Super secretive Russian disinfo operation discovered dating back to 2014

Researchers uncover six years' worth of Russian attempts to mold international politics using fake news and forged documents.

Social media research group Graphika published today a 120-page report [PDF] unmasking a new Russian information operation of which very little has been known so far.

Codenamed Secondary Infektion, the group is different from the Internet Research Agency (IRA), the Sankt Petersburg company (troll farm) that interfered in the 2016 US presidential election.

Graphika says this new and separate group has been operating since 2014 and has been relying on fake news articles, fake leaks, and forged documents to generate political scandals in countries across Europe and North America.

The research team says it first learned of the group from reports published by Reddit and Facebook last year, along with previous research done by the Atlantic Council's Digital Forensic Research Lab.

Graphika says that, based on previous research, they've now tracked down more than 2,500 pieces of content the Secondary Infektion group has posted online since early 2014.

According to Graphika's analysis, most of the group's content has followed nine primary themes:

  • Ukraine as a failed state or unreliable partner
  • The United States and NATO as aggressive and interfering in other countries
  • Europe as weak and divided
  • Critics of the Russian government as morally corrupt, alcoholic, or otherwise mentally unstable
  • Muslims as aggressive invaders
  • The Russian government as the victim of Western hypocrisy or plots
  • Western elections as rigged and candidates who criticized the Kremlin as unelectable
  • Turkey as an aggressive and destabilizing state
  • World sporting bodies and competitions as unfair, unprofessional, and Russophobic

Graphika says that most of this content has been aimed at attacking classic Russian political rivals like Ukraine, the US, Poland, and Germany, but also other countries where Russian influence came under attack, at one point or another.

Graphika said the group didn't publish only in English, but also adapted to each target and published content in its local language. In total, researchers found content posted in seven languages.

Unlike the IRA, which was primarily focused on creating division at the level of regular citizens, Secondary Infektion's primary role appears to have been to influence decisions at the highest level of foreign governments.

This was done by attempting to influence political decisions by creating fake narratives, pitting Western countries against each other, and by embarrassing anti-Russian politicians using fake articles and forged documents.

"The 'leaks' typically exposed some dramatic geopolitical scandal, such as a prominent Kremlin critic's corrupt dealings or secret American plans to overthrow pro-Kremlin governments around the world," the Graphika team said today.

The group had operations going during the US presidential elections in 2016, the French elections in 2017, and in Sweden in 2018, but election interference was never the group's primary target.

Graphika said the group "aimed to exacerbate divisions between countries, trying to set Poles against Germans, Germans against Americans, Americans against Britons, and absolutely everyone against Ukrainians."

Secondary Infektion liked blogs more than social media

Secondary Infektion also differed from the better-known IRA in where it posted: while the IRA was mostly active on social media networks, the Secondary Infektion gang had a broader reach, with a lot of its content being published on blogs and news sites.

Graphika said it found content published on more than 300 platforms, from social media giants such as Facebook, Twitter, YouTube, and Reddit to blogging platforms like WordPress and Medium, but also niche discussion forums in Pakistan and Australia.

Graphika researchers also said Secondary Infektion was more advanced than the IRA. Unlike the sloppy IRA operators who were easily traced back to an exact building in Sankt Petersburg, Russia, the mystery about Secondary Infektion's real identity remains unsolved.

"[Secondary Infektion's] identity is the single most pressing question to emerge from this study," the Graphika team wrote in its report today.

Researchers said the group managed to keep its identity secret because it paid very close attention to operational security (OpSec). Graphika says Secondary Infektion agents employed single-use burner accounts for almost everything they posted online, abandoning each account less than an hour after promoting their content.

This approach has made it more difficult for the group to build a dedicated audience but has allowed it to orchestrate high-impact operations for years without giving away its infrastructure, modus operandi, and goals.

With its identity still a secret, the group is expected to continue operating and sowing conflict between Russia's rivals.