States, non-states, proxies - Digital Threat Digest

Don’t worry, this isn’t going to be about International Relations theory because I had those lectures at 9am on Fridays in 2014. Instead, we begin with me telling you that I spent a decent amount of 2022 looking at Russian non-state actors.

These were generally anonymous groups focused on doxxing and harassing Ukrainian nationals, soldiers, sympathisers. They would crop up, pick a suitably patriotic name (Work! Brothers!), target a whole load of individuals, then dissolve into the ether once again. In most geographies we’d consider such groups low hanging fruit. But there was one interesting consistency across them: the quality of intel they had on the targets they were doxxing. Emails, phone numbers, approximate locations are all easy enough. But with passport numbers, recent travel history, medical information, we start to veer into high quality signal territory. The type of signal that a state actor using a pseudonymous non-state group as a proxy would have access to.

Cut to 31 October 2023, and tens of high-profile Indian politicians receive a warning from Apple that their iPhones are being targeted by state-sponsored attackers. Compare and contrast these targets of high-ticket malware with those in the sights of non-state-but-state-aligned hacktivist and doxxing groups and you’ll find the same names. A multi-pronged attack using the state and the non-state’s respective capabilities.

Cut to 6 November 2023, and I’m flicking through LinkedIn in the evening (wild Monday night, amirite?) when I see post from a well-known social media monitoring firm. The post claimed that they had been monitoring the Israel-Hamas war, and that they continued to find evidence of massive pro-Hamas IO campaigns.

I have a bit of a problem here – the politicisation of analysis.

This can happen in two ways, either: 

1. You set out to prove a predetermined conclusion, OR

2. You ignore part of the evidence you identify during an open investigation

If you set out to find evidence that backs a specific conclusion, you can find it, because the internet is massive and platforms every single perspective on every single issue. And I’m not saying there isn’t pro-Hamas IO activity ongoing at the moment – there very much is. And there very much was before 7 October. And there will be this time next year still. But there’s also quite a lot of pro-Israel IO activity ongoing at the moment.

You can't understand the significance, scale, or sophistication of one, without understanding the equivalent of the other. We've been tracking and mapping pro-Hamas activity, and we've been tracking and mapping pro-Israel activity. Throughout 2022 we tracked and mapped Ukrainian non-state actors doxxing the family members of Russian individuals. Some violative behaviours online have to exist in a contextual vacuum to allow for objective assessment and understanding of threat actors.

Whether deliberate or accidental, the omission of information identified removes the integrity of analysis. When you’re a non-state actor, when you’re located in a specific state, when you only present one side of the picture, and when that one-sided presentation matches the story a state is telling, you’re no longer a non-state actor, you’re a proxy.

More about Protection Group International's Digital Investigations

Our Digital Investigations Analysts combine modern exploitative technology with deep human analytical expertise that covers the social media platforms themselves and the behaviours and the intents of those who use them. Our experienced analyst team have a deep understanding of how various threat groups use social media and follow a three-pronged approach focused on content, behaviour and infrastructure to assess and substantiate threat landscapes.

Disclaimer: Protection Group International does not endorse any of the linked content.