Analytical Tradecraft – Page 2

A Deadpool Of Bots

Yesterday in chat someone pointed out a small set of accounts that followed this Dirty Dozen of known harassment artists.

The accounts all had the format <first name><last name><two digits>. We extracted two dozen from the followers of these twelve accounts, then ran their followers and found a total of 112 accessible accounts that had this same format. Suspecting a botnet, we created a mention map to see how they have been spending their time.

This image is immediately telling for those used to examining mention maps. There are too many communities (denoted by different colors) present for such a small group and the isolated or nearly isolated islands just don’t look like a human interaction pattern.

Adjusting from outbound degree to Eigenvector centrality, it was immediately clear what the focus of this group of accounts was. The next level of zoom in the names revealed two other cryptocurency news sites and a leader in the field as being the targets of the these accounts.

Thinking that 112 was a small number, we extracted their 7,029 unique followers’ IDs and got their names. Nearly 600 matched the first/last/digits format, but there were other similarities as well. We placed all 7,029 in our “slow cooker”, set to capture all of their tweets.

We were expecting to find signs of a botnet, but it appears the entire set of accounts are part of the same effort. The 6,897 we managed to collect were all created in the same twelve week period. The gap between creation times and the steady production of about eighty accounts per day seems to indicate a small hand run operation in a country with cheap labor.

The network is transparently focused on cryptocurrency over the long haul. Adjusting the timeframe to the last thirty days moved the keywords around a bit but the word cloud is largely the same. The clue to how these accounts got into the mix is there in the lower right quadrant – #followme and #followback indicate a willingness to engage whomever from the world at large, in addition to their siblings.

Why we have pursued this so far when it looks like just a cryptocurrency botnet is due to this clue.

Here are five bad actors with two other accounts created right in between them time wise. This is the most striking example, but there are others like it. And understand the HUMINT that triggered this – a group of people who do nothing but take down racist hate talkers all day feel besieged by a group that manages to immediately regenerate after losing an account.

Our Working Theory

What we think we are seeing here is a pool of low end crypto pump and dump accounts that were either created for or later sold to a ringleader in this radicalized right wing group.

Now that we have roughly 7,000 of them on record, we have to decide what to do. This is just such a blatant example of automation that Twitter might immediately take it down if they notice. The 6.5 million tweets we collected are utterly dull – the prize here is the user profile dataset. We’d need some mods to our software, but maybe we need to collect all the followers for this group of 7,000 and figure out what the actual boundaries of this botnet truly are.

This has been a tiresome encounter for those who make it their business to drive hate speech from Twitter, but this may be the light at the end of the tunnel. If one group is using pools of purchased accounts to put their foot soldiers back in play the minute they get suspended, others are doing this, too. No effort was made to conceal this one from even moderate analysis efforts. If we demonstrate this is a pattern and Twitter is forced to act, we may well find that a lot of the heat will go out of political discourse on that platform.

Exploring Conversation Spaces

Earlier today we captured seventy one Twitter accounts that we classified into three groups. These are Durant’s Dullards (21), Team Pillow Forts (23), and TheShed (27). The first are associated with RowdyPolitics[.]com, the second group are associated with CitJourno[.]org and Patribotics[.]blog, while the last group are unified by being stable, long term personas who are often forced to replace accounts due to suspension.

Visually, the Fortress of Pillowtude is on the left, the cluster of red accounts are the RowdyPolitics people, and The Shed’s frequent reincarnations leave them scattered around the perimeter on the right with fewer mentions.

This particular graphic has been filtered to remove 934 ‘CMP’ accounts – Celebrities, Media, and Politicians. The working theory behind this is that those accounts are ubiquitous, they cross group boundaries, and thus are not terribly useful for diagnostics. That thinly populated space in the middle are less notable CMP figures that haven’t been removed yet … but more importantly, some of those are ‘weak ties’, as covered in Mark Granovetter‘s 1973 classic social network analysis paper The Strength of Weak Ties.

Seeing The Whole Forest

While these groups lead in the creation, curation, and elevation of content, we want to be able to see them in the context of their operating environment. Graphs like this are useful for discerning structure, for identifying certain types of relationships, but those accounts generated over 262,000 mentions and over 12,000 others were mentioned twice or more. This is where we set aside Gephi and take up Elasticsearch.

Selecting the 2,739 accounts mentioned ten or more times is a good balance between getting what is important and not overrunning out available resources. Recent performance tuning means our collection system can now handle forty eight accounts in parallel. This run took 70 minutes to collect 6.48M tweets from 2,235 accounts that were actually available, an average of 32 accounts/minute. The 504 missing accounts are mostly those from The Shed that have been banned.

We want to see both overall features as well as group specifics, so JSON filters were created for each group. Applying them, we can see the top hashtags in use by each group over the last week. The fourth cloud is the overall set of hashtags employed by every account they mentioned. Here we begin to see what each group’s contribution to the overall conversation may have been.

Durant's Dullards Top 25 Hashtags — Durant’s Dullards Top 25 Hashtags

Top 25 Hashtags From All Accounts Mentioned

Temporal Matters

6.5 million lines of text is a lot to digest. When we employ Kibana we have powerful ways to search, filter, and abstract content, coupled with fine grained control of time. If we want to know the top hashtags over the prior seven days, limited to those that occurred with #MAGA or #Anonyous, and see how they compare volume wise, that’s easily done.

What if we want to see who first noticed the news of Elena Khusyaynova’s indictment on Friday? A few mouse clicks and we have the data from when the story broke. Long term observations are just as smooth – if we set the system up to spool content, it’ll just continuously capture the accounts that we decide are interesting.

Future Explorations

We are just getting started with the Kibana interface to Elasticsearch, using it as an advanced text search engine, and doing some simple infographics in the spirit of descriptive statistics. There are complex, powerful tools out there, such as Timesketch and Wazuh, that are built on the Elasticsearch foundation. If we find just the right person, we may start branching in that direction.

NPC Bot Wave

Earlier today Josh Russell published a list of “NPC” accounts on Twitter. Nominally this seems to be tied to a “New Progressive Coalition”, but there are several humorous takes on the meaning of the acronym.

While a deadly accurate send up of Progressive sensibilities this election cycle, there were 450+ very similar accounts on the list when we started the profiling process, so it might have begun as a human wave of image board kids, but there is some sort automation at work here, which makes it interesting.

One of the strengths of our system is the ability to rapidly snapshot a group like this. We quickly collected 425 of them before they began to rename or self-suspend. We collect up to 3,200 tweets, up to 5,000 of those they follow as well as accounts following them, and we extract all mentions. Making a mention map with Gephi is typically our first step; social networks can be voluminous, while mentions are both bounded by the maximum tweet count as well as time stamped. This lets us see what activity the accounts are involved in, as well as slicing by time when appropriate.

These 425 sources mentioned 7,687 other accounts – a network motif we refer to as a “monkey pile”. Filtering out individual mentions left 2,333 other accounts, a 66% reduction in complexity. Sizing names by Eigenvector centrality permits us to see who they are messaging.

The @NPC691 account is key in this network and examining its timeline we see they are an early adopter of this particular meme – 72 hours before it became this general outburst.

@NPC691's First Tweet — @NPC691’s First Tweet

Collection on this took less than half an hour. If this were anything other than a harmless bit of fun, the 9,230 unique followers of these accounts are preserved, as are the 12,008 accounts they follow. We can see there are 4,793 accounts that are mutually following, so our 425 account sample may only be 10% of this total network.

Trying to do this by eye would be an impossible task. The ability to collect large amounts of information quickly and then rapidly analyze the take is key in an age of cyborgs and botnets mixing with a human operated account population.

Puzzling Over Boundaries

Much like the breakdown of Westphalian Sovereignty in the face of a well connected, easily traversed world, we are pondering just where the boundaries are on what we publish.

Best practices advice regarding Adversary Resistant Computing and Networking is broadly available, but highly variable in quality, and often not conditioned by real world experience. Communications Security advice is even more uneven. We might be educating bad actors by openly publishing, but the good guys are under the gun, and no white hat from inception thinks the way those of us who wear faded gray do. We’re going to put this content out there and count on the nonstop situational awareness required to truly excel keeping a lid on proliferation.

We publish studies on various groups, which can educate them in their failings, if they take the time to read. This is also conditioned on situational awareness and with information operations in particular, characterization is sterilizing sunlight. We use OSINT methods and release collected data in a form that facilitates others using it, but at this time the collection methods and software we use are not freely available.

Analytical Tradecraft is a matter of good systems and the right mindset to get teams using it effectively. There are guides out there, the CIA’s Psychology of Intelligence Analysis being a well known example. There is no substitute for real world experience when it comes to Sanctioned Irregulars, and that is where we are strongest.

And Field Operations Tradecraft seems to be a bridge too far – we’re not in the business of teaching bad actors how to caper.

The you have it. @NetwarSystem provides a feed of posts here, from LinkedIn, and selected content from other sources. The contact page has advice on who is qualified as a customer and how to reach us. We look forward to hearing from those of you who truly need what we do.