<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>
Hi all--</div><div><br></div><div>Great piece on linking disparate sites to a single campaign.</div><div><br></div><div>Best,</div><div>--bart<br>
<br>
---- <br>
<b><a href="http://globalvoicesonline.org/2015/07/13/open-source-information-reveals-pro-kremlin-web-campaign/">Open-Source Information Reveals Pro-Kremlin Web Campaign</a></b><br>
// <b><a href="http://globalvoicesonline.org/2015/07/13/open-source-information-reveals-pro-kremlin-web-campaign/">Global Voices in English » RuNet Echo</a></b><br>
<br>
<div class="wp-caption"><img height="485" alt="Graph showing shared use of Google Analytics, server software and social media" width="800" class="wp-image-530488" src="http://globalvoicesonline.org/wp-content/uploads/2015/07/WebsitesMaltego-800x485.png"><p class="wp-caption-text">Graph showing shared use of Google Analytics, server software, and social media by websites in the network. [Full size <a href="https://imgur.com/U4hZwgb">1</a> <a href="https://imgur.com/KgKWYq0">2</a>] Image by Lawrence Alexander.</p></div>
<p>In April of this year, <a href="http://www.rferl.org/content/russian-trolls-vast-insult-cartoon-database/26938435.html">Radio Free Europe/Radio Liberty</a> and <a href="http://www.theguardian.com/world/2015/apr/02/putin-kremlin-inside-russian-troll-house">the Guardian</a> reported on the website <a href="http://xn--80acbo6d9a.xn--p1ai">вштабе.рф</a>, a large photo gallery of pro-Russian memes and “demotivator” graphics. Most of these crude caricatures ridicule US, Western, and Ukrainian leaders, whilst portraying Vladimir Putin as strong and heroic.</p>
<p>The site gives no credit or attribution for its design, and offers no indication as to who might be behind it. Intrigued by this anonymity, I used <a href="https://www.paterva.com/web6/">Maltego open-source intelligence software</a> to gather any publicly-available information that might provide clues.</p>
<p><strong>The Secrets of Google Analytics</strong><br>
My use of Maltego revealed that the site was running Google Analytics, a commonly used online analytics tool that allows a website owner to gather statistics on visitors, such as their country, browser, and operating system. For convenience, multiple sites can be managed under a single Google analytics account. This account has a unique identifying “UA” number, contained in the Analytics script embedded in the website's code. Google provides <a href="https://support.google.com/analytics/answer/1102152">a detailed guide</a> to the system's structure.</p>
<div class="wp-caption"><img height="231" alt="Google Analytics Code" width="800" class="wp-image-527785" src="http://globalvoicesonline.org/wp-content/uploads/2015/06/Analytics-800x231.png"><p class="wp-caption-text">Google Analytics account number for <a href="http://xn--80acbo6d9a.xn--p1ai">вштабе.рф</a>, found at the bottom of the page's HTML code.</p></div>
<p>Journalists and security experts have already raised the potential of this code to link anonymous websites to particular users.</p>
<p>The method was <a href="http://www.wired.com/2011/11/goog-analytics-anony-bloggers/">reported by Wired in 2011</a>, and cited by FBI cyber crime expert Michael Bazzell in his book <a href="https://books.google.co.uk/books?id=zY7pnQEACAAJ&dq=editions:IhbwvEF_2bMC&hl=en&sa=X&ei=RdGCVdG2AY-y7QbR8qKoDA&redir_esc=y"><em>Open Source Intelligence Techniques</em></a>. Several free services have sprung up that allow easy reverse searching of Google Analytics ID numbers, one of the most popular being <a href="http://sameID.net">sameID.net</a>.</p>
<p>I wanted to see whether the person or organisation behind <a href="http://xn--80acbo6d9a.xn--p1ai">вштабе.рф</a> was running any other sites from the same Analytics account. Viewing the website's source code gave me the all-important Google Analytics ID number. When I performed a broader search on it, the results were surprising—it was linked to no less than <a href="http://sameid.net/analytics/53176102/">seven other websites</a> (<a href="https://web.archive.org/web/20150612185424/http://sameid.net/analytics/53176102/">archived copy</a>).</p>
<p>These included <a href="http://whoswho.com.ua">whoswho.com.ua</a> (<a href="https://web.archive.org/web/20150616183512/http://whoswho.com.ua">archive</a>), apparently aimed at collating compromising information on Ukrainian officials, whilst purporting to be a Ukrainian project; <a href="http://zanogu.com">Zanogo.com</a> (<a href="https://web.archive.org/web/20150616191226/http://zanogu.com">archive</a>), another repository of memes, many anti-Western; and <a href="http://yapatriot.ru">yapatriot.ru</a> (<a href="https://web.archive.org/web/20150615193648/http://yapatriot.ru">archive</a>), which appears to be an attempt to discredit Russian opposition figures. Another of the websites using the same Analytics account was <a href="http://syriainform.com/">syriainform.com</a> (<a href="https://web.archive.org/web/20150617094810/http://syriainform.com/">archive</a>), a site seemingly promoting an anti-US and pro-Assad slant on events in Syria.</p>
<p>Most striking of all was the presence of <a href="http://material-evidence.com/en/">Material Evidence</a>—a website for the touring photo exhibition that has featured in several media investigations into its alleged pro-Kremlin connections. In 2014, Gawker <a href="http://gawker.com/whos-behind-this-shady-propagandistic-russian-photo-ex-1643938683">reported on the New York show</a>, commenting on its large, well-funded advertising campaign. They noted that its website was registered in St. Petersburg, which is confirmed by <a href="https://who.is/domain-history/material-evidence.com">historic WHOIS records</a>.</p>
<p><strong>Down the Rabbit Hole</strong><br>
Whilst investigating the network of sites tied to account UA-53176102, I discovered that one, <a href="http://news-region.ru">news-region.ru</a>, <a href="http://www.spyonweb.com/news-region.ru">had also been linked to</a> a second Analytics account: UA-53159797 (<a href="https://web.archive.org/web/20150707121917/http://www.spyonweb.com/news-region.ru">archive</a>).</p>
<p>This number, in turn, was associated with a further cluster of nineteen pro-Kremlin websites. Subsequent examinations of these webpages revealed three more Analytics accounts, with additional sites connected to them. Below is a network diagram of the relationships I have established to date.</p>
<div class="wp-caption"><img height="600" alt="Relationships between websites and Google Analytics account numbers." width="553" class="wp-image-530485" src="http://globalvoicesonline.org/wp-content/uploads/2015/07/Analytics-ID-relationships-553x600.jpg"><p class="wp-caption-text">Relationships between the websites and their Google Analytics account numbers. [<a href="https://imgur.com/D1Ktjnz">Full size</a>] Image by Lawrence Alexander.</p></div><p>One of the websites in this larger network, <a href="http://emaidan.com.ua/">emaidan.com.ua</a> (<a href="https://web.archive.org/web/20150619115037/http://emaidan.com.ua">archive</a>) appears at first glance to be a legitimate information resource for the Ukrainian protest movement. But closer inspection shows it is laced with rising anti-Ukrainian sentiment, as if written by a disillusioned former Maidan supporter. <a href="http://putininfo.com/">putininfo.com</a> (<a href="https://web.archive.org/web/20150619114827/http://putininfo.com">archive</a>) is a glowing tribute to the Russian president, complete with <a href="https://twitter.com/my_putin">“My Putin”</a> social media <a href="https://www.facebook.com/my.putin.rus">accounts</a>.</p>
<p>At the time of writing, the Analytics codes remain unchanged and visible on most of these sites. My findings can easily be verified by viewing their source code, either in the <a href="http://www.computerhope.com/issues/ch000746.htm">browser</a> or by saving the page and viewing it in a text editor.</p>
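<p>The pivot described above, written out as an added example that is not part of the original article: pull the Analytics account number out of each page's saved source, then group sites that share an account, including through a "bridge" site that carries two accounts. The site names, IDs and page snippets are constructed for illustration; the UA-ACCOUNT-PROPERTY layout of the ID is the standard Universal Analytics format.</p>

```python
import re
from collections import defaultdict

# Tracking IDs look like UA-ACCOUNT-PROPERTY. The ACCOUNT part is common to
# every site managed under one Analytics account, so we key on that alone.
UA_RE = re.compile(r"\bUA-(\d{4,10})(?:-\d{1,4})?\b")

# Constructed sample input: saved page source keyed by (made-up) site name.
SAMPLE_PAGES = {
    "alpha.example": "_gaq.push(['_setAccount', 'UA-10000001-1']);",
    "beta.example": "ga('create', 'UA-10000001-4', 'auto');",
    "bridge.example": "ga('create', 'UA-10000001-2', 'auto');"
                      "ga('create', 'UA-20000002-1', 'auto', 'second');",
    "gamma.example": "_gaq.push(['_setAccount', 'UA-20000002-3']);",
    "unrelated.example": "ga('create', 'UA-30000003-1', 'auto');",
    "plain.example": "no analytics snippet on this page",
}

def extract_accounts(html):
    """Return the set of account numbers ('UA-NNNNNNNN') found in page source."""
    return {"UA-" + m.group(1) for m in UA_RE.finditer(html)}

def cluster_sites(pages):
    """Group sites linked by a shared account, directly or via a bridge site.

    Returns a list of (sorted site names, sorted account numbers) tuples.
    Sites with no Analytics ID are left out, since nothing links them.
    """
    site_accounts = {s: extract_accounts(h) for s, h in pages.items()}
    account_sites = defaultdict(set)
    for site, accounts in site_accounts.items():
        for acct in accounts:
            account_sites[acct].add(site)

    seen, clusters = set(), []
    for start in sorted(pages):
        if start in seen or not site_accounts[start]:
            continue
        sites, accounts, queue = set(), set(), [start]
        while queue:                      # walk the site/account graph
            site = queue.pop()
            if site in sites:
                continue
            sites.add(site)
            for acct in site_accounts[site]:
                if acct not in accounts:
                    accounts.add(acct)
                    queue.extend(account_sites[acct] - sites)
        seen |= sites
        clusters.append((sorted(sites), sorted(accounts)))
    return clusters

if __name__ == "__main__":
    for sites, accounts in cluster_sites(SAMPLE_PAGES):
        print(", ".join(accounts), "=", ", ".join(sites))
```

<p>A shared ID can also come from a copied page template, so a match is a lead to corroborate with other records rather than proof of common ownership.</p>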
<p>Besides Google Analytics, the websites had some other common traits: shared use of <a href="https://metrika.yandex.ru/">Yandex Metrika</a>, Yandex Verification, and a <a href="https://en.wikipedia.org/wiki/Nginx">Nginx</a> server—all Russian-made tools—characterized the sites in the network.</p>
<p>It became clear that I was most likely looking at a large, well-organised online information campaign. But whilst the Google Analytics code demonstrated shared involvement in and management of the websites, it couldn't tell me who was behind them.</p>
<p><strong>A Personal Connection?</strong><br>
Spurred on by curiosity, I did a little more digging through publicly available information. <a href="https://whoisology.com/archive_7/minoborony.com">Domain registration records</a> in <a href="http://whois.domaintools.com/emaidan.com.ua">several places</a> [<a href="https://whoisology.com/archive_8/eu-rf.com">1</a> <a href="https://whoisology.com/archive_8/antiliberalism.com">2</a> <a href="http://www.whoismind.com/email/dGVyZGVyLm4-gmail.com.html">3</a>] revealed a second common factor: the e-mail address <a href="mailto:terder.n@gmail.com">terder.n@gmail.com</a>. [Archive: <a href="https://web.archive.org/web/20150707125407/https://whoisology.com/ajax/archive_search_count?i=whois_archive7&f=registrant_state&s=saint-petersburg&n=7">1</a> <a href="https://web.archive.org/web/20150707130534/https://whoisology.com/ajax/archive_search_count?i=whois_archive7&f=registrant_postal_code&s=730017&n=7">2</a> <a href="https://web.archive.org/web/20150707131001/http://www.whoismind.com/email/dGVyZGVyLm4-gmail.com.html">3</a> <a href="https://web.archive.org/web/20150707131118/https://whoisology.com/ajax/archive_search_count?i=whois_archive8&f=registrant_organization&s=private%20person&n=8">4</a>]. I found it to be associated not only with the majority of sites I had already identified, but also with a new group of websites, apparently still under construction. Their titles suggested themes similar to the existing network: either overt pro-Russian polemic, or more subtle disinformation under the guise of legitimate Ukrainian journalism. They included <a href="https://whoisology.com/archive_8/antiliberalism.com">antiliberalism.com</a>, <a href="http://dnepropetrovsknews.com">dnepropetrovsknews.com</a> and <a href="https://whoisology.com/archive_8/maidanreload.com">maidanreload.com</a>.</p>
<p>It took less than a minute of searching to link the e-mail address to a real identity. <a href="https://vk.com/club54796588">A group</a> on Russian social networking site VKontakte [<a href="https://web.archive.org/web/20150628145650/https://vk.com/club54796588">archive</a>] lists it as belonging to one <a href="https://vk.com/terder">Nikita Podgorny</a>.</p>
<p>Podgorny's <a href="https://www.facebook.com/profile.php?id=100004803726275">public Facebook profile</a> shows he is a member of <a href="https://www.facebook.com/groups/sochiworld/?pnref=lhc">a group called Worldsochi</a>—the exact same name as one of the websites linked by the two Google Analytics codes I examined.</p>
<div class="wp-caption"><img height="400" alt="Nikita Podgorny's membership of Worldsochi Facebook group." width="297" class="wp-image-530489" src="http://globalvoicesonline.org/wp-content/uploads/2015/07/Podgorny-Facebook-Worldsochi-297x400.png"><p class="wp-caption-text">Nikita Podgorny's membership of Worldsochi Facebook group.</p></div>
<p>Podgorny has a <a href="https://www.pinterest.com/werdaswerdas/223/">Pinterest account with only one pin</a> [<a href="https://web.archive.org/web/20150707135205/https://www.pinterest.com/werdaswerdas/223/">archive</a>]—an infographic of Russia's space accomplishments taken from a site called <a href="http://infosurfing.ru/">infosurfing.ru</a>. Whilst <a href="http://infosurfing.ru">infosurfing.ru</a> doesn't have an embedded Google Analytics code, it shares some similarities in image construction with several sites in the pro-Kremlin network.</p>
<p>The online FotoForensics tool shows that images from <a href="http://infosurfing.ru">infosurfing.ru</a> [<a href="http://fotoforensics.com/analysis.php?id=a59556c548e01de0c934ea57166145d4584c7a4f.1066974&show=meta">1</a> <a href="http://fotoforensics.com/analysis.php?id=6f5761f6df27c4ae0d7e65639d439c2f3c3758ee.1305839&show=meta">2</a> <a href="http://fotoforensics.com/analysis.php?id=2cba911a7a7c2adc383004ab89a1323088dce0c8.1161117&show=meta">3</a>], <a href="http://putininfo.com">putininfo.com</a> [<a href="http://fotoforensics.com/analysis.php?id=fb637fded1ac55a7ca3d381ad769b5b6f3e1740a.999506&show=meta">1</a> <a href="http://fotoforensics.com/analysis.php?id=cb65fac0d11a58ddfa760d3da629307056cf61bb.936117&show=meta">2</a>] and <a href="http://xn--80acbo6d9a.xn--p1ai">вштабе.рф</a> [<a href="http://fotoforensics.com/analysis.php?id=c07640a430bcbf7b05d6b4fb566ec733bc811dd1.101465&show=meta">1</a> <a href="http://fotoforensics.com/analysis.php?id=6a58750d7901f20a271027e01d4c69f5a968332f.1265490&show=meta">2</a>] contain metadata sourced from the exact same version of software: Adobe XMP Core: 5.5-c014 79.151481, 2013/03/13-12:09:15. By itself this is not a unique identifier, but it might be suggestive of a connection, especially in the context of additional information about Podgorny's online persona.</p>
<p>Most notably, Podgorny is <a href="http://i.imgur.com/mPkShqP.jpg">listed in</a> the leaked employee list of St. Petersburg's <em>Internet Research Agency</em>, the pro-Kremlin troll farm featured in <a href="http://www.theguardian.com/world/2015/apr/02/putin-kremlin-inside-russian-troll-house">numerous</a> <a href="http://www.pbs.org/newshour/bb/russian-trolls-spreading-online-hoaxes-u-s/">news</a> <a href="http://www.theatlantic.com/international/archive/2013/10/russias-online-comment-propaganda-army/280432/">reports</a> and <a href="http://www.nytimes.com/2015/06/07/magazine/the-agency.html?_r=0">investigations</a>, including RuNet Echo's own <a href="https://globalvoicesonline.org/2015/03/14/russia-kremlin-troll-army-examples/">reports</a>.</p>
<p>Podgorny's date of birth, given on his public VK profile, is an exact match for that shown in the <a href="http://i.imgur.com/mPkShqP.jpg">leaked document</a>.</p>
<div class="wp-caption"><img height="343" alt="Podgorny's date of birth, as shown on his VK profile, compared with listing in the leaked Internet Research Agency document." width="698" class="wp-image-530490" src="http://globalvoicesonline.org/wp-content/uploads/2015/07/Podgorny-VK-Profile-DOB.png"><p class="wp-caption-text">Podgorny's date of birth, as shown on his VK profile, compared with listing in the leaked Internet Research Agency document.</p></div>
<p>Podgorny is also VK friends with Igor Osadchy, who is named as a fellow employee in the same list. Osadchy has <a href="http://www.buzzfeed.com/maxseddon/documents-show-how-russias-troll-army-hit-america#.rt4GWX3kJ">denied working for the <em>Internet Research Agency</em></a>, calling the leaks an “unsuccessful provocation.”</p>
<div class="wp-caption"><img height="249" alt="Podgorny-Osadchy VK connection" width="400" class="wp-image-530492" src="http://globalvoicesonline.org/wp-content/uploads/2015/07/Podgorny-Osadchy-400x249.png"><p class="wp-caption-text">Nikita Podgorny's VK association with Igor Osadchy.</p></div>
<p>When contacted by Global Voices, Podgorny neither confirmed nor denied involvement in the websites, and would not comment further.</p>
<p>In the next post on the pro-Kremlin website network, we will look in more detail at the content, the aims, and the ideology behind the websites.</p>
<div>RuNet Echo author <a href="https://globalvoicesonline.org/author/aric-toler/">Aric Toler</a> contributed translation and interpretation for this post.</div>
<p><span><span>Written by <a title="View all posts by Lawrence Alexander" href="http://globalvoicesonline.org/author/lawrence-alexander/">Lawrence Alexander</a></span></span>
</p>
<div></div>
<br>
---- <br><br>
</div></body></html>