Detect
Protect
Build
Insights
About
Digital Threat Digest Insights Careers Let's talk

Unique signals - Digital Threat Digest

PGI’s Digital Investigations Team brings you the Digital Threat Digest, SOCMINT and OSINT insights into disinformation, influence operations, and online harms.

Double-circle-designs12.png?auto=compress%2cformat&fit=crop&fm=webp&h=0&ixlib=php-3.1

Like the rest of the UK, I spent the bank holiday Monday outside, having a barbecue, stubbornly refusing to put on sunscreen. At one point, the Aperol Spritz-fuelled conversation turned to weird bodily functions, and I told a group of 10 people that I can rumble my ears - it's where you contract a tiny muscle in your ears to make a rumbling, thundery sound. Luckily, one of the barbeque attendees could also do it otherwise I’d have looked insane. But, usually, it’s the sort of thing that people with the capability to do it think is unique to them. I find the idea that we all think we’re unique fascinating; it’s a manifestation of ultimate hubris and egotism.

Social media and the wider digital environment strip away any notion of uniqueness. It normalises the fringe and puts you in contact with others with your ‘unique’ beliefs, interests, or talents. Drawn in by their acceptance, you start to spend more time with the community you identify with and get a sense of belonging from it. In the physical world, we’d probably call it a cult. In the digital world, nine times out of ten, it’s a Discord server or subreddit.

If your thing is building a personality around the US Office, you’ll find your people anywhere and everywhere across social media. But, if it’s ear-rumbling, then r/earrumblersassemble has just 96k subscribers. For context, Reddit has 500mn active monthly users, so 0.02% isn’t bad for perceived uniqueness. Maybe your thing is a metaverse themed around Garfield, in which case there’s a 10-subscriber Discord server for you. You might not think so, but there’s a community for every single thing, and the same thing happens in every one - centralisation and normalisation.

I reckon most threat actors probably think they’re unique in how they put together a campaign, but there are always common traits. Like why do the IRGC keep using Hetzner as their cloud host? Why, come 2023, has Egypt still not learned how to disguise Facebook admin locations while targeting Libya?

And why isn’t there a digital cult around this yet? YARA allows for the open sharing and crowdsourcing of threat intel from a CTI/malware perspective, so where’s the equivalent for other forms of malicious behaviour online? Unfortunately, every effort in this realm remains in-house and largely closed off.


More about Protection Group International's Digital Investigations

Our Digital Investigations Analysts combine modern exploitative technology with deep human analytical expertise that covers the social media platforms themselves and the behaviours and the intents of those who use them. Our experienced analyst team have a deep understanding of how various threat groups use social media and follow a three-pronged approach focused on content, behaviour and infrastructure to assess and substantiate threat landscapes.

Disclaimer: Protection Group International does not endorse any of the linked content.

This article was originally published on September 14, 2023 and updated on September 20, 2023.