CTIL Files Show Misinformation and Censorship Activities But Omit Critical Infrastructure Role

A whistleblower report (1, 2) has revealed a trove of new documents that supplement the information gained from the Twitter Files and Facebook Files. They describe the activities of a so called anti-disinformation campaign run by a group called the Cyber Threat Intelligence League (CTIL). The group began as the volunteer project of members comprising data scientists, defense, intelligence community veterans. Their Brexit inspired efforts, among them to stop a repeat of 2016 election, have been expanded into multiple official projects, including those of the Department of Homeland Security (DHS). Together with the Twitter and Facebook Files, they provide a comprehensive picture of a new “anti-disinformation sector” otherwise known as the Censorship Industrial Complex.

Michael Shellenberger, Alex Gutentag, and Matt Taibbi broke the story in late November 2023. Their report states that a network of over 100 government agencies and nongovernmental organizations are working together to urge censorship and the spreading of propaganda on social media platforms about select “disfavored” individuals, topics, and narratives. The trove of documents includes strategy documents, training videos, presentations, and internal messages revealing the development of the sweeping censorship framework by US and UK military and intelligence contractors.

According to the whistleblower, the ultimate goal of CTIL was to become part of the federal government. It was made clear in weekly meetings that they were building these organizations within the federal government in the hopes of securing jobs through the first iteration, which involved government participation in “misinfosec communities” operating as information exchanges. The censorship framework also calls for discrediting individuals, training influencers to spread messages, and getting banks to cut off financial services to those individuals, which include activists organizing rallies and other events.

“Most misinformation is actually true, but set in the wrong context. You’re not trying to get people to believe lies most of the time. Most of the time, you’re trying to change their belief sets. And in fact, really, deeper than that, you’re trying to change, to shift their internal narratives… the set of stories that are your baseline for your culture. So that might be the baseline for your culture as an American.”

Sara-Jayne Terp, UK researcher and lead CTIL developer

There are also more activities reported by the CTIL group that are not included in the governmental record at this time. Their webpage states that they are “the first Open Global Volunteer Emergency Response Center aims to create a safer cyber-space for hospitals, the medical sector and life-saving organizations world wide.” They offer their services pro-bono. Going deeper on their site they appear to be responsible for cybersecurity and infrastructure protection within the medical life-saving sector including hospitals, pharmaceutical companies, and other healthcare organizations in addition to the newly disclosed censorship program. Law enforcement organizations along with water systems appear to be included as well.

The founder of the CTIL, Ohad Zaidenberg is also the Lead Cyber Intelligence Researcher for ClearSky Cyber Security, Israel. Prior to ClearSky, Zaidenberg was a commander in the elite clandestine and signal intelligence unit known as Unit 8200 in the Israel Defense Force. His bio at RSA Conference further states that he currently lives in Tel Aviv Israel and tracks state-sponsored and state-backed malware, propaganda, influence campaigns, and psychological warfare. Iran is the focus of ClearSky as a strategic intelligence target and Zaidenberg is said to be an authority in the operations of key Iranian Advanced Persistent Threats (APTs).

A past report regarding ClearSky describes the creation, by Iran, of fake websites masquerading as news outlets such as the BBC. Their news articles were said to be made-up current affairs stories designed to spread disinformation and discredit legitimate media.

Other founding members of the CTI League include military and Microsoft cybersecurity professionals. Another past report, this time from the Microsoft Security Response Center, blames an Iranian group called Phosphorus for attacking the reelection campaign of former President Trump in 2020.