
TikTok Manipulation Report Is Too Little Too Late

Tom Uren
Friday, May 31, 2024, 10:00 AM

The latest edition of the Seriously Risky Business cybersecurity newsletter, now on Lawfare.


Published by The Lawfare Institute
in Cooperation With

Editor’s Note: This newsletter is part of a collaboration between Lawfare and Risky Business. You can find the full version of the Seriously Risky Business newsletter and previous editions on

TikTok Manipulation Report Is Too Little Too Late

TikTok has released a report covering covert influence operations on its platform, but this will do precisely nothing to allay fears that the video-sharing application is subject to People’s Republic of China (PRC) influence.

TikTok’s report described influence campaigns it had detected and disrupted from January through April this year. The 15 campaigns spanned 3,000 accounts and reached millions of followers. A domestically targeted pro-Ukrainian campaign reached 2.6 million followers and a domestically aimed Iraqi campaign nearly 500,000, but the rest of the campaigns reached a relatively small number of followers. The report even called out a Chinese campaign that targeted a U.S. audience with positive narratives about Chinese policy and culture.

The report said:

We assess this network operated from China and targeted a US audience. The individuals behind this network created inauthentic accounts in order to artificially amplify positive narratives of China, including support for the People’s Republic of China (PRC) policy decisions and strategic objectives, as well as general promotion of Chinese culture. This network utilized accounts impersonating high-profile US creators and celebrities in an attempt to build an audience.

However worthy TikTok’s actions are, it is the organization’s tremendous cultural influence, combined with the Chinese Communist Party’s (CCP’s) ability to coerce its China-based owners to act in its interests, that poses a significant risk to U.S. sovereignty. The risk is not “Chinese operations fool TikTok’s algorithm” so much as the “Chinese government controls TikTok’s algorithm.”

Still, the report provides valuable insights into the types of campaigns being run. For example, an Iran-based campaign also targeted U.S. and U.K. audiences with pro-Iranian narratives. TikTok also identified domestically focused campaigns in Indonesia, Venezuela, Ecuador, Serbia, Guatemala, Germany, and Bangladesh.

These campaigns are similar to those previously reported by companies such as Meta, Google, and Twitter.

TikTok also released information on how it counters covert influence operations, which it defines “as coordinated, inauthentic behavior where networks of accounts strategically work together to mislead people or our systems and influence public discussion.” It says it looks for evidence that:

  1. They [accounts] are coordinating with each other. For example, they are operated by the same entity, share technical similarities like using the same devices, or are working together to spread the same narrative.
  2. They are misleading our systems or users. For example, they are trying to conceal their actual location, or using fake personas to pose as someone they’re not.
  3. They are attempting to manipulate or corrupt public debate to impact the decision making, beliefs and opinions of a community. For example, they are attempting to shape discourse around an election or a conflict.

Each of these campaigns was detected by TikTok’s own investigations.
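As an added illustration (not TikTok’s code, and not a description of how its detection system actually works), here is a toy implementation of the three criteria above, run over constructed account records; the device identifiers, claimed versus observed locations, and narrative tags are assumed fields.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample records (hypothetical, not real platform data): each
# account has the device it posts from, the country shown in its profile,
# the country its connections actually resolve to, and its narrative tags.
ACCOUNTS = [
    {"id": "a1", "device": "dev-77", "claimed": "US", "observed": "US", "tags": {"cooking"}},
    {"id": "a2", "device": "dev-91", "claimed": "US", "observed": "CN", "tags": {"prc_policy", "culture"}},
    {"id": "a3", "device": "dev-91", "claimed": "US", "observed": "CN", "tags": {"prc_policy"}},
    {"id": "a4", "device": "dev-13", "claimed": "US", "observed": "CN", "tags": {"prc_policy", "culture"}},
    {"id": "a5", "device": "dev-42", "claimed": "UK", "observed": "UK", "tags": {"football"}},
]


def coordination_groups(accounts, min_shared_tags=1):
    """Criterion 1: link accounts that share a device or push the same
    narrative; union-find makes transitive links form a single group."""
    parent = {a["id"]: a["id"] for a in accounts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    for a, b in combinations(accounts, 2):
        same_device = a["device"] == b["device"]
        same_narrative = len(a["tags"] & b["tags"]) >= min_shared_tags
        if same_device or same_narrative:
            parent[find(a["id"])] = find(b["id"])
    groups = defaultdict(list)
    for a in accounts:
        groups[find(a["id"])].append(a)
    return [g for g in groups.values() if len(g) > 1]


def flag_networks(accounts, min_size=2):
    """Combine the criteria: a coordinated group (1) whose members conceal
    their real location (2) while pushing one common narrative (3)."""
    findings = []
    for group in coordination_groups(accounts):
        if len(group) < min_size:
            continue
        narrative = set.intersection(*(a["tags"] for a in group))
        concealing = [a["id"] for a in group if a["claimed"] != a["observed"]]
        if narrative and concealing:
            findings.append({"members": sorted(a["id"] for a in group),
                             "narrative": sorted(narrative),
                             "concealing_location": sorted(concealing)})
    return findings
```

Run on the sample records, the three accounts sharing device `dev-91` or the `prc_policy` tag are reported as one network, while the lone cooking and football accounts are not.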

We should expect transparency reports from all large technology companies that are, in effect, media companies. But if TikTok’s management was hoping this report would do anything to repair its reputation among Western lawmakers, it will be sorely disappointed.

U.S. Cyber Command Is a Half-Ripe Melon

Observers are divided about the need for a U.S. Cyber Force, but they agree that U.S. Cyber Command needs to change.

In the U.S. House of Representatives, legislation amended last week would require the National Academy of Sciences to study the implications of creating a Cyber Force. In Defense News, Rep. Morgan Luttrell (R-Texas) summarized his motivation for the amendment:

Cyber warfare requires a unique approach to recruiting, retaining, and compensating service members. It requires a robust research and development apparatus and an exemplary ability to train personnel. These tasks are difficult, and they’re only made harder when fragmented across multiple services, which are already challenged with wider recruitment and modernization objectives. When the Chief of Naval Operations is struggling to recruit the numbers required to fill crews for the surface fleet, it’s understandable that Navy isn’t prioritizing its requirements for cyber operations.

Also last week, former Defense Secretary James Mattis at DefenseTalks argued that a U.S. Cyber Force was not required. Instead, cyber agencies within the Department of Defense needed the authority to operate domestically in the event of a serious cybersecurity incident.

Mattis argued that while adversaries operate inside the United States, the majority of the country’s cyber capabilities reside in organizations that are not empowered to operate inside the country.

“If you look at my job as a secretary of defense, I had 95% of the country’s cyber defense and cyber offense under me … yet I have no authority to operate inside this country. None whatsoever.”

Mattis and Luttrell are highlighting two very different problems, and we sympathize with both arguments. Each needs to be addressed.

On the “demand” side of the equation, although cyber operations are unlikely to be decisive in any conventional conflict, until there is a real war, they are one of the primary avenues for adversary nations to try to gain advantage.

Scattered Spider Is the Hollywood of Cybercrime

The group of young cybercriminals known as Scattered Spider is made up of about 1,000 people, according to Bryan Vorndran, assistant director of the FBI’s Cyber Division.

Speaking at the Sleuthcon conference, Vorndran described the group as “expansive” and dispersed and said many members did not know each other directly.

Scattered Spider is prolific and infamous for its involvement in disruptive attacks on MGM’s and Caesars’ casinos. It is what we call “Lapsus$-like,” in that it is characterized by the use of relatively novel techniques to break through organizations’ standard cybersecurity practices.

Given its size and the very loose affiliations between members, we don’t think it makes sense to talk about Scattered Spider as a “group,” so much as a community that shares a collection of techniques, with members who occasionally team up for particular projects. It’s more like Hollywood than Sony Pictures Entertainment.

Law enforcement efforts against Scattered Spider have been criticized. According to Reuters in November 2023:

For more than six months, the FBI has known the identities of at least a dozen members tied to the hacking group responsible for the devastating September break-ins at casino operators MGM Resorts International and Caesars Entertainment, according to four people familiar with the investigation.
Industry executives have told Reuters they were baffled by an apparent lack of arrests despite many of the hackers being based in America.

Although arrests would be nice, we don’t think they’ll put any kind of a dent into the problems that Scattered Spider are causing. Would arresting the cast of “Oppenheimer” stop Hollywood from making movies?

Three Reasons to Be Cheerful This Week:

  1. U.S. sanctions residential proxy IP botnet operators: The U.S. Treasury has sanctioned three Chinese nationals for involvement with the “911 S5” botnet. The botnet enabled paying users to proxy their internet connections through compromised computers. Treasury says the botnet compromised around 19 million IP addresses, was used in fraud that cost the U.S. government “billions of dollars,” and was also “linked to a series of bomb threats made throughout the United States in July 2022.”
  2. AI not destroying elections: At an MIT Technology Review EmTech conference, Meta’s president of global affairs, Nick Clegg, said that, at least “so far,” there has been relatively little AI-generated misinformation in the elections held this year in Indonesia, Taiwan, and Bangladesh. Clegg said it was present but described it as a “manageable amount.” This is consistent with the amount of content on Rest of World’s AI elections tracker, which aims to document the most noteworthy AI content used in elections this year.
  3. Stalkerware hack leads to shutdown: The founder of the pcTattletale stalkerware, Bryan Fleming, told TechCrunch that he has shut down the service in the wake of a breach. The shutdown comes shortly after a hacker defaced the company’s website and published internal data including customer databases. Based on these databases, the company had 138,000 users.


How Cyber Operations Are Just Different

In the “Click Here” podcast, Jacquelyn Schneider from the Hoover Institution describes how people treat cyber operations differently from conventional threats. Schneider says that after she started running war games that contained cyber elements:

I realized people react in very unusual ways to cyber operations. I would run experiments and wargames, and I would find that individuals don’t respond to cyber operations like they would when faced with a physical threat.
Instead, they treat cyber operations in this kind of anxiety-inducing way, where the uncertainty about cyber operations actually creates this kind of buffer area where they don't feel an impetus to respond violently to cyber.

Recovering a $2 Million Password

Kim Zetter in Wired has an interesting story about the recovery of $2 million of cryptocurrency after the owner lost the 20-character password when the encrypted file it was stored in was corrupted. The recovery effort took advantage of a flaw in the password generation algorithm of RoboForm software when it was used in 2013 to create the password.

Insurance Info With Bite

Insurance company Coalition has published a report looking at claims data that quantifies the risk of running certain internet-facing boundary devices. It found that in 2023, for example, businesses with internet-exposed Cisco ASA devices were almost five times as likely to experience a claim compared to organizations without internet-exposed ASA devices. Those running Fortinet devices were twice as likely, and those with internet-exposed RDP were 2.5 times more likely.

Risky Biz Talks

In the latest “Between Two Nerds” discussion, Tom Uren and The Grugq talk about the role of the state in tackling ransomware. They discuss why action has been slow and ineffective, and what it will take to truly change the situation.

From Risky Biz News:

IR reports are not protected documents, multiple judges rule: Courts in three countries have now ruled that incident response (IR) and forensic reports are not protected legal documents and must be made available in other court cases or to authorities on request. Legal precedents now exist in Australia, Canada, and the U.S.

Breached companies began requesting that IR investigators not produce a report at all, instructing that all findings be delivered in oral form. All incident response communications were required to take place via IM clients that supported disappearing messages, and if an IR report needed to be put on paper, it had to contain the least information possible. The main purpose of all of this was to avoid leaving any paper trail that could be used in the discovery process of any possible class-action lawsuit.

[more on Risky Business News, including further details of the court cases and more on the undesirable second-order consequences]

Google throws out GlobalTrust certs: Google is removing GlobalTrust TLS certificates from the Chrome browser’s certificate root store. The ban will apply to any new certificate issued by GlobalTrust after June 30 this year. Chrome will continue to trust older/existing GlobalTrust certificates, and websites using them will work as before. Google says e-commerce monitoring GmbH, the Austrian company behind the GlobalTrust brand, had several issues over the past years and failed to follow incident reporting requirements (e.g., [1],[2],[3],[4],[5],[6],[7],[8]).

[more on Risky Business News]

Backdoor found in court and jail AV recording software: Cybersecurity researchers from Rapid7 and S2W have found a backdoor trojan inside a popular app used for recording courtroom and jury meetings. The malware was found in the installer for JAVS Viewer, version 8.3.7, an app from Justice AV Solutions that allows customers to play back older recordings. JAVS customers who downloaded the official installer from the company’s website between April 1 and mid-May are likely infected with a version of the GateDoor backdoor.

The malware is written in Go and is the Windows version of RustDoor, a Rust-based backdoor that could infect macOS systems. Previous reports from Bitdefender and S2W linked both versions of the malware to server infrastructure previously operated by the AlphV (BlackCat) ransomware operation.

[more on Risky Business News]

Tom Uren writes Seriously Risky Business, a big-picture, policy-focused cyber security newsletter. He also co-hosts the Seriously Risky Business and Between Two Nerds podcasts that appear on the Risky Business News feed. He was formerly a Senior Analyst in the Australian Strategic Policy Institute's (ASPI) Cyber Policy Centre where he contributed to various projects including on offensive cyber capabilities, information operations, the Huawei debate in Australia and end-to-end encryption.
