Author: DarkOwl Content Team

Monitoring the War in the Middle East

Written by DarkOwl Content Team on . Posted in Blog.

October 12, 2023

DarkOwl analysts have assembled a list of Telegram channels commenting on the current conflict in the Middle East. It is important to note that the channels labeled hacktivists are hacker groups, people actively DDoSing websites (distributed denial-of-service attacks), defacing websites, etc. Conflict media includes channels that are not related to hacking but are sharing various forms of near real time content from the conflict in the form of text, audio, images, and video. Analysts have found that there is more propaganda and misinformation on the conflict media accounts versus the hacktivist accounts (not say that it does not exist).

The team will continue to update this chart as more Telegram channels emerge amongst the continued conflict.

Pro Hamas Conflict MediaPro Palestine HacktivistsPro Israel Conflict MediaPro Israel HacktivistsIran Hezbollah Iraqi Yemeni (Houthi) Hacktivists
samy44 انتاج جيش_فلسطين_الالكتروني
PalestineEArmy2		HAMAS-ISRAEL WARFucking HaMaS حماسالقدرات العسكرية السورية
smc2020
Syrian
ahfadosama  جيش القدس الالكتروني
Jerusalem Electronic Army		משתיקי הרשע
Silencers of Evil		The Archivists DomainThe last breath of the Zionists…
Iranian
mogawem2019  تغريدات || جيش فلسطين الإلكتروني PEA
Palestine E Army		חדשות ישראל בטלגרם ללא צנזורה
linkNews21M		ICD – Israel Cyber Defenseالموجز
almujaz_syria
Syrian
للإعــلام_الـحــربـي
mbmgy		Arab Anonymous Teamדיונים – מתקפת פתע על ישראל
linknews09u		Gaza parking lot crewرسانه حزب الله
hizbollahsyber
JehadQasaamMr mohammadעמית סגל
amitsegal		Kerala Cyber Xtractorsحزب الله سایبری
hizbollahsyberi
qudscapitalofpalistineGHOSTS of Palestineהימין הלא מתנצל של הצל
TheBigBadShadow		Indian Cyber Force1915 Team
Kurdish, Iraqi, Yemeni hackers
qasemy1 CyberActivismTeAm UcC OpErAtIoNsمحمد ضبع
MohamadDabaa
Syrian war journalist
AqseeoyaGhost ClanGaruna OpsSAM SYRIA
Syrian Army monitoring 
said_alshuhadaa9AnonGhost Officialחדשות סייבר – ארז דסה
CyberSecurityIL		khabaralaan
Syrian
شُهَدَاء الْعَقِيدَة وَالْوَطَن
bk31_3		SkynetRansomed.vcT.Y.G Team
Yemeni hackers
الاعلامي فقار الفياض
fqar_4		GANOSEC TEAM0x£_exp0s3dCyber Av3ngers
Iranian
Aqsamedia313Cyber Error SystemTEAM UCC INDIAYemen Legions Team
Yemeni Hackers
Al_Aqsa2Ganosecteam publikکانال گنجشک درنده
GonjeshkeDarande		Black Security Team
Farsi hackers
أبو عبيدة “الناطق العسكري باسم كتائب القسام”
spokesman 2020		Team_insane_PakistanIT ARMY of Ukraineالمقاتل وسيم عيسى
Syrian war reporter
الخليل في قلب الحدث
From Hebron		Team Azrael–Angel Of DeathCyber Club (Support)
Hamas OnlineWe are team_r70Anonymous Israel
جنين القسام
Jenin Qassam		We Are Team R70GlorySec
STUCX TEAMTeam NWH Security
HIZBULLAH CYB3R TEAM < PUB >Anonymous India
SYLHET GANG-SGDark Cyber Warrior
UserSecIndian Darknet Association
TengkorakCyberCrew Official
₮Ɇ₦₲₭ØⱤ₳₭ ₵Ɏ฿ɆⱤ ₵ⱤɆ₩ Chat
Khalifa Cyber Crew
Khalifa Cyber Crew Official
ACEH ABOUT HACKED WORLD
1915 Team
ASKAR DDOS
./CsCrew
EAGLE CYBER CREW
PANOC TEAM COMMUNITY
StarsX Team
CYB3R G4NG
J 0 K Λ R Ξ S
Ξ N D SODOMΛ
Fuck The system
مناقشة عالم الهكر العربي
Hacker Squad 75
عالم الهكر العربي
Hacker 501
4 EXPLOITATION Channel
Sudanese anonymous
Moroccan Black Cyber Army
Electronic_Tigers_Unit
جيش الهكر الإسلامي
Anonymous KGT
أنصار جيش الهكر الإسلامي
Islamic Hacker Army
Khan Cyber Army
Khan white Hat Hacker’s Team
SiegedSec
Jateng Cyber Team 01
Jateng Cyber Team 777
Systemadminbd Official (BCF)
AnonHaMz
Anonymous 070 / zurück zu den Wurzeln
VulzSec Official
GhostSec
WeedSec
Muslim Cyber Army (CMA)
JATIM RedStorm Xploit [JRX]
Dark Storm team
Dark Strom Team
GB ANON 17
Cyb3r Drag0nz
russian tools
Moroccan Defenders Group

Hamas Affiliated Channels Quiet Preceding Invasion?

Written by DarkOwl Content Team on . Posted in Blog.

October 12, 2023

Introduction

When Hamas militants entered Israel along several fronts on 7 October 2023, Israel and the world were shocked. As events have unfolded this has turned to disbelief that Hamas were able to mount such a complex and successful attack without prior intelligence to indicating an attack. In the months and years to come people will surely reflect on the entirety of intelligence failures that lead to these events, but initial reports seem to suggest that Hamas succeeded by “going dark.”

DarkOwl analysts reviewed our coverage of Hamas linked Telegram channels to identify if there was any change in their activity preceding the assault. We identified that there was a period of inactivity in the run up to the attacks for some but not all the channels. This could have been a coincidence, and we have seen no hard evidence suggesting that the period of inactivity was a precursor to the invasion. However, it is important to monitor the activity of pro Hamas Telegram channels to establish if there were any patterns to the posts.

In this blog, we review some of the channels we are currently monitoring.  

Hamas Telegram Channels Go Dark 

DarkOwl has been tracking several Telegram channels which are linked to Hamas or are pro-Palestine. These channels actively share information related to their “cause” with messages from Palestinian officials and military statements from al-Qassam Brigades. While most of these channels were making several posts a day, a pattern has emerged where a period of inactivity ensued before the attacks.  

The telegram channel حماس | HAMAS | فلسطین | غزة, which translates to Hamas | Hamas | Palestine Gaza, has over 66,000 subscribers. The description of the channel claims to provide a media network, with speed and credibility and exclusive firsthand news. Regular posts were made until 4 July when they stopped, with no explanation. The next post was made at 8:04am local Gaza time on 7 October.  

Figure 1:  حماس | HAMAS | فلسطین | غزة, telegram channel 
[TRANSLATED IMAGE]
Urgent Commander in Chief of the Qassam Brigades, Muhammad Al -Dhaif: We decided to put an end to Israeli violations and start the Al -Aqsa Flood Operation

From that point on that channel is very active, with regular posts made in Arabic and many images shared, including breaching “the wall.”

[TRANSLATED IMAGE]
Young people are storming the Gaza Strip after storming the settlements and burning Israeli military vehicles. 

The group I.C.C (Islamic Cyber Corps) is a hacktivist group that publishes leaked information and shares details of their hacking activities. Although it is not a very active channel, there is a noticeable gap in postings between 22 September and 7 October. From that time, they have shared more posts including information purportedly from the Israeli DOD and fact checking media stories.  

AnonGhost Data Leak channel, which is a channel dedicated to sharing leaked information obtained by the hacking group last posted on 2 April. Their next post was on 7 October when they began to leak information related to Israeli car systems, encouraging followers to capture Israelis in their cars. This group has always targeted Israel specifically, and it is worth noting they were more active on their official channel.  

Figure 2: AnonGhost Data Leak Telegram Channel 

The channel “أبو عبيدة “الناطق العسكري باسم كتائب القسام” which translates to “Abu Ubaidah, Military Spokesman for the Al-Qassam Brigades” has almost 400,000 followers. The Al-Qassam Brigade is the military wing of Hamas. The channel is used to make official announcements. Although the updates are not regular, there are no posts made between 6 July and 7 October. 

[TRANSLATED IMAGE]
Shortly after … an urgent and important tweet of the military spokesman in the name of the Al -Qassam Brigades Abu Ubaidah through his channel on Telegram 

The channel Free Palestine 48 had a period of inactivity from 10 September until 7 October, when its first post was a video, it claimed showed “children of Gaza rejoice, playing on top of an armored truck seized by the resistance fighters.”

Figure 3: Free Palestine 48 telegram channel 

Previous posts had shown pro-Palestine images and details of Saudi Arabia’s normalization talks with Israel as well as what it claims are Israeli infractions on the people of Gaza. There is no indication of why the channel did not post between these time periods. Unlike many other channels reviewed in this blog the posts are made in English rather than Arabic, likely to project its message to a larger audience. 

تغريدات || جيش فلسطين الإلكتروني PEA, The PalestineEArmy had not posted on their Telegram channel since 5 August. They first posted on 6 October. The majority of the posts were forwarded from the Arab Anonymous Team Telegram Channel. The Arab Anonymous Team were also inactive from 27 July to 7 October. Their first post announced the bombing of Israel from Gaza.  

[TRANSLATED IMAGE]
Gaza bombed Zionist settlements 🔥 

Hamas Linked Channels Stay Active 

The Telegram channel طوفان الاقصئ من قلب الحدث (The flood of Al Aqsa from the heart of the event) has nearly 4,000 subscribers. The account self identifies as pro-Palestine and regularly reshares prominent religious texts. The channel was actively posting in the run up to the attacks. They did not start posting images or text related to the invasion until the afternoon of 7 October. The videos shared of the attacks including images of hostages and militants entering Israel have not been corroborated at this time.

Figure 4: Image from Sahr_2023 telegram channel 

كتيبة جنين الإعلام الحربي-الحساب الاح – Jenin Military Media Brigade-Account, did not publish videos related to Hamas militants breaking through the wall. On 3 October they posted images of what appear to be militants holding pro-Palestinian images with pictures of individuals, they indicate this is “part of the participation of the Al-Quds Brigades-Kaba, the commemoration of the Jihadist launch, the Martyrs of Victory.”

Figure 5: Sarayajneen Telegram channel 

The content of the posts in the days preceding the invasion continued with a similar tone, often displaying images of militants with weapons, sometimes holding images of martyrs (fallen soldiers). These images are likely intended to evoke excitement from their supporters. Although they continued sharing images of militants with weapons and messages from the brigade and posts which appear to be religious text, unlike a lot of the other channels that we are monitoring they do not share images or videos of the Hamas incursion.  

المَـرْيَــ𓂆ــم𓂆 طوفـ𓂆ـان_الاقصى 🔥💚2(Al -Maryoufan_Al -Aqsa 🔥💚) is another Telegram channel that was active in the period preceding the attack. They had previously shared images of militants holding weapons, as well as some memes. Subsequent to the attack this channel regularly shared a large number of videos of the events, some of which are very graphic in nature. They also regularly make what are known as martyrdom posts — or sharing the images of militants who have been killed, from personal pictures.   

Of note, a channel named Hamas Online, which appears to make official statements on behalf of Hamas in English, did not stop posting in the lead up to the activity. However if official channels had gone quite that could have been an indication that the status quo had changed. The last post made before the events of 7 October is a post in relation to the October war of 1973 which it says “bears witness that resistance is the only option to deter the Zionist colonial occupation.” Which, in hindsight does seems to be an indication of what was to come. 

New Pro-Hamas Channels Pop Up 

As part of our collection efforts DarkOwl is constantly searching for an adding new sources of relevance to our data collection. Since the events of last Saturday, we have identified a number of new channels which have been created in response.  

Other channels were created in direct response to the conflict. للإعــلام_الـحــربـي 🇵🇸 (for war flags) was created on 8 October and has already amassed a following of over 5,000 followers. This purports to be sharing news about the conflict and updates on what has been bombed.  

Conclusion 

Our coverage of Telegram channels linked to Hamas or Pro-Palestine have shown that they have operated in different ways. It is unclear if any of this activity was linked to the invasion or directly linked to it. Although there were strange periods of inactivity on some of the channel, we cannot know what caused that. However there does not seem to be a clear pattern in the activity that would suggest that the periods of inactivity were in any way coordinated among the different groups. Furthermore, the number of channels that remained active would indicate there was no mandate of silence.  

What is clear is that these channels are being used by the operators to spread information relating to the conflict and in the days since the invasion they have become very active sharing videos, images, and commentary on the events. While we cannot corroborate the validity of what is being shared, it is clear that Telegram is being used as a way to share news and information at a speed that is quicker than the traditional news media. In our next blog we will examine how this is being done.  

Introducing: The Mental Health Strategies for OSINT Professionals (MHS4OSINT) Project

Written by DarkOwl Content Team on . Posted in Blog.

October 10, 2023

In recognition of World Mental Health Day, DarkOwl is excited to announce the initiation of the “Mental Health Strategies for OSINT Professionals” (MHS4OSINT) Project, aiming to provide OSINT professionals strategies to reduce the mental health impact of exposure to distressing content in their work.

Why OSINT Analyst Mental Health Matters

Most individuals report experiencing stress in the workplace – 94%, according to the American Institute of Stress. However, OSINT analysts (such as those involved in anti-human trafficking efforts or dark web research) are routinely exposed to subject matter and content that an average person does not willfully engage with when navigating online spaces. Exposure to “distressing content” may result in vicarious trauma which in turn leads to an array of negative mental health outcomes.

Vicarious, or secondary in some literature, trauma has competing definitions. For the purpose of this project, we will adopt a more general definition from Hannah Ellis at Bellingcat: “mental distress that is experienced as an outcome of interacting with graphic online media.” Vicarious trauma is thought to occur when exposed to what we will refer to as distressing content, or content that elicits negative responses from users upon exposure. The nature of distressing content is highly varied and includes (but is not limited to) war footage, gore, CSAM, extreme ideology, X-rated content, among others. Further, this content is not limited to only photos or videos; sounds, imagery, or extreme rhetoric is thought to also invoke vicarious trauma.

The toll of vicarious trauma is thought to be cumulative over time. Repeated, frequent exposure to such materials adds up, and this exposure cannot be undone; in other words, it’s not possible to “unsee” something once exposed to it. This can contribute to multiple negative mental health outcomes, such as analyst burnout. Burnout is, of course, a poor outcome for the analyst themselves, but also impacts the long-term health of OSINT as a profession and is economically impactful for employers and organizations who rely on OSINT work. Other professionals that frequently experience vicarious trauma, such as 911 operators and journalists in sensitive areas, typically have access to plentiful resources to combat the negative effects of exposure to distressing content. OSINT professionals however do not have a centralized repository of resources dedicated to combating burnout and other negative outcomes (though some excellent individual materials exist, such as the 2 previously linked Bellingcat articles). Further, advice from individual OSINT professionals on reducing burnout may be differentially effective; a strategy used by one OSINT analyst to reduce burnout may not be impactful for another, or the variances in reduction may vary depending on the nature of the distressing content. This project seeks to help address these issues in the OSINT community.

The Mental Health Strategies for OSINT Professionals Project

The Mental Health Strategies for OSINT Professionals Project (MSH4OSINT) is a crowd-sourced, data driven project aimed at collecting, validating, categorizing, and distributing mental health strategies freely for the OSINT community.

Researchers on this project aim to collect Strategies (specific actions, behaviors, or modifications of belief that will lessen the negative impacts of vicarious trauma when exposed to distressing content) from a wide variety of OSINT practitioners and validate their effectiveness using empirical evidence. Once validated, Strategies will then be categorized using qualitative research methodology and distributed to the OSINT community via DarkOwl’s website, presentations at conferences, social media, and other typical ways of reaching OSINT professionals.

These strategies will be freely accessible and accessing the strategies (as well as contributing to the project) is anonymous. Note that these strategies are not medical advice nor intended as a replacement for professional therapy or other medical interventions. It is also unlikely that all strategies, even when empirically validated, will be impactful, thus we encourage trying out strategies from numerous categories.

Project Methodology

Though decidedly not an academic project, this project endeavors to follow sound academic principles and methodology to ensure the highest likelihood of success at reducing burnout.

The first phase of the MHS4OSINT project is data collection of strategies used by OSINT professionals. This will be done via an anonymous self-administered online survey, hosted here. Data collection will be ongoing and Strategies will be evaluated as they are submitted.

Once data is collected, it will be cleaned and enter the validation step. This project will only put forth strategies that have empirical backing (though we invite contributors to include ALL strategies used). Project researchers will seek out literature to demonstrate the efficacy of a submitted strategy and include that source with the suggested Strategy. Strategies with no evidence of success at improving mental health outcomes will not be moved on to the categorization step.

Upon validation, Strategies will then be categorized using qualitative research methods. As we are in the very early stages of data collection (and the fact the data should derive the categories), permanent “categories” are yet undefined and are very likely to change. However, some possible categories we may see from the data include:

  • Environmental/Physical Strategies
    • Proximity/working space, changes in clothes/style, physical health and nutrition
  • Mental Strategies
    • Meditation, mindfulness, building resilience, “inoculation against the internet”, work/life balance, professional identity
  • Technical Strategies
    • Browser extensions that blur images, pause auto-playing videos, mute extensions
  • Moral? Social?
    • Can mission success mediate the impacts of exposure?

Once a considerable amount of data is collected, validated, and categorized, we will then distribute Strategies for the community via future blog content, social media, and conference presentations. As more data is collected, ongoing updates will be made to the Strategies and their categories, with the aim to have a large repository of Strategies that may prove effective at reducing burnout regardless of the type of distressing content OSINT professionals are exposed to.

Contribute!

If you’re an OSINT professional that would like to offer Strategies you use to reduce burnout, we would love your (anonymous) input! The entire success and impact of this project hinges on the collection of quality data from the OSINT community. Submit your strategy. We will also be at OSMOSISCon in New Orleans, Louisiana on October 15-17, 2023, detailing some of the very preliminary findings from the project.

Make sure to get the latest research and our findings. Sign up for our newsletter!

Dark Web Groups Turn Their Attention to Israel and Hamas

Written by DarkOwl Content Team on . Posted in Blog.

October 10, 2023
Disclaimer: DarkOwl is not affiliated with any of the groups mentioned in this article and do not support the actions of cybercriminals regardless of their motivations. This information is provided for informational purposes only and has not been independently verified.

Other Resources Since the Publication of This Blog:

Introduction 

The world was shocked by the invasion of Hamas insurgents into Israel along multiple entry points from the Gaza Strip on October 7, 2023. This has led to a huge number of posts, images and videos being shared of the incursion and atrocities on social media but also on the dark web and dark web adjacent sites.  

DarkOwl analysts are closely monitoring this situation and have identified a wealth of information being shared, some of it legitimate and some likely to be disinformation. We will be authoring a series of blogs showing our initial findings as well as providing new information as it is uncovered.  

Here we provide information relating to known cyber groups active on Telegram and how they have reacted to the invasion.  

Which Side to Pick? 

As events unfolded over the weekend, chatter on several Telegram channels monitored by DarkOwl turned towards Israel and Hamas and the events unfolding in the Middle East. A number of these groups have been heavily involved in the Russian Ukraine Conflict supporting one side or the other and posting leaked information, DDOS attacks and defacement among other things. 

Some groups quickly pledged their support for one side or the other. Killnet posted their intention to target the Israeli government, posting in both Russian and Hebrew, stating this was due to Israel’s support for Ukraine. An affiliate of theirs Anonymous Sudan quickly followed suit.  

Figure 1: Killnet Telegram channel
Figure 2: Anonymous Sudan Telegram channel 

The Five families, including SiegedSec and GhostSec posted on October 7 confirming their support for Palestine/Hamas. These groups have been very active on behalf of Russia in the Ukraine Russian conflict.  

Figure 3: GhostSec Telegram channel 

A hacktivist group known as Cyb3r Drag0nz who has targeted several groups and organizations from many countries posted a poll to their public channel asking them which country they should support. They quickly began activity in support of Palestine.  

Figure 4: Cyb3r Drag0nz Telegram channel 

A ransomware group known as RansomVC, was reported to be buying access to any countries affiliated with Gaza, including Iran and Palestine. Although no other information was provided it is likely this means the group is planning to attack organizations within these countries.  

Figure 5: RansomedVC Telegram channel 

The threat group ThreatSec stated it didn’t like Israel but that they also don’t like war, so they plan to attack the Gaza region as that is where many of the Hamas fighters are located. They later had to clarify this statement saying they are neither on the side of Israel or Palestine and they want to stay neutral. So, they will target both countries.  

The group Garuna Ops made a number of posts in support of Israel and stated as well as attacking Palestine they would attack any other countries that supported them.  

This is just a small number of the groups identified which were previously active in the Russia Ukraine conflict. It is worth noting there are a number of other groups on both sides which have been supportive of Hamas or Israel for some time. We will provide more information on them in subsequent blogs.  

The Cyber War Begins?

Hacktivist groups have been quick to launch attacks on both sides of the war, the type of activity conducted has varied depending on the group and presumably what skills they possess. DarkOwl has not verified the reported attacks were successful. 

Some channels as well as providing details of the attacks they have conducted or information they have obtained have also shared graphic images and videos of the conflict as well as support for their chosen side and justification for their beliefs. Here we only focus on the attacks they claim to have conducted.  

DDOS Attacks

Two separate groups claimed to have taken down the Red Alert System. This is the system used by Israel to alert its citizens of the threat of a rocket attack. The system has an app which is installed by the user. Anonymous Sudan first made the claim on October 6, providing a screenshot which showed a loading image on the app and a screenshot saying there had been no alerts in the past day. However, the screenshots do not provide a date or time.

Figure 6: Anonymous Sudan Telegram Channel 

GhostAnon was the second group to claim it had taken down the app and it was affecting different areas. Again, they did not provide any concrete evidence this was in fact the case. 

Figure 7: AnonGhost Official Telegram channel 

The manager of the Red Alert app refuted the claims the app was down. This is possibly corroborated by a further threat group posting images of the Red Alert Map showing where Hamas rockets were striking Israel, although the timing of the screenshot is unknown.  

Anonymous Sudan also claimed to have successfully DDOS The Jerusalem Post, the website of a newspaper based in Israel. The company did post on X (formally Twitter) that they were suffering from a major cyber-attack and the site continues be down several hours later.  

Figure 8: Anonymous Sudan Telegram channel 

The Electronic_Tigers_Unit claimed they had successfully attacked the Mossad open website via a DDOS attack. Although this is the open site and therefore unlikely to hold any sensitive information its likely aim was to cause distraction to the Israeli Intelligence services.  

Defacements 

A cyber hacktivist group knows as Cyb3r Drag0nz posted a series of images claiming it had defaced several Israeli websites. The image featured a Palestinian flag as well as the aliases of the individuals involved and their associated Telegram channel.  

Figure 9: Cyb3r Drag0nz Telegram account 

The companies that were targeted by this group ranged in industry and no reasoning was provided other than they have a .il domain. Defacements have long been used by less sophisticated users or those that want recognition for the activities they are causing. This is a known tactic of Iranian cyber actors.  

Leaked Information

Another group Cyber Av3ngers, which is supportive of Iran, activities preceded the invasion and began on October 6 when they targeted Noga Company, an electricity company claiming they were causing power outages “due to the actions of your [Israel] government.”  

They have also targeted Dorad Power station both in a DDOS attack and a claim they have obtained sensitive information, this included images of the facility which they shared on their telegram channel, it is likely this was done to assist with an attack on the facility.  

It is worth noting this group had previously claimed responsibility for attacking an Israeli public railroad in mid-September. Although this incident was denied by Israel.  

On October 9, AnonGhost-Info provided a list of IP addresses which it claimed formed part of the Israeli Iron Dome. This is the missile defense system which attempts to destroy any rockets entering Israeli airspace. Although these IP addresses have not been verified if legitimate these addresses could be used by a cyber actor to attack the Iron Dome. The IP addresses have been redacted for security purposes.  

Pro-Palestinian groups have also been targeting Israeli citizens and sympathizers. Leaks of their alleged information have been revealed with users being encouraged to target their social media accounts to provide pro-Palestinian messages.  

On October 9, Cyb3r Drag0nz also claimed to have hacked the Israeli Instagram and provided screenshots showing the information they had obtained which included images and usernames. They later released a download which they claimed included all the user data which contained more than 100,000 Israeli Instagram accounts. This information has not been verified.  

Figure 10: Cyb3r Drag0nz Telegram account 

High ranking officials have been subject to DOX attacks with the purported name and phone number of the Director General of the Israel National Cyber Directorate being released and followers being encouraged to spam his phone.  

Figure 11: AnonGhost Official Telegram channel 

Summary

Although Government sources have claimed they have not yet seen any evidence of cyber-attack, DarkOwl’s coverage of darkweb adjacent groups has shown they have been quick to involve themselves in the conflict. While the tactics which have been observed so far are not assessed to be highly sophisticated, they can be very disruptive, and it is likely more sensitive information is being shared in closed channels. It appears, just with Russia and Ukraine, cyber-attacks will be another front in this war both from hacktivist groups as well as nation states acting directly and via proxies.

DarkOwl coverage on this topic will continue. 

Examining Recent Telegram Posts from Russia’s “Z Bloggers”

Written by DarkOwl Content Team on . Posted in Blog.

October 05, 2023

Who are the “Z Bloggers” or “Z Army”

The letter “Z” has been heavily used as a pro Russian invasion propaganda motif since the early days of the invasion in 2022. The “Z” symbol is often associated with images of Russian leaders in the government or military.

Image 1: Sergey Mironov wearing a pin with “Z” symbol, Governor of Kuzzbass

The symbol is also commonly associated with Russian war journalists, soldiers, and other Kremlin supporters typically used as vehicles for misinformation campaigns  on chat platforms like Telegram. The media commonly refers to this group of individuals as the “Z bloggers”, the “Z Army”, and more generally as war influencers.

Image 2: Russian soldiers embracing the “Z” symbol on a military vehicle; Source: Moscow Times

The  Z bloggers will sometimes display the “Z” somewhere on their Telegram profile (as seen in the below screenshot for WarJournal). Often these “journalists” are embedded on the frontlines with Russian soldiers, which is how they are able to obtain near real-time conflict footage. These videos provide fuel to propaganda aimed towards increasing Russian enlistments into the Armed Forces or Wagner Group.

Figure 1: Screenshot of WarJounal’s Telegram bio

A recent BBC article reported the sudden increase of Telegram members in various “Z blogger” channels is correlated with a “surge in Telegram’s advertising market” like WarGonzo and Grey_Zone. These war influencers have taken advantage of this trend by selling advertisements through Telegram posts to companies looking to reach a younger target audience. According to Telegram’s website: “Sponsored messages on Telegram are displayed in large public one-to-many channels with 1000+ subscribers and are limited to 160 characters. Sponsored Messages are based solely on the topic of the public channels in which they are shown. This means that no user data is mined or analyzed to display ads, and every user viewing a particular channel on Telegram sees the same sponsored messages.”

This blog will take a look at recent posts from 3 different “Z blogger” channels in an effort to better understand how this content has recently been utilized as a propaganda motif. DarkOwl analysts selected the following Telegram channels for review:

  • WarGonzo, over 1.2 million subscribers
  • WarJournal, over 41,000 subscribers
  • Grey Zone, over 600,000 subscribers

WarGonzo

WarGonzo is one of the most prolific “Z bloggers” with well over 1.2 million Telegram subscribers. This channel is reportedly run by  Russian citizen, Semoyon Pegov, an image of him with Vladimir Putin was posted on X (formerly Twitter) and Telegram in April this year.(see image 3). It is unclear how many individuals are associated with this channel but we have observed multiple “correspondence” posting information and embedded with the military. A representative for ‘WarGonzo” was interviewed by the BBC and reported that they make an estimated £1,550 per Telegram post via advertising revenue. Users are able to submit content to advertise by following the instructions and steps (in Russian) using a Telegram bot, @pegov_bot. It is unclear if there are any restrictions on what can be advertised.

Image 3: Image of Pegov standing with Vladimir Putin; Source: Twitter 04/06/2023

WarGonzo posts at least once a day and often several times a day. For example, on September 26, 2023 there were 10 posts. The content of these posts ranges from interviews from correspondents on the front lines of a conflict in Ukraine or other correspondents reporting on recent escalating events between Azerbaijan and Armenia in Nagorno-Karabakh. The Ukrainian video content is typically more violent often showing images of dead soldiers and civilians immediately following some sort of military kinetic activity (air strike or explosion) whereas in the Azerbaijani videos, the correspondents are dressed in civilian clothes and not on the front lines. This money has helped WarGonzo to expands its coverage to other conflicts such as in Armenia and Azerbaijan. The below screenshot of a WarGonzo post made on Sep 26, 2023 displays a video of a WarGonzo correspondant, named Dmitry Seleznev, reporting on the recent Azerbaijani attack that targeted ethnic Armenians in the town of Goris:

Figure 2: Image from WarGonzo’s Telegram channel
[TRANSLATED IMAGE]
⚡️Refugees are delivered by land and by helicopter⚡️Activation of WG from Goris⚡️
Refugees are arriving in Goris, the closest city to Nagorno-Karabakh. They are registered at the central house of culture, provided with food and water, given medical care to those who need it, and sent to be resettled in the regions and cities of Armenia.
Helicopters fly over the city, delivering victims after yesterday’s explosion of a fuel tank near Stepanakert.
Watch the live broadcast of our special correspondent Dmitry Seleznev from Goris.
@wargonzo
*our project exists on the funds of subscribers, a card for help
4279 3806 9842 9521

WarJournal

WarJournal, is another “Z blogger” Telegram channel,  where the content creators are  embedded with Russian soldiers on the front line, and has a large following with over 41,000 subscribers. Content published on this channel is similar conflict content to WarGonzo, utilized to motivate Russians to enlist in the army.

The following screenshot was taken from a recent post on September 26, 2023, which depicts the Russian Air Force destroying a bridge with a X-38 aircraft missile over the Oskol River. Users reacted 41 times using the “thumbs up” emoji and 14 times using the “fire” emoji. DarkOwl analysts identified the forwarding Telegram channel where this information was originally posted on the same date, РаZвед_ДоZор (t.me/razved_dozor), which is yet another war influencer apart of the “Z blogger” network.

Figure 3: Image from WarJournal’s Telegram channel
[TRANSLATED IMAGE]
The Russian Air Force used an X-38 aircraft missile to destroy (https://t.me/bortzhyrnal/139) the bridge across the Oskol River in Kupyansk and significantly hampered the ability of the Ukrainian Armed Forces to supply its troops in the Kupyansk direction.

Grey Zone

Grey Zone is another “Z blogger” account that identifies as an official channel for the Wagner Group. Open Source reporting has not identified one particular individual running this channel at this time, however, according to its Telegram bio the username, @greyzone_admin, is the channel admin.

Grey_Zone also has a large Telegram following with well over 602,000 subscribers as of September 27, 2023. The BBC also reported that this channel reportedly makes £260 per post. The content shared on this channel is consistent with other “Z bloggers;” they display near real time conflict videos, images honoring dead soldiers, and other Pro-Russian propaganda motifs that are intended to motivate Russian sympathizers to enlist with the Wagner Group.

The below screenshot is an example of this, referring to a Wagner Group “hero of Russia.”

Figure 4: Image from Grey Zone’s Telegram channel
[TRANSLATED IMAGE]
“We are always ready to talk man to man. Moreover, we have known each other since the first and second wars in Chechnya” – commander of the “Wagner Group” Hero of Russia Dmitry Utkin.

The style of this image is reminiscent to the imagery used in Jihadist martyrdom posts from groups affiliated with ISIS or Al Qaeda. The image below illustrates a martyrdom post created by an Indian Al Qaeda affiliate called the Ansar Ghazwat-ul-Hind (AGH) in June 2019:

Figure 5: Image of an AGH martyr, Long War Journal

Conclusion

DarkOwl analysts assert it is highly likely that Russia will continue to expand the reach of its propaganda campaigns through chat platforms like Telegram. Since the outbreak of the Russian invasion of Ukraine, the use of Telegram has been integral to the spread of Russian misinformation by a cohort of supporters that have become known as the “Z bloggers” or “Z army”. The recent BBC article highlighted how influential accounts like WarGonzo and Grey_Zone are able to make hundreds to thousands of dollars a day from Telegram posts. WarGonzo now has the budget to report on conflicts in nearby countries such as the current ethnically charged violence towards Armenians in Goris.

Don’t miss any DarkOwl research > sign me up for emails!

Products

Services

Use Cases

Company

Copyright © 2024 DarkOwl, LLC All rights reserved.
Privacy Policy
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.