The Russian troll factory that meddled in the 2016 election isn’t the only unit in Moscow’s troll army. Since 2014, a different and more shadowy disinformation crew linked to the Russian government has been spreading forgeries and disinformation across social media. In a report released Tuesday, the social media tracking firm Graphika has uncovered the online trail of Secondary Infektion stretching across half a dozen years, two continents, and thousands of fake articles.
“When we made the investigative breakthrough in January, we knew we might be on the verge of something major, but we never expected to find over 2,500 pieces of content across more than 300 platforms,” Ben Nimmo, Graphika’s director of investigations, told The Daily Beast. “I’ve seen some cross-platform operations in my career, but nothing even close to this.”
Welcome to Rabbit Hole, where we dive deep on the biggest story. It’s for Beast Inside members only. Join up today.
ADVERTISEMENT
Facebook gave the world the first hint about the existence of Secondary Infektion in May 2019 when it announced the takedown of a handful of accounts engaged in coordinated inauthentic activity. The company’s attribution of the accounts to Russia raised eyebrows and Nimmo, then at the Atlantic Council’s Digital Forensic Research Lab, authored the first report delving into the group and giving the operation its name (a nod to the KGB’s attempt to paint HIV/AIDS as a U.S.-made bioweapon).
The report released by Graphika on Tuesday marks the most comprehensive tally of Secondary Infektion operations ever released. Across the 2,500 pieces Graphika found were articles in seven languages targeted at audiences across Europe and North America.
To spread their propaganda, Secondary Infektion operators created fake personas posing as users on social media forums like Reddit, Medium, Facebook, and a myriad of more obscure forums like WorthyChristianForums, Homment.com, and “The Student Room.” The personas posted article-like comments and blog posts, often buttressed by forged screenshots of fake documents or mainstream news articles. Earlier in the campaign’s history, operators used more active personas like “Joseph Hashever” with accompanying blogs and Twitter accounts.
Content: The overwhelming focus of Secondary Infektion’s activities is targeted at tarnishing Ukraine at home and abroad with content aimed at painting the country as a “failed or unreliable state,” according to Graphika.
Aside from Ukraine, the most common themes Graphika researchers found in Secondary Infektion content fell into a handful of areas including to highlight alleged aggression by the U.S. and NATO; meddle in elections; divide European countries; paint Turkey as an aggressive, destabilizing force; and defend the Russian government’s reputation.
Forgeries are common in disinformation operations, particularly from Russian actors dating all the way back to the KGB, but Secondary Infektion seemed to revel in them. The campaign made extensive use of forged documents purporting to come from former White House Chief of Staff John Kelly, U.S. senators, generals, and officials across Europe.
Twin troll armies: Secondary Infektion appears to be a different, if parallel, line of effort alongside its more well-known Moscow-backed disinformation cousin, the Internet Research Agency (IRA). The IRA, which is run by Russian catering magnate and Putin crony Yevgeny Prigozhin, became famous for its role in social media meddling during the 2016 presidential election.
It’s less clear who within the Russian government is behind Secondary Infektion, but it sometimes crossed paths with the IRA. During the 2016 presidential campaign, both the IRA and Secondary Infektion worked to damage Hillary Clinton’s campaign. One long-running Secondary Infektion persona identified by Graphika posted articles calling the Democratic nominee the “Hildebeast” and claiming “the most warmongering lady ever lived in the White House has been thirsting for returning back in a new role.”
Others found by Graphika claimed Clinton was in the pocket of Saudi Arabia and tried to stoke tensions with supporters of Bernie Sanders. In one especially absurd example, Secondary Infektion authors claimed that the GRU’s theft of Democratic National Committee emails was actually a conspiracy orchestrated by Clinton to distract from Sanders supporters’ “materials for the inner-party investigation regarding unacceptable methods of support for Clinton from the sidelines of Democrats.”
Despite working toward similar ends, neither Secondary Infektion nor the IRA appear to have overlapped in their content. The closest the two operations ever came was when a Secondary Infektion-linked Twitter account flagged a forgery to @Jenn_Abrams, one of the more active IRA-run Twitter personas. The incident is “insufficient to suggest a connection between Secondary Infektion and the Russian IRA, but it is noteworthy,” Graphika wrote.
Nor was the 2016 campaign the only election in which Secondary Infektion bumped up against their colleagues in the Russian government. As GRU hackers dumped gigabytes of data from the campaign of Emmanuel Macron, Secondary Infektion ran articles casting the now French president as too welcoming of migrants and “an embodied synthesis of industrial and banking PR-technologies and pan-European red-tape lobbyists.”
Bigotry for clicks: Much like the IRA, Secondary Infektion operators were only too happy to appeal to the worst instincts of their target audiences and exploited bigotry against immigrants, Muslims, and women in an attempt to sow division.
As European far-right parties appeared to gain support amid an influx of Syrian refugees to Europe, Secondary Infektion stoked racist and religious resentment with content geared to demonize Muslims and refugees. One forgery identified by Graphika invented fake calls by “radical Muslim clerics to attack European women on St. Valentine’s Day.” Others were characteristically over the top, like a German-language article warning “REFUGEES BRING DEATH TO EUROPE!” that falsely claimed refugees were poised to bring a deadly pandemic of measles to Europe.
The group’s “attacks on female politicians were notably sexist,” Graphika concluded and leveraged “a well-established pattern of information operations on social media leveraging sexist tropes to attack female politicians around the world.”
Articles smeared Lithuanian President Dalia Grybauskaite as a CIA agent and former prostitute, while Reddit trolls working for Secondary Infektion smeared Angela Merkel as the “Chancellor of Germany and female alcoholism.”
Boomerang effect: The biggest targets for Russian disinformation—the people Moscow is most worried about—are Russians and not foreigners. The operators behind Secondary Infektion deployed similar techniques abroad to those honed against domestic opponents of Russian President Vladimir Putin’s government.
“The very first posts we have identified from the operation were in Russian and targeted the opposition,” including anti-corruption activist and frequent Kremlin target Alexei Navalny, Graphika’s report concludes. Secondary Infektion’s early 2014 campaign against Russian dissidents soon morphed into a campaign against Ukraine’s new government after Russia invaded the country’s east and annexed Crimea and eventually extended to targeting audiences in Europe and the U.S.
“In this regard, Secondary Infektion is remarkably similar to the IRA, which started off by targeting the Russian opposition before it turned on foreign targets. Russia’s disinformation tends to start at home, but it doesn’t stay there,” Nimmo says.
When does the infection end? Graphika researchers were surprised by one element of the group’s activities: Why did they carry on for years when they were so ineffective? With the notable exception of one purported leak of government documents that became a flashpoint during the 2019 U.K. elections, little if any Secondary content managed to find an audience outside the narrow corners of the platforms where it was posted. The group’s shoddy command of any language besides Russian made its crude forgeries that much easier for reporters and potential amplifiers to dismiss.
“[W]hy they kept on doing it across six years of activity when their stories so often died unnoticed” remains unknown, the report says.
Even though most of its content failed to go viral, Nimmo says it would be a mistake to ignore the group or think that it’s incapable of having a malign influence on elections or public discourse.
“Secondary Infektion has proved itself to be a persistent actor for more than six years, and there are some indications that it tried to improve its ability to operate undetected after the first big round of exposures in May-June 2019. The one time it obtained genuine documents to leak, it managed to have an impact on the U.K. election debate for at least a news cycle,” he told The Daily Beast. “We do need to stay alert for Secondary Infektion-style operations, and for the danger of interference through leaks more broadly. Complacency would not be a good idea right now. “
As The Daily Beast reported in April, Secondary Infektion trolls seized on the coronavirus pandemic to push conspiracy theories blaming U.S.-funded labs in the former Soviet Union. Lee Foster, who tracks disinformation for the cybersecurity firm FireEye, told The Daily Beast that the most recent Secondary Infektion content appears to focus on audiences closer to home.
“What we've seen is almost entirely Ukrainian and Russian language activity," Foster said. “There’s the narrative about Biden exerting improper influence on the removal of Viktor Shokin. They’re also now pushing a narrative that ‘a single financial and political group’ is orchestrating anti-racism protests in the U.S., U.K., and Ukraine with veiled references to George Soros.”