THE INTERNET RESEARCH Agency is infamous for flooding mainstream social media platforms with compelling disinformation campaigns. The GRU, Russia’s military intelligence agency, deploys strategic data…
THE INTERNET RESEARCH Agency is infamous for flooding mainstream social media platforms with compelling disinformation campaigns. The GRU, Russia’s military intelligence agency, deploys strategic data leaks and destabilizing cyberattacks. But in the recent history of Russia’s online meddling, a third, distinct entity may have been at work on many of the same objectives—indicating that Russia’s disinformation operations went deeper than was publicly known until now.
Dubbed Secondary Infektion, the campaign came on the radar of researchers last year. Today, the social media analysis firm Graphika is publishing the first comprehensive reviewof the group’s activity, which seems to have begun all the way back in January 2014. The analysis reveals an entity that prioritizes covering its tracks; virtually all Secondary Infektion campaigns incorporate robust operational security, including a hallmark use of burner accounts that only stay live long enough to publish one post or comment. That’s a sharp contrast to the IRA and GRU disinformation operations, which often rely on cultivating online personas or digital accounts over time and building influence by broadening their reach.
Secondary Infektion also ran disinformation campaigns on a notably large array of digital platforms. While the IRA in particular achieved virality by focusing its energy on major mainstream social networks like Facebook and Twitter, Secondary Infektion took more than 300 platforms in all, including regional forums and smaller blogging sites. The combination of widespread and endless burner accounts has helped the group hide its campaigns—and its motives—for years. But the approach also made the actor less influential and seemingly less effective than the IRA or GRU. Without being able to build a following, it’s difficult to get posts to take off. And many Secondary Infektion campaigns were either flagged by platform anti-abuse mechanisms or simply pilloried by regular users.
“The main thing is that this really adds a large-scale, persistent threat actor into the mental map we have of Russian information operations,” says Ben Nimmo, director of investigations at Graphika. “All the while you have the IRA running its operations, all the while you have GRU running its operations, you had Secondary Infektion running its own brand of operations, which had a very different style, had a very different approach. This was all running at the same time, and quite often they were all homing in on the same targets.”
Secondary Infektion has a familiar hit list. The group has been active in running disinformation campaigns related to world elections, has attempted to sow division between European countries, and has highlighted US and NATO dominance and aggression. Domestically, the actor has run campaigns in defense of Russia and its government, targeted activists and groups critical of the regime—like the reporting group Bellingcat and anti-corruption advocate Alexei Navalny—and tried to discredit the World Anti-Doping Agency. Secondary Infektion has also painted Turkey as a villainous rogue state and sown division over issues of global migration, particularly Muslim displacement. It has run relatively few campaigns related to Syria and its civil war but is devoted to a common priority for Russia-backed digital actors: undermining and destabilizing Ukraine.
Though Secondary Infektion’s activities are difficult to track, Graphika researchers were able to piece the its activity together by looking at rare occasions where the group reused an account a few times, and identifying patterns in sets of blogs and forums the group would post to. Secondary Infektion also has a particular tendency to build its campaigns around “leaked” documents that are really just fabricated by the group but claim to reveal, say, corruption among the Kremlin’s critics or an anti-Russian plot from the US. Graphika did not see evidence that Secondary Infektion used ads to promote its content, but after months of investigation the researchers did find a sort of digital fingerprint they could use to track Secondary Infektion campaigns at a much larger scale and link many more digital posts to the actor. Graphika would not comment on the nature of this tell, though.
Facebook was the first to discover a group of Secondary Infektion accounts in May 2019, and provided the data to disinformation researchers along with the initial attribution to Russia. Since then other social networks and researchers have gathered more examples of the actor’s activity and reinforced the attribution. The group seemingly reduced its operations or went further underground after being publicly named in 2019. But it was still operating as of at least March 2020. Graphika is clear, though, that Secondary Infektion has not been tied to a specific organization or apparatus within Russia. Based on the available evidence and the group’s distinctive techniques and behaviors, the researchers don’t believe that Secondary Infektion operates under the purview of the IRA or GRU. But that remains possible.
“We have not ruled out that this could be a GRU operation,” says Camille Francois, Graphika’s chief innovation officer. “What we’re able to say is it doesn’t resemble in any way the other operations that have been exposed.”
Though Secondary Infektion has often marched to the beat of its own drummer, there are a number of moments in the recent timeline of Russian disinformation campaigns when it converged with other groups. For example, Secondary Infektion targeted Hillary Clinton’s campaign, crafting posts about shady donations and even accusing Clinton of being a murderer, during the 2016 US presidential campaign season in which the IRA and GRU were also extremely active. And Secondary Infektion was active in the lead-up to the 2017 French presidential election, in which the GRU ran a dramatic leaking campaign. Secondary Infektion also targeted the World Anti-Doping Agency in 2015 and early 2016 after WADA called Russia out for major doping violations. Its tactics included publishing forged documents that purported to be leaks from inside WADA and the Committee for the Protection of Journalists. In fall 2016, the GRU breached WADA and leaked stolen data.
“That’s part of the classic playbook, low-quality forgeries oftentimes, so in a way I’m really not that surprised that we see this kind of activity,” says Thomas Rid, a disinformation and warfare researcher at Johns Hopkins University who viewed the report in advance. “I’m also not surprised that it wasn’t effective, and in fact it was pretty low-quality from an active-measures tradecraft perspective. It’s important to highlight that not all Russian active measures are impressive in quality or indeed effective. In fact the vast majority are not.”
Though it converged on these and other crucial Russian initiatives, Secondary Infektion was not generally as focused on elections overall, instead often working on spurring division between countries, like stoking tension between the US and the United Kingdom, trying to ignite controversy between Poland and Germany, or pushing anti-American sentiment among Germans. And the actor also always came back to pitting everyone against Ukraine. But Secondary Infektion’s low-quality forged leaks and focus on using burner accounts limited its overall reach and impact.
Still, in spite of its seeming lack of results relative to the IRA and GRU, Secondary Infektion has apparently received substantial funding over time to continue its operations. This likely indicates that it is either housed within a Russian government agency or is perhaps run through a long-term contractor. And Secondary Infektion has not been entirely unsuccessful. The group caused a stir ahead of the UK general election in fall 2019 when it leaked a seemingly legitimate cache of US–UK trade documents on Reddit and other sites using one-time burner accounts.
Even with so much more information about Secondary Infecktion’s campaigns and methods, the full picture of the group’s motives and goals is still elusive.
“From a historical perspective, we understood the IRA before really we understood the GRU information operations, which definitely was a second moment in our understanding,” Graphika’s Francois says. “So for me this is sort of like the third movement, and it’s honestly a bit disconcerting to realize how slow we are to piece back together the broader picture of Russian information operations. There are still things that we don’t really know.”