Investigation Demonstrates Coordinated Inauthentic Behavior
Earlier this week, a Daily Beast investigation exposed a network of 19 fake online identities which had placed op-eds in over three dozen online publications. The online identities were associated with multiple fake social media profiles which, in turn, were populated with fake or stolen images and suspicious backstories. After the Daily Beast’s reporting was made public, Twitter, LinkedIn, and others removed the fake accounts.
This network of 19 fake identities appears to be the latest example of a CAMOSINT operation, an online activity that relies on the use of inauthentic social media profiles. This network and its ultimate exposure also illustrates the consequences of poor managed attribution (MA) practices.
What is CAMOSINT?
Social media has become an increasingly contested operational space in which state and sub-state actors create and use inauthentic profiles to gain access and operate. In a 2019 Nsight Paper, Ntrepid Academy categorized these operations as “CAMOSINT” operations.
Such operations rely on the use of social media profiles that intentionally misrepresent the true identity, affiliation, and motivations of the actors behind them—like camouflage. CAMOSINT operations can be conducted pursuant to a variety of objectives, but the common theme is their use of inauthentic social media profiles.
In this particular case, most described themselves as citizen journalists or political consultants. They relied on fake websites and inauthentic Twitter and LinkedIn profiles for their backstopping, and used pirated or AI-generated images to make their profiles appear more authentic.
Using these online identities, the journalists placed op-eds favorable to several Gulf states in various online publications.
CAMOSINT & MA
CAMOSINT operations rely on gaining and maintaining access to various social media platforms and other online spaces. Accordingly, proper MA practices are a key enabling factor for such operations. Even minor technical or behavioral missteps can unravel a CAMOSINT operation, and that’s what appeared to happen to this network of citizen journalists.
Many of the were contributors to two now-defunct websites, The Arab Eye and Persia Now. The Daily Beast’s investigation, however, revealed that both sites were registered on the same day and hosted from the same IP address. Both sites also shared the same Google Analytics account. These minor technical mistakes linked two ostensibly independent sites to each other, which in turn also called into question the “journalists” who were placing content on the sites.
The group also displayed inauthentic online behavior which, ultimately, was suggestive of malicious activity. Some of the social media profiles associated with the bloggers were created around the same time, had similar back stories, wrote about similar topics, and were used to amplify each other’s content. The use of AI-generated images may have made the social media profiles passable at first glance, but a closer examination revealed odd and unnatural facial features. All of this activity is similar to the coordinated inauthentic behavior seen in other CAMOSINT operations.
So what?
The case of this group is instructive for two reasons. First, it proves that CAMOSINT operations do not have to be large in scale or scope. 19 fake identities is not an extensive network (this assumes that 19 is the extent of the network). None of the online accounts associated with the bloggers attracted a particularly large online following. Second, this case proves that with CAMOSINT operations, success is subjective. The fact that the network was exposed is certainly a failure; however, the network of journalists did initially succeed in placing op-eds in several fairly prominent online outlets.
Ultimately, social media has become an operational environment to which inauthentic accounts provide access. Accordingly, it’s likely that CAMOSINT operations will continue to become more sophisticated as actors incorporate lessons learned from previous operations.
