s how reporting of the hoax appears in Recorded Future:
This timeline shows September 11 and 12, 2014 in GMT, which covers the daylight hours in US Eastern time. During this period, Recorded Future’s real-time threat intelligence analysis captured nearly five thousand reported events related to #ColumbianChemicals, from nearly a thousand distinct authors.
At a cursory glance, this looks like a bona fide disaster report. Later investigations of #ColumbianChemicals and the Internet Research Agency have confirmed that this was a hoax, executed with hard work through online channels – what intel professionals refer to as an information operation.
From Recorded Future’s perspective – structuring Web intelligence information for threat intelligence – these intriguing investigations raise some questions: Can we apply automation to make this work more efficient? Does forensic analysis of the Web intel data from this incident reveal patterns that can rapidly characterize future incidents as “more likely to be legit” or “more likely to be a hoax,” as a springboard for conclusive review by an analyst? We identify and assess three candidate patterns.
If this incident were legit, we’d expect to see a few voices that are significantly louder than all the rest. These could be a few people who were extremely upset about the incident, or a few people who were somewhat upset but are especially active online. That’s what normal looks like.
But in this case, we don’t see this pattern. Instead we see suspiciously smooth patterns in the data. It doesn’t look lumpy like real data – it looks overly produced.
Here is a contrasting example of a normal reporting pattern. When the #Sandworm vulnerability was first disclosed online in October 2014, Recorded Future collected nearly 1,400 reported events from nearly 1,200 different authors. Almost all of those authors tweeted once then moved on with their day.
The tiny bumps in the curve above to the right of “four reports per author” are the top eight authors. They collectively drove about 5% of the entire conversation. When we understand that @securityaffairs, @timwoodsdesign, @symantec, @PhysicalDrive0, @argevise, @jamestaliento, @patchguard, and @bartblaze are the “vocal minority” on this topic, we can immediately have higher confidence that this is no hoax.
Should this pattern be durably useful? Yes. It’s vexingly hard to rapidly engineer realistic data. Ask any engineer who has QA’ed with “test lab data” and then been appalled by results in the wild. “Social” engineering is no different.
And let’s suppose that a hoax perpetrator creates the perfect illusion of realism. This perversely helps incident investigators by shortlisting a few critical false personas that will more rapidly reveal the hoax. Investing in those tactics gives the hoax perpetrator diminishing or even negative returns.
The vast majority of the posts on this hashtag are clearly directed at specific Twitter profiles. Here is a representative example:
There are three odd characteristics of this communication pattern.
First, this online discussion doesn’t converge on any individual or group as the target audience. Natural candidates include people who must deal with the incident or the people who should be held responsible. But in this discussion there are no significant “hotspots” among the audience targets.
The posts are broadly directed at 267 different profiles. It’s like the people behind these personas fanned out to lightly touch as many people as possible instead of cooperating to get the attention on a few key audiences.
The second oddity is the appropriateness of the audience targets to the reported event. The top audience targets are Brenda Buttner (Fox News business correspondent) and Ron Paul (former congressman and US presidential candidate) and the rest of the top tier are similarly only tenuously appropriate to a terrorist attack in Louisiana.
The audience targets are national political persons and organizations, both partisan and nonpartisan. This is surprising and inappropriate because the purported event is a terrorist attack (not a purely political event) in a location that is normally covered by regional media rather than national media.
The third oddity is an absence: Some expected communication is missing. There is no tweet aimed at local St. Mary Parish authorities like @StMarySO. Louisiana governor @BobbyJindal also doesn’t get a tweet, despite the heavy bipartisan political focus. Or maybe this is not bizarre at all – alerting the directly responsible authorities is a great way to smoke out a hoax!
This second characterization pattern will also be durable. A legit organic discussion should converge on some audience targets and exhibit outliers. These audience targets will be appropriate to the incident, at least from the perspective of the vocal minority. But for a hoax perpetrator, focusing attention on specific audience targets is counterproductive. This attention raises the stakes for that target, and thus increases the odds that the target will look carefully enough to see through the hoax. The perpetrator will likely avoid these actions and accept the cost of exposing a clearly atypical communication pattern.
This third and last pattern involves changes in the data temporally, comparing a baseline observed before the incident starts to data at the observation time. It therefore depends on access to a system that can provide that historic data.
Normally we expect that when a person posts something really hot on social media, it attracts the interest of new followers. (You might say that’s the whole point of social media.) But we don’t see that pattern here.
This looks more legit at a first glance – that one person picked up 145 new followers! But on closer inspection of that profile the hoax is immediately laid bare. This one profile with massive growth is tweeting the same content about the incident, does not have a significantly larger existing audience before the incident starts, and is not posting to larger or more active target channels. This profile looks much the same as the rest, so its increased audience size is just a further anomaly, not evidence of authenticity.
For the first two patterns, we proposed that abnormal communication patterns will be durable indicators of likely hoaxes, because manufacturing the expected pattern is counterproductive for the hoax perpetrator in the bigger operational picture. Closer inspection of this third pattern directly illustrates the point. Absent any explanation for why this profile should get a dramatically stronger audience response, we’re left only with an alternate hypothesis: This was an already-existing socially engineered persona, which was added to the hoax team’s toolset for this information operation, and so the team promptly “made friends” with their other avatars. Under this hypothesis, a capture of these 145 new followers makes a great jumpstart for a deeper investigation of the perpetrator’s methods.
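As an added example (not code from the original post or from Recorded Future), the following Python computes the three indicators discussed above over a constructed sample of posts and follower counts: the reports-per-author distribution and top-author share, the spread of audience targets and the absence check for expected responders, and follower-growth outliers. The function names, the sample data and the outlier threshold are all assumptions.

```python
from collections import Counter
from statistics import median

# Constructed sample, not data from the post: each post is (author, [mentioned handles]).
# HOAX_LIKE: every persona posts the same number of times and fans out to unique targets.
HOAX_LIKE = [
    ("p1", ["@a1", "@a2"]), ("p1", ["@a3"]),
    ("p2", ["@a4", "@a5"]), ("p2", ["@a6"]),
    ("p3", ["@a7", "@a8"]), ("p3", ["@a9"]),
    ("p4", ["@a10", "@a11"]), ("p4", ["@a12"]),
]
# ORGANIC_LIKE: one loud account, many one-off posters, mentions converge on responders.
ORGANIC_LIKE = [
    ("news", ["@sheriff"]), ("news", ["@sheriff", "@gov"]), ("news", ["@gov"]), ("news", []),
    ("u1", ["@sheriff"]), ("u2", []), ("u3", ["@sheriff"]), ("u4", ["@gov"]),
]
# Constructed follower counts per persona before and after the incident window.
BEFORE = {"p1": 50, "p2": 48, "p3": 52, "p4": 49}
AFTER = {"p1": 52, "p2": 193, "p3": 53, "p4": 50}


def reports_per_author(posts):
    """Pattern 1: {reports: number of authors}; organic data is lumpy, hoaxes are smooth."""
    return dict(Counter(Counter(a for a, _ in posts).values()))

def top_author_share(posts, n=1):
    """Pattern 1: fraction of all reports produced by the n loudest authors."""
    counts = Counter(a for a, _ in posts)
    return sum(c for _, c in counts.most_common(n)) / len(posts)

def audience_spread(posts):
    """Pattern 2: (distinct handles mentioned, share of mentions to the top handle)."""
    mentions = Counter(h for _, hs in posts for h in hs)
    total = sum(mentions.values())
    if total == 0:
        return (0, 0.0)  # nobody was addressed at all
    return (len(mentions), mentions.most_common(1)[0][1] / total)

def missing_expected_targets(posts, expected):
    """Pattern 2, the absence check: expected responders that nobody addressed."""
    mentioned = {h for _, hs in posts for h in hs}
    return sorted(set(expected) - mentioned)

def follower_growth_outliers(before, after, factor=3.0):
    """Pattern 3: authors whose follower gain exceeds factor x the median gain."""
    gain = {a: after[a] - before[a] for a in before}
    cutoff = factor * max(median(gain.values()), 1)
    return sorted(a for a, g in gain.items() if g > cutoff)
```

On real collections the same functions run over the full author and mention tables; the point is that a flat histogram, a wide low-share audience spread with missing responders, and a lone follower-growth outlier are each cheap to compute before an analyst reads a single post.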
Through this deep dive into the #ColumbianChemicals hoax, we have identified three expected patterns in online event reporting that distinguish legitimate incidents from hoaxes.
All three pattern assessments can be assisted using automation. The analysis in this blog post was conducted using the Recorded Future dataset of online event reporting. The baseline collection and processing (annotation) of this public event reporting provided the bulk of the time savings. The three patterns can be evaluated in the Recorded Future Web application. For this analysis, we used the Recorded Future API to provide more quantitative detail.
Are analytic assessments like these part of your threat intelligence work? Please contact us to learn how Recorded Future can aid you in making faster, more accurate assessments.