When a mysterious Russian hacking gang announced last week that it had assaulted the National Rifle Association with a ransomware attack, the NRA was quiet on whether the claim was true. But a network of hundreds of Twitter trolls was far from mute: it lapped up the news and went to town amplifying it across Twitter.
The move was unusual. Ransomware gangs typically share information about their hacked victims on their own extortion sites, needling them to pay up by posting allegedly stolen files and embarrassing them along the way. And the ransomware gang in question, called Grief Gang, did just that, posting files it claimed to have run off with after hacking the NRA.
But Grief Gang seems to be taking it to the next level.
The Twitter accounts, which sport primarily women's names, such as Kimberlee Strum, Elvera Vickerman, and Jann Priestley, were created in bulk around the same time in August and September.
The majority of the accounts don't follow anyone and don't have any followers. But despite not following each other, they appear to be tweeting in a carefully orchestrated manner. Most of the accounts seem to have whirred into gear to post almost entirely about the Grief ransomware gang's latest activity. Some of the accounts had also shared original content about a separate hacking incident the Grief Gang carried out, Sam Riddell, associate threat intelligence analyst of information operations at Mandiant, told The Daily Beast.
The purpose of the network appears to be to spread word about Grief Gang's successes and hacking campaigns, according to an analysis Mandiant security researchers conducted and shared exclusively with The Daily Beast.
"Given their exclusive focus on promoting content pertaining to Grief-related incidents, we suspect that their primary objective is to amplify coverage on these incidents," Riddell told The Daily Beast. "Our analysis suggests that the sole purpose of this network is to amplify coverage of Grief activity."
Jeremy Kennelly, senior manager of financial crime analysis at Mandiant, said the group was likely feeling forlorn or nervous that its hacking crusades weren't getting enough attention, and worried about whether it would receive payment from its victims, so it took the fight to Twitter.
Kennelly told The Daily Beast that, since ransomware groups have really started to incorporate data theft and extortion into their campaigns, there's been an increasing shift toward calling attention to their data breaches. It used to be as simple as posting about a ransomware attack on a blog and letting the media and security researchers notice it.
"And over time," Kennelly said, "I think there's been a little bit of ennui about that, as there's a huge explosion in the number of groups and the number of websites and the constant flurry of breaches, so these groups have started to adopt new strategies, or new levers, effectively, for pushing out their message and getting people to pay attention to it."
It's not entirely clear if the gang itself created and operated the fake network of accounts, but according to Mandiant that appears to be the case.
"Given the fact that it has amplified multiple incidents associated with the Grief operators, I find that there are few credible, realistic explanations besides them either operating the network or having an association with an individual who's [doing] it on their behalf," Kennelly said.
The recent rush of the troll network to retweet and post about Grief Gang's hacking campaigns is believed to be the first time there's been an overlap between a ransomware gang's activity and information operations, according to Mandiant. And it could represent the next chapter of ransomware gangs' swindling and hacking operations.
"It wouldn't surprise me if in the wake of this we see that used more broadly," Kennelly said. "I suspect that the reason we haven't necessarily seen it... in the past is largely a failure of infrastructure and creativity."
"There's never been a rule that information operations' tactics, techniques and procedures (TTPs) could only be used to serve for political gain," Riddell said. "That just happens to be how much of the public was introduced to this concept, of influence campaigns and bots and the like... but like anything else information operations TTPs are just tools that can be wielded by their operators for a wide variety of purposes."
The apparent Grief Gang network has all of the telltale signs of a network of fake accounts being puppeteered behind the scenes, according to Mandiant.
The vast majority of the accounts only have default egghead Twitter profile pictures, and their operator or operators didn't even bother trying to make them look real. It appears that the operators had a change of heart somewhere along the way and started trying to make the accounts look real, as only some of the accounts have colored profile pictures. But many of the profile shots appear to be stolen from Russian dating sites Shuri-Muri or Tralolo, according to Mandiant analysis.
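The signals Mandiant lists above (accounts registered in a burst, no followers and no follows, default avatars, a timeline devoted almost entirely to one campaign) are simple enough to score automatically from account metadata. The Python below is an added example, not code from the article or from Mandiant; the accounts are constructed, and the keyword list, the seven-day registration window and the signal thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Account:
    """Minimal account metadata, the kind a platform export or API lookup returns."""
    handle: str
    created: datetime
    followers: int
    following: int
    default_avatar: bool
    tweets: list


# Keywords that mark a tweet as "about the campaign being amplified" (hypothetical list).
CAMPAIGN_KEYWORDS = ("grief", "ransomware", "nra", "leak")


def topic_concentration(tweets, keywords=CAMPAIGN_KEYWORDS):
    """Fraction of an account's tweets that mention any campaign keyword."""
    if not tweets:
        return 0.0
    hits = sum(1 for text in tweets if any(k in text.lower() for k in keywords))
    return hits / len(tweets)


def creation_clusters(accounts, window=timedelta(days=7)):
    """Group accounts by creation time: an account joins the current cluster if it was
    created within `window` of the previous member, otherwise it starts a new cluster.
    Bulk-registered sock puppets land in one cluster; organic sign-ups do not."""
    clusters = []
    for acct in sorted(accounts, key=lambda a: a.created):
        if clusters and acct.created - clusters[-1][-1].created <= window:
            clusters[-1].append(acct)
        else:
            clusters.append([acct])
    return clusters


def account_signals(acct, cluster_size, min_cluster=3, min_concentration=0.8):
    """Return the inauthenticity signals present on one account (thresholds are assumed)."""
    signals = []
    if acct.followers == 0 and acct.following == 0:
        signals.append("no followers and follows nobody")
    if acct.default_avatar:
        signals.append("default avatar")
    if topic_concentration(acct.tweets) >= min_concentration:
        signals.append("timeline is almost entirely about one campaign")
    if cluster_size >= min_cluster:
        signals.append(f"registered in a burst of {cluster_size} accounts")
    return signals


def flag_network(accounts, min_signals=3):
    """Map handle -> signals for every account that trips at least `min_signals`."""
    flagged = {}
    for cluster in creation_clusters(accounts):
        for acct in cluster:
            signals = account_signals(acct, len(cluster))
            if len(signals) >= min_signals:
                flagged[acct.handle] = signals
    return flagged


# Constructed sample data (not real accounts): four puppets and one organic user.
_CAMPAIGN_TWEETS = [
    "Grief ransomware leaks internal NRA documents",
    "NRA hacked by Grief, files posted online",
    "Grief gang adds another leak to its site",
]


def _mk(handle, created, followers, following, default_avatar, tweets):
    return Account(handle, datetime.fromisoformat(created), followers, following,
                   default_avatar, tweets)


SAMPLE_ACCOUNTS = [
    _mk("sock_a", "2021-08-20", 0, 0, True, _CAMPAIGN_TWEETS),
    _mk("sock_b", "2021-08-21", 0, 0, True, _CAMPAIGN_TWEETS),
    # Same batch, but the operator later gave it a photo: still three signals.
    _mk("sock_c", "2021-08-23", 0, 0, False, _CAMPAIGN_TWEETS),
    # Registered alone weeks later, so no burst signal; the other three still flag it.
    _mk("sock_d", "2021-09-12", 0, 0, True, _CAMPAIGN_TWEETS),
    _mk("real_user", "2015-03-04", 540, 310, False,
        ["lunch was great", "Grief ransomware leaks internal NRA documents", "new bike day"]),
]

if __name__ == "__main__":
    for handle, signals in flag_network(SAMPLE_ACCOUNTS).items():
        print(handle, "->", "; ".join(signals))
```

The organic account retweeted one campaign post but has a real social graph, a photo and a mixed timeline, so it trips nothing; each puppet trips at least three signals even when one feature (the avatar, or the registration burst) is missing. The stilted-English signal mentioned later in the article is not modelled here, and in practice the thresholds would be tuned against known-good accounts before anything is actioned.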
Shuri-Muri and Tralolo did not return requests for comment.
The influence operation may not just be about Grief Gang, however, as the network has given some hints that it could be bigger than just a ransomware payment pressure-cooker, according to Tom Richards, co-founder and chief strategy officer of GroupSense, a firm that negotiates with ransomware groups.
The Twitter troll network associated with the Grief Gang's hacking has also posted content about political issues, including the NRA, gun violence, and Nazis, according to GroupSense, a firm that has previously investigated information operations associated with the accounts Mueller's team investigated.
"I'm inclined to believe this activity is simply being done to increase the pressure on the victims and raise the profile of the breach," Richards told The Daily Beast. "That being said, we can't be naive in thinking that the (ransomware) groups aren't at least indirectly or covertly being influenced by nation-state actors... These accounts remind me exactly of the same things we saw during the 2016 election."
The Grief-related influence operation did not appear to be overwhelmingly well-plotted, however.
Some tweets that the network posted "use heavily stilted English," which indicates that non-native English speakers could be behind the operation, said Riddell. And several of the accounts were suspended by the end of last week. A Twitter spokesperson told The Daily Beast of the takedown: "Our team completed an investigation into this activity and as a result has taken action on numerous accounts violating our platform manipulation and spam policy."
Although this might be the new frontier for ransomware gangs, using more traditional online accounts to spread news of their hacking campaigns in an effort to get a payday, this doesn't mean it's going to actually help them in the end.
"Effort does not equal engagement," Riddell said. "Just because these actors are trying this doesn't mean it's successful. I think that it's likely that more actors will try to use information operations tactics in support of other goals, like in this instance ransomware goals. That doesn't mean they'll be successful or that they are successful this time."
As for whether the NRA was hacked or not, the mystery remains. Last week the gang made multiple posts over the course of several days with content alleged to come from the NRA hack, including meeting minutes and a W-9 that appeared to come from the NRA. But by the end of the week, the documents had vanished from the site. It's unclear what that means; sometimes hackers delete their victim-shaming posts to indicate the victim paid up, and sometimes they delete them for no reason at all, experts say.
The NRA did not return requests for comment about whether it had paid up.