The reports, released on 23 September and 10 December, accuse Sputnik News and Sputnik Mundo of a "hacking" campaign to boost trust in Russia's Sputnik V vaccine and discredit the US-based Pfizer-BioNTech and Moderna vaccines, as well as the UK's Oxford-AstraZeneca counterpart, but findings reveal several major discrepancies in the FAS narrative.
These programmes include adware, Window registry keys, digital coin miners, worms, and many others, the report states, but fails to establish a credible motive or disclose the malware involved in the disinformation campaign.
Link Shorteners Protect From Malware
The FAS report accused Russian "hackers" from Sputnik Mundo of using link-shortening services such as bit.ly and Twitter to spread "vaccine-related malware across Latin America," but failed to explain that such services filter content for malware.
However, according to Bitly, link shortening services protect users from spam and malware with algorithms used to detect websites "flagged as suspicious or known to lead to a malicious page."
It adds blacklisted services and sites detected with "potentially malicious or inappropriate content," while even destination links shortened with other services will trigger a warning page informing the user of a potential cybersecurity risk.
Twitter's policy on link shortening services echoes Bitly's description of increased security against malicious websites.
"Having a link shortener protects users from malicious sites that engage in spreading malware, phishing attacks, and other harmful activity. A link converted by Twitter’s link service is checked against a list of potentially dangerous sites. Users are warned with the error message below when clicking on potentially harmful URLs," it reads.
Link shorteners can then warn users against entering a site if it is suspect. Linked services used to disseminate articles on social media would be flagged as containing malicious content.
Sputnik Mundo in FAS Crosshairs
The report accuses Sputnik Mundo of a campaign to spread malware to shift narratives against pharmaceutical firms such as Oxford-AstraZeneca, Pfizer-BioNTech, and Moderna.
From 80,000 tweets identified on 9 September, only four were reportedly found from the Sputnik Mundo page domain, despite the report initially accusing Latin American media outlets of a massive disinformation campaign.
"The malware network is large and presents a clear threat vector for the delivery of payload on vaccine stories. Vaccine malware-disinformation has spread beyond Russia’s Sputnik Mundo network and towards a series of other domains in Argentina, Venezuela, Chile, Peru, and Mexico. This is particularly alarming considering that aggressive conspiracy theories advanced by the Kremlin in Latin America have already tilted the region’s governments towards the use of the Sputnik V vaccine. Indeed, Russia is supplying Mexico with 32 million doses of Sputnik V. Venezuela and Argentina are set to purchase 10 million and 25 million doses respectively, while Peru is currently in negotiations to purchase the Sputnik V," it reads.
These accusations come as the Gamaleya Research Centre announced it had already inked agreements to ship the Spunik V vaccine to Belarus, the United Arab Emirates, and across the Middle East and Latin America, among many other countries.
The latest FAS report comes just days after British medical journal The Lancet found the Oxford-AstraZeneca vaccine had substandard efficacy rates of roughly 70 percent compared to its Pfizer-BioNTech and Moderna counterparts.
The Sputnik Mundo report cited by FAS criticises the messenger RNA technique used in the Pfizer-BioNTech, which requires much lower storage temperatures to transport vaccines to prevent efficacy loss, reported by global media.
Sputnik's Cybersecurity Analysis
Sputnik ran VirusTotal tests on all websites mentioned in the cybersecurity network, including Sputnik Mundo, Pagina12 in Argentina, La Tercera in Chile, El Comercio in Peru, La Octava in Mexico, and Correo del Caroni in Venezuela.
— Future Proof (@FutureP42264459) December 21, 2020
As of Monday, VirusTotal found no malware on any of the five websites featured in the December report.
Contrary to FAS findings, no specific malware was identified, but merely alleged points of origin via IP addresses in neutral, Chinese and Hungarian locations. But virtual private networks can mask IP addresses and their information.
— Future Proof (@FutureP42264459) December 21, 2020
A search on What Is My IP found two locations sharing the Hungarian IP address 18.104.22.168, in Hungary and in Sweden, with the former being blamed for the attacks and the latter omitted from the report. The Swedish address also offers full user data, with the Hungarian location only partial, indicating a possible Swedish origin via a VPN masking full user data.
The article also does not specifically comment how internet traffic can be "manipulated" through malware, whether via keystroke logging, screen-grabbing, repeated attempts to log in, or even changing device registries typical of malware.
It also fails to identify the specific malware involved in the attributed information, but rather provides random MD5 Hash identifiers in its December report screenshots, which verify the authenticity of files, but does not provide the file names.
But the programmes identified in the report are RT_CURSOR files used to track the cursor position on a computer screen.
Rather than focusing on the essential cybersecurity data needed to verify the attacks, the FAS appears to try and draw links between typical US adversaries – Russia, China, Argentina, Venezuela, Hungary, and others – to justify its report.
Kremlin-Baked Cookies Behind Malware Campaign?
The FAS December report claims that the most nefarious programme the alleged Kremlin-owned news station would use is...a cookie, and says this is the primary potential threat to global internet users.
One goal "is to identify the audience that is most interested in the issue of vaccines in order to micro-target the group with future items of interest, possibly to artificially tilt the conversation for or against certain vaccines," it reads.
"This malware technique can also be used to identify users who are interested in vaccine stories in order to target them with future vaccine news. Micro-targeting allows for companies to define specific, rigid user profiles in order to create an audience for content and ads. If users are placed within one of these audiences, companies placing ads are able to send them content tailored for their interests," the report continues.
According to Webopedia, cookies are beneficial for improving user experiences to "tailor advertisements, create an effortless authentication process, and maintain site preferences" for returning users, among other things.
It adds that some cookies can track data and be "used for malicious intentions" such as intercepting data and selling information to third parties, or "hijacking" computers to impersonate users on the internet, which was not mentioned in the report.
No other malware would be needed to track user data or tailor adverts and content to successfully launch such a campaign, and the FAS would still need to identify the names of the malware used in their primary allegations.
What is the Federation of American Scientists?
According to the FAS website, US scientists involved in building the atomic bombs used against Hiroshima and Nagasaki formed the organisation in November 1945 in a bid to reduce nuclear weapons in circulation and block nuclear terrorism.
The group aims to promote "a safer and more secure world" through nuclear security, government secrecy, and biosecurity, and has established a Disinformation Research Group to tackle alleged concerns over media disinformation.
FAS chair Gilman Louie founded In-Q-Tel to boost national security by "connecting the Central Intelligence Agency and U.S. intelligence community with venture-backed entrepreneurial companies" and has a background in the interactive entertainment industry, it states. Three of the group's seven reports focus on allegations against the Sputnik V vaccine.