Overwatch Series: Information Operations Campaigns – Their Influence and Longevity

In last week’s issue of Overwatch, “Information Operation Campaigns In Plain Sight,” we highlighted our combined efforts with Pangea Group to uncover information operations (IO) surrounding tensions between China and Taiwan. Working with local analysts, we uncovered a three-pronged approach to China’s IO campaign that frames the problem set at the local level.

For this week’s Overwatch, we broaden our scope to see how these IO campaigns survive the distance and how effective, or ineffective, they are with Americans across several landscapes: the U.S. government, news media outlets, and citizens. Recently, analysts have seen an increase in Taiwan mentions across mainstream Western/U.S. media, even though tensions between the Democratic Republic of China (DRC/Taiwan) and Mainland China have been on the rise since the elections of Democratic Progressive Party presidential candidate Tsai Ing-wen in 2016 and 2020.

Bipartisan support for helping Taiwan bolster its defenses to counter China has allowed legislation at the Congressional level, and action at the Executive level, to go forward since early August. This bipartisan consensus may be targeted in the future by Chinese information operations seeking to erode the U.S. government’s ability to support Taiwan.

As with all politics, the U.S. will need to tread lightly as it deals with opposing sovereign nations. Overwatch and Pangea analysts highlighted in last week’s Overwatch that the good intentions of the U.S. Government can be the fuel that China needs to push its agenda. This specific IO campaign aligns with China’s message that paints the U.S. as the sole party responsible for changing the status quo in the Taiwan Strait, and it supports the IO message that the U.S. has repeatedly breached its commitments to Beijing with respect to Taiwan.

U.S. News Coverage 

The effects of this bipartisan support to bolster Taiwan’s national defense can be seen in the media’s coverage of the $1.1 billion arms sale to Taiwan, as well as articles about the current state of Taiwan’s military. Articles across media sources such as CNN, Foreign Policy, Insider, and the Financial Times focus on the relative unpreparedness of Taiwan’s military for a conflict with China and the need for further arming Taiwan through the purchase of arms from the United States.  

Perhaps more interesting, though, have been comparisons between increased military spending in Taiwan and the crisis in Ukraine. A Foreign Policy article published on September 8, 2022 notes that “The U.S.-led response to Russia’s war of aggression in Ukraine has been impressive but it is not a model for a similar intervention in Taiwan.” The article goes on to mention the need to arm Taiwan preemptively as geography, and the risk of U.S.-Chinese confrontations, would make arming the island after the fact nearly impossible without risking expanding the war.  

From the articles mentioned above, we can see that the U.S. media’s framing of the increasing tension and potential conflict with China projects bipartisan support for the arming of Taiwan’s military, which is seen as currently lacking the equipment to counter the Chinese. The narratives presented above also paint a picture that the United States will be responsible for arming the country and that this must be carried out for the same reasons the U.S. is currently sending military aid to Ukraine.  

What U.S. Citizens are Saying 

A quick look at Twitter helps lay out some potential avenues through which bipartisan support could begin to be eroded. Starting as early as August 30, 2022, accounts across the platform began tweeting their dissatisfaction with the U.S. spending money on the defense of Ukraine and Taiwan when the city of Jackson, Mississippi was unable to provide clean drinking water for its citizens. 

Tweets about this issue began taking on a similar format and were discovered in both English and Spanish.

While it may be tempting to think that these sentiments are being driven by the Chinese agenda, they are instead opportunities for China to exploit the difference in opinion between the U.S. government and its constituents. Targeted fractures like this on the digital landscape create accessible entry points from which disinformation campaigns can be launched to erode the U.S. resolve reflected in Western media. These are avenues to monitor for China’s third line of effort in an IO campaign: seizing the opportunity to highlight discord in others to serve its own self-interest.

While the narrative of the bipartisan push to arm and support Taiwan in the face of Chinese aggression has been the dominant conversation surrounding the ongoing tension, other topics have been essential to open-source intelligence analysts. These include the specific economic ramifications of increased tension or war over Taiwan, the logistics of a Chinese invasion of the island, the perspective of mainland Chinese citizens, and the views of those in Taiwan.

While doing research for this brief over the last month, analysts found an article from a tech magazine published on September 12, 2022 that went into detail about the need to diversify semiconductor chips due to the increased risk of conflict, as well as an article from a local Fox affiliate website published on September 5, 2022. Additionally, an article published in Newsweek discussed a report on the 3,500 targets China would likely focus on in Taiwan during a conflict. Analysts found no mention of the reaction of China’s domestic population to increasing tensions with Taiwan in western media sources. Finally, most articles that feature the perspective of individuals in Taiwan focus solely on their view on the incursion of Chinese ships and planes over the median line of the Taiwan Strait.

In summary, the content found in U.S. news media tends to focus only on the U.S.’s role in the current tensions between Taiwan and China, while content specific to Taiwan generally focuses only on the potential flashpoints that could cause the conflict to erupt. The perspective and responses of the Chinese and Taiwanese to these crises are missing from these narratives and can only be fully understood through the analysis of regional media created outside the United States. 

Our Assessment 

Social media platforms like Twitter and Facebook have recently been in the news regarding their campaigns to remove politically motivated bot accounts from their platforms. Overwatch analysts assess that this will have a great effect on IO campaigns across social media but will not have a great impact on news and political agendas. As such, Overwatch and Pangea analysts will be monitoring the trends in media over the next 30 days to see just how much of an effect the removal of these accounts has on IO campaigns in plain sight.
Information Operation Campaigns In Plain Sight

The invasion of Ukraine by Russian forces was perhaps a global eye-opener to the fact that sovereign nations still go to war with each other. As unpleasant as the concept of war is, it will not be the last time we see events like this unfold. However, what is different now is that any action, big or small, can draw the observation and criticism of not just governments, but citizens of the world who are all connected through the internet. How will those nations fight back? In this first installment of an Overwatch series, analysts look at how sovereign nations use the internet to prepare the global stage for their actions. Enter: Information Operations or IO. 

Understanding information operations is crucial to understanding what is happening around us. Every message from a media agency or government delivers a well-designed purpose to a target audience. To see the full spectrum of an IO campaign, you must put yourself in the shoes of both the deliverer and the receiver of the message. To do this, Overwatch analysts partnered with Pangea Group to provide ground-level research and intelligence. This native-level insight into cultural and linguistic nuances enables a research team to see things that conventional artificial intelligence and machine learning tools overlook.

Three Sides of the Coin 

While it may be common knowledge that countries such as Russia or China fully employ IO campaigns, it’s not always clear how complex they can be. With the help of analysts in the local area, we can now see that China has three very distinct functions of its IO campaign with Taiwan:  

Overwatch analysts will highlight the different IO campaigns and how they support China’s mission to prepare the stage for future actions as we move forward.  

The View from Taiwan 

Since the invasion of Ukraine by Russian forces, common themes and messages coming from Taiwanese locals, and the media outlets they follow, have shifted slightly from a distant possibility of a Chinese invasion to the full likelihood of it. According to the Formosa survey conducted on March 23-24, 2022, as stated in an article in Newsweek, local Taiwanese concern about invasion had increased by 10%. To the outside observer, this increase may seem low; however, in an environment where “For more than 70 years, people have ‘waited’ for a war that is yet to come,” this shows a shift in local sentiment significant enough to pay close attention to.

Taiwan’s information environment has seen sentiment from pro- and anti-reunification messaging for over 70 years. This has led several Taiwanese generations to anticipate that, someday, the Chinese Communist Party (CCP) can and will be in control of Taiwan by any means. This narrative suits the CCP, which speaks of trying to create a peaceful solution while simultaneously issuing deterrent messages aimed at foreign influence, such as a flash invasion, a lightning assault, and firmly cracking down on Taiwan’s independence separatist acts.

According to the white paper released by Xinhua on August 10, 2022, “people on both sides…have set out on a path of peaceful development,” a message the CCP would have the mainland and the Wai Mei 外媒, or foreign media, believe. This messaging is amplified through CCP Western social media campaigns with messages stating:

  • You have me, and I have you – relating to the electronic semiconductor industry, where influencers attempt to create a sense of panic around the issue of a world shortage in the event tensions in the Taiwan Strait rise to open conflict.
  • I waited for a long time, motherland; you finally came to pick me up – using famous Hong Kong singer Andy Lau’s song “Today” to provide the assumption that Taiwan would see the CCP’s invasion as a liberation.
  • Taiwan reunification – mentioned several hundred thousand times a day, with common messages stating surrender, comply, re-education, and untenable.
  • Taiwanese are Chinese… Actions speak louder than words – Singer Li Jianfu wrote the song “Descendants of the Dragon” in 1978 in response to America’s decision to break off diplomatic relations with Taiwan to pursue relations with the CCP. Using historical significance and pop culture, this song has been replicated and shared with millions of re-tweets, shares, and likes.
  • Taiwanese should strive for national rejuvenation – suggestive language in response to Ambassador Qin Gang’s statement that “One Country and Two Systems” is democracy.

Much of the internal messaging by the CCP on the topic of Taiwan is lighthearted and suggestive of a long-lost relative rather than an oppressive foreign invader. In line with its internal IO campaign, these types of messages are meant to normalize the idea that reunification is the best option for the Taiwanese people. While media outlets and social media outside of mainland China are painting one picture, locals inside mainland China see something very different.

China’s Public Face

In its first public message on Pelosi’s visit to Taiwan on August 2nd, 2022, China primarily tried to portray the United States as the instigator of the current tensions and to reassure China’s domestic population that the CCP is defending the country’s sovereignty. Beijing issued a rare and highly authoritative Foreign Ministry Statement that stated China “will never accept” Speaker Pelosi’s visit and “will never agree to it,” and that the visit is tantamount to “playing with fire.” An equally rare Taiwan Affairs Office (TAO) Statement mirrored these statements. At the same time, the People’s Liberation Army (PLA) Eastern Theater Command announced a series of multi-day military operations in various locations around Taiwan, one of which was to entail “conventional firepower demonstrations” east of the island.

These messages set the ground for an IO campaign that prepared observers for the uncertainty and strife that would occur if outside entities interfered with Chinese internal governance. China made a bold attempt to push these IO campaigns further by making multiple public claims, on state-sponsored media sites aimed at an internal audience, that it was sending SU-35 fighter jets over the Taiwan Strait less than 20 minutes before the Speaker’s arrival in Taipei. This message was likely meant to bolster patriotism and the belief that China would defend its sovereignty. However, Taiwan’s Ministry of National Defense quickly debunked these claims.

China continued its public IO messaging surrounding the mid-August and late-August U.S. congressional delegations, the first and second since the U.S. Speaker of the House visited Taiwan in early August. These public statements continued to paint the United States as the sole party responsible for changing the status quo in the Taiwan Strait and accused the U.S. side of having repeatedly breached its commitments to Beijing concerning Taiwan. These key themes are consistent with those observed in response to the Speaker’s visit and in line with China’s third aspect of IO: preparatory. Beijing is now attempting to signal that it has no choice but to respond forcefully to these provocations on issues pertaining to its sovereignty, and that the international community is aligned with Beijing on this issue.

Taiwan Independence, a toxic cup of wine: Image created by Global Times, a Chinese state-run media company, in response to the visit by the U.S. Speaker of the House. The image was created by CGTN, an English-language media company based in Beijing. This cartoon has made it into every corner of the internet, from U.S.-based credible news sources to Chinese and U.S. social media platforms.

Separate from the messages directed against U.S. interference with China, we also see counter-messaging themes denying human rights violations.

This cartoon was recently broadcast on Weibo, Twitter, Facebook, and Telegram in response to a United Nations report generated by the Office of the High Commissioner for Human Rights (OHCHR). The report details investigations of China’s Xinjiang Uighur Autonomous Region (XUAR) in response to “2017… increasing allegations by various civil society groups that members of the Uyghur and other predominantly Muslim ethnic minority communities were missing or had disappeared”.

In a recent Public Broadcasting System article, Chinese Foreign Ministry spokesperson Wang Wenbin replied, “The assessment is a patchwork of false information that serves as political tools for the U.S. and other Western countries to use Xinjiang to contain China strategically. It again shows that the U.N. Human Rights Office has been reduced to an enforcer and accomplice of the U.S. and other Western countries.” This continues the narrative that the U.S. and the U.N. deliberately spread falsehoods to undermine China’s security and internal peace.

The Global View  

In next week’s Overwatch brief, analysts will uncover what everyone else on the internet sees when they take a cursory look into the affairs of China and Taiwan. In the following brief, Overwatch and Pangea Group analysts will look deeper into how these Information Operations campaigns can affect global economies, governments, and private citizens in Jackson, Mississippi. 

An Unsealed Indictment Unravels How Russian Informants Leverage American Fracture Points

On July 29, 2022, the United States Department of Justice unsealed an indictment charging Russian national Alexander Viktorovich Ionov with acting as an unregistered foreign agent on behalf of Russia, and with conspiring to have “U.S. Citizens act as illegal agents of the Russian government” between December 2014 and March 2022. While the maximum penalty for this crime is five years of imprisonment, the implications of this conspiracy are significant, as the indictment alleges that Ionov was in contact with, and working on behalf of, members of the Russian Federal Security Service (FSB) during this period. Ionov and his various affiliated organizations have since been sanctioned by the United States for this activity.

This week’s Overwatch investigates the conspiring activities of Ionov and U.S. Political Groups 1, 2, and 3, as listed in the unsealed indictment. Subsequent actions by the United States government, along with context clues within the indictment, allow analysts to identify the groups conspiring as agents of the Russian government, as well as to understand the structure, content, and strategy of Russian influence operations in the United States.

Alexander Ionov and the Anti-Globalization Movement of Russia 

Alexander Ionov’s website describes him as the President of the Anti-Globalization Movement of Russia (ADR) since 2011. The ADR is described as “a socio-political movement that advocates ensuring the full sovereignty of the states of the world and, above all, the sovereignty of Russia itself as an independent player in the political, economic and cultural arena of the world.” Additionally, according to his website, Ionov is involved in several other businesses and groups, including being a member of the Presidium of All-Union Organization “Officers of Russia,” a Member of the Coordinating Council of the Anti-Maidan Movement, and Vice President of the International Committee for the Defense of Human Rights, among others. Interestingly, the “Anti-Maidan Movement” is an anti-Ukrainian, pro-Russian Republic group that was started in response to Ukrainian action against separatists and Russian activity in the east of the country, which culminated in the ongoing war today. 

Ionov’s activity has not been confined to separatist and left-leaning movements, as the indictment would seem to convey; his interests also extend into traditionally right-leaning non-governmental organizations (NGOs). For example, in 2018, Ionov and the ADR started a fund for Russian agent Maria Butina, who had been charged with acting as an unregistered agent for the Russian government. Butina had used the NRA (National Rifle Association) to establish back channels to American political figures and power brokers. This action denotes a broader coalition between unregistered foreign agents working on behalf of Russia, defined not by ideology but by a shared goal of Russian influence.

For this brief, analysts focused on activities associated with the ADR. The group’s website shows “honorary members,” such as the Dictator of Syria, Bashar Hafez Al-Assad, and the President of Iran from 2005-2013, Mahmoud Ahmadinejad.  

ADR Honorary Members

Further review of the site indicates little activity since 2015, but that is not a reflection of the organization’s activities or the activities of Ionov.  

Ionov and the ADR hosted conferences called “Dialogue of Nations – the right to self-determination and constructing a multipolar world” in 2015, 2016, and 2020. In 2015 and 2016, the conferences were in-person events held in Russia, while the 2020 event was virtual due to COVID. Conference participants included Texas separatists, Puerto Rican separatists, Eastern Ukrainian separatists, and Northern Irish political groups looking to break away from the United Kingdom and rejoin Ireland. A post from Alexander Ionov’s Facebook page includes a list of 19 speakers for the 2020 conference. Among the participants are leaders of U.S. Political Groups 1, 2, and 3.

The Department of Justice (DOJ) indictment alleges that, during the first conference in 2015, Ionov paid for and first established contact with the Uhuru Movement. Ionov likely established his connection to the Yes, California movement at one of these annual events.

Since the indictment and the raid on the Uhuru, recent posts by Ionov have focused on combating statements made in the indictment and defending the Uhuru Movement. Examples of these posts can be seen below, attempting to spin the arrests as an unjust targeting of African Americans by the FBI.

Having gained some understanding of how Ionov first established contact with the unnamed groups in question, Overwatch analysts found it pertinent to explore these groups’ backgrounds in further detail and survey their digital content.  

Uhuru/APSP 

U.S. Political Group 1 is described in the indictment as a group out of St. Petersburg, Florida. The indictment alleges that Ionov helped the group facilitate a trip to Russia in 2015, exercise direction and control over senior members for seven years, fund protests, and most shockingly, fund and help supervise 2017 and 2019 local elections in which the group ran candidates.  

The group has since been identified as the Uhuru movement, an African Internationalist Movement founded in 1972 and tied to the African People’s Socialist Party (APSP), headquartered in St. Louis, Missouri and St. Petersburg, Florida. The Federal Bureau of Investigation (FBI) subsequently raided this group, and key leaders were arrested the same day the indictment was released.  

The Uhuru movement is an international organization and a branch of the African People’s Socialist Party, led by chairman Omali Yeshitela, also known as Joe Waller. The organization’s website lists the movement’s goal as “…uniting African people as one people for liberation, social justice, self-reliance, and economic development.” Even though the organization has been around since the 1970s, a review of the group’s digital content shows that it only began publishing and pushing content overtly friendly to Russian interests starting in 2015, when the current chairman Omali Yeshitela went to the first Dialogue of Nations conference hosted by Ionov.

Early posts between 2015 and 2018 on Yeshitela’s personal Facebook page and his organization’s Twitter and Facebook accounts feature content that juxtaposes the lack of police brutality against Africans in Russia with the situation in the U.S., feature multiple pictures with Ionov, and declare solidarity with the ADR.

More recent content, specifically since the beginning of the war in Ukraine, has overwhelmingly defended Russian action. These posts criticized the North Atlantic Treaty Organization (NATO), painted Russian aggression as a defensive war, and played into the narrative that Ukrainian fighters are U.S.-backed Nazis targeting Africans and Russians. Outside of Facebook, many of these narratives have been pushed during livestreams published on the group’s YouTube channel, The Burning Spear TV. Ionov has made multiple appearances on the channel, including an interview on March 13, 2022.

This content has even been shared to other unrelated groups, such as the Dr. M.L.K. March For Racial Equality, Economic Justice, and Peace Facebook group, most likely to spread Russian-backed narratives to a broader African-American audience.

Since the indictment and arrests, the Uhuru Movement has posted multiple times on social media, demanding that the FBI back off their organization. A press conference after the arrests featured the organization’s spokesperson reaffirming the group’s support of Russia but refusing to comment on whether they received illegal funds from Ionov.

Black Hammer 

U.S. Political Group 2 is described as an Atlanta-based political group to whom Ionov allegedly sent money to protest Meta/Facebook over its restrictions on Russian posters. They were identified as the Black Hammer Movement, a cult-like offshoot of the Uhuru Movement.

Black Hammer was started by Uhuru’s former Secretary General Gazi Kodzo. Analysts identified that, before his time at Uhuru, Kodzo went by the alias Smiletone, posting blogs and photos about his life and various parties in Atlanta and Los Angeles. Kodzo’s first overtly political post discovered by analysts was in 2012 and focused on the perceived disparity between the money given to Israel and the lack of money given to African Americans by the U.S. government. Between 2014 and 2015, Kodzo moved to St. Petersburg, Florida, and became involved in the Uhuru movement. During his time with Uhuru, Kodzo was active in the St. Petersburg area, protesting at council meetings, organizing marches supporting Black Lives Matter, and posting videos protesting police brutality. Kodzo’s affiliation with the group officially ended in 2018; according to videos posted by Kodzo, he separated due to corruption and misuse of funds within the Uhuru Movement.

After leaving Uhuru, Kodzo started the Black Hammer organization in Atlanta, and the group devolved into a cult-like organization with Kodzo as its leader. The group went on to run digital campaigns against police brutality and injustices faced by African Americans to bolster its brand and drive fundraising and recruitment. Many of these campaigns were meant to manufacture controversy through hashtags such as #2BFrank, belittling the tragedy of the Holocaust. Additionally, the group attempted to start a breakaway city in Colorado called Hammer City, only for it to be revealed that the group was squatting on the land after failing to officially purchase the property.

In addition to these campaigns, Black Hammer also made several posts supporting Russia and Russian action in Ukraine. In a video titled “Happy Victory Day to Russia!” posted to Commander Gazi’s YouTube Channel on May 9, 2022, viewers can see members of Black Hammer waving a Russian flag in front of the CNN building in Atlanta, Georgia. A second video was posted to the channel on May 22, 2022, featuring Black Hammer members protesting in front of the Meta building in California, waving a Russian flag again. On Facebook, Kodzo made a post in April claiming Vladimir Putin had shouted out the group after they formed a “Z” in support of the Russian military and their action in Ukraine. This story was picked up by Russian State media, suggesting some level of coordination.  
Four months later, Kodzo and another member of Black Hammer were arrested on July 21, 2022, for charges not associated with the Ionov indictment. Since the arrest and the indictment of Ionov, Black Hammer social media has continued to consistently post statements by Kodzo from jail and posts supporting the Russian invasion of Ukraine.
Yes, California 

Finally, U.S. Political Group 3 is described as a California-based group whose goal is the secession of California from the United States. This group is easily identified as the Yes, California Movement. The indictment alleges that Ionov helped fund a February 2018 protest by the group in Sacramento, California. 

Yes, California is an organization started around 2015 by right-wing activist turned California secessionist Louis J. Marinelli. Marinelli first appeared on the political scene in 2015 when he ran for California State Assembly on a platform of California independence from the United States. Before that, Marinelli had lived and studied in Russia since 2006, moving back sometime in the early 2010s. Marinelli has since moved back to Russia, though he remains active in the Yes, California organization, acting as its “ambassador” and representative in the country.

The movement and Marinelli have been featured in news stories posted to Russia Today, a Russian state-controlled news organization funded by the Russian government. Stories featuring the group, often in conjunction with Texas separatist groups, started as early as 2016 and seem to have continued up to about 2018. This, along with Marinelli’s Russian background, his and the group’s participation in Ionov’s conferences, and the opening of a “California Embassy” in Russia, would be enough to begin posing questions about Russia’s interest and influence when it comes to the organization. Still, reviewing the content paints an even stronger association between the group and Russian interests.

The group’s content regarding Russia displays a pattern of support for Russian action against Ukraine and general participation in Russian-backed events. In 2020, for example, the group tweeted that it would be attending the Dialogue of People’s conference, noting that the Donetsk People’s Republic was organizing it. Around the same time, the group’s Facebook page supported Russia’s annexation of Crimea, pointing to U.S. hypocrisy given its seizure of California and other territories during the Mexican-American War.

Yes, California’s support of Russian objectives was not limited to Russian action in Crimea. In 2021 the group tweeted that Marinelli was attending a conference led by the Union of Yemeni Citizens in Moscow, and it also posted a tweet and video criticizing Western sanctions against Russia.
Overwatch analysts could not locate further tweets by Yes, California associated with Russia or Russian narratives, nor any statement by the group following the indictment.

Our Assessment 

As a result of the investigation outlined above, Overwatch assesses that Russian information operations in the United States span group type, goal, political affiliation, age, and structure. Russian influence seems to withstand internal group fracture, with group offshoots continuing their relationship with Russian agents. Further, we assess that Russian influence operations will continue targeting existing fracture points in U.S. society. Whether those fractures are economic, social, or political does not matter, as they all contribute to the overall goal of instability and, as a byproduct, paralysis when countering foreign adversaries.

Additionally, while national election interference often makes headlines, interference in smaller local elections rarely seems to be a concern. However, within these smaller ecosystems, information operations can be most effective in terms of results and in swinging local elections. This is because an information operation contained in a niche group or locale can go mainstream somewhat organically, adding a level of subterfuge that would not otherwise be present in a more extensive information operation.

Finally, we assess that because of this indictment and potential arrests made in the wake of it, we will likely see Russian information operations become more covert in nature, eschewing high-profile influencers like Ionov for less visible means of contact with a targeted group.
Computers for Hire: A Look at the Growing Phenomenon of Mercenary Hackers

Overwatch 64 Header Mercenary Hackers

In December of 2021, the United States Department of State announced that a hack had been attempted on several State Department employees’ cellphones. The announcement revealed that the hack had been carried out using Pegasus, spyware made by NSO, an Israeli company. The hack targeted U.S. State Department employees active in Uganda. In response, NSO claimed it was unaware of any such use of its technology and ensured that the clients in question could no longer use the platform.

This NSO case raises concerns about both national security and ethics. It shows how these tactics and tools, once bought, can affect a target’s civil rights or a state’s national security. It also raises questions about the morality and ethics of this type of technology and service, and about what legal barriers should be in place when selling such a product or service. Already, we have seen Israel mandate that NSO block Pegasus from targeting United States-based cell phone numbers, use the technology as a bargaining chip with Middle Eastern Gulf countries, and bar the company from selling the technology to Ukraine and Estonia for fear of damaging Israel’s diplomatic relations with Russia.

In this issue of Overwatch, we will focus on what this digital threat actor landscape looks like in a world where they can pose as legitimate information security companies while selling potentially illegal hacking technology and services to the highest bidder. We will draw on recently publicized cases to understand what is becoming a critical security issue for not only states but also private companies, civil society, and individuals.

Growing Demand for Hack-for-Hires

Hack-for-hire is the practice of hiring a firm or individual, or purchasing their technology, to target someone and gain access to their digital devices for surveillance or theft. These groups are often called Mercenary Advanced Persistent Threat Groups (APTGs) or, by companies such as Microsoft, Private-Sector Offensive Actors (PSOAs). While outfits participating in this activity can be as small as one individual or a small group, accusations against large information security firms engaging in this business are common.

An advanced persistent threat (APT), the activity such groups carry out, is “…a covert cyber-attack on a computer network where the attacker gains and maintains unauthorized access to the targeted network and remains undetected for a significant period.” These attacks often surveil activity and steal data rather than shut down a network or hold it hostage for ransom.

APTGs that engage in cyber-attacks are often linked to nations with adversarial relationships with the United States, such as Russia, China, North Korea, and Iran. However, the existence of mercenary APTGs shows a large and growing market for this type of service both in the private sector and in countries that may not have the resources or skill to establish their own outfits or technologies.

Different national laws surrounding computer hacking can create a grey area regarding the legality of such operations by private individuals or businesses. However, the tools, scope of work, and the hackers themselves, once hired, often have little consideration for national laws or boundaries.

Examples of the names used to track these types of groups by targeted tech companies such as Meta, or by information security companies like Norton, can be seen on the map below. As displayed, attacks by these groups often cross national borders:

[Map: names of mercenary APTGs and the national borders their attacks cross]
Source: Cyjax

Phishing Tactics

Frequently, these groups can be tied back to legitimate businesses. This was the case with a mercenary APTG tracked under the code name “Sourgum,” which was traced back to an Israeli surveillance firm named Candiru. More famously, an Indian InfoTech company named BellTroX InfoTech/BellTroX Services, or BellTroX D|G|TAL Security (p) Ltd., was tied to the mercenary APTG codenamed “Dark Basin.”

APTGs use a variety of methods to infiltrate systems. One of the most prominent is phishing, where an email or notification is sent to someone’s phone or computer to entice an engagement that gives the attacker access to the device. An APTG targeting a specific individual may use spear phishing, where publicly available information is leveraged to personalize the message and entice an action from the recipient. An example of this tactic can be seen in the image below:

[Image: example spear-phishing email]
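The spear-phishing pattern described above leaves a few signals a defender can check mechanically before a recipient ever clicks: a display name that borrows a trusted domain, a sending domain that is a visual near-miss of a real one, a Reply-To routed elsewhere, and link text that does not match the real href. The script below is an added example, not code from the Overwatch article or from any firm it names; the message, the trusted-domain list and every domain in it are constructed placeholders.

```python
"""Heuristic spear-phishing indicator check for a raw email message.

Added example (not from the Overwatch article). The message, the trusted
domain list and all domain names below are constructed placeholders.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the recipient's organisation genuinely exchanges mail with (placeholder).
TRUSTED_DOMAINS = {"example-lawfirm.com", "example.org"}

# Constructed sample: a message impersonating a law firm, mirroring the
# litigation-support pretext the article describes.
SAMPLE_EMAIL = """\
From: "Legal Team - example-lawfirm.com" <notices@examp1e-lawfirm.com>
Reply-To: collect@mail-relay.example.net
To: target@example.org
Subject: Re: discovery documents for the pending matter
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Counsel, the documents you requested are ready for review:</p>
<p><a href="http://examp1e-lawfirm.com.login-portal.example/docs">https://example-lawfirm.com/docs</a></p>
</body></html>
"""

# Constructed benign message from the genuine domain with an honest link.
BENIGN_EMAIL = """\
From: "Legal Team" <notices@example-lawfirm.com>
To: target@example.org
Subject: discovery documents
Content-Type: text/html; charset="utf-8"

<p><a href="https://example-lawfirm.com/docs">https://example-lawfirm.com/docs</a></p>
"""

HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s<>"]+', re.I)


def registrable(host):
    """Crude registrable-domain guess: the last two DNS labels."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def looks_like(candidate, trusted):
    """Lookalike test: equal after undoing common substitutions (1->l, 0->o, rn->m, vv->w)."""
    if candidate == trusted:
        return False

    def fold(s):
        return s.replace("rn", "m").replace("vv", "w").replace("1", "l").replace("0", "o")

    return fold(candidate) == fold(trusted)


def html_body(msg):
    """Return the decoded text of the first text/* part (empty string if none)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_maintype() == "text":
            return part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def phishing_indicators(raw):
    """Return a list of human-readable indicators found in the raw message."""
    msg = message_from_string(raw)
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    from_dom = registrable(addr.split("@")[-1]) if "@" in addr else ""

    for trusted in sorted(TRUSTED_DOMAINS):
        # 1. Display name borrows a trusted domain the sending address does not use.
        if trusted in display.lower() and from_dom != trusted:
            findings.append(f"display name cites {trusted} but sender domain is {from_dom}")
        # 2. Sending domain is a visual near-miss of a trusted domain.
        if looks_like(from_dom, trusted):
            findings.append(f"sender domain {from_dom} is a lookalike of {trusted}")

    # 3. Replies are silently routed to a different domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply and registrable(reply.split("@")[-1]) != from_dom:
        findings.append(f"Reply-To domain {registrable(reply.split('@')[-1])} differs from sender domain {from_dom}")

    # 4. Visible link text points somewhere other than the real href.
    for href, text in HREF_RE.findall(html_body(msg)):
        href_dom = registrable(urlparse(href).hostname or "")
        for shown in URL_RE.findall(text):
            shown_dom = registrable(urlparse(shown).hostname or "")
            if shown_dom != href_dom:
                findings.append(f"link shows {shown_dom} but goes to {href_dom}")
    return findings
```

Running `phishing_indicators(SAMPLE_EMAIL)` yields four findings (borrowed display name, lookalike sender, diverted Reply-To, mismatched link), while the benign message yields none. The two-label `registrable()` guess is deliberately simple; a production check would use the public suffix list, and the lookalike fold is a stand-in for a proper confusable-character comparison.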

More advanced tactics include creating bootlegged versions of popular, high-traffic websites to prompt users to click a link, or even building an application for exploitation. In the August 2021 tweet below, an Islamic social media app, Jamaat, is accused of being a front for surveillance that entices targets to download it. A blog post on the campaign showed that once the app is installed, it is granted access to the target’s phone data: contacts, storage, audio recording, location, camera, device settings, and call logs. The threat actor not only has access to the contents of the phone but can also surveil and track its owner.

[Image: August 2021 tweet about the Jamaat app]
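The capability list attributed to the Jamaat app above (contacts, storage, audio, location, camera, device settings, call logs) is exactly what an Android manifest declares up front, so a defender triaging a suspicious app can score it before installing anything. The script below is an added example, not code from the Overwatch article or from the blog it cites; the manifest is constructed to mirror that capability list, the package name is a placeholder, and the flagging threshold is an assumption chosen for illustration. The permission strings themselves are real Android permission names.

```python
"""Permission-based triage of an Android manifest for surveillance capability.

Added example (not from the Overwatch article). The manifest below is
constructed; the package name is a placeholder.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names grouped by the capability they grant.
SURVEILLANCE_CAPABILITIES = {
    "contacts": {"android.permission.READ_CONTACTS"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.WRITE_EXTERNAL_STORAGE"},
    "audio recording": {"android.permission.RECORD_AUDIO"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION",
                 "android.permission.ACCESS_BACKGROUND_LOCATION"},
    "camera": {"android.permission.CAMERA"},
    "device settings": {"android.permission.WRITE_SETTINGS"},
    "call logs": {"android.permission.READ_CALL_LOG"},
    "messages": {"android.permission.READ_SMS"},
}

# Permissions that let an app keep running out of sight. Not surveillance on
# their own, but they compound the categories above.
PERSISTENCE = {"android.permission.RECEIVE_BOOT_COMPLETED",
               "android.permission.FOREGROUND_SERVICE"}

# Constructed sample: a "social" app that declares far more than a chat client needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.social">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>
"""

# Constructed sample: a minimal app that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.reader">
    <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Set of permission names declared via <uses-permission android:name=...>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def triage(manifest_xml, expected=frozenset()):
    """Score a manifest. `expected` lists capabilities the app's stated purpose justifies.

    Flagging rule (an assumption for this example): three or more unjustified
    surveillance capabilities, or two plus a persistence permission.
    """
    perms = declared_permissions(manifest_xml)
    hits = sorted(cap for cap, names in SURVEILLANCE_CAPABILITIES.items() if perms & names)
    persistent = bool(perms & PERSISTENCE)
    unexpected = [cap for cap in hits if cap not in expected]
    return {
        "capabilities": hits,
        "persistent": persistent,
        "unexpected": unexpected,
        "flag": len(unexpected) >= 3 or (len(unexpected) >= 2 and persistent),
    }


if __name__ == "__main__":
    # A chat app can justify camera and storage; the rest is unexplained.
    print(triage(SAMPLE_MANIFEST, expected={"camera", "storage"}))
    print(triage(BENIGN_MANIFEST))
```

The point of the `expected` argument is that permissions are only suspicious relative to what the app claims to do: a messaging app asking for the camera is ordinary, one asking for call logs, background location and boot persistence is not. On a real APK the manifest is binary XML and would first be decoded with a tool such as apktool or aapt before being fed to `triage()`.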

Once information is retrieved by the mercenary APTG, it can be delivered in several ways: as a mass dump of data into paste bins, or through the use of Internet dead drops. An Internet dead drop can be a link in a bio, a post comment, or a product description. The link contains an encryption key used to decipher and access information stored in a second dead drop.

Mercenary APTGs have been known to target several entities on behalf of governments and private individuals or businesses. The purposes of these cases have ranged from the discovery of evidence during litigation to targeting activists, journalists, and politicians or corporate espionage operations.

Downfall of BellTroX

Darkmatter is a recent example that came into the news last year, with a September 2021 press release by the U.S. Department of Justice stating that three former NSA employees had been fined over $1.68 million for their role in hacking operations. In lieu of criminal charges, the three were additionally banned from holding security clearances, pursuing work involving network exploitation, and receiving U.S. security clearances.

The severity of this punishment stems from several factors surrounding the case. None of the three men had received the proper license from the U.S. government to work for the United Arab Emirates (UAE) in this capacity; they shared classified information and techniques; and Darkmatter programs were used to target U.S. companies and individuals. These three, as well as other alleged former U.S. Intelligence Community members, were also implicated in launching an app called ToTok, which is suspected to be a surveillance tool used by the Emirati government. At the time of this brief, ToTok is still available in several app stores, including the Apple Store and the Galaxy Store.

[Image: ToTok listing in the Galaxy Store]

Darkmatter and the government of the UAE deny charges that their actions and technologies were used to target Americans. Since 2019, Darkmatter and the UAE have been blocked from obtaining the status of an internet security watchdog by large technology providers such as Mozilla Firefox and Google. Darkmatter is still an active company and continues to attract employees from large tech firms and even the U.S. Intelligence Community. A look at the company’s SignalHire page, a corporate data aggregator, shows employees who previously worked for Microsoft/Dell, the RAND Corporation, Hewlett Packard/AT&T, Sony, Russian tech companies, and, most interestingly, the U.S. Army/ODNI. Darkmatter’s continued existence and client base reinforce how mercenary APTGs can operate in a grey zone under the sanction of their home state.

Unlike Darkmatter, not all organizations operate as openly. Enter BellTroX. On the surface, BellTroX InfoTech Services looked like a legitimate information technology security company based in New Delhi, India. The company’s now-deleted website claimed to provide services such as medical transcription, IT security, cyber security, and training on how to spot malware and protect a company from cyber threats. In other words, the company claimed to deal only in defensive and preventative IT security; however, as early as 2015, this turned out to be a lie.

[Image: archived BellTroX website]

In 2015, the United States Department of Justice indicted the company’s founder, Sumit Gupta, AKA Sumit Vishnoi, in a case about email hacking by private investigators supporting a party in a lawsuit. Though indicted, Mr. Gupta’s residence in India prevented his apprehension, and the company continued to operate. Searches for Mr. Gupta revealed an archived post he made on the website web.pod.io promoting his business. In the post, Mr. Gupta, under the name Sumit Vishnoi, advertises the services of BellTroX to “Private Investigators, Corporate Lawyers, Corporate Investigators, Corporate Firms, Celebrities, Politicians.”

[Image: archived web.pod.io post by Sumit Vishnoi]

In 2020, a report released by The Citizen Lab at the University of Toronto alleged that a notorious hack-for-hire group nicknamed Dark Basin was tied to BellTroX. The report claims that a series of operations by the group targeted both foreign nationals and U.S. citizens. Some of the most prominent campaigns associated with the group focused on activists and nonprofits organizing a movement called #ExxonKnew, which alleged the company had purposefully misconstrued and hidden data about climate change, and on organizations pushing to uphold net neutrality in the U.S.

The release of this report sparked renewed interest, leading to the arrest by the Department of Justice (DOJ) of Aviram Azari, a former employee of a covert surveillance unit in Israel. According to court documents, Mr. Azari had been acting as a private detective in New York City and working with BellTroX on behalf of his clients to undertake a corporate espionage campaign against various hedge funds.

The publication of its identity as Dark Basin, together with the guilty pleas and cooperation of Mr. Azari, is likely what led BellTroX to shut down its website and social media presence. To date, it is unclear in what capacity the group is still active. While the company’s digital footprint has been erased, including its Google listing, which marks it as permanently closed, the corporation is still registered as active according to an India-based corporate data aggregator, and Mr. Gupta has yet to be apprehended.

Adding to the evidence that the group is still active is the fact that Overwatch analysts were able to find a private Facebook group using the name and company logo. Analysts also found recent posts referencing Dark Basin’s hacking services on various sites and forums, including the Blizzard forum (a video game forum), Goodreads, and Reddit, and even a site that compiled emails and domains used by Dark Basin in order to track the group.

Analysts searched the dark web to track the group, with partial success. During the investigation, analysts located an onion URL for another group, T3AMPOISON, which claims to sell illegal hacking services.

Analysts did find a mirrored webpage potentially attributable to the group. The website’s header displays the name Dark Basin and advertises offerings such as hacking of personal email and social media accounts, content removal from websites, spying on email accounts, and boosting/hacking credit scores. Even if this website is not attributable to the Dark Basin mercenary APTG, the group likely still exists in some form despite the alleged closure of its front company, BellTroX.

[Image: Dark Basin mirrored webpage header and listed services]

Our Assessment

Considering the threat landscape and specific examples outlined above, Overwatch assesses that as the commercial environment and market share for open-source intelligence (OSINT) and information technology companies continue to expand, so will the number of bad actors in the space. This will make trusting your OSINT provider to follow legal and moral guidelines even more critical, as failure to do so could lead to legal issues and scandal down the road. In other words, ensuring the companies you work with practice #OSINT4GOOD will become even more important.

Additionally, Overwatch assesses that we will continue to see hacking services and technologies advertised by private companies to companies, individuals, and nation-states. This may lead to increased civil rights and legal violations, as what was once the purview of state intelligence and security apparatuses—constrained by legal codes, jurisdictions/authorities, and time-tested best practices—bleeds into the private sector, where national boundaries and jurisdiction mean little. This trend will continue until the private sector either imposes its own standard operating procedures on the sale/use of hacking technology/services or has one imposed on it by state actors. That resolution is unlikely to come for a long time, as the creation of industry norms, whether organic or imposed, is often a lengthy process.