Tracing disinformation campaign in Myanmar

During the days leading up to the Myanmar 2020 elections, a coordinated propaganda campaign spread conspiracy theories alleging that a cabal of Western interests, led by George Soros’ Open Society Foundations, was working with the National League for Democracy (NLD) to steal the elections and take control of Myanmar politics.

The conspiracy campaign distributed material using three main channels:

  • Articles and videos on the website
  • Videos posted on Facebook and later Youtube
  • Spoofed email campaign (mails made to look as if they came from a range of official sources)

A news website

The website was registered on the 9th of September 2020 and soon after was moved to GoDaddy hosting space in Singapore.

The website branded itself as a source of “Myanmar Secret News”, and articles were written by “Admin” from the “Myanmar Secret News Organization”.

The website originally intended to use “Wikileaks” branding on social media (Facebook, YouTube and Twitter).

The forgotten USDPLEAK folder

A careful look into the HTML of the site’s first page, “sample-page”, shows:

  1. An old reference to hxxp://localhost:81/usdpleak/wp-admin
  2. Multiple references to myanmarwikileakorg{@}

These left-overs suggest that the attackers initially wanted to use the “Myanmar Wikileaks” branding, and that the developer of the WordPress site worked on his own computer with a web server listening on port 81, preparing the site in a www folder named usdpleak. The name “usdpleak” reads as USDP Leak, i.e. a leak site about the Union Solidarity and Development Party, the successor to the formerly ruling military junta’s mass organisation. The USDP is known for its close ties with the military, and most of the party officials are former military personnel.
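The development leftovers described above (a localhost URL with a non-standard port, and contact addresses embedded in the markup) are the kind of artefact an analyst looks for when attributing a site. The following Python script is an added example, not code from the original write-up: it walks the HTML of a page, collects every URL found in attributes, inline scripts and comments, and reports those pointing at a developer machine (localhost, loopback or private addresses) together with any e-mail addresses left in the page. The sample HTML is constructed for the example; it reuses the localhost:81/usdpleak path from the write-up, while the e-mail address in it is a placeholder.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that should never appear in a published site's HTML.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
URL_ATTRS = {"href", "src", "action", "content", "data-src"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class LeftoverScanner(HTMLParser):
    """Collects attribute URLs plus all text, script and comment content."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name in URL_ATTRS:
                self.urls.append(value)

    def handle_data(self, data):
        # Inline <script> bodies also arrive here, so hard-coded
        # ajax URLs are caught as well.
        self.text.append(data)

    def handle_comment(self, data):
        self.text.append(data)


def is_local_url(url):
    """True when the URL points at a developer's own machine or LAN."""
    host = urlparse(url).hostname or ""
    return (
        host in LOCAL_HOSTS
        or host.startswith("192.168.")
        or host.startswith("10.")
        or host.endswith(".local")
    )


def find_dev_leftovers(html):
    """Return local URLs and e-mail addresses left behind in page HTML."""
    scanner = LeftoverScanner()
    scanner.feed(html)
    blob = "\n".join(scanner.text)
    candidates = set(scanner.urls) | set(URL_RE.findall(blob))
    local_urls = sorted(u for u in candidates if is_local_url(u))
    emails = sorted(set(EMAIL_RE.findall(blob + "\n" + "\n".join(candidates))))
    return {"local_urls": local_urls, "emails": emails}


# Constructed sample page for the example (not the real site's HTML).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://localhost:81/usdpleak/wp-content/themes/x/style.css">
<script>var ajaxurl = "http://localhost:81/usdpleak/wp-admin/admin-ajax.php";</script>
</head><body>
<!-- contact: admin@example.invalid -->
<a href="http://localhost:81/usdpleak/wp-admin/">Dashboard</a>
<a href="https://example.invalid/page">Public page</a>
</body></html>"""

if __name__ == "__main__":
    for key, values in find_dev_leftovers(SAMPLE_HTML).items():
        print(key)
        for v in values:
            print("  ", v)
```

Run against a saved copy of a page; every hit under `local_urls` is a path the developer never intended to publish, and the folder names in them (here `usdpleak`) are as informative as the hostnames.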

On the 12th of November 2020, the domain was “parked” and put up for sale on GoDaddy hosting.

YouTube channel

A YouTube channel was created on the 2nd of November 2020 to distribute videos summarizing the articles on the news site myanmarleak{.}info.

The authors decided to use the “Anonymous” branding for these multimedia releases.

The Anonymous wallpaper is used to brand the “MMLeakTeam”.


Spoofed emails

A series of spam campaigns, starting in early November 2020, was used to distribute the link to the YouTube channel of the MMLeakTeam.

The content of the email:

ြမန်မာအစိ းရထိပ်တန်း ပဂိုလ်များ ှင့် တိ င်းတပါးသားတိ ့၏ လ ို့ဝှက်အ ကံအစည် များေပါက် ကားမ ပ်/သ

(Approximate translation of the extracted Burmese, which is partly garbled and cut off: “Leak of the secret plans of top Myanmar government figures and foreigners …”)

When looking into the domains used for the spam campaign we found:

  • amyotha.hluttaw{.}mm
  • myanmarpresscouncil{.}org

The e-mails distributed on the 5th of November 2020 appear to have been sent from the IP address 103.47.185{.}214.

A careful look into the email headers of the spam campaign shows that the mail was routed via a host named WIN-L6H15DQA4NG and that a PHP script, “contact.php”, was executed with User ID (UID) 0 (admin/root).
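The header analysis above (the sending host name from the Received chain, the originating IP, and the PHP script and UID that generated the mail) can be automated for a mailbox full of samples. The following Python script is an added example, not code from the original write-up. It assumes that the PHP indicator comes from the `X-PHP-Originating-Script` header, which PHP adds in the form `<uid>:<script>` when `mail.add_x_header` is enabled; the write-up does not say which header it read. The sample message is constructed for the example: the host name and IP address are those reported in the write-up, while the spoofed sender domain and the receiving mail server are placeholders.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# "from <helo-name> (<comment> [<ip>]) by <receiver>" as written by most MTAs.
HOP_RE = re.compile(
    r"from\s+(?P<host>\S+)\s+(?:\((?P<comment>[^)]*)\)\s+)?by\s+(?P<by>\S+)"
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# PHP's mail.add_x_header writes "<uid>:<script>" into this header (assumption
# stated in the lead-in; the write-up does not name the header it used).
PHP_SCRIPT_RE = re.compile(r"^\s*(\d+):(.+?)\s*$")


def analyze_headers(raw):
    """Extract routing hops, PHP origin and sender-domain consistency."""
    msg = email.message_from_bytes(raw, policy=policy.default)

    hops = []
    for rec in msg.get_all("Received", []):
        flat = " ".join(str(rec).split())  # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            continue
        ip_match = IP_RE.search(m.group("comment") or "")
        hops.append({
            "from": m.group("host"),
            "ip": ip_match.group(1) if ip_match else None,
            "by": m.group("by"),
            # A bare NetBIOS-style HELO name (no dot) is unusual for a real MTA.
            "bare_helo": "." not in m.group("host"),
        })

    php = None
    x_php = msg.get("X-PHP-Originating-Script")
    if x_php:
        m = PHP_SCRIPT_RE.match(str(x_php))
        if m:
            uid = int(m.group(1))
            php = {"uid": uid, "script": m.group(2), "as_root": uid == 0}

    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    # A genuine mail from that organisation would normally pass through a
    # host under its own domain; a spoofed one usually does not.
    path_hosts = [h["from"].lower() for h in hops] + [h["by"].lower() for h in hops]
    in_path = any(h == from_domain or h.endswith("." + from_domain) for h in path_hosts)

    return {
        "hops": hops,
        "php": php,
        "from_domain": from_domain,
        "from_domain_in_path": in_path,
    }


# Constructed sample; host name and IP are the ones reported in the write-up,
# the sender domain and receiving server are placeholders.
SAMPLE_EML = b"\r\n".join([
    b"Received: from WIN-L6H15DQA4NG (unknown [103.47.185.214]) by mx.example.invalid"
    b" (Postfix) with ESMTP id 4CRZ6k; Thu, 5 Nov 2020 09:12:33 +0000",
    b"X-PHP-Originating-Script: 0:contact.php",
    b"From: Press Council <info@press-council.example.invalid>",
    b"To: recipient@example.invalid",
    b"Subject: constructed sample",
    b"",
    b"(body omitted)",
])

if __name__ == "__main__":
    result = analyze_headers(SAMPLE_EML)
    for hop in result["hops"]:
        print("hop:", hop)
    print("php:", result["php"])
    print("sender domain seen in path:", result["from_domain_in_path"])
```

Two of the returned fields carry the point of the section: `php["as_root"]` tells you the web server was sending mail as UID 0, and `from_domain_in_path` being false for a message claiming to come from an official domain is the spoofing indicator.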

Searching for the Windows server name WIN-L6H15DQA4NG, we found a Pastebin post from 2019.

The message is signed with the nick “ak13370 MEA” and the name “Aung Khant”. The same Pastebin account also publishes Google Flutter code.

On Blogger he uses the nick “Cho Ko” and on GitHub “ElectroArmy”.

His Facebook page uses the nick Aung Khant MEA.

ak133720: the gaming nick of Aung Khant

A profile of “ElectroArmy”, aka Arkar Kyaw, can be found at Bauman Moscow State Technical University.

Arkar Kyaw also uses the Facebook account “kwi.aungkhant” and the YouTube channel “mr d1g r00t”.

In the past, @ElectroArmy used the GitHub account @MagicDemonn until it was suspended for abuse. With this account he was testing how to use GitHub to host PHP shells inside .svg files.

Election Day

During election day, another wave of mails was sent out to advertise a new YouTube channel.

As with the mails sent on the 4th and 5th of November, the distribution of these new videos used the same compromised server at the IP address 103.47.185{.}214.