The cyber intelligence firm GroupSense released the report "SHARK20385: A look into automated weaponization of stolen credentials and the impact to Internet forum and social media discourse" on 24 July 2018.
GroupSense is a cyber reconnaissance company focused on targeted intelligence for enterprise clients and governments. As a matter of course, GroupSense performs research to identify possible threat actors and indicators affecting their clients. The findings in this report are the result of research related to GroupSense’s election monitoring clients.
GroupSense’s research and the fact-based analysis in their report are important for many reasons. One is that they kick off this research thread from a known-good starting point: the well-documented indictment of 16 Feb 2018, Case 1:18-cr-00032-DLF, UNITED STATES OF AMERICA v. INTERNET RESEARCH AGENCY LLC. That indictment provided extensive detail on Russian intelligence operations in the run-up to the U.S. elections. GroupSense keyed on an email address in that document, “firstname.lastname@example.org”, and used it as the starting point for searches of their own databases.
From their report:
The email address “email@example.com” was identified as being “engaged in operations to interfere with elections and political processes.” The email address was found in the GroupSense BreachRecon database along with its password. That password appeared to be computer generated and inspired further investigation, netting 9.5 million addresses with similar seemingly computer generated passwords. The “allforusa@yahoo.com” email address was associated with an active Reddit account used to aggressively push AllforUSA stories. GroupSense research also shows the possible use of compromised addresses to operate Facebook and Twitter accounts that distributed a wide variety of inflammatory memes. Further, some of the addresses are associated with comments posted on the FCC Net Neutrality debate site.
The initial investigation conducted by GroupSense resulted in the following findings:
- Reverse searches matching third-party breached data revealed 9.5 million email accounts apparently related to “firstname.lastname@example.org.”
- Hijacked email accounts have been paired with other stolen credential data to carry out campaigns. In addition, there may be examples of new online personas created using additional hijacked email accounts.
- Many of the associated email accounts were used to post potentially fraudulent comments to the FCC Net Neutrality filing site.
- Online activity, including a website and social media accounts, is associated with “AllforUSA.”
- Compromised email accounts promoted biased content in an attempt to influence global issues.
- Compromised email accounts are used in site-for-hire activities.
- Compromised email accounts are being used to influence public opinion on important topics.
- The availability and sheer volume of these compromised accounts enables threat actors to conduct campaigns under the guise of actual citizens.
- Threat actors, including the operators of AllForUSA, are using common tools such as freelancing sites to conduct illicit activity, leveraging search engine optimization (SEO) and other common marketing tools.
For more, see: SHARK20385