Uncovered Russian Disinformation Operation active since 2014

Effective disinformation campaigns have been a tried and tested method used by spies in times of war and in times of peace. Hackers, following the example set by certain state departments and intelligence services, learned fairly quickly that they could sell their services to the highest bidder in return for a disinformation campaign using social media to fan a wildfire. While hackers looked to use the same tactics honed by nation-state actors the same platforms used to disseminate have been cracking down on campaigns. However, it still appears that skilled operators can avoid measures put in place by the likes of Facebook, Twitter, and Google and spread false information to serve political ends.

Social media research group Graphika published a 120-page report that uncovers a widely unknown Russian disinformation operation active since 2014 and has flown largely under the radar. Those behind the operation have been named Secondary Infektion and is not to be confused with the Internet Research Agency (IRA), the Sankt Petersburg Company (troll farm) that has interfered in the US 2016 presidential election. Graphika is of the informed opinion that the two groups exist as separate entities with differing objectives despite the obvious overlap. Since operations began Secondary Infektion has been relying on fake news articles, fake leaks, and forged documents to generate political scandals in countries across Europe and North America. Along with the report, Graphika has also published a library of forgeries attributed to the group that shows the group's handiwork and ability to deceive even the most skeptical.

For those researchers who would later uncover more than 2,500 pieces of forged content used to give credibility to the campaigns conducted by Secondary Infektion, warning signs were signaled in 2019.

russian disinformation campaign active since 2014

First, Facebook in May 2019, announced that they had removed what the company terms inauthentic content. At the time, Facebook removed content distributed through two separate campaigns, the first was described as:

“We removed 97 Facebook accounts, Pages, and Groups that were involved in coordinated inauthentic behavior as part of a network emanating from Russia that focused on Ukraine. The individuals behind this activity operated fake accounts to run Pages and Groups, disseminate their content, and increase engagement, and also to drive people to an off-platform domain that aggregated various web content. They frequently posted about local and political news including topics like the military conflict in Eastern Ukraine, Russian politics, political news in Europe, politics in Ukraine, and the Syrian civil war.”

And the second,

“We also removed 21 Facebook accounts, Pages and Instagram accounts that were involved in coordinated inauthentic behavior as part of a small network emanating from Russia that focused on Austria, the Baltics, Germany, Spain, Ukraine, and the United Kingdom. The individuals behind this campaign — which was also active on other internet platforms — engaged in a number of deceptive tactics, including the use of fake accounts to join Groups, impersonate other users and to amplify allegations about a public figure working on behalf of intelligence services. They also posted content about local politics including topics like immigration, religious issues and NATO.”

In the same year, albeit later Reddit reported that it too had removed content believed to be part of a Russian disinformation campaign. In the related post, Reddit called the campaign part of a wider Secondary Infektion campaign. By this point, the group had been named due to the research conducted by the Atlantic Council's Digital Forensic Research Lab (DFRLab). The DFRLab concluded that although they could not determine who exactly was behind the group, the evidence strongly suggested that Russian Intelligence was behind the group’s operations and that there was an unusual emphasis on operation security. Secondary Infektion prioritized operational security to the point that they would never trade clicks, or put differently a pieces chance to go viral, ahead of shrouding operations in secrecy.

Graphika’s Findings

What the DFRLab discovered served as the foundation from which Graphika built its case against Secondary Infektion. In analyzing the available data it was clear that the forged content was used to target Russia’s political rivals such as Ukraine, Poland, Germany, and the US, as well as countries, where Russian influence came under attack some form of attack over the period investigated. The group would also publish articles in different languages depending on the targets and aims of the campaign. In total, the group used seven languages throughout several disinformation campaigns. According to Graphika, the content created by Secondary Infektion stuck to nine main themes, which are:

  • Ukraine as a failed state or unreliable partner
  • The United States and NATO as aggressive and interfering in other countries
  • Europe as weak and divided
  • Critics of the Russian government as morally corrupt, alcoholic, or otherwise mentally unstable
  • Muslims as aggressive invaders
  • The Russian government as the victim of Western hypocrisy or plots
  • Western elections as rigged and candidates who criticized the Kremlin as unelectable
  • Turkey as an aggressive and destabilizing state
  • World sporting bodies and competitions as unfair, unprofessional, and Russophobic

The group’s activities differed significantly from the IRA in that the latter primarily focused on creating division at the level of regular citizens, Secondary Infektion's primary role appears to have been to influence decisions at the highest level of foreign governments. To do this Secondary Infektion would attempt to influence political decisions by creating fake narratives, pitting Western countries against each other, and by embarrassing anti-Russian politicians using fake articles and the above mentioned forged documents to add credibility to claims.

As with DFRLAbs, Graphika also found that the group conducted campaigns not relying on social media and the creation of viral content, rather the group favored blogs and even niche forums discussing political matters. Social media, while using only amounted to 13% of the total content distributed. While DFRLabs attributed this to maintaining operational security and keeping the group's activity a mystery, Graphika adds that the group did so in order to meet production quotas. The expended effort in creating forgeries and being used in targeted campaigns seems at odds with traditional disinformation campaigns that look to have the widest audience possible, this is still a mystery to researchers as to why this is the case.

Graphika also noted the high levels of operation security Secondary Infektion employed to remain under the radar. Researchers noted,

“Secondary Infektion is also remarkable for its high operational security (OPSEC): multiple social media platforms who partnered with our team on this investigation have observed that the people behind this operation were sophisticated at hiding their traces consistently across the years. As of May 2020, this operation has not been directly attributed to a particular actor or entity. Several converging signals, from digital forensics indicators identified by our team or provided by the platforms to the clues of language, content, and context, help establish that the operation was run from Russia, but which organization(s) and individual(s) within Russia are responsible is still unknown.”


“The high OPSEC also made it difficult to expose the full scope of the operation. Secondary Infektion deployed single-use burner accounts so consistently that moving from one campaign, forgery, and story to the next proved difficult because most accounts only posted one article each. Reconstituting the broader picture of the operation presented a significant and time-consuming investigative challenge. This report is the first large-scale analysis of Secondary Infektion to look beyond anecdotal descriptions of individual stories and identify its systematic patterns.”

Secondary Infektion has had campaigns uncovered that were active during the US presidential elections in 2016, the French elections in 2017, and Sweden in 2018, but election interference was never the group's primary target. Many of the campaigns were also done to create division between countries as well as divisions between traditional allies like the US and UK. It was not only external political rivals that were targeted but also critics of the Kremlin. Those critical of the government could find themselves being exposed in a fake scandal, typically these “scandals” involved the targets supposed corrupt dealings or working with foreign powers to overthrow Kremlin-backed governments and interests.

Unlike the IRA whose identity and base of operations were relatively easy to identify due to what researchers have called sloppy work, Secondary Infektion’s emphasis on operational security and other tactics such as burning accounts shortly after posting content has made it harder to determine exact information like identities and locations. It can be safely assumed that despite the group being discovered they will continue to sow conflict between allies like NATO, other governments, and people the Kremlin sees as rivals to their hold on power and Russian influence in other countries.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps..

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk logo

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal