When a mysterious Russian hacking gang announced last week that it had assaulted the National Rifle Association with a ransomware attack, the NRA was quiet on whether the claim was true. But a network of hundreds of Twitter trolls were far from mute—they lapped up the news and went to town amplifying it across Twitter.
The move was unusual. Ransomware gangs typically share information about their hacked victims on their own extortion sites, needling them to pay up by posting allegedly stolen files and embarrassing them along the way. And the ransomware gang in question, called Grief Gang, did just that, posting files it claimed to have run off with after hacking the NRA.
But Grief Gang seems to be taking it to the next level.
The Twitter accounts, which sport primarily women’s names—such as Kimberlee Strum, Elvera Vickerman, and Jann Priestley—were created in bulk around the same time in August and September.
The majority of the accounts don’t follow anyone and don’t have any followers. But despite not following each other, they appear to be tweeting in a carefully orchestrated manner. Most of the accounts seem to have whirred into gear to post almost entirely about the Grief ransomware gang’s latest activity. Some of the accounts had also shared original content about a separate hacking incident the Grief Gang carried out, Sam Riddell, associate threat intelligence analyst of information operations at FireEye’s Mandiant, told The Daily Beast.
The purpose of the network appears to be to spread word about Grief Gang’s successes and hacking campaigns, according to an analysis FireEye’s Mandiant security researchers conducted and shared exclusively with The Daily Beast.
“Given their exclusive focus on promoting content pertaining to Grief-related incidents, we suspect that their primary objective is to amplify coverage on these incidents,” Riddell told The Daily Beast. “Our analysis suggests that the sole purpose of this network is to amplify coverage of Grief activity.”
Jeremy Kennelly, senior manager of financial crime analysis at Mandiant, said the group was likely feeling forlorn or nervous that its hacking crusades weren’t getting enough attention—and worried about whether it would receive payment from its victims—so it took the fight to Twitter.
“I think there’s been a little bit of ennui about that, as there’s a huge explosion in the number of groups and the number of websites and the constant flurry of breaches, so these groups have started to adopt new strategies, or new levers, effectively, for pushing out their message and getting people to pay attention to it.”
— Jeremy Kennelly, senior manager of financial crime analysis at FireEye’s Mandiant
Kennelly told The Daily Beast that, since ransomware groups have really started to incorporate data theft and extortion into their campaigns, there’s been an increasing shift toward calling attention to their data breaches. It used to be as simple as posting about a ransomware attack on a blog and letting the media and security researchers notice it.
”And over time,” Kennelly said, “I think there’s been a little bit of ennui about that, as there’s a huge explosion in the number of groups and the number of websites and the constant flurry of breaches, so these groups have started to adopt new strategies, or new levers, effectively, for pushing out their message and getting people to pay attention to it.”
It’s not entirely clear if the gang itself created and operated the fake network of accounts, but according to Mandiant that appears to be the case.
”Given the fact that it has amplified multiple incidents associated with the Grief operators, I find that there are few credible, realistic explanations besides them either operating the network or having an association with an individual who’s it on their behalf,” Kennelly said.
The recent rush of the troll network to retweet and post about Grief gang’s hacking campaigns is believed to be the first time there’s been an overlap between a ransomware gang’s activity and information operations, according to Mandiant. And it could represent the next chapter of ransomware gangs’ swindling and hacking operations.
“It wouldn’t surprise me if in the wake of this we see that used more broadly,” Kennelly said. ”I suspect that the reason we haven’t necessarily seen it… in the past is largely a failure of infrastructure and creativity.”
”There’s never been a rule that information operations’ tactics techniques and procedures (TTPs) could only be used to serve for political gain,” Riddell said. “That just happens to be how much of the public was introduced to this concept—of influence campaigns and bots and the like… but like anything else information operations TTPs are just tools that can be wielded by their operators for a wide variety of purposes.”
The apparent Grief Gang network has all of the telltale signs of a network of fake accounts being puppeteered behind the scenes, according to Mandiant.
The vast majority of the accounts only have default egghead Twitter profile pictures, and their operator or operators didn’t even bother trying to make them look real. It appears that the operators had a change of heart somewhere along the way and started trying to make the accounts look real, as only some of the accounts have colored profile pictures. But many of the profile shots appear to be stolen from Russian dating sites Shuri-Muri or Tralolo, according to Mandiant analysis.
Shuri-Muri and Tralolo did not return requests for comment.
The influence operation may not just be about Grief Gang, however, as the network has given some hints that it could be bigger than just a ransomware payment pressure-cooker, according to Tom Richards, co-founder and chief strategy officer of GroupSense, a firm that negotiates with ransomware groups.
“Just because these actors are trying this doesn’t mean it’s successful. I think that it’s likely that more actors will try to use information operations tactics in support of other goals, like in this instance ransomware goals. That doesn’t mean they’ll be successful or that they are successful this time.”
— Sam Riddell, associate threat intelligence analyst of information operations at FireEye’s Mandiant
The Twitter troll network associated with the Grief Gang’s hacking has also posted content about political issues, including the NRA, gun violence, and Nazis, according to GroupSense, a firm which has previously investigated information operations associated with the accounts Mueller’s Team investigated.
“I’m inclined to believe this activity is simply being done to increase the pressure on the victims and raise the profile of the breach,” Richards told The Daily Beast. “That being said, we can’t be naive in thinking that the (ransomware) groups aren’t at least indirectly or covertly being influenced by nation-state actors… These accounts remind me exactly of the same things we saw during the 2016 election.”
The Grief-related influence operation did not appear to be overwhelmingly well-plotted, however.
Some tweets that the network posted “use heavily stilted English” which indicates that non-native English speakers could be behind the operation, said Riddell. And several of the accounts were suspended by the end of last week. A Twitter spokesperson told The Daily Beast of the takedown: “Our team completed an investigation into this activity and as a result has taken action on numerous accounts violating our platform manipulation and spam policy.”
Although this might be the new frontier for ransomware gangs—using more traditional online accounts to spread news of their hacking campaigns in an effort to get a payday—this doesn’t mean it’s going to actually help them in the end.
“Effort does not equal engagement,” Riddell said. “Just because these actors are trying this doesn’t mean it’s successful. I think that it’s likely that more actors will try to use information operations tactics in support of other goals, like in this instance ransomware goals. That doesn’t mean they’ll be successful or that they are successful this time.”
As for whether the NRA was hacked or not, the mystery remains. Last week the gang made multiple posts over the course of several days with content alleged to come from the NRA hack, including meeting minutes and a W-9 that appeared to come from the NRA. But by the end of the week, the documents had vanished from the site. It’s unclear what that means—sometimes hackers delete their victim shaming posts to indicate they paid up, and sometimes they delete them for no reason at all, experts say.
The NRA did not return requests for comment about whether it had paid up.