“The Russian Disinfo Operation You Never Heard About”
WIRED, June 16, 2020
By Lily Hay Newman
“The campaign known as Secondary Infektion appears to be a distinct effort from the meddling of the IRA and GRU—and it went undetected for years.”
The Internet Research Agency is infamous for flooding mainstream social media platforms with compelling disinformation campaigns. The GRU, Russia’s military intelligence agency, deploys strategic data leaks and destabilizing cyberattacks. But in the recent history of Russia’s online meddling, a third, distinct entity may have been at work on many of the same objectives—indicating that Russia’s disinformation operations went deeper than was publicly known until now.
Dubbed Secondary Infektion, the campaign came on the radar of researchers last year. Today, the social media analysis firm Graphika is publishing the first comprehensive review of the group’s activity, which seems to have begun all the way back in January 2014. The analysis reveals an entity that prioritizes covering its tracks; virtually all Secondary Infektion campaigns incorporate robust operational security, including a hallmark use of burner accounts that only stay live long enough to publish one post or comment. That’s a sharp contrast to the IRA and GRU disinformation operations, which often rely on cultivating online personas or digital accounts over time and building influence by broadening their reach.
Secondary Infektion also ran disinformation campaigns on a notably large array of digital platforms. While the IRA in particular achieved virality by focusing its energy on major mainstream social networks like Facebook and Twitter, Secondary Infektion took to more than 300 platforms in all, including regional forums and smaller blogging sites. The combination of widespread and endless burner accounts has helped the group hide its campaigns—and its motives—for years. But the approach also made the actor less influential and seemingly less effective than the IRA or GRU. Without being able to build a following, it’s difficult to get posts to take off. And many Secondary Infektion campaigns were either flagged by platform anti-abuse mechanisms or simply pilloried by regular users.
“The main thing is that this really adds a large-scale, persistent threat actor into the mental map we have of Russian information operations,” says Ben Nimmo, director of investigations at Graphika. “All the while you have the IRA running its operations, all the while you have GRU running its operations, you had Secondary Infektion running its own brand of operations, which had a very different style, had a very different approach. This was all running at the same time, and quite often they were all homing in on the same targets.”
Secondary Infektion has a familiar hit list. The group has been active in running disinformation campaigns related to world elections, has attempted to sow division between European countries, and has highlighted US and NATO dominance and aggression. Domestically, the actor has run campaigns in defense of Russia and its government, targeted activists and groups critical of the regime—like the reporting group Bellingcat and anti-corruption advocate Alexei Navalny—and tried to discredit the World Anti-Doping Agency. Secondary Infektion has also painted Turkey as a villainous rogue state and sown division over issues of global migration, particularly Muslim displacement. It has run relatively few campaigns related to Syria and its civil war but is devoted to a common priority for Russia-backed digital actors: undermining and destabilizing Ukraine.
About the Author:
Lily Hay Newman is a senior writer at WIRED focused on information security, digital privacy, and hacking. She previously worked as a technology reporter at Slate magazine and was the staff writer for Future Tense, a publication and project of Slate, the New America Foundation, and Arizona State University. Additionally her work has appeared in Gizmodo, Fast Company, IEEE Spectrum, and Popular Mechanics. She lives in New York City.