Uncovering Foreign Trolls (Trying) To Influence French Elections on Twitter

An inside look at a cyber psychological operation against France

x0rz

Published in

Just another infosec blog type of thing

9 min readJul 12, 2018

Where it all started: first link

In June 2018, a mostly inactive Twitter account @viepepere (archived link) sent a threat message to @_rabbindesbois_ (French individual known for being a former Dark Net vendor according to his recent book). The now deleted tweet read, in Russian, “ Мы знаем, что вы делаете. Вы не должны были говорить. Глаза на вас. Руки скоро.” which roughly translates to “ We know what you’re doing. You were not supposed to tell/say. We are watching you and will react fast.”. According to a Russian-speaking friend, the word structuring is odd, this could either mean the person doesn’t know Russian well, used Google Translate or is from a former USSR country.

That alone could make for another story, but let’s focus on that particular account for a minute.

Weird mix of French and Russian, don’t you think? — Screenshot shows last activity (14 April 2017 and the Russian tweet of 13 June 2018)

Twitter OSINT

“viepepere” (French for “vie pépère”) means “CushyLife”

At first glance this account appears typical, we see a young French girl, apparently living in Paris (the cover picture showing the Eiffel Tower by night and the background of his profile picture showing Haussmannian buildings are available cues).

Looking more closely we observe that she is Muslim (as written in her profile description) and consistently trolling far-right activists by sending hatred messages, using hashtags like #musulmans (#muslims), #Marine2017 (far-right candidate), #islamophobie, #islam, etc.

So far, nothing too odd for Twitter, we all know trolls are pretty common on this social network and things can be a little heated. But something about her profile picture looks wrong…

A reverse Google Images search gives nothing in particular, so this is most likely a unique image (not ripped off from another profile).

No need to be a Photoshop expert to recognize the girl has been cropped or was behind some kind of green screen, we can notice a weird noise/glitch effect around the hair. We can confirm that the picture has been tampered with by looking at the difference between error levels, notably the same colors in the picture are showing different error levels (which is abnormal):

Now for any non-Parisian this may not seem obvious but she’s indeed in Paris. The careful observer might recognize the Pont d’Iéna in the bottom-left and the tall Grenelle towers in the background.

GEOINT to the rescue! Google Maps is a fantastic tool for that, and we can pinpoint the exact location where this picture was supposedly taken: near the the Hôtel Shangri-La at 10 Avenue d’Iéna, Paris.

Approximate location where the the profile picture was taken (10 Avenue d’Iéna, 75116 Paris, France)

Searching for the hotel gives this image as a first result

Profile picture and Google image are fitting (almost) perfectly

It’s a match! We can confirm the background is a photograph taken from the Terrace Suite room at the Hôtel Shangri-La.

Notice the matching clouds. Apparently the original image was resized/modified/rotated to some extent (maybe as a protection to avoid reverse-search detection?). This proves that the profile picture is fake and was carefully edited to make it look real.

Now what about the content of this account, you might ask. Well, it’s filled with hate messages targeting the French far-right:

“But what are you talking about buffoon? 3 Muslims? What is this? If you come to talk shit, get out faggot!”

When an antifa befriends a far-right activist

One of the most mentioned and retweeted user is @oummoriste (archived link), quite at the opposite of the @viepepere persona. This ‘oummoriste’ account appears to be a far-right sympathizer, with a few Islamophobic tweets (“ISLAM GO TO HELL !”).

Both linked and being operated by the same group/person?

They both use a lowercase screen_name but all upper case displayed name “ISLAM, MON AMOUR” and “VIVE MARINE”;
Both accounts were created a few days apart on 1st of October and 2nd of October 2016;
Both are only using the Twitter Web Client (as seen from metadata);
Both are sending messages on and about French election topics such as (and mainly) immigration and islam;
They follow each other;
Both interacted with each other in a weird and awkward way;
They share the same activity calendar (see below);
Both are using similar e-mail address lo****@gmail.com:

Interactions and activity

The two personas will interact with each other the most, but also with lots of alt-right and far-right activists (“fachosphère” in French) — notably quite a few suspended accounts now (@AigleDissident, @corsica_lena, @JeremPatriote, …). They both interacted with approximately the same number of accounts (respectively 93 and 88 accounts for @viepepere and @oummoriste), which could mean they were both tasked the same workload on this propaganda mission.

The two personas sharing a few interesting interactions together

Activity analysis

Activity distribution (using Tweets Analyzer)

With low to medium confidence we could argue that the activity could match the UTC+3 timezone with the start of activity around 06:00 UTC (9 AM local time), and a lunch break between noon and two (local time).

Personas were very involved during the first period of the French primary of the right and centre (first public debate on 13th of October 2016). Also a few tweets were sent a couple of weeks before the presidential election held on 23rd of April 2017 (first round). Notice the long blackout between October 2016 and April 2017, which doesn’t make sense for any kind of ordinary account.

Covert PSYOPS in action

Several approaches can be employed by bots or fake accounts in order to manipulate the masses: astroturfing, disseminating fake news, provoking people (why we call them “trolls”) and all sort of influencing techniques. The hypothesis of this being heavily used by foreign operators is very likely here. We have personas acting like French people trying to cleave society into two opposed groups. The end goal? Raise extremism. Divide and conquer.

Immigration is a hot topic, and has always been. Considering the French political landscape no wonder this is a golden topic for an aggressive narrative. We see the far-right getting more votes across all Europe, and we all know that these far-right political parties want out of Europe. Brexit might be a first win for Russia after all.

A weaker and divided Europe could mean a stronger Russia.

Speculation & wild attribution

What intelligence data point have we got thus far?

A Russian tweet a year after last account activity [fact];
A matching UTC+3 (Moscow) timezone [medium confidence];
Some unusual French semantics and mistakes despite the use of slang. Oddly enough, quite a few tweets were in English (about 14%). This could mean a foreign individual was writing the French messages [low confidence];
A very sporadic activity with a pattern matching the French political calendar [high confidence];
A carefully crafted profile picture, probably to avoid suspicion and make it look legitimate [high confidence];
Accounts were created on October 2016, during the French “primaires” pre-election campaign [fact];
The personas were heavily relying on hashtags to give more visibility to their tweets [high confidence];
Accounts were being used to excite and provoke extremists (targeting far-left and far-right activists) [high confidence];
Accounts languages (lang attribute) are set to either fr or en (French or English) [fact];
Accounts using exclusively the Twitter Web Client (ie. using www.twitter.com through a web browser), which could easily be used in conjunction with “anonymity” tools such as Tor or VPN/proxies [low confidence];

Overall, with a high confidence we can claim this particular network is composed of at least two fake personas being operated remotely, aiming to incite racial or religious hatred.

Propaganda and psyops have always been a key strength of the Russian foreign policy, notably with more or less overt use of trolling (read Russian Social Media Influence from the RAND). The Kremlin attempts to achieve policy paralysis, by sowing confusion, stoking fears, and eroding trust in democracy.

Russia is definitely the number 1 suspect here, but let’s think at the other options. Knowing that Rabbin des Bois (“Rabbi Hood” in English, the initial threat message recipient) is Jewish, and that there are lots of Russian-speaking Jews in Israel. We could easily suspect Israel too (matching UTC+3 timezone).
What about non-state actor? A French individual trying to promote his ideology? It could be, but less likely in my opinion.

The clear goal here is to polarize the target nation. We noticed the same thing happening in the US with the notable use of Facebook ads targeted at both opposing political parties, and the extensive use of memes trying to make the messages trend/propagate more easily.

Source: https://www.reddit.com/r/dataisbeautiful/comments/8k3z1i/this_is_not_normal_voting_patterns_of_every/

A truly polarized a nation becomes numb, unable to change or to take any important political decisions. To give credit where credit is due, this is honestly a very good long-term strategy to further some adversary political agenda.

This new kind of cyber warfare isn’t just some soft war. It can impact a whole nation by changing the minds of a few and then conquer the rest slowly until it reaches a tipping point. By provoking people from opposing factions, you’re adding fuel to the fire.

Impact assessment

The two detected “troll” accounts were relatively low-key, counting few followers and very few organic retweets. In this particular network I’d say the impact was low but it’s difficult to give any valuable metric. Most tweets weren’t liked or retweeted, which means the overall visibility was probably low. I personally don’t think this particular network had any success influencing people.

What if there were hundreds or thousands of small cells of personas exciting both the far-left and the far-right in France and throughout Europe? What could be the outcome?

I already spotted another similar network of fake personas targeting the French far-right… maybe for another blog post 😉.

First Update (2018–07–02) — before any publication

It appears the @viepepere account is now back on track with a few provocative tweets (achive link) and an original — and poorly edited — video promoting the Burkini (a kind of “Islamic” swimwear) in a weird and offensive way. Far from being neutral, this topic was known for being subject to a fierce and cleaving debate a few years ago. These tweets are happening right in the middle of the European immigration crisis, after a year-long period of silence. How peculiar? 🤔

Second Update (2018–07–06) — before any publication

Viepepere just deleted all its tweets and unfollowed @oummorist. This is happening before this article has been published, so it looks like they detected the initial OPSEC fail (lack of containment) and decided to clean up the mess. At the same time the oummorist account changed its profile description and was renamed “LARBIN DES BOIS” (an allusion to Rabbin des Bois?) instead of “VIVE MARINE”.

Another attempt at provoking French Muslims

Third Update (2018–07–10) — before any publication

Both accounts appears to have been cleaned up and “filled” with fake content now (claiming to be some sort of artificial neural network company or laboratory).

Data

The dataset is available here (85 KB), this only includes tweets (JSON format) of the two suspected accounts.

Thanks

Shout out to the peeps at 0day.rocks Discord that helped with the OSINT/GEOINT investigation.

Any remarks or suggestion, feel free to ping me @x0rz. If you liked this article you can also buy me some coffee☕!