As the COVID-19 quarantine wears on, cabin fever has set in for many Americans. As people grow tired of staying at home and the impact of the economic shutdown continues to escalate, frustrations have mounted to the point that Reopen States rallies are now taking place across the country to oppose shutdowns. ZeroFox Alpha Team has analyzed hundreds of social media posts, including public content as well as Facebook groups being used to organize anti-shutdown rallies all over the United States. Through this analysis, we have uncovered demonstrable similarities between the activity in some of these groups and the coordinated influence campaign activity of the 2016 presidential election. The operators behind the groups in question can be linked to dubious non-profit organizations likely intended to generate profit for the founders rather than for the cause of the group. In this post, you’ll find a review of our findings as well as a comparison of these operators’ tactics, techniques & procedures (TTPs) to those used by the Internet Research Agency (IRA) during the 2016 US presidential election.
Coordinated activity in the 2016 Presidential Election
The 2018 Mueller report revealed the extent of Russian interference in the 2016 US presidential election. Much of this interference involved coordinated campaigns conducted on various social media platforms by a Russian agency known as the Internet Research Agency (IRA). Consisting of groups of people paid to post specific content on social media platforms, the IRA created a variety of social media groups, political ads and posts focused on spreading highly polarizing political content. Additionally, the IRA created a number of fake social media accounts used to share content originating from these groups, increasing their visibility. These influence campaigns sought to promote specific candidates that Russia believed would benefit it. By taking these actions, the IRA sought to influence American public opinion on these candidates. Although it cannot be said with certainty whether or not the IRA was successful in changing election results, the actions of the IRA cast some amount of doubt on the outcome.
Reopen States movement relies on social media to organize
On April 15, 2020, ZeroFox Alpha Team observed a sudden rash of Facebook groups created to promote Reopen States rallies. Many of these groups follow standardized naming conventions like “Marylanders Against Excessive Quarantine” and “Reopen Michigan.” The most active of these, “Pennsylvanians Against Excessive Quarantine”, is currently listed as gaining 840 new posts each day. The groups are primarily used for posting articles related to reopening state businesses and for organizing activity to support the cause. In total, ZeroFox observed 177 Reopen States groups and 61 events as of April 20, 2020. Note that the large majority of these groups represent legitimate causes and pose no threat.
Several groups come from same source: Dorr brothers
Although many of these groups are legitimate, some groups’ intentions may differ from what they appear to be at first glance. Despite attempts to appear as a grassroots movement like the rest of the Reopen States groups, a subset of these groups was created around the same timeframe and by the same people. The creation of many of these groups can be traced back to the same individuals, the Dorr brothers (with a history of questionable activity), as reported by the Washington Post.
Many of the groups created by the Dorr brothers have similar descriptions and link to similar external websites.
The home pages of the websites listed in the group descriptions shown in Figures 4 and 5 have very similar appearances.
Both of these sites reference gun rights groups in the top left corners. A further look into the “Pennsylvania Firearms Association” of Figure 6 suggests it may not be the legitimate non-profit it claims to be. A quick Google search for the group name reveals that there is another similarly named group, the “Pennsylvania Firearm Owners Association,” which has been registered as a non-profit since 2007. The latter group has made posts on their forum discussing the group run by the ReopenPA founders.
This forum post says:
“If one looks at their affiliates page (‘https://www.pennsylvaniafirearmsassociation.org/affiliated-groups/’) it appears like 3/4 of their so called affiliates were put together by the same person or group. This really looks like a get rich quick by riding the coattails of public sentiment and PAFOA.”
The affiliates page of the suspect Pennsylvania Firearms Association includes many other groups of dubious nature. Although some seem to be legitimate non-profit organizations, the Dorr brothers are behind many of these groups, including the Iowa Gun Owners group. This particular group has been publicly called out by Iowa lawmakers as being a scam. Similarly, the Dorr-controlled Minnesota Gun Rights group had its non-profit status revoked in 2016 for failing to file required forms that account for the group’s financials.
Very few Dorr non-profits report their financial records as required for non-profit organizations. For many of the states where the Dorr brothers operate these gun ownership nonprofits, it appears that the Dorr brothers have created Reopen Facebook groups. These groups link to websites that either redirect to web pages hosted on the Dorr gun group website itself, or link to the gun group on the homepage of the linked site. Although it could be that the group wants to drive policy change via these pages and events, it is clear that traffic is being driven from these social networks and into their dozens of domains and websites. The exact intent of these websites is somewhat nebulous.
Dorr Brothers rely on familiar tactics
The tactics utilized by the Dorr brothers in these Reopen groups bear some similarity to those employed by the Russian IRA – in particular, coordinated campaigns masquerading as grassroots movements. These grassroots movements tend to involve polarizing or divisive topics. Increased political division can further create a rift between those on either side of the debate, increasing tension and potentially leading to dehumanization of the two sides. This was also apparent during the 2016 election, where bouts of violence happened at political rallies, which arguably were fueled by some of these polarizing groups. In addition to creating political tension and perhaps swaying public opinion to fit the goal of a particular organization, these influence campaigns can also be leveraged by opportunists looking to cash in on donations to a falsified cause, as appears to be the case with the Facebook groups created by the Dorr brothers. With the 2020 presidential election quickly approaching, it has become crucial to proactively identify efforts to sway public opinion to fit the agenda of influence groups, rather than doing so after the fact, as was the case in the 2016 election.
Although wild rumors have rushed through the security community that the operatives behind many of the “reopen” domains were linked to Russia, ZeroFox has not observed any links between the subset of Reopen groups operated by the Dorr brothers and nation-state operatives. Many of these rumors began with a Reddit thread, where a user began to uncover domains and WHOIS information surrounding these Reopen campaigns. Although the original analysis in the post is valid, many of those replying in the thread began to dox the person who registered some of these Reopen domains. Some researchers in the security community extrapolated this to the point of linking these domains to Russia. After the release of the article that made this claim, Mother Jones also investigated the purchaser, which revealed that he was a man who wanted to prevent astroturfing. To do so, he spent $4000 of his own money purchasing the domains, only to be doxxed for doing so. Although identifying influence campaigns is highly important to the authenticity of information, the security research community must also take care to stick to verifiable facts, rather than overreaching.