Latest News | Election-related video generated with AI Latest News | A December video is used to manipulate the arrival of the diaspora for the 7th elections… Latest News | The image with the banner for Kurti from the protests in Tirana was generated with… Latest News | Petkovic conspires to favor Rašić in the case of the arrest in the village… Latest News | Analysis of political calls by Vučić and Petković for a vote in favor of L… Latest News | Serbian media and official narratives about the election campaign in Kosovo:… Latest News | The OQS presents as a case related to the election campaign an incident that occurred… Latest News | The child's right over the FATHER'S right Latest News | Without facts, it is claimed that a pre-election poll was conducted by LVV Latest News | Framing of the election campaign in Kosovo by Russian media in Serbian
[ ARTICLE ]

How the pro-Russian disinformation email overload attack unfolded

HIBRID

Wrote: Festim Rizanaj

Hibrid.info is one of the platforms targeted by the disinformation campaign.Operation Overload” (a continuation of Operation Matryoshka, specifically targeting media organizations and fact-checking platforms) where pro-Russian actors used emails and social media hashtags to request verification of specially created fake content. The content sent for verification was not authentic, but organized by the same source, with the aim of overloading and diverting the attention of trusted organizations such as Hibrid.info. The emails were sent primarily via Gmail and contained links that often led to Telegram channels, covering topics ranging from disinformation to political and social issues.

The analysis shows a spike in email activity on specific dates, such as 1, 16, 24 and 30 July 2024, suggesting a deliberate attempt to challenge Hibrid.info during periods of significant events (Paris 2024 Olympics and Euro 2024). The strategy also included the use of duplicate usernames and repeated patterns in constructing email addresses, suggesting an organized effort to distribute false content. Telegram played a key role in the distribution of this information, alongside occasional references to other platforms, indicating the deliberate spread of disinformation to also destabilize the work of Hibrid.info.

Hibrid.info received and analyzed 82 emails sent to the platform’s email account as part of the campaign, covering the period February 1 – August 1, 2024. From the dataset provided, it is clear that the platform has experienced varying levels of email activity, ranging from periods of minimal engagement to surges. While, as mentioned at the beginning, the Hibrid.info team has been receiving email inquiries starting from February 2, 2024, it has been observed that a significant increase in email volume has occurred. Specifically, on July 1 and 16 from 5 emails per day and, July 24 and 30 from 4 emails per day.

Additionally, notable increases occurred on several other dates where the platform received exactly 3 emails per day, including July 19, 17, 25, 9, 18, 2, 5, 31, 8, 2, 15, and August 1. Additionally, the platform received exactly 2 emails per day on July 26, 22, 23, 28, and May 15, 2024.

The objective of this tactic is to engage hibrid.info and its research team, forcing the platform's experts to divert their attention from current disinformation events to verifying and debunking false content created and distributed.

Several key themes and events can be identified, along with a systematic disinformation effort. The emails primarily contain links to Telegram channels that spread various news, rumors, and accusations. The focus areas in these emails include 5 distinct themes. Topics include accusations against the Ukrainian government and military, disinformation about international events such as the Olympics, and political scandals involving Ukrainian and international figures.

Subject contents in emails

Additionally, we analyzed the subjects in the emails sent and came up with several categorizations. For example, the topics in question can be categorized into different types, including fact-checking (e.g., “check it out”, “fake news”), specific events (e.g., “Olympics has fallen”, ” Ambulance service in Olympics “), and news topics (e.g., ” NBC NEWS is posting news clips on TikTok “, “DW published the news”).

On the other hand, some topics are repetitive or generic (e.g., “check the news,” “News”) while others are informative (e.g., “News from Greenpeace,” “Bedbug news”) or serve as calls to action (e.g., “What's going on?”, “Who portrayed him,” “where the graffiti is located”). Furthermore, clickbait or unclear subject links (e.g., “we found fakes,” “These are the links”) can also be observed during analysis and appear to be designed to spark curiosity or a sense of urgency.

Email service providers and usernames

An analysis of the email dataset reveals important insights into the use of different email service providers, especially those that are free and allow the creation of an anonymous account. The dataset, which includes emails sent from various domains, shows a usage of Gmail, with 82 emails originating from this service.

This distribution shows a clear preference for Gmail among email senders in the dataset, highlighting its dominant position in the market. The anonymity offered by these free services can be a double-edged sword, as they often facilitate deviant online practices, raising concerns about their role in enabling unethical online behavior. Notably, the same email providers were identified as commonly used in the Operation Overload report by Check First and Reset, highlighting their association with suspicious activity.

Many usernames appear to be constructed from personal names, either as full names or as combinations of first and last names. Numbers are often added to usernames, perhaps to distinguish users with similar names or to meet unique username requirements. Examples include "novillanita9339@gmail.com","fredericacrotts1@gmail.com”. Some usernames appear to include random strings of letters or initials, which may be an attempt to create a unique identifier or may be randomly generated. For example, “vg1958109@gmail.com","r6229222@gmail.com”. Some usernames include descriptive words or non-name elements that may reflect personal interests, nicknames, or other characteristics. E.g. “gealya23@gmail.com”, “aroeija9@gmail.com”.

Links and domains

Analysis of the isolated links reveals a significant concentration originating from the “t.me” domain, with a total of 192 links distributed in the emails sent, underlining the dominance of Telegram as a primary medium for communication and content sharing between users. Among the Telegram (t.me) accounts, some of them were sent more than once, such as; “t.me/belshkvarka/” (22 times), “t.me/shkvarka2/” (14 times), “t.me/OLYMPICSHASFALLEN/” (12 times), “t.me/belvestnik/” (4 times). This frequency emphasizes the platform’s key role in the dissemination of information.

Beyond “t.me,” other domains were identified, albeit with significantly lower frequencies. Notably, “twitter.com” and “x.com” were found 2 times each and rumble.com (1), respectively, suggesting random sharing of content.

The presence of “pravda.ru” (1), “pravda-es.com” (1), “pravda-it.com” (1), “pravda-de.com” (1), and “pravda-fr.com” (2) reflects the distribution of Pravda news articles across different specific language domains, indicating a multilingual distribution of news. Furthermore, the single occurrences of “newtral.es” (2) and “nytimes.com” (3), “microsoft.com” (1), “01net.com” (1), “storyboard18.com” (1), “mcafee.com” (1), “nationalpost.com” (1), “greenpeacefoundation.com” (1), “france24.com” (1) suggest the sharing of content from independent American, Spanish, and French news sources.

Attachments

Among the emails sent to the official email address of hibrid.info, 26 photos and 22 videos were identified. These included various images with false claims, as well as photos of graffiti related to Ukraine in various cities around the world.

cONcluSiON

This comprehensive analysis of 82 emails received by hibrid.info (February 1 – August 1, 2024), as part of a targeted campaign, sheds light on the tactics and strategies used by those who aim to hinder the platform’s mission. The coordinated campaign through emails with duplicate accounts and Telegram links aims to distract the Hibrid.info team, overwhelming it with requests to verify false content. These emails contain disinformation related to military and political issues, aiming to make the Hibrid.info team waste time verifying this false information. As a result, the platform is forced to divert attention from combating real disinformation events, which affects its effectiveness and the dissemination of accurate information to the public.

This detailed study of the email campaign directed at Hibrid.info revealed several key findings:

  1. Email activity patterns: Activity intensified on July 1, 16, 24 and 30, 2024, coinciding with major events the Paris Olympics and Euro 2024, indicating deliberate efforts to overload hibrid.info.
  2. Subject topics and connections: The emails included links to Telegram channels and the topics ranged from disinformation, political accusations, social issues, and international events, with subjective links that provoked urgency to attract the attention of Hibrid.info.
  3. Email service providers and aliases: The dominance of Gmail as a service, along with the use of repeated aliases, indicated a genuine organization by the same entities.
  4. Links and domains: The dominance of Telegram links shows the leading role of this platform in the dissemination of information, while various other sources were also included to distribute content in this campaign.
Report

Help us improve by reporting your problems or suggestions.

0 / minimum 10 characters