Full Report
Our bulletin covering coordinated influence operation campaigns terminated on our platforms in Q2 2024.
Analysis Summary
This analysis is derived from a bulletin detailing Coordinated Influence Operations (IO) terminated in Q2 2024. Since the article reports on multiple, distinct influence operations linked to various actors/sponsors, the summary below aggregates the findings for each identified state or clear activity cluster.
# Threat Actor: Multiple Coordinated Influence Operation Groups (Q2 2024)
## Attribution & Identity
The summary details multiple, distinct influence operations attributed to sponsors in: Indonesia, Myanmar, Philippines/India (shared link), Pakistan, Russia, France, People's Republic of China (PRC), India (multiple distinct operations), Mexico, Argentina, and Bangladesh. These are primarily information operations (IO) rather than traditional cyber-espionage or ransomware groups.
## Activity Summary
The activities detailed span Q2 2024 (April and May) and consist exclusively of Coordinated Inauthentic Behavior (CIB) deployed across digital platforms to influence political discourse or generate financial gain.
Key identified operations include:
* **Russia-linked operations:** Sharing content supportive of Russia and critical of Ukraine and the West, sometimes linked to a Russian consulting firm.
* **PRC-linked operations:** Uploading content about China and U.S. foreign affairs, consistent with previous reports.
* **India-linked operations:** Multiple campaigns supporting specific state politicians (Maharashtra, Rajasthan, Odisha, Andhra Pradesh) or an activist in Bihar.
* **Mexico-linked operations:** Campaigns either supporting or criticizing the Mexican ruling party.
* **Indonesia-linked operations:** Sharing content supportive of the ruling party in Bahasa Indonesia.
## Tactics, Techniques & Procedures
The TTPs observed are centered on content dissemination via inauthentic networks:
- **Platform Manipulation:** Operating inauthentic accounts across multiple platforms (YouTube, Blogger, AdSense), which were terminated en masse.
- **Content Dissemination:** Primarily sharing content via YouTube channels (including Shorts) and Blogger blogs.
- **Language Targeting:** Tailoring content languages to specific regional audiences (e.g., Urdu, Burmese, Bahasa Indonesia, Norwegian, Russian, French, etc.).
- **Financial Manipulation:** At least one operation (Philippines/India) appeared to be financially motivated, using lifestyle/sports content as a cover.
- *(No specific MITRE ATT&CK IDs were provided in the source text.)*
## Targeting
Targeting is primarily focused on political narratives and domestic issues within the originating or target countries.
- **Sectors:** Political discourse and figures, foreign policy commentary. One operation used general lifestyle, sport, and food topics for financial gain.
- **Geography:** Indonesia, Myanmar, Pakistan, Russia/Ukraine conflict sphere, France, India (various states), Mexico, Bangladesh, Portugal (by an Argentinian operation).
- **Victims:** Specific political figures, ruling parties/opposition parties, or geopolitical opponents (e.g., Ukraine, the West).
## Tools & Infrastructure
The primary infrastructure identified consists of state- or actor-controlled or rented accounts on major platforms:
- **Malware families used:** None identified (Focus is on influence operations, not malware deployment).
- **Infrastructure (C2, domains, IPs):** Terminated accounts included 1,320 YouTube channels and 1,177 Blogger blogs (PRC, ongoing); 378 YouTube channels (Russia, consulting firm link); and 2,357 YouTube channels (Russia, consulting firm link). In addition, 10 domains related to an operation linked to the Philippines/India were blocked.
## Implications
The Q2 2024 report highlights a highly active global threat landscape dominated by state-backed information operations, particularly from Russia and the PRC, focusing on geopolitical conflicts and domestic political interference. Furthermore, the proliferation of political IOs linked to specific domestic elections or political figures within India and Mexico suggests influence operations are becoming a common tactic in both established and emerging democracies.
## Mitigations
The mitigation strategies implied by the actions taken focus on proactive detection and removal of inauthentic networks:
- Continuous monitoring and proactive takedowns of Coordinated Inauthentic Behavior (CIB) across video and blogging platforms.
- Improved detection across diverse language sets relevant to ongoing geopolitical conflicts (e.g., Russian/Ukrainian, China/US foreign affairs).
- Monitoring for financially motivated influence operations using general content topics as cover.
- Leveraging industry collaboration (e.g., leads from OpenAI and Meta) to identify and dismantle complex networks.