The People’s Republic of China and the Islamic Republics of Iran and Pakistan are bringing in new playbooks to undermine their enemies within and outside their borders – low-cost cyber-enabled influence operations.
Microsoft and Facebook’s latest threat assessment underlines the evolution of threats posed by state-sanctioned tactics like creating fake personas, honey trapping, creating a phony media company in the West, hiring freelance writers around the world, offering to recruit protesters, and co-opting an NGO in Africa.
While the Microsoft report talks about only Iranian operations, Facebook talks about the sophistry in cyber operations conducted by China, Iran, and Pakistan.
While Iran’s target remains its arch nemesis Israel and the US, China has expanded the geographical limits of its operations to target its enemies within the border and other countries in Asia-Pacific and South Asia.
Pakistan was found to be carrying out an elaborate cyber-espionage operation against its arch nemesis – India, to target people across the internet to collect intelligence and manipulate them into revealing compromising information.
The Rise Of China-Origin Cyber Influence Ops
There has been a change in threat actors, novel geographic targeting, and new adversarial tactics. China is also taking a leaf from the playbook of other actors who have started creating troll farms and using marketing and PR firms to lend credibility to its operations.
The coordinated inauthentic behavior (CIB) originating from China means coordinated efforts to manipulate public debate for a strategic goal, in which fake accounts are central to the operation.
In each case, the Facebook authorities found that these fake accounts coordinate with one another and use fake accounts to mislead others about who they are and what they are doing.
China devoted most of its concerted efforts to targeting many regions worldwide, like Taiwan, Sub-Saharan Africa, Japan, Central Asia, and the Uyghur community. Meta removed 107 Facebook accounts, 36 pages, six groups, and 35 accounts on Instagram, violating its policy of CIB.
“This operation targeted multiple internet services including Facebook, Instagram, YouTube, Twitter, Telegram, PayPal, cryptocurrency, Blogspot, Reddit, WordPress, and freelancer[.]com. They also ran a front entity called London New Europe Media Ltd — a media representation service registered in the UK — which attempted to recruit content creators and translators worldwide,” highlights the report.
These pages and communities tried to engage individuals to record English-language videos scripted by the network. In at least one case, recorded videos were posted on a YouTube channel criticizing the United States.
Meta removed 50 Facebook accounts, 46 Pages, 31 Groups, and ten accounts on Instagram for violating their policy against coordinated inauthentic behavior. This activity originated in China and targeted India and the Tibet region. This operation ran across multiple internet services, including Facebook, Twitter, and YouTube, where they operated several fictitious brands focused on the areas they each targeted.
“These brands posed as independent media outlets, cultural associations, or human-rights groups dedicated to issues related to Tibet or particular states on the border between China and India. We removed this network before it could build an audience on our apps,” the Meta Quarterly Adversarial Threat Report said. The pages use Artificial Intelligence-generated profile photos.
“This network posted in English and Tibetan about news and current events in India and Tibet, including articles and memes that criticized the Indian government and military, questioned claims of human-rights abuses in Tibet raised by Western journalists, and accused Western countries of human rights abuses.
“The operation also posted news articles by legitimate news outlets from the region, likely to make its fake brands appear more authentic,” the report added. This campaign was running on a shift schedule — nine-to-five, Monday-to-Friday during working hours in China — “with a dip in activity for lunch and much less activity on weekends.”
Pakistan – Perfecting Cyber Espionage Through Social Engineering
Pakistan’s state-backed groups, namely GravityRAT and Patchwork, targeted people in India, including military personnel, activists, and minority groups, to collect intelligence, manipulate them into revealing information, and compromise their devices and accounts by sending their malware through apps.
“While this group’s activity was relatively low in sophistication, it was persistent and targeted many services across the internet. They relied heavily on a web of attacker-controlled websites to distribute malware through highly targeted campaigns aimed to trick targets into clicking on malicious links and downloading Android or Windows malware,” the Meta report read.
Recently, an Indian scientist involved in India’s missile program was arrested for allegedly sharing confidential information over the internet. Underlining the tactics used in the espionage, the report says: “The group used fictitious personas posing as recruiters for both legitimate and fake defense companies and governments, military personnel, journalists and women looking to make a romantic connection — in an attempt to build trust with the people they targeted.”
The US is among the leading targets of Iran’s cyber-enabled influence operations.
The Islamic Republic of Iran also leverages cyber-enabled influence operations to further its geo-political goals. This also stems from Iran’s inability to match the sophisticated cyber-attacks targeted against the country.
The country has been creating a false persona or specifically curated persona to further its goals. The tactics might be new for Iran, but its target remains the same – its number one target is Israel, followed by the US.
Cyber-enabled influence operations combine offensive computer network operations with messaging and amplification in “a coordinated and manipulative fashion to shift perceptions, behaviors, or decisions by target audiences to further a group or a nation’s interests and objectives.”
The Microsoft report says that Iranian state groups have combined cyber-attacks with “multi-pronged influence operations” to bolster Palestinian resistance, foment Shi’ite unrest in Bahrain, and counter the normalization of Arab-Israeli ties.
Iran’s cyber-enabled influence operations have grown numerically and in terms of sophistication since June 2022.
Iranian cyberattacks and influence operations will likely remain focused on retaliating against foreign cyberattacks and perceived incitement of protests inside Iran. Israel, followed by the United States, will probably be at the highest risk from such future operations, particularly in the near term, given Iran’s rapprochement with Saudi Arabia and diplomatic blitz of other Arab Gulf nations in March.
The other tactics used by Iran are creating a ‘Cyber persona’ and ‘sockpuppet.’ A cyber persona is a manufactured public-facing group or individual that takes responsibility for a cyber operation while providing plausible deniability for the underlying group or nation responsible.
‘Sockpuppet,’ a false online persona employing a fictitious or stolen identity for deception, has also been used by Iran.
Microsoft linked 24 unique cyber-enabled influence operations to the Iranian government in 2022—including 17 since mid-June—compared to seven in 2021. The rise in these operations has corresponded with a decline in ransomware or wiper attacks by groups linked to Iran’s military, notably the Islamic Revolutionary Guard Corps (IRGC).
According to the Microsoft assessment report, most of Iran’s cyber-enabled influence operations are being run by Emennet Pasargad—which were tracked down to a group called Cotton Sandstorm—an Iranian state actor sanctioned by the US Treasury Department for their attempts to undermine the integrity of the 2020 US Presidential Elections.
“We (Microsoft) assess that Cotton Sandstorm has run or been involved in all eight of these fictitious cyber group personas since 2022,” the Microsoft report adds.
The primary target of its attacks remains Israel and the US. The United Arab Emirates and Saudi Arabia also bear the brunt of these efforts.
On the home front, Iran has also adopted cyber-enabled ops to discredit the nationwide protests by leaking information that aims to embarrass prominent regime opposition figures or to expose their “corrupt” relationships.
- Ritu Sharma has been a journalist for over a decade, writing on defense, foreign affairs, and nuclear technology.
- She can be reached at ritu.sharma (at) mail.com