Twitter Sock Puppet network, Shugali and the Russian prisoners
UPDATE 15/12/2020: this network was part of a Russian IO operation. read more here https://cyber.fsi.stanford.edu/io/news/africa-takedown-december-2020.
Happy Monday, let’s dig in already!
how did I even find the network?
Well, I had a random search for Mitiga airport on Tweetdeck and was cleaning up my columns when I saw the following tweet from an account @Shugalei.
It’s tweeting an odd story about the Russian prisoners in Tripoli being moved to a hospital in Mitiga and then one of them being moved to Ruwaimi prison. ( can not verify any of that). Looking deeper into the account I saw that it was created 3 months ago.
It’s also using a mix of Twitter web app and Tweetdeck. Tweetdeck use raised a flag, since it’s not very common with Libyan accounts.
Searching for similar words and phrases used by this account gave me a few accounts to look at. The first one @Nelbarssi is odd straight away I’m suspicious. The Russian prisoner case isn’t that interesting to actual Libyans. This account was tweeting that Mishry was behind their prolonged detention (red flag). The imagery used within the tweet was another clue.
so let’s see what she uses to tweet? Tweetdeck again…
ok, this account shares https://www.arabitoday.com/ website quite a lot so i go looking for this account on Facebook. Well, it’s an interesting clue, says the admins are in Syria and Russia. I can’t do anything with that info right now but it could be interesting later. ( or if you work at Twitter and want to take a look)
Let’s keep looking. ( do check out the amazing tool that is https://accountanalysis.app/)
Let’s pick a few other names @wafaalta, @oalfitouri, @farkashhend @amalaljazere . these names are interesting because they’re actually Libyan names. Kudos for trying!
ok let’s check them
they all use Tweetdeck
they all RT similar accounts
they’re all listed by the same couple of accounts as "influential users”
The real Libyan caught my eye, he’s written Libya in Russian which is weird ( again could be a false flag). His list is interesting and includes all the accounts I’ve found in it.
let’s keep moving ( i’ll skip the boring parts)
Why is this network suspicious?
they have their own cartoonist
activity hours for these accounts all look like a 9-5
high engagement numbers for weird accounts, suggest some amplification and boosting happening.
Political positions taken were very very weird. The below tweets asks russia to make sure to hold onto their citizen’s rights and not engage with the GNA and Bashagha in any negotiations unless the prisoners are released. ( talk about a huge red flag unicorn signal)
Female personas heavily used, this is an interesting phenomenon needs to be explored further.
TO BE CONTINUED: I’ll leave it there, for now, I’ll try to do a network graph later. But this networking is very interesting and I’d bet on the fact that it is foreign originated (maybe gulf) for a few reasons I won’t disclose. Positions are anti-GNA, anti-Turkey. I’ll leave attribution for someone else to dig into.
update:
Monday reading: Analyses of a Muslim Brotherhood-Linked Information Operation