Analytical Tradecraft – Page 2

Profound Tradecraft Failure: Wohl v. Mueller

Manchild scammer extraordinaire @JacobAWohl has been the center of a vortex of public attention for the last day or so, but it isn’t working out quite as he had envisioned. The scheme as revealed thus far has involved:

A front agency, Surefire Intelligence, with a claimed global footprint, based entirely on virtual office spaces.
A staff, several of whom had stock photos from A list celebrities, but only two of which had any contacts.
A second front agency, Atrium Private Intelligence, with a domain registered after Surefire’s, apparently existing to provide depth to the legend for the first agency.
Domains registered by proxy, but configured with a web site construction kit that included Wohl’s personal email in the SOA (Start Of Authority) for the domain.
Google Voice phone numbers, one of which Wohl validated with a real number belonging to his mother.

We are obviously publishing Analytical Tradecraft here, but Field Operations Tradecraft is another story entirely. One can not learn to tease things apart without gaining some sense of what not to do, but providing the affirmative defenses is a step we are not willing to take, at least not in the open. When we address Adversary Resistant Computing and Adversary Resistant Networking, the aim is to keep you safe in your pursuits. You will notice there is no Adversary Resistant Hosting category.

That being said, the failures can be summarized as “youthful enthusiasm”. Hertz will not rent to anyone under twenty five, our society’s firmest recognition that the neurological stuff that starts with the teen years doesn’t at high school graduation. Whatever role Jack Burkman and Jim Hoft played in this scheme, the execution was left in the hands of a lad that won’t be able to drink legally for another six weeks.

The primary reason you are reading this site (we think) is not for our slick production quality or our mastery of algorithms. You are here because we have been there. We try to keep what we do simple, rugged, and recoverable, because we are used to having too few resources, too many tasks, and not nearly enough time.

Making America Grey Again

The initial wave of NPCs were taken out by Twitter, about 1,500 all together according to reporting. A small number lingered, somehow slipping past the filter, and now they are regrouping. A tweet regarding the initial outbreak collected several new likes, among them this group of five:

And their 740 closest friends are all pretty homogenous:

A fast serial collection of these 740 accounts they follow was undertaken. Their mentions reveal some accounts that are early adopters, survivors of the first purge, or otherwise influential. 735 of them came through collection, the missing were empty, locked, or suspended.

These accounts made 469,889 mentions of others. First we’ll look at 285,102 mentions of normal accounts, then we’ll see 184,787 mentions of Celebrity, Media, and Political accounts. Given that there are 67,000 accounts involved in this mention map, we’ll employ some methods we don’t normally use. This layout was done with OpenOrd rather than Force Atlas 2 and the name size denotes volume of mentions produced.

The large names here are based on Eigenvector centrality – they are likely popular members of the group, or in the case of Yotsublast, a popular content creator aligned with NPC messaging.

Usually we filter CMP – Celebrities, Media, and Politicians. These accounts are actively seeking attention so it is interesting to see who they reach out to in order to achieve that in these 184,787 mentions to about 18,500 others.

Attempting different splines with Eigenvector centrality leads to, after several tries, this mess.

Beyond the core at the bottom, Kathy Griffin, Alexandra Ocasio-Cortez, and Hillary Clinton are singled out for attention.

K-brace Filter Level 4 — KBrace Filter Level 4

Mentions are directed but the best way to handle them at this scale seems to be treating them as undirected and using the KBrace filter. This is a manageable set of accounts to examine and the groupings make intuitive sense.

The 742 accounts were placed into our “slow cooker” but only 397 were visible. It isn’t clear why 350 were missed, but Twitter’s quality filter may have something to do with that.

Unlike the group of accounts in yesterday’s A Deadpool Of Bots, this wake/sleep cycle over the last ten days looks like humans making their own accounts to join in the fun. Given a good sized sample of tweets, an average adult will only consistently be inactive from 0200 – 0500, so those empty three hour windows, except for the first day, are a pretty convincing sign.

Their hashtag usage is entirely what one would expect.

Given the tight timeframe it was interesting to look at an area graph of their daily hashtag use for the last ten days.

As a society we have barely begun to adapt to automated propaganda, and now we’re facing a human wave playing at being automation. This is an interesting, helpful thing, as it provides a perfect contrast to what we explored in A Deadpool Of Bots.

A Deadpool Of Bots

Yesterday in chat someone pointed out a small set of accounts that followed this Dirty Dozen of known harassment artists.

The accounts all had the format <first name><last name><two digits>. We extracted two dozen from the followers of these twelve accounts, then ran their followers and found a total of 112 accessible accounts that had this same format. Suspecting a botnet, we created a mention map to see how they have been spending their time.

This image is immediately telling for those used to examining mention maps. There are too many communities (denoted by different colors) present for such a small group and the isolated or nearly isolated islands just don’t look like a human interaction pattern.

Adjusting from outbound degree to Eigenvector centrality, it was immediately clear what the focus of this group of accounts was. The next level of zoom in the names revealed two other cryptocurency news sites and a leader in the field as being the targets of the these accounts.

Thinking that 112 was a small number, we extracted their 7,029 unique followers’ IDs and got their names. Nearly 600 matched the first/last/digits format, but there were other similarities as well. We placed all 7,029 in our “slow cooker”, set to capture all of their tweets.

We were expecting to find signs of a botnet, but it appears the entire set of accounts are part of the same effort. The 6,897 we managed to collect were all created in the same twelve week period. The gap between creation times and the steady production of about eighty accounts per day seems to indicate a small hand run operation in a country with cheap labor.

The network is transparently focused on cryptocurrency over the long haul. Adjusting the timeframe to the last thirty days moved the keywords around a bit but the word cloud is largely the same. The clue to how these accounts got into the mix is there in the lower right quadrant – #followme and #followback indicate a willingness to engage whomever from the world at large, in addition to their siblings.

Why we have pursued this so far when it looks like just a cryptocurrency botnet is due to this clue.

Here are five bad actors with two other accounts created right in between them time wise. This is the most striking example, but there are others like it. And understand the HUMINT that triggered this – a group of people who do nothing but take down racist hate talkers all day feel besieged by a group that manages to immediately regenerate after losing an account.

Our Working Theory

What we think we are seeing here is a pool of low end crypto pump and dump accounts that were either created for or later sold to a ringleader in this radicalized right wing group.

Now that we have roughly 7,000 of them on record, we have to decide what to do. This is just such a blatant example of automation that Twitter might immediately take it down if they notice. The 6.5 million tweets we collected are utterly dull – the prize here is the user profile dataset. We’d need some mods to our software, but maybe we need to collect all the followers for this group of 7,000 and figure out what the actual boundaries of this botnet truly are.

This has been a tiresome encounter for those who make it their business to drive hate speech from Twitter, but this may be the light at the end of the tunnel. If one group is using pools of purchased accounts to put their foot soldiers back in play the minute they get suspended, others are doing this, too. No effort was made to conceal this one from even moderate analysis efforts. If we demonstrate this is a pattern and Twitter is forced to act, we may well find that a lot of the heat will go out of political discourse on that platform.

Exploring Conversation Spaces

Earlier today we captured seventy one Twitter accounts that we classified into three groups. These are Durant’s Dullards (21), Team Pillow Forts (23), and TheShed (27). The first are associated with RowdyPolitics[.]com, the second group are associated with CitJourno[.]org and Patribotics[.]blog, while the last group are unified by being stable, long term personas who are often forced to replace accounts due to suspension.

Visually, the Fortress of Pillowtude is on the left, the cluster of red accounts are the RowdyPolitics people, and The Shed’s frequent reincarnations leave them scattered around the perimeter on the right with fewer mentions.

This particular graphic has been filtered to remove 934 ‘CMP’ accounts – Celebrities, Media, and Politicians. The working theory behind this is that those accounts are ubiquitous, they cross group boundaries, and thus are not terribly useful for diagnostics. That thinly populated space in the middle are less notable CMP figures that haven’t been removed yet … but more importantly, some of those are ‘weak ties’, as covered in Mark Granovetter‘s 1973 classic social network analysis paper The Strength of Weak Ties.

Seeing The Whole Forest

While these groups lead in the creation, curation, and elevation of content, we want to be able to see them in the context of their operating environment. Graphs like this are useful for discerning structure, for identifying certain types of relationships, but those accounts generated over 262,000 mentions and over 12,000 others were mentioned twice or more. This is where we set aside Gephi and take up Elasticsearch.

Selecting the 2,739 accounts mentioned ten or more times is a good balance between getting what is important and not overrunning out available resources. Recent performance tuning means our collection system can now handle forty eight accounts in parallel. This run took 70 minutes to collect 6.48M tweets from 2,235 accounts that were actually available, an average of 32 accounts/minute. The 504 missing accounts are mostly those from The Shed that have been banned.

We want to see both overall features as well as group specifics, so JSON filters were created for each group. Applying them, we can see the top hashtags in use by each group over the last week. The fourth cloud is the overall set of hashtags employed by every account they mentioned. Here we begin to see what each group’s contribution to the overall conversation may have been.

Durant's Dullards Top 25 Hashtags — Durant’s Dullards Top 25 Hashtags

Top 25 Hashtags From All Accounts Mentioned

Temporal Matters

6.5 million lines of text is a lot to digest. When we employ Kibana we have powerful ways to search, filter, and abstract content, coupled with fine grained control of time. If we want to know the top hashtags over the prior seven days, limited to those that occurred with #MAGA or #Anonyous, and see how they compare volume wise, that’s easily done.

What if we want to see who first noticed the news of Elena Khusyaynova’s indictment on Friday? A few mouse clicks and we have the data from when the story broke. Long term observations are just as smooth – if we set the system up to spool content, it’ll just continuously capture the accounts that we decide are interesting.

Future Explorations

We are just getting started with the Kibana interface to Elasticsearch, using it as an advanced text search engine, and doing some simple infographics in the spirit of descriptive statistics. There are complex, powerful tools out there, such as Timesketch and Wazuh, that are built on the Elasticsearch foundation. If we find just the right person, we may start branching in that direction.

NPC Bot Wave

Earlier today Josh Russell published a list of “NPC” accounts on Twitter. Nominally this seems to be tied to a “New Progressive Coalition”, but there are several humorous takes on the meaning of the acronym.

While a deadly accurate send up of Progressive sensibilities this election cycle, there were 450+ very similar accounts on the list when we started the profiling process, so it might have begun as a human wave of image board kids, but there is some sort automation at work here, which makes it interesting.

One of the strengths of our system is the ability to rapidly snapshot a group like this. We quickly collected 425 of them before they began to rename or self-suspend. We collect up to 3,200 tweets, up to 5,000 of those they follow as well as accounts following them, and we extract all mentions. Making a mention map with Gephi is typically our first step; social networks can be voluminous, while mentions are both bounded by the maximum tweet count as well as time stamped. This lets us see what activity the accounts are involved in, as well as slicing by time when appropriate.

These 425 sources mentioned 7,687 other accounts – a network motif we refer to as a “monkey pile”. Filtering out individual mentions left 2,333 other accounts, a 66% reduction in complexity. Sizing names by Eigenvector centrality permits us to see who they are messaging.

The @NPC691 account is key in this network and examining its timeline we see they are an early adopter of this particular meme – 72 hours before it became this general outburst.

@NPC691's First Tweet — @NPC691’s First Tweet

Collection on this took less than half an hour. If this were anything other than a harmless bit of fun, the 9,230 unique followers of these accounts are preserved, as are the 12,008 accounts they follow. We can see there are 4,793 accounts that are mutually following, so our 425 account sample may only be 10% of this total network.

Trying to do this by eye would be an impossible task. The ability to collect large amounts of information quickly and then rapidly analyze the take is key in an age of cyborgs and botnets mixing with a human operated account population.

Puzzling Over Boundaries

Much like the breakdown of Westphalian Sovereignty in the face of a well connected, easily traversed world, we are pondering just where the boundaries are on what we publish.

Best practices advice regarding Adversary Resistant Computing and Networking is broadly available, but highly variable in quality, and often not conditioned by real world experience. Communications Security advice is even more uneven. We might be educating bad actors by openly publishing, but the good guys are under the gun, and no white hat from inception thinks the way those of us who wear faded gray do. We’re going to put this content out there and count on the nonstop situational awareness required to truly excel keeping a lid on proliferation.

We publish studies on various groups, which can educate them in their failings, if they take the time to read. This is also conditioned on situational awareness and with information operations in particular, characterization is sterilizing sunlight. We use OSINT methods and release collected data in a form that facilitates others using it, but at this time the collection methods and software we use are not freely available.

Analytical Tradecraft is a matter of good systems and the right mindset to get teams using it effectively. There are guides out there, the CIA’s Psychology of Intelligence Analysis being a well known example. There is no substitute for real world experience when it comes to Sanctioned Irregulars, and that is where we are strongest.

And Field Operations Tradecraft seems to be a bridge too far – we’re not in the business of teaching bad actors how to caper.

The you have it. @NetwarSystem provides a feed of posts here, from LinkedIn, and selected content from other sources. The contact page has advice on who is qualified as a customer and how to reach us. We look forward to hearing from those of you who truly need what we do.

Category: Analytical Tradecraft