Bots, Trolls, and Warriors: The Modern Adversary Playbook
Last night, The Washington Post published an article on Russia’s use of Facebook for micro-targeting. According to the article, last summer Facebook’s cyber experts found evidence of APT 28 setting up fake accounts, including Guccifer 2.0. APT 28 has been linked to Russia and consists not only of hackers but also of media operations teams, so that intrusions and influence campaigns can be carried out simultaneously. This is just the latest example of how attackers are integrating offensive cyber operations and (dis)information operations with automation and machine learning to achieve both tactical and strategic impact. This modern adversary playbook was the topic of my talk at Derbycon on Friday. Today’s attackers combine bots, trolls, and warriors in increasingly novel and brazen ways. Defenders must catch up, comprehend this playbook, and prepare defenses accordingly.
Today’s Battle for Information Control
For today’s attackers, information security is synonymous with information control – including theft, manipulation, destruction, and disinformation – and they achieve this through a combination of bots, trolls and warriors. First, cyber warriors is the unfortunate term coined for experts in computer network exploitation, both offense and defense. When applied to adversaries, the offense-focused warriors are increasingly brazen and leverage traditional means of compromise (e.g. the credential theft used in the OPM hack) as well as sophisticated techniques (e.g. Crash Override, customized for energy grids) to achieve strategic surprise. While most think of Russia, China and the US as dominant in this area, smaller countries such as Mexico, Vietnam and Sudan increasingly have their own teams of warriors, who often target domestic populations and corporations. At the same time, anti-government groups are pushing back, such as Venezuela’s Binary Guardians or Ukraine’s hacktivist network. In short, there is no one-size-fits-all model, and thanks to the proliferation of open source capabilities – such as those released in the Shadow Brokers and Vault 7 dumps – the number of both state and non-state cyber warriors is only growing.
While warriors generally focus on compromising machines, trolls focus on compromising hearts and minds. Trolls reflect the growth of entities, largely but not always linked to nation-states, that leverage online forums to influence opinions and perspectives and to achieve specific objectives. The Russian trolls are well known and have had an impact across the globe, but China also has the Fifty Cent Party of government-affiliated workers pushing positive narratives about the government. To this end, astroturfing – replacing negative narratives about the government with positive ones – has become a popular tactic within authoritarian regimes. In addition, state media, disinformation, and fake or compromised social media personas serve as a springboard for diffusing the narrative. Just as with the warriors, smaller countries are copying these tactics. For instance, Philippine President Rodrigo Duterte has a keyboard army aimed at drowning out critics of the government. Turkey’s AK Trolls, affiliated with the ruling Justice and Development Party, astroturf critiques of the government, but after some narratives went awry they now largely stick to traditional state outlets to oppose foreign governments. In many of these cases, governments test out tactics on the domestic population and then use them internationally.
Trolls also migrate from the virtual world to the physical. LinkedIn has recently drawn much attention as a forum for fake profiles that infiltrate professional networks and then meet targets in person, or convince them to download malware. The Cobalt Gypsy/OilRig group is notorious for targeting executives in high tech and energy. For instance, it has been linked to the fake persona Mia Ash, who connected with targets through LinkedIn, followed by a rapid progression to Facebook and WhatsApp, eventually convincing targets to open malicious Excel spreadsheets carrying RATs.
To be fair, troll armies and warriors existed before the internet, so it’s no surprise that even more sophisticated versions exist in the virtual world. The distinction now is the role of automation in helping warriors and trolls target tactically while achieving strategic breadth and depth. Bots reflect the implementation of automation and machine learning by the trolls and warriors, and manifest in everything from DDoS to malvertising to ransomware fueled by propagating worms to social bots. By some estimates, bots comprise over half of all web traffic, and half of those are malicious bots. At the tactical level, machine learning helps warriors evade defenses, including machine learning-powered defenses (e.g., bot vs bot). Machine learning also helps trolls target very specific subsets of the population to optimize the impact. Social media bots are good examples of this, used not only to interfere in elections but also to prop up governments and weaken opposition. Strategically, bots are essential in helping trolls attain widespread diffusion of narratives, and they also enable warriors to spread malware globally, as we saw recently with both WannaCry and NotPetya.
An Integrated Strategy
Increasingly, we are seeing this combination of bots, trolls, and warriors used to achieve strategic impact. The recent French election demonstrates the integration of all three – disinformation by trolls, warriors dumping data 48 hours prior to the election, and bots to help the diffusion and targeting of both. The Macron Leaks, which were false or doctored documents, photos, and correspondence linked to his campaign, were a late effort to influence the election, but also a continuation of the disinformation leading up to it. Bots helped proliferate the narrative, with 40% of the #MacronGate tweets coming from just 5% of accounts.
Importantly, this is occurring in both peacetime and wartime. The annexation of Crimea in 2014 also involved all three, and is noted as one of the first hybrid wars, where these digital activities complemented kinetic attacks. DDoS attacks against Ukrainian government and media sites led to an information blackout, which left an opening for pro-annexation actors to gain information superiority and dominate the narrative. Both hackers and infobots were part of the aggression against Ukraine.
Most recently, this summer’s Qatari tensions are indicative of the geopolitical instability that can arise when these three tactics are integrated. It began with a hack of a news agency, followed by the posting of false reports of the Qatari emir praising Iran and Hamas. Twitter bot armies spread the disinformation, leading Saudi Arabia, the UAE, Bahrain, and Egypt to ban Qatari media and then impose trade and diplomatic boycotts on Qatar. By one report, 20% of Twitter accounts posting anti-Qatari hashtags were bots.
Although these are examples of nation-state attacks, the private sector has also adopted some of these tactics. Everyone thinks of Hacking Team, but an article last week in Motherboard describes a leaked catalog of services ranging from ‘weaponized information’ to DDoS services to spyware to industrial control system exploits, a stark demonstration of the market demand for the full range of information-related weapons.
Remember, it wasn’t long ago that Facebook CEO Mark Zuckerberg stated that the use of social media to influence elections was a crazy idea. It also wasn’t long ago that concerns over critical infrastructure attacks were criticized as fearmongering. Then came this past year’s discoveries of a wave of destructive malware – such as Stonedrill, Shamoon 2.0, BlackEnergy, CrashOverride, and NotPetya – as well as reports over the past few weeks of the Iranian-linked APT 33 and Dragonfly 2.0 moving from reconnaissance to destructive objectives. Taken together, they show a clear expansion in the brazenness of objectives and intent.
In short, attackers already view the information/cyber domain holistically, through a socio-technical lens and as a battle for information control. While there are Lithuanian elves combating the trolls, defenders generally lag far behind in this battle, and must innovate toward novel, multi-faceted and creative solutions. In recent testimony submitted to the Commission on Security and Cooperation in Europe, U.S. Helsinki Commission, Molly F. McKew explained the challenge succinctly: “Right now, there are efforts to analyze the war; expose the war; map the war — but very little is being done to fight the war.” Defenders must catch up, view the information security landscape through a socio-technical lens, comprehend this modern adversary playbook, and prepare and innovate defenses accordingly.