Top takes: Suspected Russian intelligence operation

This article highlights the operation’s most important features. The accompanying posts analyze specific stories on fake assassination plans, Northern Ireland, Russia and Ukraine, Germany and immigration, the European Parliament elections, Venezuela, and a rare account that posted repeatedly.

Operated from Russia
While the DFRLab does not receive access to Facebook’s backend data, contextual and linguistic points helped to corroborate Facebook’s attribution to a likely Russian source.

Many of the operation’s stories focused on geopolitical incidents in Russia’s neighborhood and interpreted them from the Kremlin’s standpoint. Numerous posts attacked Ukraine and its pro-Western government. Some focused on Kremlin allies such as Venezuela and Syria, while others took aim at political events in neighboring countries such as Armenia and Azerbaijan.

One particularly striking story, based on an apparently forged letter, made the remarkable claim that the European Commission had asked a European educational group focused on the crimes of totalitarianism not to award a prize to Russian anti-corruption campaigner Alexei Navalny, calling him an “odious nationalist with explicitly right-wing views.” The letter proposed nominating a Russian Communist instead.

The operation’s content repeatedly featured language errors characteristic of Russian speakers, such as uncertainty over the use of the and a and of the genitive, incorrect word order, and verbatim translations of Russian idioms into non-idiomatic English. For example:

“Current situation is jeopardizing our joint action directed against the regime of usurper Maduro.”

“Why the Democrats collude with Ukraine?”

“As the saying runs, there is a shard of truth in every joke.”

These factors support Facebook’s assessment that the operation originated in Russia.

Far more than Facebook
The operation reached far beyond Facebook: it focused on internet platforms around the world. Medium was a particularly frequent target, as were the online forums (based in Berlin) and (based in San Francisco).

The operation posted articles in at least six languages, including English, German, Spanish, French, Russian, and Ukrainian. It also referenced documents in Arabic, Polish, and Swedish that it probably forged itself. The assets also posted articles about Armenia, Azerbaijan, the European Union, Germany, Ireland, Poland, Ukraine, the United States, and Venezuela.

This graphic lists a selection of the platforms the operation is known to have used, and the languages deployed on each one.

The use of so many online forums indicates a key online vulnerability: the ease with which throwaway accounts can be created and used to post false content. It also underscores the size and scope of the operation: it would have taken significant resources to craft content in so many languages.

The tradecraft
The operators used consistent tradecraft. They would create an account on an online platform and use it to post a false story, often incorporating forged documents. A second set of fake accounts would post expanded versions of the same story in multiple languages, using the original posts as their source.

In the third step, additional fake social media accounts amplified the false stories and tried to bring them to the attention of the mainstream media.

This approach resembled the conduct of Operation Infektion. The main difference between the two operations is that Operation Infektion focused on a single story, while New Infektion spread many stories.

The operation stood out for its attention to operational security (OPSEC): efforts made to keep its activity covert. Most of its posts were made by accounts that were created the same day, posted the one article, and were never used again.

Many of the accounts did not even provide a profile picture, while a few took their images from online sources. One asset [the “Salih Demirkan” profile page] on Medium repurposed a photo of celebrity musician Adam Levine:

Paradoxically, this approach became one of the operation’s most common forensic clues. Repeatedly, the DFRLab’s investigation came across articles that, in addition to other clues, were posted by accounts that had been created the same day, used once, and abandoned.

This approach is suggestive of intelligence operators whose mission is to carry out their work undetected, without creating a discernible community; it is uncharacteristic of social media influencers and marketing experts, whose job is to garner as much attention for their work as possible and build as large a community as possible.

Impersonation and infiltration
On several occasions, the operation impersonated real individuals who were politically active in their home countries. At least twice, the operation published screenshots of tweets that it attributed to leading political figures : then-Defense Secretary Gavin Williamson in the United Kingdom and Senator Marco Rubio in the United States. Open-source evidence indicated that both screenshots were photoshopped in an apparent attempt to stoke tensions between the United States and United Kingdom as well as within the United Kingdom.

Meanwhile, two Facebook accounts impersonated citizens of the United Kingdom and one impersonated a citizen of another EU country. All were associated with parliamentary work.

In each case, the impersonation account copied its profile picture, banner, and “personal” posts (such as comments on sports and restaurants) from the real person’s profile. To protect the privacy of the real individuals involved, the DFRLab will not share any identifying details.

As an example of these operations’ tradecraft, however, one account posed as a person affiliated with the British Labour Party in Westminster. In between its “personal” posts, this account shared content from the Labour Party and its leader, Jeremy Corbyn. This appears to have been an attempt to establish a credible identity for the impersonation account.

Each of these impersonation accounts shared one story that the operation created. In each case, the story was based on a forgery, and the Facebook account was an early amplifier. Open-source evidence cannot determine whether the sole purpose of these unusually detailed fakes was to plant false stories or whether they were also intended to attract genuine followers for other purposes, such as entrapment or espionage.

High drama, low impact
Many of the stories presented dramatic and emotional claims, apparently calculated to generate viral sentiment among conspiracy-minded communities. The most outstanding of these was an allegation in August 2018 that Spanish intelligence had uncovered a plot by opponents of Brexit to assassinate leading Brexiteer — now the favorite to become the United Kingdom’s next prime minister — Boris Johnson.

Despite such sensational content, or perhaps because of it, almost none of the operation’s stories had significant traction. This is likely in part due to the OPSEC measures that made it impossible for individual accounts to build a following.

The Facebook accounts seldom scored any reactions. Typical articles gathered a few dozen or a few hundred views, although some outliers recorded several thousands. Few comments were appended to any story, and those were usually negative.

The one exception was a virulently racist story the operation planted in German that was picked up by a local anti-immigrant news source. This outlet incorporated the fake content into a longer article that was shared over 3,500 times on social media.

Suspect: Russian intelligence
Facebook attributed the operation to a “small network emanating from Russia.” The content supports that attribution: both the use of language and the choice of subjects were consistent with earlier known Russian operations.

The size of the network is a different question. In terms of the number of assets on Facebook, it was indeed small, but, in overall terms, it was on an industrial scale.

It operated across at least six languages (nine, if the forgeries are included), over thirty platforms, and dozens of fake accounts. It ran for several years, with some Russian-language content dating back to 2014. Its articles in different languages did not appear to be machine translated: they resembled works written by skilled, but nevertheless non-native language, human authors. This suggests a substantial operation with multiple language teams working simultaneously on content generation and translation.

The devotion to OPSEC was remarkable and sets this apart from any other operation the DFRLab has encountered. At the same time, the obsessive secrecy meant that almost all of the operation’s articles failed to penetrate. The use of Facebook accounts to impersonate politically active figures may also have had an intelligence role.

The operation originated in Russia. It was persistent, sophisticated, and well resourced. It prioritized OPSEC over clicks, showed a high degree of skill and consistency in its tradecraft, impersonated politically active European citizens, and often covered issues of direct relevance to Russian foreign policy.

Open sources cannot provide a definitive attribution, but on the basis of the evidence so far, the likelihood is that this operation was run by a Russian intelligence agency.

The article, and its accompanying posts, were written with contributions from Ben Nimmo, a Senior Fellow for Information Defense with the Digital Forensic Research Lab (@DFRLab) based in the United Kingdom; Eto Buziashvili, a Research Assistant with @DFRLab based in Georgia; Michael Sheldon, a Digital Forensic Research Associate with @DFRLab based in the United States; Kanishk Karan, a Digital Forensic Research Associate with @DFRLab based in India; Nika Aleksejeva, a Digital Forensic Research Associate with @DFRLab based in Latvia; Luiza Bandeira, a Digital Forensic Research Assistant with @DFRLab based in Colombia; Lukas Andriukaitis, a Digital Forensic Research Associate with @DFRLab; and Reema Hibrawi, an Associate Director at the Atlantic Council’s Rafik Hariri Center for the Middle East. The article, originally posted to the website of the Atlantic Council’s Digital Forensic Lab, is published here courtesy of the DFRLab.