MS Risk Blog

The Disinfodemic Has Hit Eastern Europe

Posted on in Uncategorized title_rule

The number of requests for information about COVID-19 developments, such as death tolls and vaccine updates, remains high. Some are taking advantage of the current desire for information as evidenced by the rising spread of misinformation and disinformation about the virus. First of all, it is important to distinguish between the two. While misinformation is defined as false information that is spread, regardless of intent to mislead, disinformation generally refers to deliberately misleading or biased information and manipulated narrative or facts. The crucial difference between the two, therefore, is intent.

Disinformation is dangerous as it can be destructive and divisive. It has often been used by countries to undermine rival nations. Since the pandemic started we have seen several incidents involving spread of disinformation. Cyber-security firm FireEye warned in a July 2020 report, “’Ghostwriter’ Influence Campaign: Unknown Actors Leverage Website Compromises and Fabricated Content to Push Narratives Aligned with Russian Security Interests”, that hackers have broken into news websites and posted fake stories aiming at stirring up anti-NATO sentiment. FireEye researchers said these are designed to “chip away” at support for NATO in the eastern European countries of Poland and Lithuania, in addition to Latvia. According to them, this disinformation campaign, which has been dubbed Ghostwriter, has been going on since 2017.

While the people behind the attacks have not been identified, the stories are “aligned with Russian security interests” according to the researchers. They generally attempt to discredit NATO and the US, and include discussion favouring Russia. Furthermore, “[i]t appears, based on the limited public information available regarding the website compromises we have tied to Ghostwriter, that the actors behind the campaign are relatively well-resourced, either directly possessing traditional cyber threat capabilities themselves or having ready access to operational support from others who do.”

The hackers publish “falsified news articles, quotes, correspondence and other documents designed to appear as coming from military officials and political figures in the target countries.” For instance, in April 2020 a fake message calling for troops to fight against “the American occupation” was published on the Polish War Studies Academy’s website. It claimed to be from this organisation’s commander and came after Poland had begun seeking to have the US establish a permanent military base there. Meanwhile Russia has called the arrival of US troops there a threat to its security. On May 27, a falsified interview transcript containing quotes from US Army Lt. Gen. Cavoli was published. Its narrative was that Cavoli criticised Polish and Baltic militaries.

More recently, several fake news articles have been focused on the current pandemic, with some suggesting that NATO is pulling out of Lithuania because of the COVID-19 virus and others blaming NATO forces in Europe of contributing to its spread. For instance, in March 2020, falsified quotes from Lithuanian Defence Minister Ramundas Karoblis was published which contained statements that Lithuania would go ahead with DEFENDER-Europe 20 NATO Exercises despite the COVID-19 pandemic. In addition to these, FireEye identified several other individual attacks and collected it into what they say is a “broader influence campaign.”

The hackers apparently gained access to the targeted websites’ content management systems (CMS) to replace old articles with own content or post completely new false articles. “Website content management system vulnerabilities are commonplace and easily exploited,” Mallory Knodel, CTO at the Center for Democracy and Technology (CDT), said. “Strong and secure websites protect against this by making only cached versions of the website available to users through content delivery networks, and some might go so far as to ensure that the back end, the site’s CMS, [isn’t] exposed on the internet at all, and that version control for static page content, like the content of a news story, is closely monitored.” Knodel continued: “Strong authentication for anyone with back-end access is a must, and this can be done through the use of strong passwords, second-factor authentication, and limiting access to those on a virtual private network.”

Furthermore, director of security strategy at Akamai, Tony Lauro, warned that CMSs may be even easier to compromise when attackers can leverage security weaknesses created by the current pandemic-related remote working conditions. “If an attacker can gain access to [the] CMS platform, either by taking over the remote employee’s workstation or by otherwise phishing their login credentials, as you’d imagine, they’d have the keys to the kingdom,” said Lauro. Lauro suggests that “[o]rganizations should look into zero trust-related technologies for remote access so that when employees connect to internal content management systems to upload media, they are not connecting to any additional network resources. This is done by way of a proxied connection between the inside resources and outside users.”

To combat disinformation, independent fact-checking organisations; news organisations; platforms; academics; and civil society organisations continuously monitor and fact-check published information. For instance, an International Fact Checking Network (IFCN) initiative currently spanning 70+ countries fact-checked and debunked over 1.500 COVID-19 related online falsehoods. Such initiatives are vital to uncover the continuously changing disinformation. Other measures have included criminalising acts of producing or sharing COVID-19 disinformation. For instance, Serbia announced a decree in April 2020 limiting access to public information, for which the stated goal was to limit the spread of fake news. On March 31 Russian lawmakers passed amendments to Article 207 of Criminal Code, under which those found to have deliberately spread false information about serious matters of public safety, such as COVID 19, will face fines of up to €23,000 and up to five years in prison. Such measures have however been criticised for having a potential chilling effect on journalists writing about the pandemic as they can stifle independent reporting on the government’s measures. While examining the validity of this criticism is beyond this article, it is important to note that there may be other motivations behind measures implemented to combat disinformation.

Criticism aside, measures must be implemented to combat the current disinfodemic, and not just in eastern Europe as the campaign may eventually spread beyond this region. FireEye warned that the Ghostwriter campaign could be repurposed and target other geographies. “Given the established history of cyber threat and information operations tactics regularly migrating from targeting Eastern Europe to targeting Western Europe and the U.S., this campaign may warrant special attention, especially as elections near,” they said. It is therefore important that security firms and governments continue to pay attention to this campaign and any future developments.

Access to truthful information is essential during the current crisis. Reliable information is necessary for individuals to adapt their behaviour, such as implementing certain social distancing measures, and for countries to learn from other countries’ experiences and responses. Disinformation can be deadly as it sows confusion about live-saving personal and policy choices. It is therefore vital that security for news websites is prioritised and that published information is properly monitored and fact-checked.