THREAD: Here's the report from @Graphika_NYC on how last week's trade leaks resembled Russian info op "Secondary Infektion".
It's either the same operation back, or someone trying to mimic it.
graphika.com/tradeleaks
It's either the same operation back, or someone trying to mimic it.
graphika.com/tradeleaks
The initial sequence of events online was:
21 October: Reddit in English
23 October: Reddit in German
meinbezirk.at in German
homment.com in German
BeforeIt'sNews in English
23 October - 6 November: tweets to politicians and media
21 October: Reddit in English
23 October: Reddit in German
meinbezirk.at in German
homment.com in German
BeforeIt'sNews in English
23 October - 6 November: tweets to politicians and media
The first Reddit account, u/gregoratior, is a curious specimen. Created in 2017, but its first known post was September 2019.
Its use of English was odd. "Standing on her knees"?
Its use of English was odd. "Standing on her knees"?
Some of its specific language errors, like "Why I am not surprised?", had the same grammatical flaws as posts in "Secondary Infektion", an operation was confirmed by @Facebook as originating in Russia.
Write-up here: medium.com/dfrlab/top-tak…
Write-up here: medium.com/dfrlab/top-tak…
Note, though, that this post barely got traction: only one reply that day, and only 13 upvotes in the next *month*.
Just because a possible operation posts something, doesn't mean it's going to get noticed.
"How were you not screaming this at strangers on the bus?!"
Just because a possible operation posts something, doesn't mean it's going to get noticed.
"How were you not screaming this at strangers on the bus?!"
On October 23, accounts called "Max Ostermann", "Ostermaxnn" and "Ostermannx" posted a German article about the leaks to Reddit, meinbezirk (Austrian local news) and homment (fringe German site).
The accounts were created that day, used once that day, and abandoned that day.
The accounts were created that day, used once that day, and abandoned that day.
There's a double overlap with Secondary Infektion there.
1) It used that same combination of websites repeatedly.
2) It used the same sort of single-use burner accounts with matching, if not identical, names.
(Here, an example from March.)
1) It used that same combination of websites repeatedly.
2) It used the same sort of single-use burner accounts with matching, if not identical, names.
(Here, an example from March.)
For reference, according to @SimilarWeb, homment is the 381,018th most popular website in Germany. Fewer than 5k unique visitors a month. That's a pretty specific site for an operation to use, especially combined with a local news site in Austria.
An interesting point, too. The German Reddit account was created at 4:36 am ET on October 23, and posted its lone article at 5:14 am.
Create, post, abandon.
(Image from redetective[.]com. Times in ET because that's what my laptop's on.)
Create, post, abandon.
(Image from redetective[.]com. Times in ET because that's what my laptop's on.)
At 5:04 am ET, so right within that 38-minute slot, someone posted the English Reddit article across to BeforeItsNews[.]com. (Website is also timestamped to ET.)
That's pretty simultaneous timing.
That's pretty simultaneous timing.
Interestingly, the persona on BeforeItsNews wasn't limited to one post... but the first three were all copied. Two from Moon of Alabama, and one from @IanCobain at @MiddleEastEye.
Again, Secondary Infektion used this site too. Both with single-use personas and a more developed and prolific one.
(More on the Dark Lady here: medium.com/dfrlab/russian…)
(More on the Dark Lady here: medium.com/dfrlab/russian…)
Still on October 23, a Twitter account called @gregoratior began posting the English Reddit link to Labour and LibDem politicians...
... journalists...
Again, these efforts didn't take off. The tweets continued sporadically until November 6, when they were aimed at @NicolaSturgeon, the @theSNP, @FT and @PickardJE .
Then, as far as we can tell, they stopped.
Then, as far as we can tell, they stopped.
None of this activity seemed to gain traction. By the look of it, the breakthrough came when an unknown persona began emailing the Reddit link directly to interested people.
This @Graphika_NYC map shows how sparse the Twitter traffic was.
This @Graphika_NYC map shows how sparse the Twitter traffic was.
There are a couple of lessons here. First, it'd be important to work out how the documents leaked in the first place, to end up on a Reddit account that certainly resembled a known info operation.
Second, this operation didn't scatter its content to the winds: it tried to target it at high-value influencers, activists, journalists and politicians.
Expect more of that as the UK election race finishes, and the US one continues.
Expect more of that as the UK election race finishes, and the US one continues.
Third, as always, it pays to be super cautious on attribution.
The amplification of this operation looked like Secondary Infektion, but that doesn't prove that it *was*. It could be the same actor, or someone else, well, acting.
More evidence needed for attribution.
The amplification of this operation looked like Secondary Infektion, but that doesn't prove that it *was*. It could be the same actor, or someone else, well, acting.
More evidence needed for attribution.
