INFLUENCER VACCINE: IDENTIFYING INFORMATION OPERATIONS INFRASTRUCTURE USING CYBER THREAT INTELLIGENCE

Kyle Ehmke, ThreatConnect

Influence operations and networks of troll-peddled propaganda garnered the limelight during the 2016 US elections and continue to be identified on various social media platforms. These information operations often sit adjacent to or outside of the cybersecurity realm, but this case study will highlight the importance of applying typical cyber threat intelligence tools and analysis to the problem. This talk will provide an overview of how ThreatConnect used infrastructure hunting methodologies and capabilities typically reserved for understanding malicious network activity to identify an actor and dozens of domains possibly associated with Russia's Internet Research Agency and their influence operations. This investigation begins with activity related to the 2016 elections, but many of the “news” sites we identified are still in use today. Most focus on content relevant to Russian domestic issues, while some have been geared toward Ukrainian and US audiences.