My country, the United States, has experienced days of disruption and discord not witnessed since the late 1960s across multiple municipalities and regions. Adequately parsing and analyzing these events, their motivations, and what lasting impacts they may have will be the work for others. Instead, these chaotic events identify a concrete opportunity and example of a phenomenon previously discussed, cheekily referred to as being “kicked while down” – where an adversary takes advantage of conditions to execute disruptive actions that exacerbate those conditions and cause ever greater harm.

The political culture and overall social ecosystem of the United States are currently in shambles, having faced a brutal one-two punch of the COVID-19 response (and its resulting political fallout – largely conservative if not outright reactionary) followed by protest and unrest over the murder of George Floyd. These events come against an already fraught backdrop given the divisiveness of the Donald Trump Presidency, continued (and unwarranted, given the preponderance of evidence) questioning of foreign interference in the 2016 US election, and the growing fear that similar manipulation (or worse) may transpire in the November 2020 US elections. From the standpoint of societal stresses and political weaknesses, the United States would appear primed for a well-timed, well-aimed “nudge” to set already disruptive (and increasingly violent) matters onto an even more concerning and dangerous path.

One of my hobbies within the realm of information security is finding malicious network infrastructure based on previously-identified patterns exhibited by entities such as FANCY BEAR, SANDWORM, APT33, OilRig, Lazarus, and other threats. In the course of such activity, I recently came across a series of new domain registrations that appear to mirror current tensions – reflecting both progressive and reactionary positions.

The items shown in the table below largely coalesce around hosting properties previously associated with Russian strategic interests, as indicated in multiple public reports in the past few years from the US Department of Justice, the US National Security Agency, the security firm CrowdStrike, and other entities. Although this is not definitive and the analysis presented here is cursory (and done on my own free time), overall the cluster of activity in the table below “looks like” someone trying to stoke the flames of unrest in an already troubled environment.

| Domain | Registrar | Date Created | Name Server | IP Address | Hosting Provider |
|---|---|---|---|---|---|
| defundnypd.com | NameCheap | 06 Jun 2020 | nsone.net | 157.245.130.6 | DigitalOcean |
| defundbikepolice.com | Tucows | 05 Jun 2020 | hover.com | Various | Squarespace |
| defundbikepolice.org | Tucows | 05 Jun 2020 | hover.com | Various | Squarespace |
| defundingthepolice.com | Tucows | 04 Jun 2020 | googledomains.com | 23.227.38.65 | Cloudflare |
| defundlasd.com | Tucows | 04 Jun 2020 | nsone.net | Various | Squarespace |
| defundspd.org | Tucows | 04 Jun 2020 | njalla.no | 95.215.19.12 | Privactually |
| defundthenypd.nyc | Tucows | 05 Jun 2020 | nsone.net | N/A | N/A |
| defundthepolice.co | NameCheap | 04 Jun 2020 | registrar-servers.com | 192.64.119.35 | NameCheap |
| americanironfront.com | Tucows | 02 Jun 2020 | njalla.no | Various | Fastly |
| americanironfront.org | Tucows | 02 Jun 2020 | njalla.no | Various | Fastly |
| armedlabor.com | Tucows | 01 Jun 2020 | njalla.no | N/A | N/A |
| armedlabor.org | Tucows | 31 May 2020 | njalla.no | 185.193.126.200 | Cyberdyne |
| barr.charity | Tucows | 04 Jun 2020 | njalla.no | Various | Privactually |
| bonespur.charity | Tucows | 02 Jun 2020 | njalla.no | Various | Privactually |
| hellopigs.com | Tucows | 03 Jun 2020 | njalla.no | 185.193.126.209 | Cyberdyne |
| ironfront.org | Tucows | 02 Jun 2020 | njalla.no | Various | Fastly |
| policebrutality.live | Tucows | 31 May 2020 | njalla.no | N/A | N/A |
| thedonald.charity | Tucows | 02 Jun 2020 | njalla.no | Various | Privactually |
| wnydefenseleague.org | Tucows | 02 Jun 2020 | njalla.no | N/A | N/A |

While the items above could certainly represent mere opportunism on the part of unscrupulous actors, the timing and themes recorded potentially indicate something more. Some items display strong political statements – arguably far stronger than mainstream views on police reform – such as the following two sites:

And:

Meanwhile, the conservative-leaning “charity” sites redirect to the Bail Project website, designed to facilitate bail payment for arrested protesters within the US (for my non-US friends – the concept of “bail” is strange and messed up, and delving into it is another conversation entirely):

Overall much of this may reside within “authentic” protest and disruptive activity, but as noted in Thomas Rid’s interview of Ladislav Bittman, a defector from the then-Czechoslovakian intelligence service, in his book “Active Measures”, disinformation and similar content must correspond to reality to some degree, or at least to widely accepted views within the targeted population. Fantastical, far-out ravings stand out from “regular” discourse and can be identified and dismissed quickly. More subtle injections into communicative streams are harder to detect, and possess the ability to “nudge” conversations and deliberations further in a direction designed by their master or creator to foment distrust, disruption, or even outright revolution.

Overall, the network items above are early-stage observables, but compared to over fifty other domains and websites created in the past two weeks reflecting similar political themes, they stand apart based on registration patterns and infrastructure. It may be these are simply anomalies within the broader protest effort and worth no further thought. However, it is also possible (and not yet proved otherwise) that such items could represent initial actions by some unknown external entity to take advantage of situations to further drive the current, bitter wedge through US society to its long-term detriment.

Given the plethora of disinformation already spread through selectively-edited videos, clips, and cellular phone captures, creating avenues for message propagation would represent a natural next step for entities – either domestic or foreign – seeking to expand current fires into a raging, destructive conflagration.

From the perspective of those participating in the very valid and overdue movement to reform policing activity within the United States and working to ensure the security (and survival) of African-American citizens, they should be aware of external entities attempting to use and manipulate their justified outrage for other purposes. Remaining inquisitive and potentially skeptical of received information is key to detect possible disinformation or manipulation, designed not to reform social inequalities but to undermine the state in which they live. Those approaching the issue on the other side must be equally wary of such manipulation and its likelihood to dehumanize or delegitimize the concerns of protesters to enable violent, potentially deadly retaliatory action.

On the heels of COVID-19 and with what will surely be a bitterly contested election coming in a few months, the United States is in a position of acute, dangerous risk. Various entities will attempt to exploit these divisions and disagreement to the long-term detriment of the country and its people. By having an appropriate level of skepticism and questioning around otherwise passively-received information – from social media, email, or websites – we can work to deny such interlopers entrance into the national discourse as we, residents of the US, work to resolve our problems and improve our society. Falling prey to external interlopers, even if their messages may seem aligned with broader opinions at first, will only enable prolonged and ever-more destructive strife, unrest, and dislocation. In an age of rapid, almost unchecked information manipulation and warfare, all parties working to resolve current societal issues must be vigilant and aware of those desiring to exploit conditions for their own malicious purposes.

UPDATE – 12 JUN 2020

Since initial publication, additional domains have emerged, many of which appear linked to the “Capitol Hill Autonomous Zone” movement in Seattle.

| Domain | Registrar | Date Created | Name Server | IP Address | Hosting Provider |
|---|---|---|---|---|---|
| spread-peace.org | PDR | 10 Jun 2020 | bacloud.com | 91.216.163.74 | UAB |
| capitalhillautonomouszone.com | Tucows | 11 Jun 2020 | njalla.no | 185.193.125.110 | Cyberdyne |
| thecapitalhillautonomouszone.com | Tucows | 11 Jun 2020 | njalla.no | 95.215.19.12 | Privactually |
| rateourpolice.org | Tucows | 11 Jun 2020 | njalla.no | 95.215.19.12 | Privactually |
| rateourcops.org | Tucows | 06 Jun 2020 | njalla.no | 95.215.19.12 | Privactually |

Looking at the “Capital” (sic) items specifically, they appear to align with responses or reactions to the BLM movement:

While the “rate” sites appear to function as a Yelp-influenced service for law enforcement evaluation:

Overall, these sites appear divorced from the overall protest movement and inject potential alternative – or disagreeing – views. While nothing especially inflammatory or objectionable is presented by either, there remains a trend of subverting or co-opting themes and infrastructure for political purposes – while registration and hosting data aligns closely with known non-US entity behaviors.
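The post's reasoning rests on clustering new registrations by shared registrar, name server, IP and hosting provider, and noting how tightly the registration dates group. The following script is an added example (my own, not code from the post) that carries out that clustering over the records transcribed from both tables above. The "watch profile" it scores against (registrar Tucows together with name server njalla.no) is an assumption chosen to reproduce the grouping the post describes, not a rule the post states, and any real pipeline would replace the inline records with WHOIS/RDAP and passive DNS output.

```python
"""Cluster newly registered domains by shared registration and hosting
infrastructure. Added example; records are transcribed from the post's two
tables, and WATCH_PROFILE is an assumed illustration, not a rule from the post."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime

# Records transcribed from the post's tables, pipe-separated:
# domain|registrar|created|name server|ip|hosting provider
RAW = """\
defundnypd.com|NameCheap|06 Jun 2020|nsone.net|157.245.130.6|DigitalOcean
defundbikepolice.com|Tucows|05 Jun 2020|hover.com|Various|Squarespace
defundbikepolice.org|Tucows|05 Jun 2020|hover.com|Various|Squarespace
defundingthepolice.com|Tucows|04 Jun 2020|googledomains.com|23.227.38.65|Cloudflare
defundlasd.com|Tucows|04 Jun 2020|nsone.net|Various|Squarespace
defundspd.org|Tucows|04 Jun 2020|njalla.no|95.215.19.12|Privactually
defundthenypd.nyc|Tucows|05 Jun 2020|nsone.net|N/A|N/A
defundthepolice.co|NameCheap|04 Jun 2020|registrar-servers.com|192.64.119.35|NameCheap
americanironfront.com|Tucows|02 Jun 2020|njalla.no|Various|Fastly
americanironfront.org|Tucows|02 Jun 2020|njalla.no|Various|Fastly
armedlabor.com|Tucows|01 Jun 2020|njalla.no|N/A|N/A
armedlabor.org|Tucows|31 May 2020|njalla.no|185.193.126.200|Cyberdyne
barr.charity|Tucows|04 Jun 2020|njalla.no|Various|Privactually
bonespur.charity|Tucows|02 Jun 2020|njalla.no|Various|Privactually
hellopigs.com|Tucows|03 Jun 2020|njalla.no|185.193.126.209|Cyberdyne
ironfront.org|Tucows|02 Jun 2020|njalla.no|Various|Fastly
policebrutality.live|Tucows|31 May 2020|njalla.no|N/A|N/A
thedonald.charity|Tucows|02 Jun 2020|njalla.no|Various|Privactually
wnydefenseleague.org|Tucows|02 Jun 2020|njalla.no|N/A|N/A
spread-peace.org|PDR|10 Jun 2020|bacloud.com|91.216.163.74|UAB
capitalhillautonomouszone.com|Tucows|11 Jun 2020|njalla.no|185.193.125.110|Cyberdyne
thecapitalhillautonomouszone.com|Tucows|11 Jun 2020|njalla.no|95.215.19.12|Privactually
rateourpolice.org|Tucows|11 Jun 2020|njalla.no|95.215.19.12|Privactually
rateourcops.org|Tucows|06 Jun 2020|njalla.no|95.215.19.12|Privactually
"""

# Assumed profile of attributes to score against (illustration only).
WATCH_PROFILE = {"registrar": {"Tucows"}, "name_server": {"njalla.no"}}

# Placeholder values the tables use when no single IP or host applies.
UNKNOWN = {"Various", "N/A"}


@dataclass(frozen=True)
class DomainRecord:
    domain: str
    registrar: str
    created: date
    name_server: str
    ip: str
    hosting: str


def parse_records(text: str) -> list[DomainRecord]:
    """Parse pipe-separated rows into DomainRecord objects."""
    records = []
    for line in text.strip().splitlines():
        domain, registrar, created, ns, ip, hosting = line.split("|")
        when = datetime.strptime(created, "%d %b %Y").date()
        records.append(DomainRecord(domain, registrar, when, ns, ip, hosting))
    return records


def cluster_by_infrastructure(records):
    """Group domains sharing the same (registrar, name server) pair."""
    clusters = defaultdict(list)
    for r in records:
        clusters[(r.registrar, r.name_server)].append(r.domain)
    return dict(clusters)


def shared_ips(records):
    """Return IPs hosting more than one domain, ignoring placeholder values."""
    by_ip = defaultdict(list)
    for r in records:
        if r.ip not in UNKNOWN:
            by_ip[r.ip].append(r.domain)
    return {ip: doms for ip, doms in by_ip.items() if len(doms) > 1}


def match_profile(records, profile):
    """Score each domain by how many profile attributes its record matches."""
    return {r.domain: sum(getattr(r, field) in values
                          for field, values in profile.items())
            for r in records}


def registration_window(records):
    """Earliest and latest creation dates as ISO strings."""
    dates = [r.created for r in records]
    return min(dates).isoformat(), max(dates).isoformat()


if __name__ == "__main__":
    recs = parse_records(RAW)
    for key, doms in sorted(cluster_by_infrastructure(recs).items()):
        print(f"{key[0]:10} {key[1]:22} {len(doms):2} domains")
    print("shared IPs:", shared_ips(recs))
    print("registration window:", registration_window(recs))
    hits = [d for d, s in match_profile(recs, WATCH_PROFILE).items() if s == 2]
    print(f"{len(hits)} domains match the full watch profile")
```

Running it shows what the post describes in prose: sixteen of the twenty-four domains share the same registrar and name server, four of them sit on a single IP, and every registration falls inside a twelve-day window. A score of 2 out of 2 against the profile is a prompt for analyst review, not a verdict; the post itself is explicit that the cluster is suggestive rather than conclusive.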


1 Comment

The Call is Coming from Inside the House – Stranded on Pylos · 06/13/2020 at 15:02

[…] movement in the US following the murder of George Floyd, an event which already is inviting potential disinformation campaigns of its own, the state of US society and politics is in an especially vulnerable […]
