In this episode of The Pivot podcast, we welcome our guest Léa Ronzaud from Graphika!
Léa plays a central role at Graphika as an investigator specializing in online investigations, state influence operations, and European extremist groups. She is part of the team that exposed Secondary Infektion, a series of operations run by a large-scale, persistent threat actor from Russia. She has also done research on the recent competing Russian and French influence operations in the Central African Republic.
This episode is packed with insights from her projects on internet mapping in state operations. It also delves into decrypting controversial state attacks and the multiple layers of thinking that go into them!
The Pivot: Your New OSINT and Infosec Podcast
Brought to you by Maltego, The Pivot is your OSINT and infosec podcast that dives deep into topics pivoting from information security to the criminal underground. Through The Pivot episodes, we aim to share insightful information for beginners and seasoned investigators alike, shedding light on all things OSINT and infosec from an insider’s perspective.
Each episode features one or two of Maltego’s own Subject Matter Experts as the host and an external expert, researcher, or industry leader invited to share their projects, stories, experiences, and advice.
Where to Listen to The Pivot?
The Pivot podcast is available on Spotify, Apple Podcast, Google Podcast, and the Maltego YouTube channel. Each episode is 45 to 60 minutes long and is released on the 15th of every month. Stay tuned with us for more updates!
Could you tell us a bit about yourself?
Léa: My name is Léa and I’ve been working at Graphika as an analyst and an investigator for three years already. I specialize in state-sponsored operations as well as online extremism.
I got into OSINT mainly by chance. Before ending up at Graphika, I was mainly studying ancient languages and foreign trade with a specialization in Russia because I’ve been learning Russian for around 14 years. Thereafter, I applied to the French Institute of Geopolitics after a bachelor’s in international trade. When I applied to the French Institute of Geopolitics, I got very lucky because I was interviewed by two PhDs who noticed my Python and Russian skills and instantly they were like, “Do you want to work on cyber?” From there, I began working on tech stuff like cybersecurity-oriented analysis and then things just fell into place.
Could you elaborate on what internet mapping is really about?
Léa: So we are mainly mapping social media platforms and social media conversations. It means that we use public data surrounding the use of one hashtag or people mentioning its total accounts.
In the end, we end up with a clear map of where most of the communities appear very distinctly. And then we can navigate through those maps and see who used what hashtags and who is talking about what. This is actually really interesting because that’s how I got into investigations. Through maps, we can find very good leads for investigations, be it coordinated behavior around a certain hashtag or targeted harassment and so on.
Does attacking a country usually have multiple layers of thinking or actions attached to it?
Léa: For example, with the attack on the electrical grid in Estonia, the whole system pretty much got closed. It was really interesting because on one side, it was the systems that they got, completely closed everywhere on internet, states, websites and so on and so forth. On the other side, you had a whole disinformation campaign that actually resembles some things we’re seeing about Ukraine right now.
At the same time in Estonia, the cyber-attacks happened in an attempt to destabilize the country. Basically, it is attacking a country in multiple layers, like having the attacks on the grid and then having this disinformation campaign simultaneously. Today, we see even more of this since the internet is much more evolved than it was back then.
How do you recognize or look for posts that don’t seem very organic in nature?
Léa: Honestly, most of the time, we get tipped off by either journalists or social media platforms because they have, especially in the case of social media platforms, they have all the technical data behind these state operations.
Sometimes they’re quite bad at concealing their traces and that’s how we ended up finding the whole Russian network in the Central African Republic that was fighting with French trolls apparently led by the French military.
Are there any particularly interesting types of investigations you are currently working on?
Léa: Recently I’ve been doing some corporate and financial investigations: looking into seemingly independent media outlets or companies. For instance, we found some Chinese outlets that may or may not be sponsored by the Chinese government.
Financial investigation and corporate investigation play a big role in my investigations recently because it is basically going from just one name and then trying to get everything that revolves around it. And that’s quite interesting.
What do you think about using fake identities during investigations?
Léa: My red line, for instance, is in interacting directly with someone. If I have to interact with someone, like actually talk to someone under the fake identity in my investigation, then that’s the end of my investigation. This is not something I want to do myself even though it’s very nice on paper.
But it turns out that more and more communities and the groups that we’re investigating are operating on closed discussion spaces, be it on Discord or on Telegram. This is something that, for instance, we had to do when we worked on our VV report. For a bit of context, the VV is an anti-vax movement that was launching harassment campaigns online against the pro-vax politicians, media, and medical staff.
There’s More! Listen to Our Full Interview with Léa!
If you find the snippets of the interview interesting, don’t miss the full interview!
Listen to our full interview with Léa to learn more about:
- Léa’s journey and how she initially got into investigations through her work
- A peek into decrypting state operations and the diverse thinking that goes into it
- Léa’s take on identifying state operations, fake identities, etc.
And much more!
Check out Léa’s work on her Twitter!