,
30 tweets,
14 min read
Read on Twitter
JUST OUT: welcome to operation #SecondaryInfektion, a Russian-based information operation that's persistent, sophisticated, and well resourced.
Suspected source: Russian intelligence.
@DFRLab has been investigating. Top takeaways here.
medium.com/dfrlab/top-tak…
Suspected source: Russian intelligence.
@DFRLab has been investigating. Top takeaways here.
medium.com/dfrlab/top-tak…
This was a major operation. At least 9 languages, dozens of fake accounts, over 30 different platforms. It had high ambition, but most of the time, low impact.
The full report on #SecondaryInfektion is online here: digitalsherlocks.org/ourwork
The full report on #SecondaryInfektion is online here: digitalsherlocks.org/ourwork
How do we know it was from Russia? It started with a @Facebook takedown of accounts "emanating from Russia". Kudos to FB for finding it, these operators tried hard to hide.
When we dug into it, we realised the assets on FB were the tip of the iceberg.
newsroom.fb.com/news/2019/05/m…
When we dug into it, we realised the assets on FB were the tip of the iceberg.
newsroom.fb.com/news/2019/05/m…
Almost all the activity was on other platforms, like Medium and Reddit, and MeinBezirk.at.
The content the operation posted there often focused on Russian geopolitical concerns.
The content the operation posted there often focused on Russian geopolitical concerns.
The operation even forged a letter from the European Commission, trying to claim that the EC had called Russian anti-corruption campaigner Alexei Navalny an "odious nationalist."
@DFRLab checked with the EC. The letter's a fake.
@DFRLab checked with the EC. The letter's a fake.
The language was just +epic+. Time and again, there were grammatical errors characteristic of native Russian speakers who are skilled in English, but not native.
Sometimes, it read like a James Bond villain.
Sometimes, it read like a James Bond villain.
The action on Facebook and Twitter was a tiny percentage of the total. Far more, this operation targeted other platforms in other languages.
This shows just a few of them.
This shows just a few of them.
The operation had consistent tradecraft.
1. Create a forgery.
2. Make it into a meme.
3. Share it with a burner account on a small forum.
4. Post it to more forums in more languages, using burner accounts.
At least once, a state outlet boosted one of their fakes too.
1. Create a forgery.
2. Make it into a meme.
3. Share it with a burner account on a small forum.
4. Post it to more forums in more languages, using burner accounts.
At least once, a state outlet boosted one of their fakes too.
The operators were obsessed with operational security. Time and again, on different platforms, we saw accounts like this, created, posted, and dumped the same day.
Some of their accounts used real people's pictures to try and look more legit, like this one, ripping off @adamlevine.
The biggest irony, and mystery, is that by hiding so carefully, they hid their content too. Almost all their stories failed to catch on.
#SecondaryInfektion prioritised security over clicks. Great way of staying hidden, but I've never seen so little bang for so much buck.
#SecondaryInfektion prioritised security over clicks. Great way of staying hidden, but I've never seen so little bang for so much buck.
The operation came from Russia, and focused on Russian geopolitical concerns and Western divisions. It ran for years, and used multiple languages and dozens of fake accounts, yet put secrecy first.
Precise attribution is not possible, but this looks like an intelligence op.
Precise attribution is not possible, but this looks like an intelligence op.
Some of the stories were amazing, too.
This fake tweet attributed to @marcorubio was one of theirs. It started off as a meme posted by a burner account.
This fake tweet attributed to @marcorubio was one of theirs. It started off as a meme posted by a burner account.
The operation amplified it on Facebook, and embedded it in articles in multiple languages and on multiple platforms.
French, German, and Spanish versions, all here.
French, German, and Spanish versions, all here.
This is absolutely typical for this operation. French and German accounts, created one day, used once the same day, and abandoned.
The odd thing with this Rubio story is that RT Deutsch ran a whole article on it too. That wasn't the normal pattern, as far as we could see.
Based on our research, @MarcoRubio tweeted to expose the fake. RT added that he "disputed" the original, but didn't correct.
Based on our research, @MarcoRubio tweeted to expose the fake. RT added that he "disputed" the original, but didn't correct.
One story was just breathtaking.
It started with a letter in Spanish, claiming that extremist Remainers were plotting to assassinate... @BorisJohnson.
The letter claimed to be from the Spanish foreign minister, but couldn't even spell his name (it's "Borrell", not "Borell").
It started with a letter in Spanish, claiming that extremist Remainers were plotting to assassinate... @BorisJohnson.
The letter claimed to be from the Spanish foreign minister, but couldn't even spell his name (it's "Borrell", not "Borell").
As before, the operation used burner accounts to spread the fake in different languages. One was English... of a sort.
For examples of burner accounts, take a look at these.
Same name, three different platforms.
"Joined: August 13, 2018.
Last seen: August 13, 2018."
Typical of this operation.
Same name, three different platforms.
"Joined: August 13, 2018.
Last seen: August 13, 2018."
Typical of this operation.
And then they turned it into a meme.
Stories like this didn't penetrate. That's probably partly because of the burner accounts, partly because of the nature of the fakes.
This makes it unlikely this was run from the troll farm. They knew how to work on social media.
Stories like this didn't penetrate. That's probably partly because of the burner accounts, partly because of the nature of the fakes.
This makes it unlikely this was run from the troll farm. They knew how to work on social media.
Some of the operation's stories targeted Northern Ireland.
This one used a tweet attributed to @GavinWilliamson implicating the Real IRA in the Salisbury poisoning.
Posted by a burner account on Medium, again. All the indications are that the "tweet" was a fake.
This one used a tweet attributed to @GavinWilliamson implicating the Real IRA in the Salisbury poisoning.
Posted by a burner account on Medium, again. All the indications are that the "tweet" was a fake.
The Medium account used @hughlaurie as Dr House for its profile picture.
I'd love to know if the operators were House fans. Open sources, sadly, don't go that far.
I'd love to know if the operators were House fans. Open sources, sadly, don't go that far.
Again, burner accounts posted articles using the "tweet" in multiple languages, and across multiple platforms.
As far as we've been able to tell, they didn't get pickup. Using an endless series of burner accounts is not the best way to build an audience.
As far as we've been able to tell, they didn't get pickup. Using an endless series of burner accounts is not the best way to build an audience.
There were other attempts on Ireland, too. One story claimed to leak an email from @duponline's Arlene Foster to the EU's top Brexit negotiator, saying that the EU offer was better than the UK one.
This time, a burner account even posted the story on a forum in Pakistan.
This time, a burner account even posted the story on a forum in Pakistan.
Yet again, the English wasn't exactly, well, English.
Another Irish-focused story was even weirder. It claimed the Real IRA had tried to enlist Islamist militants for training.
This time, it started off on Reddit. Burner account, created the same day it posted, and abandoned.
This time, it started off on Reddit. Burner account, created the same day it posted, and abandoned.
Burner accounts posted the story in English, and also in Spanish. These are the profile pages for some of the Spanish ones. Reddit, mediavida.com, and globedia.com, this time.
Created, posted, dropped, all the same day.
Created, posted, dropped, all the same day.
There's loads more of this operation; another thread coming tomorrow. For more reading now, there's this lovely take by @jc_stubbs.
reuters.com/article/russia…
reuters.com/article/russia…
The operators used burner accounts so persistently that there's likely to be a lot more of this still out there, undiscovered. Platforms like Medium, Indybay, homment.com and Reddit were their favourites.
Good hunting.
// Thread ends.
Good hunting.
// Thread ends.
