Full Report
Threat Analysis Group shares their Q2 2023 bulletin.
Analysis Summary
The source article is a summary of coordinated influence operation (IO) campaigns terminated across Google platforms. It documents platform policy enforcement rather than in-depth threat actor analysis with traditional TTPs (malware, specific exploits). The summary below therefore reflects what the bulletin reports, which leans heavily toward influence operations and attribution rather than intrusion activity.
# Threat Actor: Various State and Politically Aligned Influence Operators (Q2 2023)
## Attribution & Identity
This analysis covers multiple state-aligned or politically motivated influence operations originating from approximately 10 different countries during Q2 2023.
**Known Aliases and Associated Groups:**
* **Russia-linked:** One operation was associated with the **FROZENBARENTS** persona, specifically identifying the **Cyber Army of Russia**. Another was linked to the **Internet Research Agency (IRA)**. A third operation involved a **Russian consulting firm**.
## Activity Summary
The article details the termination of numerous coordinated influence operations on YouTube (and associated Ads and Blogger accounts) discovered between April and June 2023. These campaigns primarily focused on political messaging, armed conflicts, and support for particular governments or parties.
**Key Campaigns/Findings:**
* **Russia/Ukraine Conflict:** Multiple Russian-linked groups pushed content supportive of Russia and critical of Ukraine, NATO, and the West. Conversely, a Ukraine-linked campaign shared content supportive of Russia and Kazakhstan's President.
* **Support for Specific Entities:** Operations supported the Iran government, the Turkish AK Party, Turkey's Nationalist Movement Party (MHP) and Victory Party, Mexico's Morena party and Senator Ricardo Monreal, and Uzbekistan's President Shavkat Mirziyoyev.
* **Cyber-focused Russian Activity:** The FROZENBARENTS persona (Cyber Army of Russia) shared content focusing on **hacking techniques**.
* **Iranian Hack-and-Leak:** Iran-linked IOs shared content related to **Iranian hack-and-leak operations** (corroborated by Meta findings).
* **China-linked Activity:** The largest volume of terminated accounts (primarily spam/lifestyle content) was linked to China, with a small subset focusing on US/China foreign affairs.
## Tactics, Techniques & Procedures
Since this analysis covers influence operations (IO) rather than traditional cyber exploits, the TTPs concern content distribution and platform abuse. The bulletin cites no MITRE ATT&CK technique IDs.
* Spamming content across YouTube channels/Blogger blogs.
* Coordinated posting to support specific political narratives (pro-Russia, pro-government, anti-opposition).
* Sharing content related to hacking techniques (Russia/FROZENBARENTS).
* Disseminating hack-and-leak results (Iran).
## Targeting
Targeting is inferred from the language used, the intended audience, and the geopolitical focus of the content:
* **Sectors:** Primarily political, geopolitical, and conflict-related discourse. Some activity was financially motivated (Turkey).
* **Geography:** Global scope, as inferred by the languages and topics.
* **Russia-linked targets:** Ukraine, NATO, the West.
* **Lithuania-linked targets:** Ukraine, NATO, and the EU (criticized), with content supportive of Russia.
* **Azerbaijan-linked targets:** Armenia and Azerbaijani government critics.
* **Iran-linked targets:** Israel (in one set of operations).
* **Spain/Mexico:** Domestic political figures/parties.
* **Victims:** No specific enterprise or government victims are named; the bulletin concerns the termination of public accounts engaged in information operations.
## Tools & Infrastructure
The infrastructure consists of social media and advertising platforms rather than malware or command-and-control (C2) infrastructure.
* **Malware families used:** None explicitly mentioned.
* **Infrastructure:** YouTube channels, Ads accounts, AdSense accounts, and Blogger blogs were the primary infrastructure used for dissemination.
## Implications
These operations demonstrate the breadth of state influence efforts, spanning geopolitical conflicts (Ukraine), domestic politics (Spain, Mexico), and attempts to promote government narratives abroad (Iran, Azerbaijan). This diversity shows that influence operations remain a low-cost, high-volume tactic used by numerous actors for different strategic goals, ranging from the promotion of hacking-related content (Russia) to financial gain (Turkey).
## Mitigations
The mitigations described are platform-side: protecting the services themselves and detecting coordinated inauthentic behavior:
* Continuous monitoring and termination of coordinated inauthentic campaigns across platform services (YouTube, Blogger).
* Focusing detection efforts on specific personas or groups associated with known state actors (e.g., FROZENBARENTS, IRA).
* Investigating leads provided by external partners (LinkedIn, Graphika, Meta).