How Coordinated Inauthentic Behavior continues on Social Platforms

How Coordinated Inauthentic Behavior continues on Social Platforms

Assessing Coordinated Inauthentic Behavior on X, Tiktok and Telegram following Meta’s 2023 Q3 Adversarial Threat Report

On November 30 2023, Meta identified and disrupted networks of accounts engaged in what the platform defines as “Coordinated Inauthentic Behavior” (CIB) across 3 countries: Russia, China, and Iran. The Chinese activity was split into two groups, one that targeted India and the Tibet region, and another that targeted the United States and focused on US politics and US-China relations. The Russian network focused on creating fictitious “media” brands on multiple platforms—a long-established tactic in Russian propaganda behaviors—some of which were promoted by official state-linked embassy and diplomatic accounts. The Iranian cluster was far smaller; Meta described it posing as “a conservative news outlet in the United States,” and noted its presence on many platforms. In this post we examine the contours of the Chinese and Russian networks on X, describing their activity both before and after Meta’s public identification in late 2023.

As part of its takedown process, documented in the  Meta Adversarial Threat Report Q3 2023, Meta investigators named 90 accounts on X (formerly Twitter) that were connected to the networks. According to the report, some of the inauthentic content on Facebook produced by these networks “included X-specific language, such as ‘RT’ (i.e. retweet) or ‘@[particular X handles]’, suggesting that this operation had copied and pasted content from X to Facebook without editing it.” The Meta report included an appendix describing a distinct network that Meta believes is linked to Doppelganger, a persistent Russia-linked adversarial threat actor. The appendix also included a list of an additional 42 domains linked to the group; Meta’s full list of threat indicators relating to Doppelganger can be found in the Meta Threat Research Indicator GitHub Repository.

Despite these X accounts being named publicly by Meta in November 2023, X did not quickly take action to remove them. The Washington Post covered the continued presence of the networks on the platform in an article on February 16, 2024; by that point, X had removed one account from the Russia-attributed network, and three from the operation linked to China.  Approximately 12 days after the coverage, X suspended 81 more accounts. Five of the 90 X accounts identified by Meta remain   active as of April 25th, 2024. While examining the ongoing activity of the accounts,  Stanford Internet Observatory researchers independently identified an additional 21 accounts that appear to be linked to the Chinese  network, 10 of which remain active to date. Additionally, we observed the presence of accounts bearing the brands of the Doppelganger domains.

Key Findings

  • Although Meta posted investigative leads, X and TikTok appear to have been slow to take action on these published threat indicators related to inauthentic influence networks.
  • Accounts on X seemingly related to domains tied to the Russian influence operation ‘Doppelganger’ by Meta continue to be active to date. We examined the social media presences of the domains and found seven have active X accounts, posing as Western news outlets and posting in English and French.
  • Some accounts linked to the Russian network disrupted by Meta have moved their activity to Telegram and TikTok, where they continue to post in English about Ukraine, Russia and US politics.
  • Of the 90 X accounts identified by Meta, 85 originated in China, two in Russia and three in Iran. As of April 2024, one of the original Chinese accounts, one Russian account and three Iranian accounts remain active.
  • The Stanford Internet Observatory independently identified an additional 21 accounts that appear to be part of this Chinese network, 10 of which are still active on X.
  • This report highlights the importance of continuing to share threat intelligence while evaluating clearly persistent adversaries across platforms. 

     

Findings on an Expanded Network of Accounts on X, Originating in China

 

Building on the Washington Post’s February 2024 reporting on the network originating in China, we further investigated the nature and behavior of the network. The X accounts in this network targeted the US 2024 election and took profile pictures from apparently real American’s LinkedIn pages. While X has removed all but one of those directly attributed by Meta, we have observed what appears to be a broader network.

The majority of the accounts on X that Meta assessed as linked to China were posing as North Americans and posting in English; 53 accounts claimed to be located in the US, and 7 in Canada. The X accounts originating in China had 5,739 followers in aggregate; 65 of the accounts were created between April and September 2023, with the highest number (22) created in May 2023. Profile photos appear to have been stolen from real individuals’ LinkedIn pages, and names were changed. An example is @SeanHickman64677. A reverse image search of the profile picture on X matches the LinkedIn photo of a man with a different name located in Pennsylvania. 

sean hickman twitter Left: Screenshot of the Twitter/X account @SeanHickma64677 captured on February 10th 2024. Right: A LinkedIn account with the same profile picture captured on February 10th 2024

These accounts often shared identical tweets. For example, twelve accounts in the network attributed by Meta posted the following tweet between September 5 - October 16 2023: “Biden thinking about removing the tariffs from China to quote “decrease inflation” … It’s almost as if they hate the working class in the United States. They cannot be this ignorant.” 

twitter chinese network screenshots Twelve almost identical posts by accounts in the Chinese network, posted on X between September 5 - October 16 2023. Screenshots captured January 29, 2024.

The accounts got minimal engagement and views. Although they were posting, their content did not appear to have any significant impact on the conversations they attempted to participate in. All but one of these accounts have been suspended as of May 14th 2024.

However, the operators of the networks, it seems, continue to persist in their efforts.  Although we began our investigation examining social media accounts attributed by Meta, we observed a broader network of accounts on X that display similar behaviors and features. These accounts also post in English and focus on the US Elections. Of the 21 accounts we identified, 10 remain active to date. (Eleven were suspended around the time that the accounts identified by Meta were suspended.)

One of the accounts we identified is the account @LeanneFrie49553, which was created in May 2023 around the same time as many of the other accounts. The account claims to be located in Nashville, Arkansas, a town of just over 4,000 residents. Nine of the 85 accounts that Meta attributed as originating in China listed Nashville, AR. The profile image for the @leanneFrie49553 twitter account also appears to be stolen from LinkedIn;  a reverse image search matched it to a profile of an individual in Texas. 

Leanne Friel-twitter Left: Screenshot of the Twitter/X account @LeanneFrie49553 captured on May 16, 2024. Right: A LinkedIn account with the same profile picture captured on May 16, 2024.

@LeanneFrie49553 has 261 followers as of May 14 2024, and continues to receive very little engagement on their posts. This is true across the majority of the accounts originating in China, and those in the broader network we subsequently examined. These accounts have on average 67 followers, and post and retweet overwhelmingly on topics related to the US election, Trump and Biden. Much of the activity is retweeting, particularly of Elon Musk and low-quality domains. @LeanneFrie49553 posted and retweeted almost daily in April 2024; a cursory search on X of a post from April 17 found that 7 other X accounts posted an identical tweet.

Since April 29 2024, this account has posted a Donald Trump quote, retweeted conservative activist Brigitte Gabriel three times, tweeted a Nikki Haley quote accusing Putin of the murder of former Russian opposition leader Alexei Navalny,  retweeted Elon Musk and posted “This Henry Kissinger quote captures Donald Trump:   “The illegal we do immediately, the unconstitutional takes a little longer.”  Then Trump supporters wrap the quote in an American flag.”  This behavior shares many of the elements that characterize the behavior of the network identified by Meta.

Of the 85 X accounts identified by Meta as having originated in China, one remains active. The account, @NickJonas154141, posts in Nepali and English, sharing anti-corruption memes and specifically targeting individual Nepali politicians.

This account belongs to the subset of Chinese accounts that Meta describes as targeting Tibet and the Arunachal Pradesh regions of India, and posing as “journalists, lawyers and human-rights activists.” 

twitter nick jonas nepal Screenshot of the Twitter/X account @NickJonas154141 captured on May 16, 2024.

The account has 908 followers and a blue checkmark on X (formerly used to indicate a verified or prominent account). As of May 16th 2024, the account continues to post frequently. Recently, it appears to have created an X/Twitter “Community” with the name “Nepal Emergencies,” which has as its description: “We are committed …” The Community has only two other members, but it is an interesting indication of adaptation and incorporation of other X features into network behavior.

Findings on Russian Network Across TikTok, X and Telegram 

 

The Russian networks identified by Meta in their Adversarial Threat Report are more active on Telegram and TikTok, where they continue to post in English on US and European politics and the war in Ukraine. As of [DATE], one of the two X accounts identified in the Meta Adversarial Threat Report as originating in Russia remains active with minimal impact.  That account, Military Wave (@MilitaryWave001), was created in 2016 but has only 54 followers. In their report, Meta linked this account to a related and more active Telegram account, “Military Wave,” that uses the same profile picture. The Telegram account had 31,230 subscribers as of May 15 2024. The other account identified by Meta, People’s Press (which used the handle @PeopleSayNews), was removed from X but accounts with the same name are active on TikTok and Telegram. Both post primarily in English and posted about active military conflicts, mainly in Ukraine but also in Gaza. People’s Press also posts about US domestic issues.    

military wave screenshot from twitter Left: Screenshot of the X account @militarywave001 captured on May 16, 2024. Right: Screenshot of Telegram account @militarywave captured on May 16, 2024.

The @people.say.channel on TikTok has 13,200 followers as of May 15 2024 and publishes in English; it appears to be an account shift or respawn, as Meta’s original attribution was to an account “peoplesay05” that no longer exists. Many of the posts include the phrase “оригинальный звук” in Russian, meaning “original sound” in the audio description of the posts. This is a common feature on TikTok, denoting that the account creator has made the audio themselves. 

people say channel twitter screenshot Left: Screenshot of @PeoplesPress Telegram account, captured on May 16th, 2024. Right: Screenshot of @people.say.channel header on TikTok, captured on May 16, 2024.

The first pinned post on @people.say.channel is a video of a safari with a Russian voice over, which has 7.9 million views. The account holder has repeatedly reposted content by Russian state-owned news agency Ruptly (an approach previously taken in prior influence campaigns), as well as other Russian social media accounts. Posts include ‘IMMIGRANT LEARNING TO USE A SPOON’, ‘THE US REALITY: KIDS OUT, MIGRANTS IN’ and ‘HOW MANY GENDERS ARE THERE?’. There are posts about Russia, Ukraine and US politics mixed in amongst less political content, and memes. The posts appear to largely have limited impact, with most achieving a few hundred views.

The linked Telegram account posts under the handle @PeoplesPress. On October 12, 2023, @PeopleSayNews—the Telegram account identified by Meta—posted

             “To our cherished subscribers, We are moving to a new channel: The People’s Press!  Please follow us and subscribe. We have been forced into this decision by coordinated attacks from bots and ideologues who cannot bear to hear the truth. Our comment sections have been flooded with porn; organised campaigns have mass-reported our content to Telegram administrators; and we have been targeted by sophisticated censorship campaigns. As a result, our channel has now been blocked in several major European countries. Consequently we cannot fully develop our platform and increase the number of subscribers. It seems that in today's Europe, Truth has less value than obedience to the elites' anti-human agenda.”

The @PeoplesPress Telegram channel has 5,437 subscribers as of May 15 2024, uses identical graphic design to the TikTok channel, and also shares significantly from Ruptly. The content focuses on Russia and Ukraine and includes posts about European and American politics. The account has posted consistently on the Farmers’ protests in Europe.

Doppelganger Findings

 

Meta’s Report also included an updated list of websites identified as Russian operation ‘Doppelganger’ recidivism. Doppelganger is the name of a persistent Russian disinformation campaign first recognized in 2022, which tried to undermine support for Ukraine following the Russian invasion. It frequently creates fake websites that mimic existing legitimate news sources. These updates, posted publicly, are intended to inform researchers and companies tasked with studying or mitigating inauthentic activity or disinformation campaigns about updates to adversarial behaviors. We examined the social media presences related to the domains and found seven of the websites attributed in November link to active X accounts, posing as Western news outlets and posting in English and French.

Five of the seven sites have accounts that were created in 2011, one in 2023 and one in 2024. Two of the accounts—@AllonsY_Social and @candidat_news—post in French. The other five—@RRNmedia, @TruthGateOff, @50StatesOfLie, @SpConspiracy and @DragonflyTimes—all post in English. They appear to have few followers and minimal engagement. The accounts have characteristics commonly associated with influence operations activity: RRNmedia, for example, which does occasionally get several hundred engagements on its posts, appears to have replaced a suspended account—RRNworld—tied to the domain rrn.media (which it regularly shares from). Although the account has a creation date of September 2011, the oldest currently visible tweets are from July 5, 2023. These characteristics, taken together, suggest it might be worth additional evaluation by a platform integrity team to see if the handle was repurposed.

Content from the accounts with overlapping Doppelganger branding (or links to Doppelganger websites) focus on the war in Ukraine, Gaza and the US election. Recent posts from @50StatesOfLie include, ‘NOW – Trump makes surprise stop, greeted by screaming Union workers.. “WE WANT TRUMP” #Trump #TrumpTrials’ and “Zelensky has not lived up to Western expectations; after receiving tens of billions he has failed in his duties. Americans are fed up with this… #Ukraine”. The site poses as  a journalism outlet, sharing international breaking news. 

states of lie twitter Screenshot of posts on X by @50StatesofLie, captured on May 16, 2024.

@RRNmedia posted, ‘As #VladimirZelensky’s paranoia grows, the search for new conspirators and the intimidation of journalists have begun in #Ukraine. No longer considered a legitimate president, #Zelensky is struggling to fulfill the tasks set by the #UnitedStates.” Another post from @RRNmedia reads “#Biden administration accepts the #Israeli government’s assurances that it is not violating U.S. or international law in its prosecution of the war in #Gaza, a conclusion at odds with assessments made by the #UN and international aid groups”. Their videos have a watermark reading ‘Reliable Recent News’.

RNN media twitter Screenshots of posts on X by @5RRNmedia, captured May 16, 2024.

As we were preparing to publish this blog post, Meta published the Adversarial Threat Report Q1 2024, which highlights Doppelganger’s ongoing threat. The report describes how Meta “teams are engaged in daily efforts to find and block Doppelganger’s attempts to acquire new accounts”. This report notes that there has been a shift on meta platforms as Doppelganger networks are no longer “linking to spoofed domains impersonating news media or government agencies” and there are no longer “fictitious brands present on our apps (e.g., Reliable Recent News, etc.)”. This is a notable difference to what we have observed on X.

Meta’s Adversarial Threat Report Q1 2024 also reinforces the need for risk intelligence sharing. According to this report, ‘it would benefit us all to have a fuller shared picture of the global activity by these operators across the internet.’ The report continues, ‘In addition to sharing our own threat research, platforms should consider making it easier for open-source researchers to map their findings across different services.’

Conclusion

 

Although Meta is posting investigative leads, not all major platforms appear to be acting quickly to take action on inauthentic influence networks. We were able to identify what appears to be a broader network on X based in China, as well as X accounts linked to the Russian operation Doppelganger, relatively easily; while many did not attract much engagement, the content shared and created by these networks is political and election-focused. It is certainly possible that X and TikTok disagreed with, or were unable to confirm, Meta’s findings, or that they chose a different mitigation strategy not visible to us from the outside. It is also possible, however, that tech companies are no longer directly exchanging information about foreign inauthentic influence operations to the extent that they were in prior years. This report highlights the importance of continuing to share threat intelligence while evaluating clearly persistent adversaries across platforms.  

Read More

Ai collage
Blogs

Investigation Finds AI Image Generation Models Trained on Child Abuse

A new report identifies hundreds of instances of exploitative images of children in a public dataset used for AI text-to-image generation models.
cover link Investigation Finds AI Image Generation Models Trained on Child Abuse
watercolor style image showing a nexus of social media platform icons
Blogs

Addressing Child Exploitation on Federated Social Media

New report finds an increasingly decentralized social media landscape offers users more choice, but poses technical challenges for addressing child exploitation and other online abuse.
cover link Addressing Child Exploitation on Federated Social Media
watercolor style image showing a nexus of social media platform icons
Blogs

An update on the SG-CSAM ecosystem

cover link An update on the SG-CSAM ecosystem