Full Report
This bulletin includes coordinated influence operation campaigns terminated on our platforms in Q3 2023. It was last updated on November 8, 2023.
Analysis Summary
This summary covers the multiple *Coordinated Influence Operations (CIOs)* and loosely associated state-backed activity described in the bulletin, rather than a single traditional threat actor (such as a malware distributor). Findings are organized by the entity or nation targeted by the activity.
# Threat Actor: Various Coordinated Influence Operations (CIOs) Tracked in Q3 2023
## Attribution & Identity
The article details multiple, distinct influence operations attributed to nation-states and political entities based on the content and geographic focus of the campaigns identified across July, August, and September 2023:
* **Slovakia-linked:** Focused on influence operations sharing content supportive of Russia and critical of the West.
* **Uzbekistan-linked:** Focused on supporting the sitting President Shavkat Mirziyoyev.
* **Togo/Burkina Faso-linked:** No specific alignment stated, but coordinated activity was noted.
* **People’s Republic of China (PRC)/China-linked:** Engaged in large-scale spam/lifestyle content, with a small subset focused on China/U.S. foreign affairs.
* **Mexico-linked:** Supportive of the Morena political party and Senator Ricardo Monreal.
* **Iran-linked:** Shared religious content and expressed views supportive of Iran/Palestine and critical of the West/Israel/US.
* **Russia-linked (including IRA):** Shared content supportive of Russia and critical of Ukraine/NATO/US, often linked to the Internet Research Agency (IRA) or Russian consulting firms.
* **Azerbaijan-linked:** Supportive of Azerbaijan and critical of Armenia and government critics.
* **India-linked (Association of Billion Minds):** Content focus not specified, but the activity was linked to the named association.
* **Vietnam-linked:** Supportive of the Vietnamese government and its policies.
* **Poland-linked:** Focused on the Polish election, critical of pro-EU parties/politicians.
## Activity Summary
The report summarizes platform disruptions conducted in Q3 2023 targeting influence operations:
* **Slovakia:** Disrupted campaigns sharing content in Slovak, Czech, and English (pro-Russia/anti-West).
* **Uzbekistan:** Terminated YouTube channels sharing content in Uzbek supporting President Mirziyoyev.
* **Togo/Burkina Faso:** Activity noted, findings consistent with Meta reports.
* **China/PRC:** Massive operations, primarily spam, with a smaller focus on geopolitical narratives (China/US affairs).
* **Mexico:** Targeted support for the Morena party and Senator Monreal in Spanish.
* **Iran:** Conducted operations in Bengali, Pashto, and Arabic (religious content) and later in Turkish (Middle East events, pro-Iran/Palestine, anti-West/Israel/US).
* **Russia:** Multiple nodes disrupted, including IRA activity and activity linked to a Russian consulting firm, focusing on supporting Russia and criticizing Ukraine/the West across multiple languages (Russian, German, French, English, Arabic).
* **Azerbaijan:** Consistent activity across July and September aimed at bolstering domestic narratives and targeting Armenia.
* **India:** Activity linked to the Association of Billion Minds disseminating content in English and Hindi.
* **Vietnam:** Campaigns supportive of the government and its policies.
* **Poland:** Activity focused on influencing the Polish elections against pro-EU elements.
## Tactics, Techniques & Procedures
The TTPs are focused entirely on inauthentic amplification and influence dissemination across content platforms:
* Sharing content supportive of/critical of specified political entities or foreign policy goals.
* Uploading spammy content (music, entertainment, lifestyle).
* Disseminating specific geopolitical narratives (e.g., Russia-Ukraine war).
* Utilizing a mix of local and international languages relevant to the target audience.
* *No specific MITRE ATT&CK IDs were provided in the source bulletin.*
## Targeting
* **Sectors:** The targeting is primarily **Political** and **Geopolitical influence**, rather than traditional espionage or financial theft.
* **Geography:** Targeting spans multiple regions, including audiences in **Central Europe (Slovakia, Poland)**, **Central Asia (Uzbekistan, Azerbaijan)**, **West Africa (Togo, Burkina Faso)**, **North Africa/Middle East (Iran operations)**, **South Asia (India)**, **Southeast Asia (Vietnam)**, and broader **Western audiences (U.S./Ukraine critics)**.
* **Victims:** The 'victims' are the platforms themselves (via large-scale disruptions) and the **electorates/public opinion** in the targeted countries (e.g., Polish voters, Uzbek citizens, Western publics).
## Tools & Infrastructure
The primary infrastructure identified relates to content hosting and monetization:
* **Malware families used:** None specified (this report focuses on influence operations, not malware deployment).
* **Infrastructure (C2, domains, IPs):**
    * YouTube Channels (Terminated: Totaling over 14,000 channels across all listed campaigns).
    * Blogger Blogs (Terminated: 183 in July, 31 in September).
    * AdSense Accounts (Disabled for monetization).
    * Domains (Blocked from eligibility on Google News surfaces and Discover).
## Implications
These findings illustrate the high volume and multinational scope of Q3 2023 state-sponsored and politically motivated information operations tracked across major platforms. The diversity indicates that various state and non-state actors utilize similar methods (inauthentic amplification) to pursue vastly different, often contradictory, geopolitical interests (e.g., pro-Russia vs. pro-Vietnam vs. pro-Azerbaijan narratives).
## Mitigations
Mitigations noted in the article are platform-side actions rather than end-user advice:
* Termination of YouTube Channels.
* Disabling AdSense accounts used for monetization.
* Blocking domains from appearing on Google News surfaces and Discover.