Disinformation for Sale

October 1, 2019 • Monica Todros

Disinformation campaigns are in the news. Starting with the 2016 U.S. election cycle, continuing in 2018, and now looking ahead to 2020, the threat of online influence operations from foreign adversaries has been top of mind — but there’s a different kind of disinformation for sale on the dark web.

Researchers from Recorded Future’s Insikt Group engaged with two threat actors selling their wares on Russian-speaking underground forums. They discovered that disinformation campaigns are readily available, not terribly expensive, and potentially highly effective.

Roman Sannikov is director of analyst services at Recorded Future, and he shares what they found.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 127 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.

Disinformation campaigns are in the news. Starting with the 2016 U.S. election cycle, continuing in 2018, and now looking ahead to 2020, the threat of online influence operations from foreign adversaries has been top of mind — but there’s a different kind of disinformation for sale on the dark web.

Researchers from Recorded Future’s Insikt Group engaged with two threat actors selling their wares on Russian-speaking underground forums. They discovered that disinformation campaigns are readily available, not terribly expensive, and potentially highly effective.

Roman Sannikov is director of analyst services at Recorded Future and he shares what they found. Stay with us.

Roman Sannikov:

This is a topic that we’ve been investigating for some time, but as you can imagine after things that have come to light from 2014, 2016 on a lot of the focus on disinformation and influence operations have been primarily on the public sector, which is certainly warranted. That’s very important to make sure that elections and referendums and things like that are conducted without external influence. But I think that, or we as a company felt that there was not enough focus on the dangers to the private sector of these various operations as well.

That’s where our investigation took us. We looked at some of the threat actors that are currently operating on primarily the Russian-speaking underground forums and they’re just in Eastern Europe in general. And the things that they claim they could do in terms of manipulating things in the private sector as well, both promoting, but even more so, most of the stress is really about taking down and discrediting various entities, companies, organizations. That was the goal of our research, was to see if the claims that these companies are, rather these threat actors, these entities are putting out there, is there any merit to these claims?

I think that our research has borne out that there are threat actors that are willing to run these types of campaigns and it appears that they’re able to do so as well. The scary part is that the whole process took us about six weeks from the beginning of the negotiations to when we got our final result and the cost for both segments of our research, both increasing the visibility, the PR, rather, of the fictitious entity we created and the discrediting of that same entity subsequently, it only cost us about $6,000 U.S.

Dave Bittner:

Let’s walk through it together here step by step. You all had to come up with some clever ways at the outset to establish an organization. Walk us through what you did here.

Roman Sannikov:

Sure. Again, the companies were out there on these dark web forums and the underground forums and they claimed that they were willing to do various services, various disinformation influence campaigns for the private sector. When we reached out to them, we engaged them separately. These are two threat actors that obviously did not know that we were playing both sides of the coin here and we wanted to get a sense of what they claim they could do. Some of the things that really attracted us through these entities was that they have a certain level of reputation on the underground forums. Especially the one that focused on the discrediting, the second part of our investigation, they had I believe approximately four years that they were on this forum, maybe even longer.

But what we did was, we reached out to them and we got a sense of what they claim they could do. One of the things that they said they could do was that they could publish articles in actual traditional media that would support our campaigns. We asked if we could see what those articles were, if they could show us any of their past efforts. Both of these threat actors, they demurred, they cited the client confidentiality. At that point we realized that in order to really assess whether they were able to actually carry out any of these campaigns that we would have to create a dummy entity profile for a dummy entity.

We created a company that we told them was based in the U.K., that it was a new company that we were starting out or had just created depending on which threat actor we were talking to. The company was a temp agency. The reason we based it in the United Kingdom was because we wanted to see whether these threat actors could actually operate outside of Eastern Europe and the Russian language landscape, whether they were able to do the same thing in the West. They claimed they’re willing to do so and that they were able to do so, saying that they had journalists and investigators and people like that on retainer who could write articles and could then promote those articles on social media.

We created this company. Again, it was a temp agency company. We tried to find something that would not actually interfere with any real-world experiences. Obviously we didn’t promote the company ourselves because we didn’t want to get in this situation where anyone who was actually looking for a job was somehow negatively affected by our research. We tried to be as cautious as possible when it came to that. But that’s the entity that we came up with.

Dave Bittner:

Now did you create a web page, any social media presence for this company that you spun up?

Roman Sannikov:

We did create a webpage. We attempted to create some social media because one of the things that the company that did the promotion said was that they could create a profile for us as well, not simply get us likes and shares and tweets and things like that, but that they could create our profile. We decided that we were going to first try to do it ourselves so that we can see how difficult that was. Because obviously if this was something that was relatively easy, we didn’t want to really focus too much attention on that. We found out that it wasn’t as easy as people might think. Social media companies have become more savvy and it actually took us a couple of attempts to create a social media profile and we were not able to do anything lasting. Basically our profile kept getting blocked after a day or two.

Dave Bittner:

Oh interesting.

Roman Sannikov:

At this point we reached back out to the PR company and we told them, “Hey, we’re having some issues, can you go ahead and create the profile for us?” Which they did within a few days. Again, that stressed to us that they have their own methodology and their ability to create these profiles fairly expeditiously.

Dave Bittner:

You reached out to two different suppliers of these services and one of them you asked to do positive reputation work and one you asked to do negative reputation work. Take us through each of those.

Roman Sannikov:

The idea was with the first company, the positive enhancement of our reputation was that we are creating this company, that we were Russian-speaking individuals who were working in the United Kingdom and we were targeting primarily the expat community, other people from Russian language countries or Eastern Europe who may be traveling to the United Kingdom looking for part-time work or temporary work and that it was difficult for us to promote the company legitimately. We wanted their assistance to promote the company, to expedite the growth of our social media profile, et cetera.

One of the things that they offered was, in addition to the various social media services, again, creating the profile, getting us likes, getting us positive reviews and feedback, they said that they could publish positive articles about our company in traditional media sources, which would then be reposted by their network in social media, which would again amplify those efforts. And so that’s something that we did.

It took us a little while. We didn’t direct them to post in any specific traditional media outlet, but our budget for this was relatively small. We told them what the figure we could spend on this was and told them where the company is based and they’re the ones that chose a couple of outlets in the United Kingdom that they promoted, where they placed these articles for which they then promoted in social media, enhancing the reputation of our fictitious company.

Dave Bittner:

How would you rank the effectiveness? Is there any way to do that?

Roman Sannikov:

Well, since we don’t have actual clients, it’s difficult to say for certain how this would have affected the company. Again, we didn’t want to leave it out there for too long because we didn’t want to have any real impact on people in the real world. We were trying to keep this as contained as possible. But we were impressed with the fact of how quick and how easy the process was and the fact that the company, again, this positive reputation enhancement company, they seemed quite professional.

There was some issue with one of the articles that they wrote. They sent it to us to proofread. Initially, we thought that the English was not polished enough. There were too many grammatical mistakes and just the language itself was a little awkward, would not have, I think, passed muster as someone who was a native English speaker. They came back to us within a day or two with an updated version that seemed very passable. The whole process really took us between the end of the negotiation with this company and when they actually showed us the articles and their efforts to promote us, it only took about seven to 10 business days. We were really impressed by that. They seemed to know what they were doing.

Dave Bittner:

Now how about the company that you engaged with for the negative information campaign? What was that experience like?

Roman Sannikov:

Just before we jump to that company, I also want to mention that the company that did the positive PR, they said that they also do negative. I think it’s important to stress that these companies primarily focus on taking down competition. While they do positive as well, their real focus is on digging up dirt, planting dirt, things like that. But because we wanted to check multiple companies, obviously we reached out to this second company saying that we were a competitor of this temp agency and they stole some of our ideas, or clients, or something like that. We had some sort of both professional and personal animosity towards them. We asked this other company to basically discredit and ruin the reputation of this new temp agency before they really got off the ground.

One of the things that really impressed us was the company really, the second company, the one that did the discrediting, damaging our reputation really told us, “Okay, you need to do this, you need to do this, this is the way we’re going to do it.” It really seemed that they had a pretty good idea and understanding of how these things worked, what it took to damage a company’s reputation.

One of the things that they almost pushed on us was that they could file all sorts of fake claims of abuse with local law enforcement claiming that we were engaged in all sorts of unethical and even illegal practices. They even, I think at one point said that they could make claims to local law enforcement that could potentially result in jail time and all sorts of things like that.

Obviously, because we did not want to get law enforcement involved and we did not want to create any legal issues, we certainly told them that we did not want to engage in anything quite that serious, but I think it’s important to put out there that this was something that they felt very comfortable doing and were actually pushing us in that direction because I guess they felt that that would really put the nail in the coffin of the company that we were trying to discredit.

Dave Bittner:

Was there any sense on your side that these companies were doing any vetting of you?

Roman Sannikov:

Not in this case. It was really fairly formulaic. It seemed like they have certain packages and they said, “Okay, this will cost this much, this will cost this much.” I didn’t see a ton of operational security on their part. I think the way they see themselves as operating in a sort of gray market area, they weren’t talking to us about hacking anything. They were really doing something that they probably don’t see a lot of threat to themselves over, I don’t think. It appears that these companies are based primarily in the Russian-speaking world, in the former Soviet Union, and we really got the sense that they didn’t think that law enforcement was going to be banging down their door over any of these operations that they were engaged in.

Dave Bittner:

I’m curious on the differentiation, particularly when it comes to the folks who are doing the positive promotion, how is that different than just hiring a PR company?

Roman Sannikov:

Well, I think what they’re doing is they’re, I guess maybe you could say PR plus plus plus, because they’re doing a lot of things that I think a normal PR company probably would find unethical. For example, I think they were using a lot of the social media promotion that was done by bots or by compromised accounts or by accounts that simply were not under the control of the individuals that they purported to be under control of. Certainly also planting articles about our company. Some of the articles included fictitious interviews with individuals in our company or individuals who in the case of discrediting our company, the negative reputation takedown, they purportedly interviewed one of our clients who talked about all sorts of terrible experiences that she had with our company, et cetera.

I would think that even in the case of the promotion, I would think, or I would hope that most PR companies aren’t going to go to that level where they’re writing fake articles and placing them in publications and then magnifying those fake articles by citing them and linking them in social media.

Dave Bittner:

Yeah, it really strikes me, looking through this research, just how easy it was to do this and relatively inexpensive. What are some of the take homes for you in terms of companies being on the lookout for this sort of thing and even their ability to defend themselves against it?

Roman Sannikov:

Absolutely. That’s really something that shocked and disturbed us as well. The whole investigation took a little over six weeks for both positive and negative combined and cost a little over $6,000. Once we actually got to the point where we created our company, negotiated with them, et cetera, the actual process took closer to seven to 10 business days. Again, these are companies that, or these are threat actors as we call them, who seem to know what they’re doing. This isn’t something that they had to reinvent the wheel for. Whenever they’re doing this, they literally check the boxes for us in terms of what we wanted to do, how much we wanted to pay.

And I think what … I’ve been talking to my colleagues about this, and to me it reminds me of where DDoS, Distributed Denial of Service was maybe six to eight years ago, where I remember seeing ads for DDoS services on various platforms that had nothing to do with cyber crime. You would have various fan platforms or platforms about certain hobby platforms where these threat actors would be advertising, “Hey, do you want to take down your competitor down the street or the restaurant or this or that? Use our DDoS services.” It was very inexpensive. It was very easy.

This seems to be following the same trajectory where these threat actors now, that there’s been so much news in the West about what can be done with social media manipulation and disinformation and things like that, that to some extent they’re hoping to cash in on this newfound fame that they have and really enter the market where your average store or your average restaurant or a retail establishment can potentially run a campaign against a competitor of theirs for, again, not a lot of money. The positive information campaign cost a little over $2,000 and the negative campaign cost a little over $3,000. Really not a huge amount of investment in that.

In terms of how companies might deal with something like that, I think it really underscores that everybody has to be really laser focused on any erroneous information that may be out there about them and that they have to … Every organization, anytime that they see anything that is not correct, it really behooves them to reach out to the sources. Whether it be mainstream media to address any articles that may not be legitimate articles. I’m not talking about obviously legitimate journalism that they might not like, but talking about articles that are clearly not journalism, but are rather pieces that are out there specifically promoting fake information about a company.

They really have to try to take that down before it gains traction on social media because these companies are specifically using social media to amplify this type of information. The articles that we saw, I think one of them had in fine print, had the word sponsored on it, which was very easy to overlook. I think at least two of the other articles did not have any warning that this had been paid for content in any way.

Certainly someone who sees a post with some sort of either negative or positive content about a company, about an entity, and they see this image that appears to be coming from a legitimate news source, chances are they might not even click on that image because they will assume that the post really summarizes the content of that image. Especially if it is in keeping with the headline that they see from that seemingly legitimate traditional media article. So you have this situation where the social media is really amplifying the fake information and then potentially that information, that social media campaign will then be picked up again by traditional media creating this loop of misinformation.

Dave Bittner:

And it’s worth noting that these organizations are running the way legitimate companies run. I mean throughout this process, you felt as though you were getting a good return on the money you were spending, you were getting good customer service, all those types of things.

Roman Sannikov:

Absolutely. They really appear to be working like legitimate companies as opposed to some threat actors that you’ll send them money, they’ll disappear sometimes for good, sometimes just are very lax in responding. Both of these threat actors, both of these companies were quite responsive. When we had an issue with the one translation that I mentioned, they fixed it within a day or two. And all four of the articles were published, two for the positive, two for the negative in these legitimate news outlets. And in fact they gave us some advice about how we should run these campaigns. It really seems like these are established entities that are doing things that they do well.

Some of the questions we’re getting is again, how do you combat this? How do you deal with this? What we’ve been saying really is that awareness and vigilance is paramount in this instance. Anytime you see something that you believe is a disinformation campaign, that the victims should reach out to wherever they find disinformation. Obviously, hopefully traditional media companies will take this very seriously, will maybe review some of their own practices. I think that reaching out to the social media organizations will help them identify these networks that are helping spread this type of disinformation and help them root out some of these entities that are not legitimate users of their platforms.

Dave Bittner:

Our thanks to Roman Sannikov for joining us. The research is titled “The Price of Influence: Disinformation in the Private Sector.” You can find it on the Recorded Future website.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Monica Todros, Executive Producer Greg Barrette. The show is produced by the CyberWire, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.
