This post continues our series exploring the adversarial mindset. Disinformation actors seek amplification of their content, regardless of whether their goal is financial, ideological, or political. They need venues for their content that are most likely to result in viral spread of their messages. Depending on the sophistication of the actors and the narrative they are trying to publicize, they often might not even care whether they are identified.
To find these venues, sophisticated disinformation actors will conduct reconnaissance on the social media groups or outlets that will be most likely to host their content and most likely to result in viral spread based on the psychological characteristics of that outlet.
Actors will look to use content that validates the prior assumptions of the target audience, particularly if it preys on a primal emotion such as fear or anger. This content will be more likely to be shared widely than a post that is neutral or disconfirms a target audience's prejudices.
For example, Macedonian actors host US political content on ad-supported websites and post that content into social media groups that are most likely to share that content. When social media users click on the links - often because their titles or content are written in language designed to provoke strong emotions - the disinformation actors profit from the resulting ad revenue.
Similarly, the Russian actors behind the recently uncovered disinformation campaigns targeting left-leaning audiences with peacedata(.)net and right-leaning audiences with NAEBC would have had to conduct reconnaissance to find Americans willing to write for them as well as identify the outlets that would be most likely to re-publish their content.
Requirements for Anonymous Disinformation Campaigns:
Domain Registration: More advanced adversaries backstop personas before registering domains. Some financially motivated actors do not use such sophisticated operational security. Actors need anonymous or mis-attributable domains for website hosting infrastructure. Financially motivated actors may use two low-cost, consumer-oriented registrars (Namecheap and Enom), while more sophisticated efforts could mimic business-oriented registrars like Network Solutions, MarkMonitor, and CSC (more common for authentic news websites).
Certificate Usage: One key feature is the number of domains that a certificate covers (based on the Subject Alternative Name field). More sophisticated actors could mimic news websites that have more domains in their certificates because parent news organizations use one certificate to cover their subsidiaries. Less sophisticated actors may have a large number of domains in their certificates attributable to low-cost hosting providers that deploy shared certificates.
Hosting: Unsophisticated actors use mass-market hosting providers like GoDaddy and Namecheap while advanced actors may use hosting providers such as Incapsula, often used by more authentic news websites.
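For analysts triaging a suspect site, the Certificate Usage feature above can be pulled from a certificate as follows. This is an added example, not code from the original post; the hostnames are constructed, the base-domain grouping is an extra feature the post does not mention, and the last-two-labels rule is a simplifying assumption.

```python
from collections import Counter

# Constructed samples in the dict shape returned by ssl.SSLSocket.getpeercert().
# All hostnames are made up (.example is a reserved TLD).
SHARED_HOST_CERT = {"subjectAltName": (
    ("DNS", "daily-patriot-news.example"),
    ("DNS", "www.daily-patriot-news.example"),
    ("DNS", "cheap-shoes.example"),
    ("DNS", "*.pet-blog.example"),
    ("DNS", "local-plumber.example"),
    ("IP Address", "192.0.2.10"),   # non-DNS entries are ignored below
)}
NEWS_GROUP_CERT = {"subjectAltName": (
    ("DNS", "metro-herald.example"),
    ("DNS", "www.metro-herald.example"),
    ("DNS", "valley-tribune.example"),
    ("DNS", "www.valley-tribune.example"),
)}

def base_domain(name):
    """Naive registrable domain: the last two labels.
    Assumption: no multi-label public suffixes such as co.uk; a Public
    Suffix List lookup is needed for real data."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return ".".join(name.split(".")[-2:])

def san_features(cert):
    """Summarise the Subject Alternative Name field of one certificate."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    groups = Counter(base_domain(n) for n in names)
    return {
        "san_count": len(names),                  # the feature the post names
        "wildcards": sum(n.startswith("*.") for n in names),
        "distinct_base_domains": len(groups),     # added feature (assumption)
        # Share of SAN entries belonging to the most common base domain.
        "largest_group_share": max(groups.values()) / len(names) if names else 0.0,
    }

if __name__ == "__main__":
    for label, cert in (("shared", SHARED_HOST_CERT), ("news", NEWS_GROUP_CERT)):
        print(label, san_features(cert))
```

As the post notes, a high SAN count appears in both shared-hosting and news-group certificates, so these values are inputs to analyst judgment alongside registrar and hosting data, not a verdict on their own.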
After the adversary has conducted the necessary reconnaissance, steps can be taken to weaponize the disinformation campaign in the appropriate outlets to conduct information and influence operations.
For more on the adversarial mindset, check out our overviews of cyber threat actor reconnaissance and fraud actor reconnaissance.