Endless Mayfly: an invasive species in the social media ecosystem

Bring up the topic of social media and state-sponsored disinformation, and most people think reflexively of Russian interference in the 2016 U.S. election. As the Mueller report recently affirmed, Russian entities operated a sweeping and systematic social media “active measures” campaign designed to sow division and support Donald Trump leading up to the election.

But what may be less appreciated is just how many other actors in countries and regions all over the world are now undertaking social media influence operations, each with their own unique objectives, flavour, and style. In India, for example, citizens “are bombarded with fake news and divisive propaganda on a near-constant basis from a wide range of sources.” In Myanmar, it is now widely acknowledged that Facebook was used to incite genocide. Throughout Africa, hoaxes, disinformation, and spoofed articles circulate so widely that they are now commonplace; one study found that an alarming 38% of Kenyans, 28% of Nigerians, and 35% of South Africans surveyed acknowledged having shared stories which they knew to be fake.

Indeed, it is fair to say that social media has quickly become what Citizen Lab’s John Scott-Railton has described as a giant “disinformation laboratory.” Multiple actors in just about every region of the world are now experimenting with new techniques to sow disinformation, spread inauthentic narratives, project power and influence, and undermine adversaries. Given this new reality, it is imperative that researchers carefully dissect as many different disinformation operations as can be found to better understand the innovations in tactics, techniques and procedures in this quickly evolving terrain.

Enter “Endless Mayfly.” Endless Mayfly is the name we have given to “an Iran-aligned network of inauthentic personas and social media accounts that spreads falsehoods and amplifies narratives critical of Saudi Arabia, the United States, and Israel.”

Endless Mayfly is but one among many invasive species in the social media ecosystem. What distinguishes it from others, however, is a technique we dubbed “ephemeral disinformation.” Endless Mayfly publishes content on websites they create that impersonate legitimate media outlets, like Le Soir, or the Guardian, using a variety of typosquatting and domain spoofing techniques (e.g., bloomberq[.]com instead of bloomberg[.]com).

Inauthentic personas managed by Endless Mayfly, with names such as “Brian Hayden” or “Mona A. Rahman,” then attempt to amplify the content over social media, by circulating it on their own, or by privately and publicly engaging journalists and others over social media.

But Endless Mayfly’s real innovation comes in the form of its use of ephemerality. Once Endless Mayfly’s carefully constructed content achieves some degree of social media pickup, the spoofed articles are permanently deleted and the links are altered to redirect to the legitimate domain being impersonated.

Click on the link to one of Endless Mayfly’s inauthentic Guardian articles, for example, and after a period of time a user is taken to the legitimate Guardian website instead.

What happened to the original article? “Perhaps it’s the Guardian’s fault?” one might wonder. Who’s to say? In our data-saturated, always-on world, who has the time to find out? Endless Mayfly’s operators appear to be banking on social media users’ short attention spans and our inclination to trust headlines associated with what appear to be credible sources, rather than dig deeper to verify facts from the ground up ourselves.

In total, we found Endless Mayfly created 72 of these fake domains, many of which were used to host 135 of their inauthentic articles. Some of these domains the operators appear to have kept in reserve for future operations, like theglobalandmail[.]org (instead of .com), which was registered by Endless Mayfly but not employed in a specific campaign.
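For defenders who triage shared links, the two behaviours described above (a lookalike domain, and a later redirect to the outlet being impersonated) can be checked mechanically. The sketch below is an added example, not Citizen Lab's tooling: the allow-list, the edit-distance threshold of 2, and the function names are assumptions, and the URL paths are constructed.

```python
from urllib.parse import urlsplit

# Constructed allow-list of outlets to protect (registrable domains).
LEGIT = ["bloomberg.com", "theglobeandmail.com", "theguardian.com"]

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_of(url):
    """Host of a URL; accepts the defanged '[.]' notation used in reports."""
    return (urlsplit(url.replace("[.]", ".")).hostname or "").lower()

def name_and_tld(host):
    """Naive split into (second-level label, TLD); ignores suffixes like co.uk."""
    labels = host.rstrip(".").split(".")
    return (labels[-2], labels[-1]) if len(labels) > 1 else (labels[0], "")

def classify(host, legit=LEGIT, max_dist=2):
    """Return ('legitimate' | 'lookalike' | 'unrelated', matched outlet or None)."""
    name, tld = name_and_tld(host)
    best = None
    for good in legit:
        gname, gtld = name_and_tld(good)
        dist = edit_distance(name, gname)
        if dist == 0 and tld == gtld:
            return "legitimate", good
        # Near-identical label (typosquat) or same label on another TLD.
        if dist <= max_dist and (best is None or dist < best[0]):
            best = (dist, good)
    return ("lookalike", best[1]) if best else ("unrelated", None)

def redirect_hides_spoof(shared_url, landing_url):
    """True when a link on a lookalike host now lands on the outlet it imitates."""
    verdict, imitated = classify(host_of(shared_url))
    return verdict == "lookalike" and classify(host_of(landing_url)) == ("legitimate", imitated)
```

A link flagged by `redirect_hides_spoof` is worth archiving at first sight, since the landing page observed later says nothing about what the link originally served.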

Did it work? It is difficult to measure whether this technique had much of an impact. Quantitatively, engagement with the links to their various articles, accounts, and personas was modest at best. But on several occasions, Endless Mayfly’s inauthentic content was picked up by mainstream media, creating significant confusion. In one instance, for example, Washington Post columnist Anne Applebaum stumbled upon part of Endless Mayfly’s operation and wrongly attributed it to yet more Russian malfeasance.

In terms of our own attribution, we determine with moderate confidence that Endless Mayfly is linked to Iran. This level of confidence is based on “the overall framing of the campaign, the narratives used, and indicators from overlapping data in other reports.” In terms of the latter, in August 2018 accounts and pages associated with Endless Mayfly were deactivated by Facebook in coordination with FireEye, and FireEye traced back registration information and other indicators to Iranian origins. But beyond that circumstantial evidence, we have no “smoking gun” that proves Endless Mayfly is an operation run by the Iranian state itself.

The technique of ephemerality pioneered by Endless Mayfly presents major challenges to researchers, policymakers, and others hoping to investigate and mitigate disinformation operations. Deliberately hiding one’s tracks in this way makes it harder to pin down, analyze, and trace the origins of a malicious campaign, let alone verify the truth-claims and other content that may be getting social media traction. If it becomes a popular tool in the disinformation toolkit, it could sow serious short-term confusion in social media spaces.

In the end, Endless Mayfly’s biggest accomplishment may not be around its principal objective, which was apparently to undermine Iran’s adversaries. It may have more to do with contributing in yet one more way to the ongoing poisoning of our social media public sphere.  

When it comes to cyber security, it is usually the technological layer that gets the most attention, like risks to critical infrastructure and other technical systems. But what about the social and cultural layer? In fact, it may be in this layer where the most intense geopolitical struggles and malicious experimentations are taking place. Given the properties of social media — which as presently constituted favor lewd, salacious, and shocking information — it may also be the layer that is most challenging to defend.

We have no simple remedy to the problems that operations like Endless Mayfly pose, other than to undertake more research, refine our methods, and collaborate with others to better understand the evolving terrain of social media disinformation. To that end, alongside our report, we are publishing a major disinformation research bibliography compiled and annotated by Citizen Lab fellow Gabrielle Lim.

Read the main report here: https://citizenlab.ca/2019/05/burned-after-reading-endless-mayflys-ephemeral-disinformation-campaign

Our annotated bibliography of disinformation research is here: https://citizenlab.ca/wp-content/uploads/2019/05/Disinformation-Bibliography.pdf