Thread: An Investigation Into Foreign Entities Who Are Targeting Servicemembers and Veterans

  1. #1
    Join Date
    Nov 2009
    Location
    Fly-over country
    Posts
    8,189

    An Investigation Into Foreign Entities Who Are Targeting Servicemembers and Veterans

    The whole report is much too long to fit. Follow link or wait for subsequent posts for the interesting part.

    An Investigation Into Foreign Entities Who Are Targeting Servicemembers and Veterans Online

    Prepared by
    Kristofer Goldsmith
    Chief Investigator
    Associate Director for Policy and Government Affairs
    for
    Vietnam Veterans of America

    https://vva.org/wp-content/uploads/2...estigation.pdf





    TABLE OF CONTENTS

    Executive Summary
    Introduction
    Approach
    Abbreviations
    Glossary
    The Investigation
    Chapter 1: The Imitation of Vietnam Veterans of America
      The First Bulgarian Entity: “Vietnam Vets of America”...
      The Broader Investigation Begins
      Unknown Origins: The Anti-Trump “Vietnam Veterans Advocacy Group”
      Unknown Origins: “Vietnam Vets Unite”
      International Effort to Sell Counterfeit VVA Merchandise...
      Fundraising Scams
      Snapchat
      Instagram
    Chapter 2: The Bulgarian and Russian Entity
      Creation of an Online Ecosystem...
    Chapter 3: Creation of Fake Veterans Organizations
      “We Are Veterans”...
    Chapter 4: The Content Used by Foreign Admins...
      Audience-Building Content
      Divisive Content
      Categories of MilVet Content
      Historical Photographs
      Use of Prominent Servicemembers: Marilyn Gabbard, Aaron Mankin, Kyle Carpenter, Kirstie Ennis, Chris Kyle
      Casket Photos
      Racist and Xenophobic Propaganda
      Antifa
      Obama vs. Trump...
      Elderly Veterans...
      Kaepernick and the NFL vs. Troops
      Exploiting KIAs, WIAs, and Mourning Servicemembers
      Holidays
      Secretary Mattis Memes
      Exploiting Military Women
      Exploiting Homeless Veterans
    Chapter 5: What We Know About the Russian Ads...
      Evaluating the IRA Ads
      The Content Russia Has Already Used to Target MilVets...
      Chart: Specifically Targeted Veterans Organizations
      Chart: Targeting Criteria
      Chart: Topics
      Russians Selling MilVet Merchandise
      Captain Luis Carlos Montalvan
      Indications of What MilVets Running for Office in 2020 Should Expect...
    Chapter 6: Identity Theft of MilVets to Engage in Financial Fraud and Espionage
      The Yahoo Boys
      Chinese Espionage
      Spotting Fakes/Army Staff Sergeant Sherri Vlastuin
      Members of Congress With Military Backgrounds Used for Romance Scams
      Members of Congress With Military Backgrounds: Patrick J. Murphy
      Members of Congress With Military Backgrounds: Lee Zeldin, Adam Kinzinger
    Chapter 7: Facebook’s Switch to “Groups” and the Dangers of “Community”...
      The Evolution of a Backup Group...
      “Veterans Nation” and “Veterans Nation — Honoring All Who Served”
    Chapter 8: First-Known 2020-Election Interference — Macedonians Steal and Promote “Vets for Trump,” Facebook Fails to Respond to American Admins’ Pleas for Help
      Attacks Against Politicians by Macedonians: Joe Biden, Elizabeth Warren, Kamala Harris, Bernie Sanders, Beto O’Rourke, Cory Booker, Kirsten Gillibrand
      Arsov/usapoliticstoday
      Screenshots: Pro-Putin/Assange; Anti-Comey/FBI/Obama/Clinton/Election Disinformation
      Pro-Putin/Pro-Assange/Anti-Comey/Anti-FBI
      Maligning Barack Obama and Hillary Clinton and Spreading Election Disinformation
      Fomenting Hate Against Democrats of Color: Alexandria Ocasio-Cortez, Ilhan Omar, Rashida Tlaib
    Chapter 9: Russian Hackers Make Terroristic Threats Against Military Families While Claiming to Be ISIS
    Chapter 10: Suspicious Accounts Purporting to Work for Reputable MilVet-Focused Organizations
      Fake Veterans Advantage Employee: “Richard Gordon”
    Conclusion
    Recommended Action
      White House
      Department of Veterans Affairs
      Department of Defense
      Department of State
      Department of Justice
      Congress
      Social-Media and Internet Companies
    Appendix 1: Facebook Primer
    Appendix 2: Foreign Admins’ Countries of Origin
    Author Biography
    Acknowledgments
    Endnotes



    EXECUTIVE SUMMARY


    Vietnam Veterans of America’s (VVA) two-year investigation, beginning in August 2017, has documented persistent, pervasive, and coordinated online targeting of American servicemembers, veterans, and their families by foreign entities who seek to disrupt American democracy. American veterans and the social-media followers of several congressionally chartered veterans service organizations were specifically targeted by the Russian Internet Research Agency with at least 113 ads during and after the 2016 election. However, this represents but a tiny fraction of the Russian activity that targeted this community with divisive propaganda: The organic politically divisive content (organic meaning not having to do with ads, rather unpaid posts and comments) created by Russians has a far greater reach than the known paid ads; for even though many of the original sources have been removed from social-media platforms, their posts and comments continue to be propagated and disseminated by foreign administrators (aka admins, who maintain and manage online sites) to spread hateful and politically divisive messages.
    In 2018, Facebook released a tool to reveal the countries of origin of Facebook-page admins for pages that have more than 110,000 followers or have purchased ads of a political nature. This tool has not inhibited the creation, rapid growth, and influence of foreign-born Facebook pages. This measure has, however, revealed that known Russian propaganda and similar politically divisive content that targets servicemembers and veterans is being spread by admins from at least 30 foreign countries, with concentrations in Eastern Europe and Vietnam. The tool has also revealed that these pages often have admins in multiple countries, including suspicious combinations of countries with native language barriers and no geographic commonalities: For example, the American-focused Facebook page “Veterans Nation” has spread Russian-generated content and had admins only in Vietnam, Brazil, and Ukraine. A second example is the “Honoring our American Heroes” Facebook page, which has four admins in the US, one in Indonesia, one in Iran, one in Malaysia, one in the Philippines, and one in Vietnam. This cross-border cooperation suggests an international conspiracy possibly related to and larger than the previously reported Russian disinformation campaign.
    Fake Veteran Accounts
    These foreign admins have created individual social-media accounts that purport to belong to American veterans working at reputable veterans organizations. They use these fake-veteran accounts to send friend requests to the relatively small community of veteran advocates and connect with its prominent members who work to shape federal policy. These fake-veteran accounts infiltrate both public Facebook pages and private Facebook groups, where they can spread propaganda and false news, while shaping and moderating/censoring the conversations of the unsuspecting community of American veterans who follow or join these groups and pages. These admins also recruit Americans who have an interest in veterans and other foreign nationals to help moderate the groups and pages and make them appear more legitimate.
    One such page, “Veterans of Vietnam,” with nearly 160,000 followers, has had admins in Russia, Ukraine, and Italy. This page has been bolstered by at least three dedicated Russian-generated Vietnam-veteran-focused websites that were created to build the Facebook page’s credibility by sharing information about the Vietnam War and veterans’ benefits. These admins also control a closed Facebook group, “American Veterans of Vietnam,” which solicits information from Vietnam veterans regarding their military experience.
    Fake accounts are also being utilized by hostile Chinese intelligence services to connect with high-ranking and influential members of the intelligence and defense communities centered in and around Washington, DC. Chinese officials are seeking to exploit financially vulnerable members of these communities and leverage debts to recruit spies.



    Using Established Names and Logos
    Foreign admins have been using VVA’s logo and name, and the logos of several other congressionally chartered veterans service organizations (in addition to introducing almost identically named organizations: such as Vietnam Veterans of America versus Veterans of America), to establish influential social-media presences. These foreign admins then exploit the reputations of these established and legitimate veterans organizations to spread false, politically divisive, and hateful content while peddling counterfeit merchandise, both creating income for these criminal organizations and introducing inflammatory political content into the physical world from an online environment.
    Separately, individual Snapchat and Instagram accounts have been persistently using VVA’s name and logo to lure its supporters into participating in fraudulent fundraising. These foreign admins ask veterans to supply their personal banking information, claiming that if they solicit money by pretending to be doing fundraising for the VVA, they will then receive a share of the funds themselves, which will be deposited into their personal accounts.
    Identity Theft
    Foreign entities, primarily individuals from West Africa, have been stealing the identities of servicemembers and veterans, including those who have been killed in action, to target Americans with romance scams. The primary targets of these insidious and cruel scams are older, lonely Americans who are relatively new to social media and the internet. The ploy of posing as a servicemember or veteran for financial gain has serious consequences for both those whose identities are stolen and those who are duped into giving money. The FBI received nearly 18,500 complaints from victims of romance or similar internet scams last year, with reported losses exceeding $362 million, up 71 percent from 2017, according to a recent article published by the New York Times.1

    Interference in Presidential Campaign
    VVA has discovered foreign entities targeting veterans for the purpose of interference in the 2020 presidential campaign.
    Admins from Macedonia and the United Kingdom controlled the page “Vets for Trump,” from April 2019 to August 2019,2 which has amassed over 131,000 followers. This page posts explicitly pro-Trump and anti-Democratic-candidate messages and memes. The page also posts pro-Russia/Putin, pro-Assange/WikiLeaks, as well as anti-Robert-Mueller and anti-FBI content. In terms of anti-Democrat content, the page has been primarily focused on attacking the top Democratic presidential candidates: Vice President Joe Biden, Senator Elizabeth Warren, and Senator Bernie Sanders, while also going after Congressman Beto O’Rourke, Senator Kamala Harris, Senator Cory Booker, and Senator Kirsten Gillibrand. While previous reporting revealed in hearings held by committees such as the House Permanent Select Committee on Intelligence (HPSCI) have focused primarily on paid ads by foreign elements — the unpaid, organic posts and comments that appear on pages like this have mostly escaped scrutiny, despite the fact that they have far greater influence because of their tendency to be copied and shared.
    While under the control of foreign admins, “Vets for Trump” has also focused on fomenting hatred by using xenophobic and Islamophobic propaganda against the Democratic women of color who are freshmen in Congress. After creating incendiary posts about Representatives Ayanna Pressley, Ilhan Omar, Rashida Tlaib, and Alexandria Ocasio-Cortez, these foreign admins then connect them with propaganda to the 2020 Democratic candidates. These insidious tactics sow discord among Americans, providing fuel for conflict on a public forum between veterans sympathetic to the damaging, false message planted and Americans of other political persuasions.
    The foreign admins are skilled and sophisticated enough to operate undetected by not only laypersons but those in political life as well: Followers of the “Vets for Trump” page include at least one elected Republican official who was a campaign surrogate of the Trump campaign during the 2016 election, as well as an individual who was the inaugural chairman of a veteran-centric GOP PAC closely tied to the White House.
    This page had coordinated its behavior with a similarly named Facebook page, “Veterans for Donald Trump,” with identical content that was frequently posted at the same time from a mobile phone through at least April 3, 2019. Identical content was again posted on August 22. The “Veterans for Donald Trump” page currently has 14 domestic admins (with no foreign admins able to be seen).
    Combatting Foreign Predators
    Vietnam Veterans of America is presenting this report to the general public so that Americans and Congress can be aware of and have a better understanding of how these foreign admins operate. We are urging the White House, Congress, and the private sector to act quickly to combat this predatory behavior in cyber-environments and to ensure that the exploitation of and attacks against servicemembers, veterans, and our families do not go unpunished.
    Although social-media companies have been the primary focus of condemnation for these attacks against Americans — and they are absolutely responsible for their vulnerabilities — our citizens and the politicians who represent us must recognize that these attacks are by foreign enemies. While social-media companies, the US government, and the American public must make efforts to harden our current vulnerabilities, we must also prioritize the endeavor of disincentivizing attacks by punishing foreign adversaries.

    Recommended Action
    White House
    The White House must elevate American cybersecurity to the Cabinet level by Executive Order (EO), thereby prioritizing and centralizing our response and safeguards to risks from bad actors. A Director of Cybersecurity’s role would be to ensure that American cybersecurity is a priority in every aspect of modern government. This EO should create a Civilian Cybersecurity Advisory Board consisting of Chief Internet Security Officers (CISOs) from the American companies that are the most important stakeholders in American internet infrastructure and cybersecurity.
    In recognition of the fact that military service results in increased likelihood of targeting by foreign adversaries, the EO should be used to appoint a Deputy Assistant Secretary of Cyber-Health at the Department of Veterans Affairs. The Deputy Assistant Secretary of Cyber-Health would report directly to the VA’s Under Secretary of Health and be charged with the responsibility of developing and prioritizing programs at the VA to improve cyber-hygiene — the practice of taking steps and the precautions necessary to keep data secure from outside attacks.
    The President should make permanent and expand the identity-theft insurance and credit-monitoring currently provided to victims of the Office of Personnel Management (OPM) data breach of 2015 to include all servicemembers, veterans, and their families. The EO should also provide complimentary antivirus software to servicemembers, veterans, and their families, which would be a preventive measure against cybercrime and furthermore would reduce the reliance on programs that repair damage after a cybercrime has been committed.
    Department of Veterans Affairs
    The Secretary of Veterans Affairs should immediately develop plans to make the cyber-hygiene of veterans an urgent priority within the Department of Veterans Affairs. The VA must educate and train veterans on personal cybersecurity: how to mitigate vulnerabilities, vigilantly maintain safe practices, and recognize threats, including how to identify instances of online manipulation.
    Department of Defense
    The Secretary of Defense should create a working group to study the security risks inherent in the use of common personal electronic devices and apps at home and abroad by servicemembers. The Secretary must also direct commanders to include personal cybersecurity training and regular cyber-hygiene checks for all servicemembers.
    Department of State
    The Secretary of State should instruct the State Department to take all possible diplomatic efforts to ensure that countries around the world prioritize the apprehension of cybercriminals who target Americans. The Secretary should draft strong, diplomatic punitive measures against countries that shield or refuse to prosecute cybercriminals from their countries who target Americans.
    Department of Justice
    The Attorney General must ensure that companies that do business on the internet maintain evidence of and report all cybercrimes and propaganda campaigns suspected to have been committed against Americans by foreign entities.
    Congress
    Congress should update laws regarding internet privacy and fraud protection, in addition to granting federal law enforcement the jurisdiction to respond to and prevent cybercrimes. Congress should guarantee that law enforcement has the personnel and funding needed so that it can prioritize interdiction of networks of foreign cybercriminals who target Americans for financial fraud. It is essential to have laws that make certain all evidence of cybercrimes and foreign disinformation campaigns are preserved and that statutes of limitation are extended appropriately so that law enforcement and independent researchers can ensure that victims see their perpetrators brought to justice.

    Senate and House Committees on Veterans’ Affairs
    The Committees on Armed Services must commission studies to evaluate the risk to force readiness presented by cybercrime and foreign-born propaganda campaigns and determine how many servicemembers have already been impacted, as well as what security risks are presented by servicemembers’ use of personal devices and apps at home and abroad. The Committees should pass legislation to offer all servicemembers and their families complimentary antivirus software, in addition to make permanent the offer of lifetime credit-monitoring and identity-theft insurance. This legislation should instruct the Department of Defense (DoD) to make personal cyber-health a priority and require training of all servicemembers in cyber-hygiene.
    Social-Media and Internet Companies
    Social-media companies, including but not limited to Facebook, Instagram, and Twitter, must maintain all evidence of foreign interference for examination by law enforcement and independent researchers. If current laws or regulations prevent this, these companies should actively petition the government for the appropriate changes. Evidence approved for release should be watermarked, which will verify its authenticity, and maintained in a public repository of known propaganda.
    Social-media companies should proactively and continually screen military and veterans groups and pages for inauthentic behavior. Furthermore, they should verify military service of those who claim it (especially LinkedIn) — use a “green” checkmark or verification badge, display a clear warning for claimed but unverified military status, or prohibit military/vet status from being claimed/visible unless internally verified.
    In addition to screening military and veterans groups and pages, social-media companies should aggressively hunt for criminals using these platforms and report suspicious activity to law enforcement rather than simply rely on reports submitted by users.
    Social-media and internet companies must also empower reliable individuals and organizations with tools to assist them in discovering foreign “trolls” — those who deliberately post provocative, incendiary, or false content with the intent to cause harm. The “troll hunters” who produce reliable reporting should be well compensated.
    Facebook
    Include locations of all current and past admins in page history — and make the country of origin more prominent so that average users can see this information without a click-through.
    Scan for confirmed political propaganda of Russian/foreign origin using artificial intelligence (AI) and notify users/pages; auto-watermark content to identify as propaganda from Russian/foreign source.
    Develop AI to detect romance scammers — zero in on suspicious connections between military-affiliated West Africa and the United States, a common link.
    Twitter
    Seek out and verify legitimate veterans and veterans organizations who are engaged in politics and policy, and suspend predatory, false ones.
    LinkedIn
    Verify claimed military affiliations, and hide those that are unverified.






  2. #2
    Join Date
    Nov 2009
    Location
    Fly-over country
    Posts
    8,189


    INTRODUCTION
    American servicemembers, veterans, and the organizations that represent them have been persistently targeted by hostile foreign entities in online environments for nefarious purposes. These entities include but are not limited to Russian intelligence services.3 Their goals are to perpetrate financial fraud,4 spread anti-American propaganda,5 and manipulate the online public community spaces and sow discord by exploiting and inflaming national divisions.6,7 While their objectives also include election interference,8 their activities and their effects continue without interruption year-round and are not limited to political elections.
    Vietnam Veterans of America (VVA), a congressionally chartered veterans service organization (VSO), has endured persistent and pervasive foreign-born online campaigns that have targeted our membership and organization since at least 2014. VVA first became aware of these cyberattacks in August 2017 with the discovery of an impostor Facebook page using VVA’s trademarked name and logo that was found to be linked to a suspicious Europe-based website. The page was spreading falsified news — changing dates on true stories and sensationalizing and exaggerating otherwise benign reporting — on issues that are closely associated with this specific population.
    Early results of VVA’s investigation were shared with various federal agencies and congressional committees in March and April 2018. This preliminary report identified an entity in Plovdiv, Bulgaria, as responsible for the creation of impostor social-media accounts meant to mislead Americans into believing that they represented VVA.9 That analysis sparked an ongoing investigation, which has over the course of thousands of hours led to the discovery of foreign entities from at least 32 countries targeting members of the military and veterans (MilVets) community on social media by impersonating servicemembers and MilVets organizations. The list of host nations includes Russia and concentrations of countries in Eastern Europe and the Asian-Pacific.

    Foreign adversaries have many motivations for targeting members of the MilVets community. This population has a higher propensity than other subgroups of Americans who are politically engaged — they are more likely to vote and serve in public office — and they tend to wield greater political influence on those around them.10 Additionally, nearly one-third of the federal workforce is composed of veterans.11 This makes the targeting of the MilVets population a means to jeopardize federal agencies ranging from law enforcement and defense to healthcare and food safety.
    America’s adversaries focus on deceiving MilVets because they are particularly vulnerable to blackmail: Beyond the battlefield and long after they’ve taken off the uniform, MilVets who require security clearances can have their careers ended if their finances are compromised or if they are put in situations that leave them vulnerable.
    The data breach that was announced by the Office of Personnel Management (OPM)12 on June 4, 2015, became a valuable lesson in cybersecurity. Malware allegedly associated with a Chinese-government-sponsored “advanced persistent threat,” or APT, known as Deep Panda obtained the background-investigation records of current, former, and prospective federal employees and contractors dating as far back as 2000. Twenty-two-million individuals had their personal data stolen. To put this into the context of the MilVets community, every servicemember whose military occupational specialty, rank, or position required a security clearance since before the Global War on Terror began had sensitive information such as their social-security numbers, address histories, and contact information stolen by a foreign government. Soon after the breach was publicized, OPM and the Department of Defense (DoD) announced a contract to provide temporary credit-monitoring and identity-theft insurance to victims of the breach. Congress then passed the Consolidated Appropriations Act of 2017 (Public Law No. 115-31). Section 633 of that law requires OPM to provide complimentary insurance to these 22-million affected individuals from 2016-2026.




    Four years after the OPM data breach, the Justice Department filed charges alleging that some of that data had been used to take out fraudulent loans in the names of unsuspecting victims.13 This incident could be the first of many, particularly if the state-sponsored APT Deep Panda is selling the information on the dark web (the portion of the internet that allows users to remain untraceable). There remains the tremendous risk of APT Deep Panda coordinating with hostile non-state intelligence services, such as WikiLeaks, or hostile nation states in an attempt to disrupt the US government and population. If published publicly, this vast trove of information would cause serious personal damage to the 22-million affected Americans. The ripple effect of this vulnerability being exploited would cause incalculable social and economic harm to our country.

    While this threat of personal financial ruin hovers over the heads of millions of veterans, an even more disturbing hazard awaits troops on the battlefield at the intersection of cyber- and kinetic warfare, or cyber-kinetic warfare, in which enemy forces can detect and/or interfere with electronic devices and use them to cause harm. The Russian hacking unit known as APT 28, or Fancy Bear, has been known to use malware on the personal devices of Ukrainian troops to track their movements and ultimately target them with conventional weapons.14 Ukrainian troops and their families have also been targeted by Russia with “pinpoint propaganda” messages sent via text.15 These messages aren’t meant only to destroy morale. Texts sent to Ukrainian military families falsely announcing that their soldiers were killed in action cause panic, and Russians track the resulting surge in calls and mobile-phone signals from the families to the troops so that they can target the soldiers with conventional weapons.16 This insidious tactic could be similarly used against American troops in current conflict areas with information garnered from the OPM leak, as well as by using information easily gathered from American troops’ social-media profiles. The effects could be further amplified by impostor social-media accounts meant to look like reputable or high-ranking MilVets and the organizations that represent them — while thousands of bot accounts (autonomous programs on the internet designed to behave like real individuals) are activated to make it confounding to discern fact from fiction.
    In 2018 yet another growing threat related to impostor social-media accounts that target the intelligence and defense communities was brought to light. LinkedIn was singled out as a platform exploited by China through the use of impostor accounts meant to blend in with those of MilVets and intelligence professionals.17 US officials have said that there is some correlation between targets of the Chinese LinkedIn campaign and the OPM data breach. Recent court documents have demonstrated that China uses LinkedIn to target Americans for recruitment as spies and then pays those spies to hand over the information of LinkedIn users they connect with. This tactic is as easy as creating a fake profile using a picture of a servicemember and falsifying a military affiliation in the account’s work history.
    This report will focus on the recent targeting of MilVets by foreign entities online — primarily on social-media platforms. We document the creation of websites meant to mislead as well as mine data from and implant malicious software into the computer systems of American servicemembers and veterans. The tactics, techniques, and procedures (TTPs) that foreign entities use to build audiences and spread disinformation and social discord will be displayed visually so that readers can see how this problem looks and evolves. We also reanalyzed the ads known to have been created by the Russian Internet Research Agency (IRA) to reveal that the targeting of MilVets during the 2016 campaign was so specific that the Russians paid to explicitly reach followers of the Facebook pages of trusted VSOs such as “Vietnam Veterans of America,” “Disabled American Veterans,” and “AMVETS,” as well as veterans organizations affiliated with far-left and far-right politics such as “Vietnam Veterans Against the War” and “Concerned Veterans for America.” The report will conclude with policy recommendations for coordinating the response necessary to protect veterans and national security in this world where everything is connected through the internet — through the Fifth Domain: the newest theater of warfare.




    APPROACH
    This report will provide a detailed qualitative analysis of the methods foreign adversaries use to target servicemembers and veterans in cyber-environments, as well as provide recommendations for the White House, Congress, and the private sector to respond effectively. Our analysis will reveal previously unpublished findings that include, but are not limited to, a massive campaign to trick veterans into downloading malware by an as-yet-unidentified foreign entity.
    To conduct this study, we analyzed suspicious social-media activity in and around the tight-knit community of MilVet advocates centered in Washington, DC, for two years, beginning in August 2017. Suspicious social-media accounts and websites were documented with screen-captures (a screenshot of an image on a computer, tablet, or cell phone), then catalogued and organized by date of recording.
    “Suspicious activity” includes: coordinated inauthentic behavior;18 spelling and grammar mistakes typical of non-native English speakers; sharing URLs that are associated with malware; masking of links with URL-shorteners; soliciting personal information from MilVets; the use of ad technology to target and retarget MilVets; and the use of the same MilVet-related photos, memes (a captioned picture or video, often altered to be humorous, that is copied and spread online), or links across multiple accounts and platforms. Suspicious activity also includes false representation of MilVet status or VSO affiliation and the spreading of known foreign-state-sponsored and state-controlled propaganda such as TASS,19 RT,20 and Sputnik News.21 Other suspicious activity includes the changing of the names and focuses (ie, topics of discussion, themes) of pages and groups related to MilVets.
    Searches were performed via the Internet Archive Wayback Machine22 to examine now-shuttered websites and the previous editions of websites that are still functioning. Suspicious websites whose information was publicly available were examined via the DomainTools WHOIS page23 to determine country of origin, date of creation, registrar, and registrant. Suspicious written content was checked for plagiarism/origin via the Google search engine and the website PapersOwl.com. Reverse-image-search was performed with the TinEye Google Chrome Plugin, as well as Google’s reverse-image-search function.
    Facebook’s automated “recommended pages” and “related pages” functions that appear on users’ Facebook pages on desktop were used to map networks of suspicious pages targeting the MilVets community. How Facebook’s algorithms determine what pages are related or recommended is unclear, but the tool has been consistently useful nonetheless. Beginning in August 2018, Facebook made available to users in the United States a function to reveal the countries of origin of admins of pages with very large followings and those who have purchased ads on politically sensitive topics and “issues of national importance,” which appears to include all MilVet-related merchandise. When available, admin profiles of the less-followed individual Facebook pages, group administrators, and bots (autonomous programs on the Internet designed to behave like a real individual) were examined to determine likely country of origin based on geographic “check-ins,” likes, and the languages used in public posts.
    All Russian IRA ads released by the House Permanent Select Committee on Intelligence (HPSCI)24 were examined, and we determined that 113 of them included unredacted imagery and/or text content and/or targeting details that were related to the MilVet community. Isolating the MilVet-focused IRA ads from the rest allowed new patterns to emerge. We analyzed the ads by separating them into subcategories according to the specific affinity groups or divisive issues that they targeted, paying special attention to the ads with which the Russians specifically targeted VVA and other legitimate veterans organizations.
    Most suspicious accounts in our investigation on Twitter found us — following, retweeting, and liking VVA-affiliated Twitter accounts in unusual yet predictable patterns. Twitter’s automated “who to follow” function that appears on users’ browsers and mobile apps allowed us to identify networks displaying coordinated inauthentic behavior. As is the case with the similar Facebook function, it is unclear how the algorithm works, but Twitter’s automated recommendations were very helpful for mapping bot networks. Other Twitter accounts were brought to our attention by MilVets and other VSOs who were aware of our investigation and believed they had spotted suspicious behavior.

    Facebook’s free Google Chrome extension “CrowdTangle”25 was used to determine which social-media accounts had shared specific links, such as web pages featuring falsified news. This helped us to identify coordinated inauthentic behavior and related accounts that spanned various social-media platforms. This tool also lists the number of followers of each social-media account that shared these links and the number of reactions (likes, shares, retweets, etc.) each shared link resulted in. This helped us to estimate the impact and virality of certain content.




    ABBREVIATIONS
    AI: Artificial Intelligence
    APT: Advanced Persistent Threat
    C2: Command & Control
    CVA: Concerned Veterans for America
    DoD: Department of Defense
    HPSCI: House Permanent Select Committee on Intelligence
    IAVA: Iraq and Afghanistan Veterans of America
    ICA: Intelligence Community Assessment
    IRA: Russian Internet Research Agency
    MilVets: Military and Veterans
    NSPM: National Security Presidential Memorandum
    OPM: Office of Personnel Management
    PII: Personally Identifiable Information
    TTPs: Tactics, Techniques, and Procedures
    URL: Uniform Resource Locator (also known as a web address)
    VA: Department of Veterans Affairs
    VPN: Virtual Private Network
    VSO: Veterans Service Organization
    VVA: Vietnam Veterans of America





    GLOSSARY
    This list contains terms narrowly defined within the context of and in relation to this investigation.
    Admin/administrator: a Facebook admin/administrator controls and manages settings on pages and groups
    Adware: usually refers to unwanted advertisements or malware (malicious software)
    Antifa: stands for the “anti-fascist” movement that had its roots in left-wing protests against right-wing conservatism; a loose collection of regional groups and individuals aiming — through peaceful and violent measures — to resist and disrupt political actions they consider to be far-right and/or racist
    App: short for “application,” a program for personal electronic devices
    Bot: autonomous programs on the internet designed to behave like real individuals; some run automatically, while others require specific input to execute commands; bots are often used to perform malicious actions
    Command and Control: the exercising of authority by a commander (including planning, coordinating, directing, and controlling) to accomplish a mission
    Cyber Caliphate: cyber-hacker group self-identifying as the digital army for ISIS
    Cyber-health/cyber-hygiene: practice of risk mitigation online; includes taking steps such as changing passwords frequently and installing antivirus software
    Cyber-kinetic warfare: in which enemy forces can detect or interfere with electronic devices and use them to cause physical harm
    Dark web: a collection of websites that use anonymity tools to hide their IP addresses
    Deepfake: Combining/superimposing images or video, often with the nefarious purpose of producing video/images of people who may not actually exist or of real people saying/doing things they did not actually do
    Deep Panda: a Chinese-government-sponsored threat group
    Dog whistle: a strategy to communicate that sends a subtly coded message
    Evergreen content: content that does not become dated
    Facebook group: joining allows Facebook users who share common interests to be connected and communicate in one place
    Facebook page: for business accounts and public figures to create an online presence; offers advertising features
    False flag: a covert operation designed to deceive; the deception creates the appearance of a particular party, group, or nation being responsible for some activity, disguising the actual source of responsibility
    Falsified news: real news stories that are subtly altered in order to provoke outrage, often includes the plagiarization of complete articles with only the date of publication changed so that readers are made to believe the content is more recent
    Fancy Bear: Russian cyberespionage group, also known as APT 28
    Follows: when a person “likes” a Facebook page or connects with a social-media account, they will automatically see updates in their news feed
    Inauthentic behavior: misleading actions to deceive others about who an individual/group is or what the individual or group is doing



    IP: Internet Protocol, which is a numerical label that identifies a device and location
    Junk news: misleading or deceptive content, deliberate misinformation purporting to be authentic and true
    Like: a social-media feature that allows users to express a positive reaction or support to content

    Link/URL-shortener: a tool to shorten links, which can be used to circumvent bans or disguise websites
    Malware: malicious types of software such as adware, spyware, viruses
    m.me URL: a shortened URL that Facebook users can use to enter into a conversation with the affiliated page admin
    Meme/internet memes: an image, video, or concept, often captioned and altered to be humorous, that is copied and spread online
    News feed: a list of updates about friends on a Facebook home page as well as advertisements
    Retweet: reposting content by another user on Twitter, with or without an additional comment
    Screen-captures/screenshots: a copy of the image that appears on a cell-phone, tablet, or computer screen
    Social media: websites or apps that allow users to interact and share content
    Sockpuppet: a false online identity meant to deceive
    Spam: unsolicited messages sent to a large number of recipients
    Spear-phishing: sending emails from an ostensibly trusted source to solicit confidential information
    Spoof: creation of an IP with a false address
    Spyware: a kind of malware, which a user unknowingly installs, that can gain access to the computer and steal data
    Tab: a feature on Facebook that loads content; examples are “About” tab, “Community,” “Info and Ads”
    Troll: a person who seeks to sow discord, disrupt, or influence behavior on the internet by posting inflammatory content
    Troll farm: an organization whose members or employees engage in online behavior that is meant to disrupt, distract, cause conflict, and influence conversations/behavior for nefarious purposes
    Useful idiot: a naive person who is persuaded by a group (usually through deception) to further its political agenda without fully comprehending the goal or its ramifications
    WHOIS: an Internet service used to look up information about a domain name or IP address
    Zero-day vulnerability: a computer-software vulnerability unknown to the manufacturer, typically used in targeted attacks





  3. #3
    Join Date
    Sep 2009
    Location
    Slave Region 10
    Posts
    113,807

    Default

    The VVA is a commie front and this is just another attempt to link Russia (instead of China) to nefarious operations against the US
    They swore, if we gave them our weapons, that the wars of the tribes would cease.
    “As a general rule, the earlier you recognize someone is trying to kill you, the better off you’ll be.”

    "You think a wall as solid as the earth separates civilisation from barbarism. I tell you the division is a sheet of glass."


