Full Report
This bulletin includes coordinated influence operation campaigns terminated on our platforms in Q4 2023. It was last updated on January 19, 2024.
October
We terminated 8 Y…
Analysis Summary
This analysis summarizes the state-sponsored and coordinated influence operations that the reporting entity observed and terminated during Q4 2023. Because the bulletin reports on *multiple* distinct operations conducted by various state actors, findings are grouped by the attributed threat actor or nation-state where possible.
# Threat Actor: Iran-linked Influence Operations
## Attribution & Identity
Attributed to the government of Iran. Associated with multiple, distinct influence operations detected in Q4 2023.
## Activity Summary
Conducted influence operations in October sharing anti-Israel narratives (Hindi/Arabic) and in November sharing pro-Islamic Republic of Iran content (Arabic) and content supportive of Iran’s government while criticizing Israel and the US (Azerbaijani/Farsi).
## Tactics, Techniques & Procedures
- Content distribution via Twitter and Blogger.
- Primarily focused on information dissemination through platform manipulation.
- **Note:** No specific TTPs with MITRE ATT&CK IDs were provided in the source text for these influence operations.
## Targeting
- Sectors: Not explicitly specified beyond general political/narrative targeting.
- Geography: Content primarily targeted audiences speaking Hindi, Arabic, Azerbaijani, and Farsi.
- Victims: General public audiences in regions corresponding to language distribution (Middle East, South Asia, etc.).
## Tools & Infrastructure
- Terminated 8 YouTube channels (Oct) and 39 YouTube channels + 1 Blogger blog (Nov).
- Blocked 2 domains from eligibility on Google News surfaces and Discover (Nov).
## Implications
Iran continues to use coordinated influence operations to push geopolitical narratives, specifically focusing on anti-Israel messaging and bolstering support for the Iranian government.
## Mitigations
- Monitoring and removal of coordinated inauthentic behavior across video sharing and blogging platforms.
---
# Threat Actor: Russia-linked Influence Operations
## Attribution & Identity
Attributed to Russia, with one operation linked specifically to a Russian consulting firm and another linked to state-funded media.
## Activity Summary
Multiple campaigns active in October and November:
1. Sharing content supportive of Russia and critical of Ukraine/the West (Russian language).
2. Sharing content critical of Ukraine and the West (English language).
3. Sharing pro-Russia content in English, Italian, Spanish, and Polish.
4. Sharing content supporting Azerbaijani interests in Nagorno-Karabakh while criticizing Russia and Armenia (Russian, Azerbaijani, Turkish).
5. Sharing pro-Russia content in Spanish (November).
## Tactics, Techniques & Procedures
- Content distribution primarily via YouTube channels.
- Use of regional languages (Russian, English, Italian, Spanish, Polish, Azerbaijani, Turkish) tailored to specific narratives.
- **Note:** No specific TTPs with MITRE ATT&CK IDs were provided in the source text.
## Targeting
- Sectors: Political commentary/influence.
- Geography: Broad; Western audiences and audiences around specific regional conflicts (Nagorno-Karabakh).
- Victims: General public audiences consuming news and political content.
## Tools & Infrastructure
- Terminated a total of 430+ YouTube channels across various operations in October/November.
- Blocked 4 domains from eligibility on Google News surfaces and Discover (Oct).
- Disabled 1 AdSense account (Oct).
## Implications
Russia utilizes a wide array of state-affiliated and proxy entities (consulting firms, state media) to disseminate narratives supporting its geopolitical aims across multiple language groups.
## Mitigations
- Robust platform monitoring for inauthentic coordination that uses state-funded media accounts or is tied to known consulting entities.
---
# Threat Actor: People’s Republic of China (PRC)-linked Influence Operations
## Attribution & Identity
Attributed to the People’s Republic of China (PRC). These findings are consistent with previous reports.
## Activity Summary
Ongoing, large-scale influence operations observed in October and November. The vast majority of content was spammy (music, entertainment, lifestyle). A small subset focused on commentary regarding China and U.S. foreign affairs.
## Tactics, Techniques & Procedures
- Dissemination across vast networks of linked accounts.
- **Primary activity:** Spam content (music/lifestyle).
- **Secondary activity:** Political commentary on China/US foreign affairs.
- **Note:** No specific TTPs with MITRE ATT&CK IDs were provided in the source text.
## Targeting
- Sectors: Primarily general consumer content spam; a small portion targeting political awareness.
- Geography: Audiences accessing content in Chinese and English.
- Victims: General users of YouTube.
## Tools & Infrastructure
- Terminated 3,785 YouTube channels and 52 Blogger blogs in October (ongoing investigation).
- Terminated 1,953 YouTube channels and 52 Blogger blogs in November (ongoing investigation).
## Implications
The PRC maintains one of the largest ongoing coordinated influence operations, leveraging massive scale, primarily for noise/spam, but retaining capability for targeted political messaging.
## Mitigations
- Detection and removal of extensive spam networks that mask the smaller, politically motivated components.
---
# Other Identified Influence Operations (Q4 2023)
This section summarizes smaller, nation-state attributed influence operations described in the source material:
| Actor | Activity Summary (Narrative & Language) | Terminated Assets (Examples) |
| :--- | :--- | :--- |
| **Ukraine-linked (Donbass Region)** | Sharing pro-Russia content critical of the West (Russian language). | 41 YouTube channels (Oct) |
| **Azerbaijan-linked** | Sharing pro-Azerbaijan content, critical of Armenia/critics of Azerbaijani government (Azerbaijani language). | 90 YouTube channels (Oct) |
| **Ethiopia-linked** | Sharing content on Ethiopian political topics (Amharic). | 21 YouTube channels, 8 AdSense Accounts (Oct) |
| **Sudan-linked** | Sharing content on Sudanese news and politics (Arabic). | 40 YouTube channels, 1 Domain (Oct) |
| **Turkey-linked** | Sharing content supportive of a Turkish political party (Turkish language). | 317 YouTube channels (Oct) |
| **Pakistan-linked** | *Campaign 1:* Supportive of the Pakistan People's Party (Urdu). *Campaign 2:* Supportive of the Pakistan Army, critical of India (Urdu/English). | 2 YouTube channels, 68 YouTube channels, multiple Blogger blogs/AdSense accounts (Nov) |
| **Togo-linked** | Linked to a Togo-based marketing company; sharing African news/politics. | 21 domains blocked (Nov) |
| **Thailand-linked** | Sharing content about Thai politicians and the royal family (Thai language). | 7 YouTube channels (Nov) |
**Note on APT/TTPs:** The source describes *Influence Operations (IOs)*/Coordinated Inauthentic Behavior (CIB) detected on social media platforms, not traditional cyber espionage or malware-focused Advanced Persistent Threat (APT) activity. TTPs are therefore described in terms of platform exploitation and narrative themes rather than common cyber attack methodologies; the source provides no specific malware or C2 infrastructure.