all repos — site @ 644edec3641b7eb388bd741aafa2cf74b0804edf

source for my site, found at icyphox.sh

pages/blog/ru-vs-gb.md (view raw)

  1---
  2template:
  3title: Disinfo war: RU vs GB
  4subtitle: A look at Russian info ops against Britain
  5date: 2019-12-12
  6url: ru-vs-gb
  7---
  8
  9This entire sequence of events begins with the attempted poisoning of
 10Sergei Skripal[^skripal], an ex-GRU officer who was a double-agent for
 11the UK's intelligence services. This hit attempt happened on the 4th of
 12March, 2018. 8 days later, then-Prime Minister Theresa May formally
 13accused Russia for the attack.
 14
 15[^skripal]: https://en.wikipedia.org/wiki/Sergei_Skripal
 16
 17The toxin used in the poisoning was a nerve agent called _Novichok_.
 18In addition to the British military-research facility at Porton Down,
 19a small number of labs around the world were tasked with confirming
 20Porton Down's conclusions on the toxin that was used, by the OPCW
 21(Organisation for the Prohibition of Chemical Weapons).
 22
 23With the background on the matter out of the way, here are the different
 24instances of well timed disinformation pushed out by Moscow.
 25
 26## The Russian offense
 27
 28### April 14, 2018
 29
 30- RT published an article claiming that Spiez had identified a different
 31toxin---BZ, and not Novichok.
 32- This was an attempt to shift the blame from Russia (origin of Novichok),
 33to NATO countries, where it was apparently in use.
 34- Most viral piece on the matter in all of 2018.
 35
 36Although technically correct, this isn't the entire truth. As part of
 37protocol, the OPCW added a new substance to the sample as a test. If any
 38of the labs failed to identify this substance, their findings were
 39deemed untrustworthy. This toxin was a derivative of BZ.
 40
 41Here are a few interesting things to note:
 42
 431. The entire process starting with the OPCW and the labs is top-secret.
 44How did Russia even know Speiz was one of the labs?
 452. On April 11th, the OPCW mentioned BZ in a report confirming Porton
 46   Down's findings. Note that Russia is a part of OPCW, and are fully
 47   aware of the quality control measures in place. Surely they knew
 48   about the reason for BZ's use?
 49
 50Regardless, the Russian version of the story spread fast. They cashed in
 51on two major factors to plant this disinfo:
 52
 531. "NATO bad" : Overused, but surprisingly works. People love a story
 54   that goes full 180°.
 552. Spiez can't defend itself: At the risk of revealing that it was one
 56   of the facilities testing the toxin, Spiez was only able to "not
 57   comment".
 58
 59### April 3, 2018
 60
 61- The Independent publishes a story based on an interview with the chief
 62executive of Porton Down, Gary Aitkenhead.
 63- Aitkenhead says they've identified Novichok but "have not identified
 64the precise source".
 65- Days earlier, Boris Johnson (then-Foreign Secretary) claimed that
 66Porton Down confirmed the origin of the toxin to be Russia.
 67- This discrepancy was immediately promoted by Moscow, and its network
 68all over.
 69
 70This one is especially interesting because of how _simple_ it is to
 71exploit a small contradiction, that could've been an honest mistake.
 72This episode is also interesting because the British actually attempted
 73damage control this time. Porton Down tried to clarify Aitkenhead's
 74statement via a tweet[^dstltweet]:
 75
 76> Our experts have precisely identified the nerve agent as a Novichok. 
 77> It is not, and has never been, our responsibility to confirm the source 
 78> of the agent @skynews @UKmoments
 79
 80[^dstltweet]: https://twitter.com/dstlmod/status/981220158680260613
 81
 82Quoting the [Defense One](https://www.defenseone.com/threats/2019/12/britains-secret-war-russia/161665/) 
 83article on the matter:
 84
 85> The episode is seen by those inside Britain’s security communications team 
 86> as the most serious misstep of the crisis, which for a period caused real 
 87> concern. U.K. officials told me that, in hindsight, Aikenhead could never 
 88> have blamed Russia directly, because that was not his job—all he was 
 89> qualified to do was identify the chemical. Johnson, in going too far, 
 90> was more damaging. Two years on, he is now prime minister.
 91
 92### May 2018
 93
 94- OPCW facilities receive an email from Spiez inviting them to
 95a conference.
 96- The conference itself is real, and has been organized before.
 97- The email however, was not---attached was a Word document containing
 98malware.
 99- Also seen were inconsistencies in the email formatting, from what was
100normal.
101
102This spearphishing campaign was never offically attributed to Moscow,
103but there are a lot of tells here that point to it being the work of
104a state actor:
105
1061. Attack targetting a specific group of individuals.
1072. Relatively high level of sophistication---email formatting,
108   malicious Word doc, etc.
109
110However, the British NCSC have deemed with "high confidence" that the
111attack was perpetrated by GRU. In the UK intelligence parlance, "highly
112likely" / "high confidence" usually means "definitely".
113
114## Britain's defense
115
116### September 5, 2018
117
118The UK took a lot of hits in 2018, but they eventually came back:
119
120- Metropolitan Police has a meeting with the press, releasing their
121findings.
122- CCTV footage showing the two Russian hitmen was released.
123- Traces of Novichok identified in their hotel room.
124
125This sudden news explosion from Britan's side completely
126bulldozed the information space pertaining to the entire event.
127According to Defense One:
128
129> Only two of the 10 most viral stories in the weeks following the announcement 
130> were sympathetic to Russia, according to NewsWhip. Finally, officials recalled, 
131> it felt as though the U.K. was the aggressor. “This was all kept secret to 
132> put the Russians on the hop,” one told me. “Their response was all over the 
133> place from this point. It was the turning point.”
134
135Earlier in April, 4 GRU agents were arrested in the Netherlands, who
136were there to execute a cyber operation against the OPCW (located in The
137Hague), via their WiFi networks. They were arrested by Dutch security,
138and later identifed as belonging to Unit 26165. They also seized a bunch
139of equipment from the room and their car.
140
141> The abandoned equipment revealed that the GRU unit involved had sent
142> officers around the world to conduct similar cyberattacks. They had
143> been in Malaysia trying to steal information about the investigation
144> into the downed Malaysia Airlines Flight 17, and at a hotel in Lausanne,
145> Switzerland, where a World Anti-Doping Agency (WADA) conference was taking
146> place as Russia faced sanctions from the International Olympic Committee.
147> Britain has said that the same GRU unit attempted to compromise Foreign
148> Office and Porton Down computer systems after the Skripal poisoning.
149
150### October 4, 2018
151
152UK made the arrests public, published a list of infractions commited by
153Russia, along with the specific GRU unit that was caught.
154
155During this period, just one of the top 25 viral stories was from
156a pro-Russian outlet, RT---that too a fairly straightforward piece.
157
158## Wrapping up
159
160As with conventional warfare, it's hard to determine who won. Britain
161may have had the last blow, but Moscow---yet again---depicted their
162finesse in information warfare. Their ability to seize unexpected
163openings, gather intel to facilitate their disinformation campaigns, and
164their cyber capabilities makes them a formidable threat. 
165
1662020 will be fun, to say the least.