Russian cyber-disinformation campaigns have many missions, but one of particular interest is the use of technology to monitor, influence, and disrupt online communication around culturally sensitive issues or protests. The ability to observe these events, and even to filter tweets by positive or negative sentiment, makes a range of disinformation campaigns possible.
With reports of Russian disinformation campaigns in the news, many are curious how these attacks are possible at all. As with most effective attacks, everything starts with a good education. Scanning a global conversation on social media is not the same as scanning a network, but thanks to Maltego's Twitter monitoring machines, we can use some of the tools we use to explore networks to visualize social media conversations.
Disinformation campaigns became popular through the tactics discovered by hackers in 2016 during election fraud. These attacks took advantage of the anonymous nature of Twitter and other social platforms to polarize political and social divisions in US society by disseminating false and misleading information.
To facilitate these campaigns, online conversations were carefully examined to produce information that would have the maximum effect. As soon as sensitive issues were collected, the fake news was aggressively injected into the public discussion through strategically placed bots aimed at real users who were likely to share the content legitimately. Often these conversations seem to come from a valid or known source, or at least from a member of an existing fringe group.
Careful study of online conversations used by activists or other politically engaged users was an important part of these campaigns. Several tactics contributed to the success of these efforts, for example sending fake content to real users for distribution by sharing and re-sharing the news.
Social media companies have developed the ability to automatically sort tweets and social media messages by sentiment and to use machine learning to identify patterns associated with positive or negative tweets. By using sentiment analysis, an attacker can amplify a polarizing discussion by nudging an army of bots to retweet and share legitimate tweets about specific topics or people, depending on whether they say negative or positive things.
The advantage of this attack is that it emulates a reactive jammer, which waits for a certain type of communication to take place before jamming it. In this case, an attacker can use sentiment analysis to sort polarizing tweets and quickly overwhelm a discussion by reinforcing marginal opinions. This prevents a fair and open debate and allows the attacker to push aside differing views using tweets written by real users.
In general, the techniques used to interfere with other communications are equally applicable to social media interactions. In particular, we will discuss how continuous jamming, deceptive jamming, and scan jamming can be used to dominate an online conversation.
Continuous jamming aims to overload the communication channel with random noise in order to make it unusable. It does not try to fit into the conversation; it looks more like spam. Bots flood a specific hashtag that people are using to communicate with unrelated tweets, diluting the discussion until finding legitimate tweets is impossible. This tactic has the added benefit of Twitter automatically censoring the tweet because it is used to spread spam.
Deceptive jamming aims to disguise the attack by making the disturbance appear to be part of the conversation. In this attack, a targeted hashtag is flooded with legitimate-looking tweets that spread confusing, misleading information. The information on the channel is rendered useless by introducing doubt: anyone who uses the hashtag to communicate or to understand what is happening finds themselves among tweets that offer important-sounding false information. This attack can also be targeted by spreading negative information about critical people faster.
In order to launch such attacks, it's important to be able to "scan" a running Twitter conversation the same way you would run Nmap on a network. Without knowing an attack surface, you cannot design a practical plan to attack it, so the challenge is to map a very organic conversation, such as one on Twitter, using hacking tools that are usually better at scanning routers and hosts.
As it turns out, Maltego is a perfect platform for mapping social media conversations, with the added benefit that targets can be imported directly into Maltego for investigation or targeting. A hacker using Maltego can track social media and find all the important hashtags and users involved in disseminating information about an event, topic or person.
While most hackers consider Maltego to be useful for finding static information such as network fingerprints, several Maltego machines are specifically designed for tracking users and topics of interest in social media.
These tactics are used by public authorities to monitor the social media accounts of well-known activists in real time, which allows the police to be informed in real time about the current state of protests without attending them. The same tactic can be used to decide how best to use an army of Twitter bots to destroy a society half a world away.
Step 1: Log in to Maltego
To install Maltego, you must have Java installed on your computer. Maltego is installed by default in Kali Linux, so in Kali you can start it simply by selecting it in the main menu.
If you are using macOS or Windows, you can download the Maltego Community Edition from the Paterva website. Once you've opened Maltego in Kali or installed it on another system, you'll need to create a free account with Paterva to use the community version. Register the account, receive the confirmation email and enter the code to confirm your account so you can log in.
Once this is done, log in to Maltego Community Edition and you can create a new graph.
Step 2: Start the conversation
In our example, we are looking for conversations about sensitive current events that could be used in a disinformation campaign. To begin with, we use a machine that monitors Twitter for activity around certain phrases. These phrases, such as "space force" or "collusion," are likely to lead to a heated debate on a sensitive topic. By following the global conversation on these issues, we can begin to determine who the main actors are and what the discussion looks like.
To start, click on the Machines tab in Maltego and you will be taken to a menu where you can select the Run Machine icon.
There are three relevant options within the machine's menu: "Twitter Digger X", "Twitter Digger Y" and "Twitter Monitor".
We will use a phrase to find tweets, so we choose "Twitter Monitor". The input will be a phrase around which we expect the conversation to take place. It is important that we choose something that will trigger a controversial debate. For our examples we have selected "Papa John", "Space Force" and "Collusion" in separate searches.
Once we start our machine, we need to wait for information to fill the graph. It can take a few minutes for Maltego to run new iterations and get more data, especially if you're using the free version of Maltego. The information you see in the graph can be overwhelming, so it's best to set the layout mode to organic under Layout on the toolbar on the left side of the graph.
If you set the view to "Ball Size of Diverse People" in the "Manage Views" options on the "View" tab, you can look for the larger ball symbols, which represent things that feature more heavily in discussions. This makes the relationships clearer by highlighting the things that many people talk about with larger symbols.
This machine will automatically import updates, and you can see the timer for this in the top right corner under Machines. When the information fills the graph, you can start to organize it by selecting all objects with Ctrl-A.
In the Detail View window at the bottom right, you can click the box next to the plus symbol to organize elements by type. Within these groupings, you can see that Maltego has resolved certain entities as persons that are frequently mentioned or discussed.
This will begin to show you the people behind the discussions on this topic. Here we can see the key persons mentioned in discussions about "collusion" after the machine has been run several times.
We can also use this method to identify links.
In a disinformation campaign, we could search for the articles that have been shared with the most outlandish and divisive content and identify the users sharing these links. After we've created fake and inflammatory information, we can pass the fake messages on to the real users who are the most likely to share them.
Step 4: Identifying Social Media Channels for Jamming
If an attacker wants to block a conversation on a topic, this Maltego machine provides a handy list of hashtags that are used to communicate about a specific topic. With this information, an army of bots could flood the channel with noise and make conversation impossible.
You should be able to automatically display hashtags from detected tweets, but if you only see tweets in your graph, you can click on the graph, select everything with Ctrl-A, right-click to bring up the transform menu, and type "hashtag" in the search bar that appears. This should show the "To Hash Tags" transform, which allows you to extract hashtags from tweets.
Now you can select the hashtags involved and sort them by how many times they appear using the other options in Detail View. In a social media jamming attack, any hashtag above a given popularity could be automatically passed to Twitter bots to disrupt, behaving like a "scan jammer" that constantly looks for activity to jam.
Once you've created a pool of tweets on a specific topic, you can start organizing them automatically according to a few rules. One of the most interesting is sentiment analysis, which allows you to separate negative or positive tweets about the topic you are monitoring. These tools have been available to social media managers for years, but Maltego gives hackers the same benefit.
To sort found tweets by sentiment, select all with Ctrl-A and then right-click to view the transform menu. Type "sentiment" to display the transform "To Sentiment [IBM Watson]". Click it to run it on all found tweets. If you have a lot of tweets in the Community Edition, with its limit of 50 units per run, select the tweets 50 at a time in the Detail View and run them through the transform batch by batch to get through all the data.
The output does a useful job of organizing the tweets according to their sentiment. This has its limits, as sarcasm still fools this system much of the time.
You can see all negative tweets by selecting the "Negative" ball and then selecting the "Investigate" tab at the top left. Next, click Add Parents to add each tweet that has been sorted as Negative. You can do the same with the "positive" and "neutral" balls.
You can use this approach to sort inbound tweets, and in an attack, a number of bots could simply reinforce one side of the conversation to overwhelm legitimate discourse. The tactic of sorting legitimate tweets by the sentiment the user expresses and promoting one side over the other becomes much easier and more effective with tools that automate the process.
Thanks to the promise of open, real-time communication at scale, Twitter has been used by journalists, activists and others to report critical information or coordinate events. This use has made the service a prime target for those capable of monitoring, disrupting and suppressing online conversations.
Advanced persistent threats such as nation-backed hackers will continue to exploit these weaknesses on platforms such as Twitter. They will be used against online discussions to serve political, propaganda and censorship ambitions.
Because these attacks are derived from traditional jamming, some of the same defenses can be used. First, it must be determined whether jamming is taking place at all. When a conversation is suddenly flooded with messages from accounts that have little or no reputable input, or that appear to have been hijacked and are suddenly behaving uncharacteristically, this is a sign that the conversation is being driven by automation. Using the same tactics in Maltego, you can monitor conversations of interest and determine the likelihood that they are being influenced or jammed.
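The first detection signal described above, a sudden flood from accounts with little reputation, can be checked mechanically. The following is an added example, not part of the original guide: the tweet fields (`minute`, `account_age_days`, `followers`), the thresholds and the sample data are all assumptions constructed for illustration, and it does not cover the hijacked-account signal.

```python
from collections import defaultdict
from statistics import median

# Assumed thresholds for illustration; tune them against your own baseline.
MIN_ACCOUNT_AGE_DAYS = 30
MIN_FOLLOWERS = 10
SPIKE_FACTOR = 3.0    # window volume relative to the median window volume
LOW_REP_SHARE = 0.6   # share of a window posted by low-reputation accounts

def is_low_reputation(tweet):
    """Heuristic for 'little or no reputable input': very new or followerless account."""
    return (tweet["account_age_days"] < MIN_ACCOUNT_AGE_DAYS
            or tweet["followers"] < MIN_FOLLOWERS)

def flag_jammed_windows(tweets, window_minutes=10):
    """Return [(window_start, volume, low_rep_share)] for suspicious time windows."""
    windows = defaultdict(list)
    for t in tweets:
        windows[t["minute"] // window_minutes * window_minutes].append(t)
    baseline = median(len(batch) for batch in windows.values())
    flagged = []
    for start in sorted(windows):
        batch = windows[start]
        share = sum(is_low_reputation(t) for t in batch) / len(batch)
        # Both conditions must hold: an organic spike alone is not jamming.
        if len(batch) >= SPIKE_FACTOR * baseline and share >= LOW_REP_SHARE:
            flagged.append((start, len(batch), round(share, 2)))
    return flagged

def build_sample():
    """Constructed sample: steady organic traffic plus a burst from fresh accounts."""
    tweets = [{"minute": m, "account_age_days": 900, "followers": 350}
              for m in range(0, 60, 2)]
    tweets += [{"minute": 30 + i % 10, "account_age_days": 3, "followers": 1}
               for i in range(40)]
    return tweets

if __name__ == "__main__":
    for start, volume, share in flag_jammed_windows(build_sample()):
        print(f"window at minute {start}: {volume} tweets, {share:.0%} low-reputation")
```

Requiring both a volume spike and a high low-reputation share keeps a genuine surge of interest from established accounts from being flagged.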
I hope you enjoyed this guide to using Maltego to monitor events on Twitter in real time! If you have questions about this tutorial or about Maltego's machines, feel free to leave a comment or reach me on Twitter @KodyKinzie.