TA11 "Persist in the Information Environment"

Belongs to phase P03 Execute

Summary: Persist in the Information Space refers to taking measures that allow an operation to maintain its presence and avoid takedown by an external entity. Techniques in Persist in the Information Space help campaigns operate without detection and appear legitimate to the target audience and platform monitoring services. Influence operations on social media often persist online by varying the type of information assets and platforms used throughout the campaign.

TA11 Tasks
| disarm_id | name | summary |
| --- | --- | --- |
| TK0023 | retention | retention |
| TK0024 | customer relationship | customer relationship |
| TK0025 | advocacy/zealotry | advocacy/zealotry |
| TK0026 | conversion | conversion |
| TK0027 | keep recruiting/prospecting | keep recruiting/prospecting |
| TK0041 | OPSEC for TA11 | OPSEC for TA11 |

TA11 Techniques
| disarm_id | name | summary |
| --- | --- | --- |
| T0059 | Play the long game | Play the long game refers to two phenomena: (1) to plan messaging and allow it to grow organically without conducting your own amplification, which is methodical and slow and requires years for the message to take hold; (2) to develop a series of seemingly disconnected messaging narratives that eventually combine into a new narrative. |
| T0060 | Continue to Amplify | Continue narrative or message amplification after the main incident work has finished. |
| T0128 | Conceal People | Conceal the identity or provenance of a campaign account and people assets to avoid takedown and attribution. |
| T0128.001 | Use Pseudonyms | An operation may use pseudonyms, or fake names, to mask the identity of operation accounts, publish anonymous content, or otherwise use falsified personas to conceal the identity of the operation. An operation may coordinate pseudonyms across multiple platforms, for example, by writing an article under a pseudonym and then posting a link to the article on social media from an account with the same falsified name. |
| T0128.002 | Conceal Network Identity | Concealing network identity aims to hide the existence of an influence operation's network completely. Unlike concealing sponsorship, concealing network identity denies the existence of any sort of organization. |
| T0128.003 | Distance Reputable Individuals from Operation | Distancing reputable individuals from the operation occurs when enlisted individuals, such as celebrities or subject matter experts, actively disengage themselves from operation activities and messaging. Individuals may distance themselves from the operation by deleting old posts or statements, unfollowing operation information assets, or otherwise detaching themselves from the operation's timeline. An influence operation may want reputable individuals to distance themselves from the operation to reduce operation exposure, particularly if the operation aims to remove all evidence. |
| T0128.004 | Launder Accounts | Account laundering occurs when an influence operation acquires control of previously legitimate online accounts from third parties through sale or exchange, often in contravention of terms of use. Influence operations use laundered accounts to reach target audience members through an existing information channel and to complicate attribution. |
| T0128.005 | Change Names of Accounts | Changing names of accounts occurs when an operation changes the name of an existing social media account. An operation may change the names of its accounts throughout an operation to avoid detection, or alter the names of newly acquired or repurposed accounts to fit operational narratives. |
| T0129 | Conceal Operational Activity | Conceal the campaign's operational activity to avoid takedown and attribution. |
| T0129.001 | Conceal Network Identity | Concealing network identity aims to hide the existence of an influence operation's network completely. Unlike concealing sponsorship, concealing network identity denies the existence of any sort of organization. |
| T0129.002 | Generate Content Unrelated to Narrative | An influence operation may mix its own operation content with legitimate news or external unrelated content to disguise operational objectives, narratives, or existence. For example, an operation may generate "lifestyle" or "cuisine" content alongside regular operation content. |
| T0129.003 | Break Association with Content | Breaking association with content occurs when an influence operation actively separates itself from its own content. An influence operation may break association with content by unfollowing, unliking, or unsharing its content, removing attribution from its content, or otherwise taking actions that distance the operation from its messaging. An influence operation may break association with its content to complicate attribution or to regain credibility for a new operation. |
| T0129.004 | Delete URLs | URL deletion occurs when an influence operation completely removes its website registration, rendering the URL inaccessible. An influence operation may delete its URLs to complicate attribution or to remove online documentation that the operation ever occurred. |
| T0129.005 | Coordinate on encrypted/closed networks | Coordinate on encrypted/closed networks. |
| T0129.006 | Deny involvement | Without "smoking gun" proof (and even with proof), the incident creator can or will deny involvement. This technique also leverages the attacker advantages outlined in "Demand insurmountable proof", specifically the asymmetric disadvantage for truth-tellers in a "firehose of misinformation" environment. |
| T0129.007 | Delete Accounts/Account Activity | Deleting accounts and account activity occurs when an influence operation removes its online social media assets, including social media accounts, posts, likes, comments, and other online artifacts. An influence operation may delete its accounts and account activity to complicate attribution or to remove online documentation that the operation ever occurred. |
| T0129.008 | Redirect URLs | An influence operation may redirect its falsified or typosquatted URLs to legitimate websites to increase the operation's appearance of legitimacy, complicate attribution, and avoid detection. |
| T0129.009 | Remove Post Origins | Removing post origins refers to the elimination of evidence that indicates the initial source of operation content, often to complicate attribution. An influence operation may remove post origins by deleting watermarks, renaming files, or removing embedded links in its content. |
| T0129.010 | Misattribute Activity | Misattributed activity refers to incorrectly attributed operation activity. For example, a state-sponsored influence operation may conduct operation activity in a way that mimics another state so that external entities misattribute the activity to the incorrect state. An operation may misattribute its activities to complicate attribution, avoid detection, or frame an adversary for negative behavior. |
| T0130 | Conceal Infrastructure | Conceal the campaign's infrastructure to avoid takedown and attribution. |
| T0130.001 | Conceal Sponsorship | Concealing sponsorship aims to mislead or obscure the identity of the hidden sponsor behind an operation rather than the entity publicly running the operation. Operations that conceal sponsorship may maintain visible falsified groups, news outlets, non-profits, or other organizations, but seek to mislead or obscure the identity of whoever is sponsoring, funding, or otherwise supporting these entities. Influence operations may use a variety of techniques to mask the location of their social media accounts to complicate attribution and conceal evidence of foreign interference. Operation accounts may set their location to a false place, often the location of the operation's target audience, and post in the region's language. |
| T0130.002 | Utilize Bulletproof Hosting | Hosting refers to services through which storage and computing resources are provided to an individual or organization for the accommodation and maintenance of one or more websites and related services. Services may include web hosting, file sharing, and email distribution. Bulletproof hosting refers to services provided by an entity, such as a domain hosting or web hosting firm, that allows its customers considerable leniency in their use of the service. An influence operation may utilize bulletproof hosting to maintain continuity of service for suspicious, illegal, or disruptive operation activities that stricter hosting services would limit, report, or suspend. |
| T0130.003 | Use Shell Organizations | Use shell organizations to conceal sponsorship. |
| T0130.004 | Use Cryptocurrency | Use cryptocurrency to conceal sponsorship. Examples include Bitcoin, Monero, and Ethereum. |
| T0130.005 | Obfuscate Payment | Obfuscate payment. |
| T0131 | Exploit TOS/Content Moderation | Exploiting weaknesses in platforms' terms of service and content moderation policies to avoid takedowns and platform actions. |
| T0131.001 | Legacy web content | Make incident content visible for a long time, e.g. by exploiting platform terms of service, or by placing it where it is hard to remove or unlikely to be removed. |
| T0131.002 | Post Borderline Content | Post borderline content. |

TA11 Counters
| disarm_id | name | summary |
| --- | --- | --- |
| C00131 | Seize and analyse botnet servers | Take botnet servers offline by seizing them. |
| C00138 | Spam domestic actors with lawsuits | File multiple lawsuits against known misinformation creators and posters, to distract them from disinformation creation. |
| C00139 | Weaponise youtube content matrices | God knows what this is. Keeping temporarily in case we work it out. |
| C00143 | (botnet) DMCA takedown requests to waste group time | Use copyright infringement claims to remove videos etc. |

TA11 Detections
| disarm_id | name | summary |
| --- | --- | --- |
| F00062 | Detect when dormant account turns active | |
| F00063 | Linguistic change analysis | |
| F00064 | Monitor reports of account takeover | |
| F00065 | Sentiment change analysis | |
| F00066 | Use language errors, time to respond to account bans and lawsuits, to indicate capabilities | |
| F00082 | Control the US "slang" translation boards | |
| F00083 | Build and own meme generator, then track and watermark contents | |