Tag: Advanced Threat Detection
Intelligence and law enforcement professionals need to collect, filter and analyze data across a large number of constantly evolving social media platforms. This blog covers the challenge of tracking the movement of threat actors across open-source platforms including Gab, Parler, Reddit, and 8kun and highlights an example related to QAnon.
For important missions including counter-terrorism, identifying human and drug trafficking networks, assessing extremist movements, and combatting transnational organized crime, the ability of intelligence analysts to identify the social media platforms being used by persons and communities of interest and when they are moving to new platforms or online communication solutions is essential. Criminals and threat actors are radicalizing, advertising, recruiting, and planning across a constantly evolving range of websites and social media platforms, and are often communicating in ways that make it difficult for intelligence and law enforcement organizations to monitor their activities and understand the nature of the threats at any given moment.
In recent months, we have seen a lot of public discourse around the use of social media to coordinate, communicate and plan concerning events. This includes how seemingly niche or non-traditional social media platforms such as Parler were used to coordinate violent and disruptive protests at the US Capitol on Jan 6th. We have also seen the major tech platforms respond to these events.
The Open-Source Intelligence Challenge
The movement of groups to new platforms presents a number of challenges to the National Security sector. These groups are effectively moving around platforms to create an echo chamber for their ideas and isolating themselves from outside parties in order to maintain privacy and security.
This facilitates coordination and knowledge sharing, which can enhance group tradecraft and ultimately enable these groups to evade online detection from law enforcement or intelligence organizations. National security teams need to be able to identify the threat actors, where they are communicating, and where they might move next. Let’s look at an industry example of an ideologically motivated extremist group – QAnon – to showcase the importance of this effort.
The Spread of QAnon
QAnon is an interesting case. It provides a prime example of how extremist movements are spawned over the internet and migrate across open-source platforms. Examining the path the QAnon conspiracy has taken over the past few years can help us identify new extremist threats, and predict how they will spread online.
QAnon initially started on 8chan (now 8kun), a sister site to the more well-known 4chan. These ‘chan’ sites are a very specific type of social media platform. The users are entirely anonymous and each time a user posts in a different thread, they are given a different series of numbers and letters as their ID. While 8kun has its appeal, it is not a site that will draw in a mass audience. Had the QAnon conspiracy remained isolated to 8kun, it is unlikely that it would have generated the mass following it has now.
The first place outside of the ‘chans’ where the QAnon conspiracy took off was Reddit in 2018. The development of, and Reddit’s reaction to, the QAnon conspiracy is itself a microcosm of how other social media sites would later react. Reddit at the time was unique among platforms in the eagerness of moderators and developers to censor or outright ban users and communities that violate the terms of service. As a result, Reddit has been vilified within the QAnon community and almost all positive discussion of the conspiracy has left the site. Some of these actors returned to 8kun, but many continued to promote QAnon on larger mainstream social media sites and Voat.
Prior to its shut down on Christmas 2020 due to lack of funding, Voat was another gathering point of the QAnon conspiracy. In this instance, the platform’s financial troubles drove QAnon away. Voat’s primary investor defaulted on payments earlier in 2020 and Voat was only able to self-fund through December.
Parler became a new site for the QAnon community to gravitate toward. Many conservative politicians moved to Parler starting in 2018 after concerns that Facebook and Twitter were poised to moderate their content just as the 2020 Presidential campaign was set to begin.
After the Capitol Insurrection, most of the major social media platforms quickly distanced themselves from the QAnon, and these actors needed to again change platforms. Parler was already a hub of right-wing extremism and had been gathering steam throughout 2020. However, Parler was kicked off of Amazon Web Services (AWS) for promoting violence. While Parler may now be back online, it has lost credibility in the eyes of many far-right extremists and is no longer considered a safe place to congregate.
But QAnon actors would not let platform moderation, financial shortfalls, or server shutdowns keep them off the internet. Quickly, Gab became the new hub, with an increase in visits surpassing 50 million in the days following the Parler ban, a huge increase in direct visits. Today Gab is still a major hub for QAnon attention. The two largest QAnon related Gab groups, aptly named ‘QAnon’ and ‘QAnon Patriots’ have over 300k members between them.
Tracking Threat Actors Across Open-Source Platforms
Without social media, QAnon would not exist and the way QAnon related actors have moved around the internet following bans and content restrictions shows us how any extremist group can and will adapt to new platforms and new means of communication.
Analyst teams that can predict, identify and track the activity and movement of groups and actors across platforms will be at the forefront of driving successful investigations that protect global communities. Open-source intelligence is a key part of the analyst toolbox required to address these challenges. The advanced data collection and AI-enabled risk detection framework of Fivecast ONYX delivers actionable insights from masses of unstructured data that can be critical for tracking threat actors across open-source platforms and websites and supporting investigation outcomes.