Andy Patel from F-Secure recently published analyses of a Twitter botnet with Finnish-themed accounts. Finland has a presidential election today, January 28, 2018. Andy’s investigation was prompted after one of the presidential candidates, Pekka Haavisto, mentioned in an interview that both his Twitter account and the account of the current Finnish president, Sauli Niinistö, had recently been followed by a number of bot accounts.

following network for Finnish-themed Twitter botnet (see section 3)

Andy wrote a tool to analyze a Twitter account’s followers, which you can read about in more detail in his two blog posts below. The bots don’t seem to be promoting any one candidate or political party, or to be connected to the elections, but since it appears to be a developing botnet, I contacted him to see if I could try to visualize the network he found. I was able to make some interesting graphs based on his research.

The accounts in this network have not tweeted or liked anything yet; they are inactive accounts that appear to be padding follower counts. Because there was no activity to analyze, I created several graphs based on the dates the accounts were created. This network has been slowly building for a few years, but the number of accounts escalated in the final months of 2017. The biggest cluster of accounts was created this month, January 2018.

1. Accounts sorted by month & year:

Nodes: 5224
Edges: 5192
Communities: 32

There are 32 communities in this network, representing the 32-month timespan over which this network was created. Only a few accounts were created in May, August, and December of 2014, then a few more were created in January, May, July and August of 2015. After that point, accounts were created every month throughout 2016 and 2017 up to and including the current month, January 2018.

accounts created in January 2018
accounts created in December 2017
accounts created in November 2017
accounts created in October 2017

Here are the 2017 clusters labeled by month and year. Production ramped up in August 2017 and has continued increasing since then.

We broke the network down further by the year, month and date the accounts were created, which revealed more interesting patterns.

2. Accounts sorted by year, month and date:

Nodes: 5631
Edges: 5192
Communities: 439

The accounts in the largest cluster were created on January 12, 2018. Several other larger clusters were all created in January 2018 and December 2017.

accounts created on January 12, 2018
accounts created on January 11, 2018
accounts created on January 10, 2018
accounts created on January 9, 2018
accounts created on January 8, 2018
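
As an added illustration (not code from the post or from Andy Patel's tool), the sketch below shows one way to build the creation-date graphs described in sections 1 and 2: each account gets a single edge to a node for its creation month or creation date, and days with an unusual number of new accounts are flagged. That construction is an assumption, though it is consistent with the counts above (5192 edges plus 32 month nodes gives 5224 nodes; 5192 plus 439 date nodes gives 5631). The screen names and timestamps are constructed sample data, and `created_at` is assumed to be in the Twitter REST API format.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample follower records (screen_name, created_at); not data from the post.
SAMPLE = [
    ("constructed_user_01", "Fri Jan 12 09:14:03 +0000 2018"),
    ("constructed_user_02", "Fri Jan 12 09:14:41 +0000 2018"),
    ("constructed_user_03", "Fri Jan 12 09:15:20 +0000 2018"),
    ("constructed_user_04", "Fri Jan 12 17:02:11 +0000 2018"),
    ("constructed_user_05", "Thu Jan 11 08:30:00 +0000 2018"),
    ("constructed_user_06", "Thu Jan 11 21:45:09 +0000 2018"),
    ("constructed_user_07", "Fri Dec 29 12:00:00 +0000 2017"),
    ("constructed_user_08", "Mon Jun 05 06:20:33 +0000 2017"),
]
TWITTER_FMT = "%a %b %d %H:%M:%S %z %Y"  # created_at format (assumed input)

def bucket(created_at, granularity):
    """Map a created_at string to a month ('2018-01') or day ('2018-01-12') label."""
    dt = datetime.strptime(created_at, TWITTER_FMT)
    return dt.strftime("%Y-%m" if granularity == "month" else "%Y-%m-%d")

def build_edges(records, granularity="month"):
    """One edge per account: account -> creation bucket (bipartite graph)."""
    return [(name, bucket(ts, granularity)) for name, ts in records]

def graph_stats(edges):
    """Node, edge and cluster counts; every bucket node forms its own cluster."""
    accounts = {a for a, _ in edges}
    buckets = {b for _, b in edges}
    return {"nodes": len(accounts) + len(buckets),
            "edges": len(edges), "clusters": len(buckets)}

def burst_days(records, min_accounts=3):
    """Days on which at least min_accounts followers were created, largest first."""
    counts = Counter(bucket(ts, "day") for _, ts in records)
    hits = [(day, n) for day, n in counts.items() if n >= min_accounts]
    return sorted(hits, key=lambda item: (-item[1], item[0]))

def to_gephi_csv(edges):
    """Edge list as CSV with Source,Target headers, importable into Gephi."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["Source", "Target"])
    writer.writerows(edges)
    return out.getvalue()

if __name__ == "__main__":
    print(graph_stats(build_edges(SAMPLE, "month")))
    print(graph_stats(build_edges(SAMPLE, "day")))
    print(burst_days(SAMPLE))
```

The `min_accounts` threshold is a hypothetical tuning parameter; on a real follower list it would be set relative to the account's normal daily follower growth.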

I thought maybe some of the single accounts that are floating on their own and not connected to a cluster might be real people, but I checked through many of them and they are all “eggheads” who only follow a few accounts and have never tweeted.

AboodCJ1 & 1bc4be848c2c4c6

It’s obvious from the usernames that these are suspicious accounts. Many contain random strings of numbers but some seemed like they might be real names. I checked as many as I could manually, like this small cluster of 4 accounts that was created on June 5, 2017.

Those 4 accounts appear to be fake. I’ve explored this network for two weeks and have not found any accounts that look remotely like real people.

The accounts look the same regardless of whether they were created in 2014 or 2017.

Here are the profiles for the 4 accounts above. Marzia has a short bio and Elsa’s tweets are protected (although she hasn’t tweeted). Otherwise the accounts are the same as the others.

This cluster of 6 accounts created on July 25, 2017 follows the same logic.

accounts created on July 25, 2017

Andy ran a follower analysis tool against a list of 114 “recommended” Twitter accounts included in his second blog post. The following visualization of that list shows the bots that are following each of the “recommended” Twitter accounts. Names shown in larger fonts are followed by more bot accounts.

The “recommended” Twitter accounts being followed by these bots appear to be a random mix of news sources, politicians and celebrities and there doesn’t appear to be any right/left slant.

3. Following network:

Nodes: 5307
Edges: 28,933
Communities: 11

following network for Finnish-themed Twitter botnet

Here’s a list of some of the high-profile accounts being followed by these bots:

Tuomas Enbuske (@TuomasEnbuske) — a Finnish celebrity
Riku Rantala (@rikurantala) — host of Madventures
Sauli Niinistö (@niinisto) — Finland’s current president
Juha Sipilä (@juhasipila) — Finland’s prime minister
Alexander Stubb (@alexstubb) — Former prime minister of Finland
Pekka Haavisto (@Haavisto) — presidential candidate
YLE (@yleuutiset) — Finland’s equivalent of the BBC
Kauppalehti (@KauppalehtiFi) — a popular Finnish newspaper
Ilta Sanomat (@iltasanomat) — a popular Finnish newspaper
Talous Sanomat (@taloussanomat) — a prominent financial news source
Helsingin Sanomat (@hsfi) — Helsinki’s local newspaper
Ilmatieteen laitos (@meteorologit) — Finnish weather reporting source

following network for Finnish-themed Twitter botnet

Here is the above network filtered by degree range 50 to remove the noise and focus on the accounts that are being followed by bots in this dataset.

following network for Finnish-themed Twitter botnet

Update: After I published this blog, Luca Hammer commented that the bots are probably following the accounts that Twitter automatically recommends in the signup process. That would make sense especially if the account creation process is being automated.

4. Accounts sorted by month, day and time:

The final network I mapped of the Finnish-themed accounts was sorted by month, day of the week and the time of day the account was created. This resulted in a somewhat cluttered graph that was hard to read. However, Gephi clustered the accounts into 7 communities — one for each day of the week — which was an interesting discovery that we thought was worth including. Accounts are being created every day of the week, but more accounts are created on Friday than any other day. Maybe Friday is a busy day at the bot factory?

Nodes: 10,260
Edges: 10,695
Communities: 7


