On 09 December 2020, details emerged concerning network infrastructure I’d previously identified as suspicious on 07 December:

Further research and investigation showed that the domains in question – which were relocated from “.org” to “.us” infrastructure – were hosting “kill lists” comprising politicians, civil servants, and employees of Dominion Voting Systems, including information such as home addresses. As seen in the following image, the intent of this page is not left to one’s imagination, thanks to the crosshairs superimposed over the faces of each “enemy of the people.”

Investigation of network infrastructure identified the following indicators or observations related to this activity:

  • enemiesofthepeople\.org
  • donttouchthegreenbutton\.org
  • enemiesofthepeople\.us
  • donttouchthegreenbutton\.us
  • donttouchthegreenbutton\.net
  • 193.56.255\.179
  • 2.56.242\.22 
  • voychik-7923@yandex\.com
  • ivan0v.pi@yandex\.com
  • onzayt@yandex\.com

From the above, several observations stand out:

  • Use of the Yandex mail service, a company domiciled in the Russian Federation.
  • Apparent use of Slavic-looking names in email addresses and registration information (when not privacy protected).
  • Hosting of infrastructure in the Russian Federation and Romania.
  • Additional references in active webpages to services owned by Russian companies, and hosted in Russia, such as the following:

While overall “themes” are focused on the US election – and with the “green button” reference in domains, they may appear to be specifically focused on or aware of particular concerns in Arizona – nearly all network selectors and observations are linked to Russia or Eastern European entities. However, WhoIs information for the domains – where available – reflects a location in Georgia that appears to be a small residence that also is the home of a tax preparation company:
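The infrastructure pivots walked through above (shared registrant e-mail, shared hosting IP, the same label re-registered under a new TLD, and page-content matching for a domain whose hosting is masked by a CDN, as with the domain noted in the 10 Dec update), as an added Python example that is not part of the original post. Which e-mail registered which domain and the page hashes are assumed for illustration, since the post does not state them, and `unrelated-site.example` is a constructed control that should stay unlinked.

```python
from collections import defaultdict
# Constructed sample records built from the indicators in the post. Which e-mail
# registered which domain, and the page hashes, are ASSUMED here for illustration.
RECORDS = [
    {"domain": "enemiesofthepeople.org",      "email": "voychik-7923@yandex.com", "ip": "193.56.255.179", "page_hash": "h1"},
    {"domain": "enemiesofthepeople.us",       "email": "voychik-7923@yandex.com", "ip": "2.56.242.22",    "page_hash": "h1"},
    {"domain": "donttouchthegreenbutton.org", "email": "ivan0v.pi@yandex.com",   "ip": "193.56.255.179", "page_hash": "h1"},
    {"domain": "donttouchthegreenbutton.us",  "email": "onzayt@yandex.com",      "ip": "2.56.242.22",    "page_hash": "h1"},
    {"domain": "donttouchthegreenbutton.net", "email": None,                     "ip": "2.56.242.22",    "page_hash": "h1"},
    # CDN-fronted: registrant redacted and the resolved IP is the CDN's, so only content links it.
    {"domain": "enemiesofthenation.com",      "email": None,                     "ip": None,             "page_hash": "h1"},
    {"domain": "unrelated-site.example",      "email": "owner@example.net",      "ip": "203.0.113.7",    "page_hash": "h9"},
]

def sld(domain):  # second-level label: 'enemiesofthepeople.us' -> 'enemiesofthepeople'
    return domain.rsplit(".", 1)[0]

def selectors(rec, fields=("email", "ip", "page_hash")):
    """Pivot keys for one record; None (privacy-redacted or CDN-masked) values never link."""
    keys = [("label", sld(rec["domain"]))]
    keys += [(f, rec[f]) for f in fields if rec[f]]
    return keys

def cluster(records, fields=("email", "ip", "page_hash")):
    """Union-find over domains that share any selector -> sorted list of sorted groups."""
    parent = {r["domain"]: r["domain"] for r in records}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    owner = {}  # first domain seen with each selector
    for r in records:
        for key in selectors(r, fields):
            if key in owner:
                parent[find(r["domain"])] = find(owner[key])
            else:
                owner[key] = r["domain"]
    groups = defaultdict(list)
    for d in parent:
        groups[find(d)].append(d)
    return sorted(sorted(g) for g in groups.values())

def shared_selectors(records, fields=("email", "ip", "page_hash")):
    """Selectors seen on more than one domain, i.e. the reason two domains were linked."""
    seen = defaultdict(set)
    for r in records:
        for key in selectors(r, fields):
            seen[key].add(r["domain"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}
```

Running `cluster(RECORDS, fields=("email", "ip"))` leaves the CDN-fronted domain isolated, which is the practical effect of the masking; adding `page_hash` folds it into the main group.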

So – what the hell is going on???

First, the general impetus of the webpage(s) in question is not in doubt – this resource is specifically designed to intimidate and threaten individuals involved in the US electoral process. That this extends to an open “call” for further information – including home addresses – is both shocking and shameful.

These obvious points aside though, we are now left with a question of “who benefits” from such activity. For this, multiple hypotheses can be put forward and evaluated:

  • Given the “green button” item and recent, hard-line/far-right postings, the campaign may reflect an initiative by the Arizona Republican Party to (crassly and unethically) rile up its base as part of continuing efforts to question the result of the 2020 US Presidential election.
  • The broad targeting of the website – which includes officials in Michigan, Georgia, and Nevada as well as employees of Dominion – combined with the interesting WhoIs data above may indicate the activity is a rogue or disgruntled reactionary activist expressing themself.
  • The Russian and Eastern European infrastructure, email addresses, and other referenced services may represent some grand distraction designed to post sensitive information about political enemies while simultaneously discrediting criticism (at least among certain segments of the US population) that such opprobrium is linked to a continued “It’s Russia’s fault!” narrative.
  • The use of multiple domains and servers, combined with specific details of various politicians and private employees of relevant firms, may reflect the operations of a professional intelligence or disinformation organization, but designed and implemented in an amateur-seeming fashion to match the same haphazard approach observed in Trump campaign efforts to overturn election results.

Overall – this is very strange! While the content of the pages in question is absolutely abhorrent, who is responsible is incredibly murky as each of the above scenarios seems plausible to some extent. Furthermore, nothing seems to outright discredit or disqualify any of the above possibilities either. So at present, we in the US are left with a situation where any of the following may hold:

  • A regional Republican Party element has basically “gone rogue” and decided to engage in actions that are closer to terrorism than politics.
  • An individual or small group of Republican activists have taken matters into their own hands and are either directly trying to threaten the lives of opposition figures, or trying to frame such an operation as a foreign disinformation engagement.
  • A foreign intelligence service or other entity is engaging in continued disinformation to deepen fissures within the US political system while hiding in the current turmoil to evade obvious detection.

As of this moment, insufficient information exists to disposition events toward any of the above possibilities – but the very fact that this campaign exists is deeply worrying. While past disinformation and influence operations, whether operated by foreign or domestic entities, have emphasized the corruption or unfitness of various persons or parties for office, no widespread campaign has taken such advocacy to the point of calling for the execution of persons who are merely doing their job. Irrespective of who is responsible for this campaign, norms have been shattered and discourse has changed for the worse.

Given the vile nature of these items, I sincerely hope that all parties, public and private, will work together to collect evidence, perform a thorough investigation, and forward results to law enforcement. Such actions as witnessed in the items above are beyond acceptable and must be snuffed out quickly, so that such threatening and violent speech does not take root within our system.


10 Dec 2020, 1015:

An additional domain appeared overnight – enemiesofthenation\.com – which hosts the same material, but is using CloudFlare services to mask hosting:

Additionally, it is worth noting that email addresses associated with network registration use the more globally oriented “yandex.com” instead of the Russian-language “yandex.ru”. This may be circumstantial, or it could support the theory that the activity in question attempts to look like Russian-based action but a lack of language skills prompted the use of the “.com” site instead of the Russian-language “.ru” one.

Nonetheless, contact information remains strange and seemingly ties back to locations in the Russian Federation:


6 Comments

Cowboy Ron · 12/12/2020 at 01:17

[…] As documented by Joe Slowik, a senior security researcher at the firm DomainTools, enemiesofthepeople.org and a sister website, enemiesofthepeople.us, were registered by individuals using the Russian email service Yandex, and the website’s IP servers are hosted in Russia. […]

US election 2020: FBI links Iran to websites targeting poll officials | TheNews.Rocks · 12/24/2020 at 11:44

[…] Joe Slowik, a senior security researcher at the firm DomainTools, said in a blog post that publicly available domain registration details were set up to indicate as though the operation had o…. […]