The Internet Research Agency is infamous for flooding mainstream social media platforms with compelling disinformation campaigns. The GRU, Russia’s military intelligence agency, deploys strategic data leaks and destabilizing cyberattacks. But in the recent history of Russia’s online meddling, a third, distinct entity may have been at work on many of the same objectives— indicating that Russia’s disinformation operations went deeper than was publicly known until now.
Dubbed Secondary Infektion, the campaign came on the radar of researchers last year. Today, the social media analysis firm Graphika is publishing the first comprehensive review of the group’s activity, which seems to have begun all the way back in January 2014. The analysis reveals an entity that prioritizes covering its tracks; virtually all Secondary Infektion campaigns incorporate robust operational security, including a hallmark use of burner accounts that only stay live long enough to publish one post or comment. That’s a sharp contrast to the IRA and GRU disinformation operations, which often rely on cultivating online personas or digital accounts over time and building influence by broadening their reach.
Secondary Infektion also ran disinformation campaigns on a notably large array of digital platforms. While the IRA in particular achieved virality by focusing its energy on major mainstream social networks like Facebook and Twitter, Secondary Infektion took more than 300 platforms in all, including regional forums and smaller blogging sites. The combination of wide spread and endless burner accounts have helped the group hide its campaigns—and its motives—for years. But the approach also made the actor less influential and seemingly less effective than the IRA or GRU. Without being able to build a following, it’s difficult to get posts to take off. And many Secondary Infektion campaigns were either flagged by platform anti-abuse mechanisms or simply pilloried by regular users.
“The main thing is that this really adds a large scale persistent threat actor into the mental map we have of Russian information operations,” says Ben Nimmo, director of investigations at Graphika. “All the while you have the IRA running its operations, all the while you have GRU running its operations, you had Secondary Infektion running its own brand of operations, which had a very different style, had a very different approach. This was all running at the same time and quite often they were all homing in on the same targets.”
Secondary Infektion has a familiar hit list. The group has been active in running disinformation campaigns related to world elections, has attempted to sow division between European countries, and has highlighted United States and NATO dominance and aggression. Domestically, the actor has run campaigns in defense of Russia and its government, targeted activists and groups critical of the regime—like the reporting group Bellingcat and anti-corruption advocate Alexei Navalny—and tried to discredit the World Anti-Doping Agency. Secondary Infektion has also painted Turkey as a villainous rogue state and sown division over issues of global migration, particularly Muslim displacement. They’ve run relatively few campaigns related to Syria and its civil war, but is devoted to a common priority for Russia-backed digital actor: undermining and destabilizing Ukraine.
Though Secondary Infektion’s activities are difficult to track, Graphika researchers were able to piece the actor’s activity together by looking at rare occasions where the group reused an account a few times, and identifying patterns in sets of blogs and forums the group would post to. Secondary Infektion also has a particular tendency to build its campaigns around “leaked” documents that are really just fabricated by the group, but claim to reveal, say, corruption among the Kremlin’s critics or an anti-Russian plot from the US. Graphika did not see evidence that Secondary Infektion used ads to promote its content, but after months of investigation the researchers did find a sort of digital fingerprint they could use to track Secondary Infektion campaigns at a much larger scale and link many more digital posts to the actor. Graphika would not comment on the nature of this tell, though.
Facebook was the first to discover a group of Secondary Infektion accounts in May 2019, and provided the data to disinformation researchers along with the initial attribution to Russia. Since then other social networks and researchers have gathered more examples of the actor’s activity and reinforced the attribution. The group seemingly reduced its operations or went further underground after being publicly named in 2019. But it was still operating as of at least March 2020. Graphika is clear, though, that Secondary Infektion has still not been tied to a specific organization or apparatus within Russia. Based on the available evidence and the group’s distinctive techniques and behaviors, the researchers don’t believe that the actor operates under the purview of the IRA or GRU. But it remains possible.