On April 1, the day before a key parliamentary election in Armenia, Yerevan-based activist Babken DerGrigorian received a warning from Gmail. “Government backed attackers may be trying to steal your password,” it read. Then came three emails from Facebook saying that someone was trying to reset the password for his account.
DerGrigorian admits he’ll probably never know for sure who was trying to get into his accounts, but it fit perfectly into a bigger picture of suspicious activity that saturated Armenian cyberspace around the election and mirrors some of the election-related mischief in the U.S.
It started in late March when dozens of Russian-language profiles using the #armvote17 election hashtag began tweeting what they claimed to be an email from USAID, the development arm of the U.S. government. The letter expressed support for the opposition and implied that the U.S. was meddling in the Armenian election. “An NGO is trying to sabotage the vote,” many of the tweets read.
The U.S. embassy was quick to laugh the email off, pointing to numerous spelling mistakes and the fact that it came from a Gmail account. “Recycled tricks and recycled lies. If you are going to lie, at least be creative about it,” the embassy wrote on its Facebook page. On March 29, a new version of the email, with the mistakes corrected and the Gmail address cropped out, was shared on Pastebin, a website popular among coders for storing and sharing text.
An analysis by Ben Nimmo, a Senior Fellow at the Atlantic Council’s Digital Forensics Lab, found that dozens of Russian-language accounts that shared the fake USAID email all had similar patterns of behavior, suggesting they are part of a coordinated group of bots. All of the accounts were created over a year ago, had few followers and repeatedly tweeted very similar phrases and images, often multiple times from the same profile.
While the accounts showed little previous activity, all of them had also tweeted during recent anti-corruption protests in Russia, using the protest’s hashtag to send irrelevant images and memes.
Armenian journalist Gegham Vardanyan believes the same bots not only spread fake news but also managed to trigger the suspension of four prominent Twitter accounts in Armenia, including his. The three other suspended accounts belonged to two independent news outlets and the director of a pro-Western NGO.
Vardanyan and DerGrigorian say the attacks bear hallmarks of a Russian troll factory, but neither can prove it. All four accounts were reinstated within two hours with the help of Access Now, a U.S.-based nonprofit that defends “digital rights of users around the world.” Without their help, Vardanyan says it could have taken them days to get their accounts unblocked by going through Twitter’s own review procedure.
But the incident has highlighted the vulnerability of small Twitter markets to attacks and bots during significant political events. Similar suspensions of prominent bloggers in Ukraine have been attributed to coordinated attacks by bots, which are automated accounts that in this case sent multiple complaints about an account’s activity.
Twitter did not immediately reply to a request for comment.
Illustration by Alessandra Cugno.