An analysis of online political interference using attribution tracing: a practical attempt by Facebook

Posted by lipsius at 2020-02-27

Today's post on this official account takes a look at the day's hot news. Well, maybe this "non-existent" social network is not a hot topic in Chinese internet circles ^_^

On July 31, 2018 local time, Facebook announced on its official website that it had removed 32 pages and accounts from Facebook and Instagram because they had engaged in "coordinated inauthentic behavior" intended to mislead other users.

Before they were removed, these pages, suspected of political interference, had spent about $11,000 to buy and run 150 promotional advertisements and had attracted more than 290,000 followers in total. Since May 2017 they had created about 30 events; the most influential of these drew the attention of 4,700 users, and about 1,400 expressed an intention to attend. Just before it was removed, a page called "Resisters" was promoting a protest planned for Washington on August 10-12, 2018, and recruiting volunteers to take part in person.

The page recruiting for the protest

This is the first organized case of suspected political interference discovered and announced ahead of this year's US midterm elections. Before this, Facebook had repeatedly been asked by regulators whether there was any evidence of foreign entities interfering in the midterm elections, and had never given a clear answer. This time, Facebook was able to show the American public the efforts the social media giant is making to curb foreign interference, and Zuckerberg finally won back some ground in the public relations battle.

Zuckerberg attends congressional hearings

Although Facebook said that, based on the evidence it had submitted to law enforcement agencies and Congress, it could not confirm who was behind the operation, the analysis details given in the article by its chief security officer Alex Stamos on the company website hint that Russia's Internet Research Agency (IRA), indicted by the U.S. Department of Justice in February, may be significantly linked to it.

Facebook stressed in the announcement that the organizers who set up these pages and accounts went to greater lengths to hide their real identities than the Internet Research Agency (IRA), which also used Facebook to run inflammatory disinformation campaigns during the presidential election two years ago. This may be partly due to the deterrent effect of the two indictments of Russian citizens and organization staff brought by the Department of Justice in the "Russiagate" investigation since 2018, and partly due to the series of anti-abuse policies Facebook has adopted in the face of public accusations and doubts. These efforts have made it harder for foreign actors to place advertisements or organize promotional activities that could influence American voters.

So here is the question: the organizers of these "active political interference" operations have become more cautious and spent more effort hiding their identities, so how does Facebook still extract valuable clues from its analysis?

Alex Stamos, chief security officer, Facebook

This is explained in the article by chief security officer Alex Stamos. Of course, he first stressed that, compared with the allegations about the Internet Research Agency's interference in the 2016 general election, the current analysis of these accounts is still not accurate or comprehensive enough, so research institutions and law enforcement agencies also need to be brought in to help dig up further clues using their various resources and ultimately achieve attribution of the malicious actors.

Attribution refers to the process of relating observed activity to specific threat actors. The academic literature contains rich discussion of this topic, and over the past few years this official account has also followed the debates on attributing malicious behavior in cyberspace. The views and methods that emerged from those debates have in turn become the standard reference for Facebook's security analysts in tracing attribution in this incident.

In Facebook's situation, the first challenge for its security analysts is to define what kind of entity the attribution process should ultimately identify. Simplistic techniques, such as blaming the owner of the IP address used to register a malicious account, are clearly unreliable. Instead, the security analysts try to:

Associate the suspicious activity with the person or group primarily responsible for the malicious action. The same group of malicious actors can then be linked across multiple operations to analyze how they abuse the system and to take further countermeasures.

Connect the observed malicious actors to a real-world sponsor. The sponsor behind the scenes may be a political organization, a state entity, or a non-political entity.

Once the goal of attribution is clear, many kinds of analysis methods are used in the actual analysis. These methods are well covered in earlier academic works, reports and papers, but in Facebook's practice, Alex Stamos said, they mainly used four attribution models:

Political motivation: in this model, the inferred political motive is assessed against the currently known political goals of a nation-state. Alex Stamos believes that Facebook should not publicly comment on the political motives of nation-states, because the company actually lacks the information needed to make such an assessment.

Coordination: this model analyzes the coordination between threat actors who appear to be acting separately through different channels, and can reveal the links and shared purpose between different groups operating against the same background.

Tools, techniques, and procedures (TTPs): observing how a threat actor group carries out its operations to achieve its goals, including reconnaissance, planning, exploitation, command and control, data theft and distribution, can often help infer the relationship between a specific incident and a specific threat actor group. TTPs are usually very effective at revealing links between current malicious activity and past threats, but attribution cannot rely on the TTP model alone.

Technical forensics: by studying the indicators of compromise (IOCs) left behind in an incident, activity can sometimes be traced to a specific threat group. In many cases this is the simplest and most effective method of attribution. When technical forensics give high confidence, defenders usually publish the attribution indicators and report the specific details to the relevant government departments. This is especially reliable when multiple independent organizations provide compatible and consistent IOCs.

Applying this attribution framework to the discovered pages and accounts, Alex Stamos reached the following conclusions:

Facebook does not assess the political motives of the groups behind the incident.

Facebook found that these accounts are linked to accounts previously identified as belonging to the Russian Internet Research Agency (IRA). For example, a known IRA account was at one time an administrator of one of the pages found this time. Facebook considers this an important detail, but not decisive on its own, because there have been past cases of genuine political groups interacting directly with the IRA.

Facebook confirmed that some of the tools, techniques and procedures (TTPs) used by these actors match what was observed from the IRA in 2016. This analysis is also not enough to attribute the activity to the IRA, because the set of TTPs used by the IRA has been widely publicized and discussed, and any malicious actor could copy the whole playbook.

The technical evidence Facebook obtained is not enough to support high-confidence IOC-based attribution. For this reason, Facebook proactively reported the technical findings of the incident to U.S. law enforcement, in the hope that agencies with greater evidence-gathering resources can reach a more accurate attribution conclusion.
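To make the four-model framework and the way Facebook weighed its findings concrete, here is a small scoring script. It is an added illustration, not code from the original post or from Facebook; the actor profile, account ids, page names, TTP labels, IOC values and the thresholds are all constructed placeholders. It implements the reasoning described above: shared administrators (coordination) and TTP overlap are supporting evidence only, a matching IOC counts as high confidence only when corroborated by independent sources, and anything weaker is referred onward rather than published as attribution. Political motivation is deliberately left unscored.

```python
"""Toy attribution scorer applying the four-model framework described above.

Added illustration only: the actor profile, account ids, page names, TTP
labels and IOC values are all constructed placeholders, not real indicators.
"""
from dataclasses import dataclass

# Constructed profile of a previously attributed threat actor (placeholder data).
KNOWN_ACTOR = {
    "name": "actor-A",
    "accounts": {"acct-101", "acct-102"},
    "ttps": {"fake-news-pages", "paid-promotion", "event-creation", "admin-rotation"},
    "iocs": {"ioc-x", "ioc-y"},
}


@dataclass
class Evidence:
    """What the defender observed in the current campaign."""
    page_admins: dict      # page name -> set of administrator account ids
    observed_ttps: set     # TTP labels seen in this campaign
    observed_iocs: dict    # IOC value -> set of independent sources reporting it


def coordination_links(page_admins, known_accounts):
    """Coordination model: pages that share an administrator with a known actor account."""
    return {
        page: admins & known_accounts
        for page, admins in page_admins.items()
        if admins & known_accounts
    }


def ttp_overlap(observed, known):
    """TTP model: Jaccard similarity between observed and known TTP sets (0.0 to 1.0)."""
    union = observed | known
    return len(observed & known) / len(union) if union else 0.0


def ioc_confidence(observed_iocs, known_iocs, min_sources=2):
    """Technical-forensics model: matching IOCs give 'high' confidence only when
    corroborated by at least min_sources independent sources."""
    matches = {ioc: srcs for ioc, srcs in observed_iocs.items() if ioc in known_iocs}
    if not matches:
        return "none", matches
    if any(len(srcs) >= min_sources for srcs in matches.values()):
        return "high", matches
    return "low", matches


def assess(evidence, actor, ttp_threshold=0.5):
    """Combine the models: coordination and TTP overlap are supporting evidence,
    a high-confidence IOC match justifies public attribution, anything weaker is
    referred onward. Political motivation is deliberately not scored."""
    links = coordination_links(evidence.page_admins, actor["accounts"])
    overlap = ttp_overlap(evidence.observed_ttps, actor["ttps"])
    ioc_level, ioc_matches = ioc_confidence(evidence.observed_iocs, actor["iocs"])

    findings = []
    if links:
        findings.append("coordination: shared admins with a known account (supporting, not decisive)")
    if overlap >= ttp_threshold:
        findings.append(f"ttps: overlap {overlap:.2f} with known actor (supporting; TTPs can be copied)")
    if ioc_matches:
        findings.append(f"forensics: {len(ioc_matches)} matching IOC(s), confidence {ioc_level}")

    if ioc_level == "high":
        verdict = "attribute"      # publish indicators and report to authorities
    elif links or overlap >= ttp_threshold or ioc_level == "low":
        verdict = "refer"          # hand findings to law enforcement for further work
    else:
        verdict = "inconclusive"
    return {"verdict": verdict, "coordination": links, "ttp_overlap": overlap,
            "ioc_confidence": ioc_level, "findings": findings}


# Constructed evidence mirroring the case: one page shares an admin with a
# known account, most TTPs match, but the one matching IOC has a single source.
CASE_EVIDENCE = Evidence(
    page_admins={"page-1": {"acct-101", "acct-300"}, "page-2": {"acct-301"}},
    observed_ttps={"fake-news-pages", "paid-promotion", "event-creation"},
    observed_iocs={"ioc-x": {"internal-telemetry"}, "ioc-z": {"internal-telemetry"}},
)

# Same campaign, but the matching IOC is independently corroborated by a second source.
CORROBORATED_EVIDENCE = Evidence(
    page_admins=CASE_EVIDENCE.page_admins,
    observed_ttps=CASE_EVIDENCE.observed_ttps,
    observed_iocs={"ioc-x": {"internal-telemetry", "partner-report"}},
)

if __name__ == "__main__":
    for label, ev in (("case", CASE_EVIDENCE), ("corroborated", CORROBORATED_EVIDENCE)):
        result = assess(ev, KNOWN_ACTOR)
        print(label, result["verdict"], result["findings"])
```

Run as a script, the first evidence set yields the verdict "refer" with coordination and TTP findings but only a low-confidence IOC, matching the post's conclusions; the corroborated set yields "attribute". The threshold values and the rule that a single source is never enough for "high" are design choices for the illustration, not figures from the post.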

Facebook's disclosure of this online political interference and its attribution analysis are also a good example for anyone trying to carry out attribution analysis. Alex Stamos's article introduces the basic framework, the models and methods, and a worked case of attribution. It is not hard to see that attribution is not some profound, mysterious, arcane technique, but an analytical system built on critical thinking. In the fields of network security and intelligence law enforcement in the United States, this system has been developed over many years and has accumulated a great deal of practical experience and theoretical results. This official account will introduce more of it to readers in the future. Your continued attention is welcome.

To learn more about Alex Stamos's article, search for "how much can companies know about who's behind cyber threats?".