Someone Is Building A Finnish-Themed Twitter Botnet

Finland will hold a presidential election on the 28th January 2018. Campaigning just started, and candidates are being regularly interviewed by the press and on the TV. In a recent interview, one of the presidential candidates, Pekka Haavisto, mentioned that both his Twitter account, and the account of the current Finnish president, Sauli Niinistö had recently been followed by a number of bot accounts. I couldn’t resist investigating this myself.

I wrote a tool to analyze a Twitter account’s followers. The Twitter API only gives me access to the last 5000 accounts that have followed a queried account. However, this was enough for me to find some interesting data.

As I previously wrote, newly created bulk bot accounts often look very similar. I implemented some logic in my follower analysis tool that attempts to identify bots by looking for a combination of the following:

  • Is the account still an “egg” (default profile settings, default picture, etc.)?
  • Does the account follow exactly 21 other accounts?
  • Does the account follow very few accounts (less than 22)?
  • Does the account have a bot-like name (a string of random characters)?
  • Does the account have zero followers?
  • Has the account tweeted zero times?

Each of the above conditions give a score. If the total of all scores exceeds an arbitrary value, I record the name of the account.

I ran this tool against @Haavisto and @niinisto Twitter accounts and found the following:
Matches for @Haavisto account: 399
Matches for @niinisto account: 330

In both cases, the accounts in question were by-and-large under 2 months old.

Haavisto bot account age ranges

Account age ranges for bots following @Haavisto

 

Niinisto account bot follower age ranges

Account age ranges for bots following @niinisto

Interestingly, I checked the intersection between these two groups of bots. Only 49 of these accounts followed both @Haavisto and @niinisto.

Checking a handful of the flagged accounts manually using the Twitter web client, I quickly noticed that they all follow a similar selection of high-profile Finnish twitter accounts, including accounts such as:

Tuomas Enbuske (@TuomasEnbuske) – a local comedian
Riku Rantala (@rikurantala) – host of Madventures
Sauli Niinistö (@niinisto) – Finland’s current president
Juha Sipilä (@juhasipila) – Finland’s prime minister
Alexander Stubb (@alexstubb) – Former prime minister of Finland
Pekka Haavisto (@Haavisto) – presidential candidate
YLE (@yleuutiset) – Finland’s equivalent of the BBC
Kauppalehti (@KauppalehtiFi) – a popular Finnish newspaper
Ilta Sanomat (@iltasanomat) – a popular Finnish newspaper
Talous Sanomat (@taloussanomat) – a prominent financial news source
Helsingin Sanomat (@hsfi) – Helsinki’s local newspaper
Ilmatieteen laitos (@meteorologit) – Finnish weather reporting source

What the bots are following

All the bots were following similar popular Finnish Twitter accounts, such as these.

Running the same analysis tool against Riku Rantala’s account yielded similar results. In fact, Riku has been the recipient of 660 new bot followers (although some of them were added on previous waves, judging by the account ages).

Account age ranges for bots following @rikurantala

I have no doubt that the other accounts listed above (and a few more) have recently been followed by several hundred of these bots.

By the way, running the same analysis against the @realDonaldTrump account only found 220 new bots. To verify, I also ran the tool against @mikko yielding a count of 103 bots, and against @rsiilasmaa I found only 38.

It seems someone is busy building a Finnish-themed Twitter botnet. We don’t yet know what it will be used for.


Tagged: Election, OSINT, Python, Twitter

Article Link: https://labsblog.f-secure.com/2018/01/11/someone-is-building-a-finnish-themed-twitter-botnet/