Suspected Russian government trolls are trying to pin the COVID-19 pandemic on the Pentagon; hyping Rudy Giuliani’s conspiracy theories about collusion between Democrats and Ukraine; and trying to meddle in European elections, an investigation by The Daily Beast reveals.

Working with researchers from the disinformation-tracking firm Graphika, The Daily Beast found at least 20 fake news articles pushed by over 40 suspected Kremlin-backed personas across dozens of social media networks like Facebook, Reddit, Medium, and smaller web forums. 

“This looks like a Russian disinformation operation we call ‘Secondary Infektion’ that's been running for years,” said Ben Nimmo, director of investigations at Graphika, who has been investigating the operation since Facebook exposed a first set of accounts in May 2019. “It uses blogging platforms as the soft underbelly of the internet, planting false stories based on forged documents or leaks that never happened. The fakes mostly appear designed to trigger tensions between European countries, or between Europe and the United States, but they were generally too clumsy to be believed.”

Nimmo and other disinformation researchers first identified the Secondary Infektion campaign in 2019, which uses forgeries and fake articles to push Moscow-friendly propaganda through fictional personas. The troll personas and articles identified by The Daily Beast followed the same Secondary Infektion pattern identified by Graphika and others. Trolls would set up one-time-use accounts at a handful of outlets in specific places—from obscure forums like the DebatePolitics and DefendingTheTruth to larger platforms like Medium and Reddit—and post articles and forgeries in broken English just minutes after creating their accounts.

The cluster of personas and articles identified by The Daily Beast date back through 2016. They add to a growing body of evidence that shows Russian information operations didn’t stop after Moscow’s interference in the last presidential campaign, but rather continued on, spreading to other countries. The trolls in this campaign forged letters and screenshots in an attempt to meddle in elections in Sweden and Latvia, touted Trump attorney Rudy Giuliani’s Ukraine conspiracy theories, and tried to sow confusion about a former suspect in the leak of NSA hacking tools.   

Pinning COVID-19 on the Pentagon

As COVID-19 ravaged China and began to spread around the globe, the State Department issued cryptic warnings in February and March that Russia was trying to pin the virus on the U.S. both through its overt and covert propaganda organs. In one February briefing, Assistant Secretary of State Philip Reeker called out the propaganda campaign in vague terms and claimed that Moscow was "once again choosing to threaten public safety by distracting from the global health response" with a COVID-19 disinformation campaign.

American diplomats offered no specifics, but just a few days before Reeker’s briefing, a fake story bearing the hallmarks of Secondary Infektion trolls surfaced in Russian-language blogging platforms.

The story, posted to Russian-language blogs and Reddit by multiple fake personas, tries to pin the blame on the COVID-19 outbreak on the U.S. and Kazakhstan by casting the virus as the byproduct of a U.S. nonproliferation program in the country. The trolls pointed to social media posts by a group of hackers calling themselves “Anonymous Kazakhstan.” 

It’s a well-documented tactic among Secondary Infektion posts, which often use fictitious Anonymous-style hacker groups from a range of different countries as the source of forged documents, according to Graphika. 

In this case, the authors of the story claim that, in the course of hacking employees of the U.S.-funded Central Reference Laboratory in Almaty, Kazakhstan, they discovered that the lab was responsible for the release of COVID-19 into the public.

Rather than a nefarious factory for new bioweapons, the Central Reference Laboratory in Almaty is part of a U.S.-funded nonproliferation effort aimed at giving steady employment to biologists in Kazakhstan, once home to Soviet biological weapons programs, and keep them from seeking employment in rogue state or terrorist bioweapons efforts. The authors of the fake story appeared to aim at ginning up fear and opposition to the U.S. funding and warned that the fake viral leak could prompt sanctions from China, an important ally and source of investment in Kazakhstan. 

“This story only circulated in Russian, unlike other Secondary Infektion claims, but it was posted on exactly the same mix of blogging platforms by exactly the same sort of fake persona. If this wasn't Secondary Infektion, it was someone trying really hard to look like them," said Nimmo.

Other may have reached the same conclusion as The Daily Beast. In a recent update, cybersecurity firm FireEye vaguely referenced a disinformation campaign it attributed to Secondary Infektion which included “a false hacktivist persona to spread the conspiracy theory that the U.S. developed the coronavirus in a weapons laboratory in Central Asia.”

Election Meddling and Spy Games

The trolls behind the COVID-19 article and others identified by The Daily Beast are most likely part of a well-documented group of Russia-linked disinformation actors known as Secondary Infektion. The group, labeled after the Soviet Union’s “Operation Infektion” disinformation campaign, which sought to blame the HIV/AIDS outbreak in the 1980s on the U.S. military’s former biological weapons research lab, was first labeled by the Atlantic Council’s Digital Forensic Research Lab in June 2019 after Facebook suspended a number of accounts operated by the campaign a month prior.

The group typically works in three stages, according to Nimmo. Propagandists first forge documents to further their narratives and plant them on small, obscure blogging platforms with single-use accounts created on the day of posting and never used again. Next, the authors translate the articles accompanying forgeries into as many as half a dozen languages like Russian, Spanish, and German and further spread the fake stories. Finally, trolls take the articles to larger social media platforms like Facebook, Reddit, and Twitter, often creating still more single-use accounts to do it. 

Secondary Infektion is notable for the sweeping breadth of forums it employs in order to spread its articles. “Pretty well all serious influence operations these days are cross-platform, but Secondary Infektion took it to extremes. They worked across literally scores of sites and platforms in different languages," Nimmo explained.  Researchers have tracked the campaign’s articles across scores of often niche and obscure platforms, from British college forum TheStudentRoom to an Austrian local news platform, Mein Bezirk. 

The network of Russian-linked trolls identified by The Daily Beast goes beyond just a single post on COVID-19 conspiracies. From at least 2016 through this year, trolls sought to spread disinformation on elections in the U.S. and Europe, pit Western countries against each other, and ruin Ukraine’s international reputation.

In December 2019, as impeachment proceedings against President Trump took place, Russian-linked trolls spread an article that falsely claimed Democrats colluded with a former KGB officer during the 2016 elections. The article, “Former KGB agent sponsored Democrats in the 2016 election,” falsely accuses Ukrainian oligarch Victor Pinchuk of having worked for Soviet intelligence during the Cold War and financing Hillary Clinton’s 2016 campaign.

The theme of Democratic collusion with Ukraine to undermine Trump’s candidacy, often touted by President Trump and his allies, is a theme Russian intelligence operatives have pushed for years, according to The New York Times. 

Relying on Rudy

Many of the Secondary Infektion stories used phony screengrabs or forged documents to further their narrative. By contrast, the authors of the fake KGB support story relied on the conspiracy theorizing of Rudy Giuliani and the Trump-cheering cable news channel OANN to push their story.

“Rudy Giuliani's recent visit to Ukraine exposed many secrets of the Democratic Party, which is trying to distract the public from its crimes through the impeachment of the incumbent US president,” the trolls wrote alongside links to OANN’s coverage of the impeachment scandal.  

The Secondary Infektion crew also ventured beyond the relitigation of America’s 2016 presidential election to meddle in elections in Europe. 

In advance of Sweden’s 2018 elections, the trolls used a series of fake conspiracies focused on the right wing nationalist Sweden Democrats party to interfere in Sweden’s 2018 election. Secondary Infektion propagandists forged a fake letter in stilted English purporting to show Secretary of State Mike Pompeo warning Poland’s foreign minister that “Russian special services are going to provide technical and material support to the Swedish Democrats and help them in the election campaign” as part of a hacking campaign.

“It bears the digital hallmarks of forgery,” said Sam Meyer, a research associate at the Middlebury Institute of International Studies. Meyer ran the Pompeo letter image through the Tungstène imagery analysis software and found that the image was based on a digital template bearing the State Department letterhead and Secretary Pompeo’s signature with the text digitally added separately. 

Many of the the Secondary Infektion articles identified by The Daily Beast appeared aimed at dividing the U.S. from its allies in Europe. 

Since its forces began occupying eastern Ukraine, Russia has tried to oppose the U.S. sale of lethal aid to Ukrainian forces, particularly the Javelin anti-tank missiles which could be useful in fending off Russian armor. As the Trump administration mulled the prospect of a sale in the fall of 2017, Russian trolls published a forged screenshot pretending to come from the Twitter account of U.S.-backed Kurdish forces in Syria. “Javelins from Ukraine will help #YPG/#YPJ fighters defeat #IS in Deir al-Zour. #JazeeraStorm #defeatDaesh.”

Except the tweet was never sent and neither American nor Ukrainian forces ever transferred Javelins to partner forces in Syria. The apparent goal of the forgery and accompanying article was an attempt to paint the Trump administration’s arms sale to Ukraine as reckless and to create tensions between the U.S., Ukraine, and Turkey, which has strongly objected to transfers of less sophisticated arms to Kurdish forces in Syria. 

But not all of the articles fit into such neat thematic categories. At least one appeared aimed at diverting attention from or at least provoking confusion about a criminal case involving the theft of classified information from the National Security Agency.

Federal prosecutors charged former NSA contractor Hal Martin in 2016 with unlawfully taking home vast amounts of classified NSA data. Martin had initially come under suspicion as a result of an investigation into the publication of classified NSA hacking tools released by a group calling itself “The Shadow Brokers,” which some believe may be a front for Russian intelligence. 

Martin was never charged with involvement in the Shadow Brokers leak. But in November 2016, a month after prosecutors arrested him, personas bearing the hallmarks of the Secondary Infektion campaign began posting articles falsely claiming that Martin had betrayed the identities of undercover CIA officers associated with the Bush-era torture program.

Another Secondary Infektion article took aim at what would seem an unlikely target for the Kremlin: former Russian Prime Minister Dmitry Medvedev. In 2018, while Medvedev was still serving as prime minister of Russia, the trolls used a fake screenshot of a nonexistent article from The Guardian to cast doubt on his political future, writing that Medvedev was “facing a whole bunch of problems, from lack of financing to health issues and even alcohol.”

Bang for the buck?

For all the effort put into the troll campaign, the impact appears to have been small to nonexistent. In 2016, IRA trolls operating Twitter and Facebook accounts racked up millions of views throughout the U.S. presidential election, but the greater scrutiny of Russian disinformation and more cautious operational security practices used by the Secondary Infektion have come at a steep cost in terms of reach.

None of the articles or forgeries identified by The Daily Beast appear to have been picked up and amplified by news outlets or social media users outside of Secondary Infektion.

"One of the biggest mysteries about Secondary Infektion is what the operators thought they were doing,” said Nimmo. “I've never seen so little bang to the buck."

In the history of documented Secondary Infektion articles, only one appears to have gained any traction—the leak of authentic U.K.-U.S. trade documents shortly before the British general election in 2019.

The reach of articles identified by The Daily Beast is much shorter. The posts, published to obscure and nich web forums like WorthyChristianForums and DefendingTheTruth, garnered just a few dozen views according to view counters available on some of the sites. Some generated agreement or at least debate among a handful of forumgoers and social media users where they were posed, but they also generated derision and skepticism as well.

“Arthur,” one Reddit commenter wrote under a Secondary Infektion persona’s piece about Brexit, “you've done something that I couldn't imagine was possible. You've written a piece so poor that brexiteers and remainers can unite around how dreadful your opinions are. There's something in here to make everyone scoff.”

Others social media users noticed the pattern of single-use accounts posting articles on known Russian themes and found them appropriately suspicious. “New Reddit User. 1 post. Article about the east.” a Redditor commented on a post trying to stir up tensions between Hungary and Ukraine. “You almost got me Putin.”