Friday 5 October 14:30 - 15:00, Green room
Andrew Brandt (Independent researcher)
An anonymous tip from an internet user late in 2017 pointed me to what looked, at first glance, like the website of what claimed to be a small-town newspaper based in Illinois, USA, but under scrutiny, things didn't really add up. The newspaper's own page about itself listed a real street address, but the town in which the newspaper was supposed to be located was hundreds of miles from the small town whose name graced the paper's masthead, on a street and at a numbered address that didn't exist in either town. That alone got me curious and I began digging for more information, none of which made any sense.
The site's web hosting also raised questions: for what should have been a small, local independent paper, the site was hosted on an IP address located on the other side of the Atlantic. While the domain registration was private, there were hundreds of other domains hosted on the same IP address range that all appeared to be named for small towns across the United States, Canada and Europe. The sites shared certain characteristics, but none of the information provided by the sites about themselves withstood even casual scrutiny - all of them used falsified street address and telephone number information on their 'About' page - and it is doubtful that any of the 'papers' actually exist. Moreover, the 'news' coverage hosted on this large interconnected network of websites shared a curious fascination with a specific spin on international political coverage and a complete absence of local news to a degree that seems extremely odd and out of place for a typical small, middle-American newsroom.
In this session, I will disclose the results of my investigation of the network and information breadcrumb trail that led from one of these sites to hundreds more, and then on to the ostensible owner of the network, whose family also runs a small private taxi company based in a suburb of London, out of his home. As the world grapples with massive disinformation campaigns waged by the intelligence agencies of hostile nations, we should not forget that such activities are not limited to the purview of the Bears or Pandas of the world, and that even relatively small operations such as this one can be abused to broadly manipulate public opinion and sow chaos on a confused and troubled planet.
Andrew Brandt is a former investigative reporter turned network forensics investigator and malware analyst, who works as a principal researcher for SophosLabs. Brandt uses his knowledge about the behaviour of malicious software to profile identifiable characteristics of undesirable or criminal activity. His analysis techniques seek to determine general principles that can help analysts and defenders rapidly and comprehensively identify the root cause of infection and data loss, putting real-time network data analysis at the front line of prevention.
Kurt Baumgartner (Kaspersky Lab)
Mike Scott (Kaspersky Lab)
Sayeed Abu-Nimeh (Seclytics)
Matthias Leisi (DNS Whitelist (DNSWL))
Benoît Ancel (CSIS)
Aleksejs Kuprins (CSIS)