
Russia-connected group pushed fake documents aimed at political flashpoints, researchers say

The report comes as election security experts remain on alert for efforts to manipulate the 2020 election from Russia and many other countries and nonstate actors.

On the internet, a letter from Sen. Ben Cardin, D-Md., dated July 13, 2019, looks legitimate. It has a U.S. Senate letterhead, Cardin's signature and even a small "Printed on Recycled Paper" at the bottom.

But it is fake. Cardin never sent the letter, which attempts to portray him as making an exaggerated case for Russian opposition candidate Alexei Navalny to Sen. Bob Menendez, D-N.J.

It's one of a handful of fake government documents that have circulated on the internet in recent months. One purports to be from a U.S. admiral, while another tries to float the idea that Secretary of State Mike Pompeo recognized the Armenian Genocide and blamed Turkey — something Pompeo has been careful not to do.

The letters were released Wednesday by the cybersecurity firm Recorded Future, which analyzed the documents and found what its researchers say is an organized, targeted effort with connections to Russia aimed at influencing geopolitical discourse. It's the kind of operation that could be deployed for the 2020 election.

The report builds on previous analysis of an ongoing online disinformation campaign dubbed “Secondary Infektion,” which promotes documents, often forged, that appear created to strain tensions in international relations, particularly between former Soviet bloc countries and the West. The group was first discovered late last year, but it had previously not been linked to forging official U.S. correspondence.

The researchers said that they were able to establish a clear pattern by the group. Someone creates a blog post with a fake account to write a political screed, often embedding an unreleased or "leaked" political document in the post. Then, another single-use account will promote it on another tech platform. Most posts support overt Russian foreign policy goals, and have appeared in multiple languages.

The strategy makes it difficult to trace documents back to their original posting.

"These are all techniques that individually are not unique or effective, but when you put them all together, they become a signature for behavior," said Priscilla Moriuchi, head of nation-state research at Recorded Future, who wrote the study.

'Bad tradecraft'

The materials uncovered by Recorded Future primarily focus on undermining the country of Georgia's relationship with NATO, and Estonia's with the European Union, echoing Russia's aims for each.

But the researchers also found six documents that purport to be official correspondence with senior U.S. government figures. All contain strange grammatical errors that Recorded Future found are consistent with native Russian speakers.

The report comes as election security experts remain on alert for efforts to manipulate the 2020 election from Russia and many other countries and nonstate actors.

A spokesperson for the Office of the Director of National Intelligence declined to comment on the report, but pointed to past comments by the agency. In its last public intelligence report, the office warned that Russia would likely attempt to influence the 2020 U.S. election. In her most recent public comments, Shelby Pierson, ODNI's top dedicated election security official, said that "malign influence campaigns" are "on the rise."

Social media companies still often find it difficult to attribute influence operations on their sites to particular intelligence agencies, and don't often get that information from the U.S. government.

While a dedicated FBI task force occasionally tips them to specific actors — it told Facebook about a handful of Internet Research Agency accounts right before the 2018 midterms, for instance — the companies often rely on internal analysis and tips from private companies for insight into who is most likely behind those campaigns.

When Reddit announced in December it suspected that Russian intelligence was behind a Secondary Infektion operation to quietly release documents and upvote them to the site, the company was working on a tip from the social media analysis firm Graphika, rather than the U.S. government.

For much of the Cold War, the Soviet Union regularly seeded forged or falsified documents into small, friendly news outlets, watching most go ignored. A handful caught fire and were mentioned by mainstream news organizations.

“The forged letters and their surfacing look like classic Russian active measures at first glance — the sowing of internal divisions, and even the NATO references, we've seen all that before so many times, over decades,” said Thomas Rid, a Johns Hopkins professor and author of a forthcoming book on the history of disinformation efforts. “But the quality of the fakes and the surfacing are uninspiring and just bad tradecraft.”

Little impact

The same tactics that make Secondary Infektion so hard to track seem to have hampered its efforts to get noticed.

“Secondary Infektion always struggled to reach its audience,” said Ben Nimmo, a Graphika researcher who published one of the first public reports on Secondary Infektion.

“Anyone who's ever had a social media account will appreciate why: The hardest thing is to attract your first follower,” he said. “Secondary Infektion used a new account for almost everything it ever posted, so it was always trying to attract the first follower. That's not a high-impact strategy.”

Notably, the one known incident where Secondary Infektion seemed to be successful was the rare time it promoted a document whose authenticity wasn't disputed. Late in the United Kingdom's 2019 parliamentary elections, Labour Party leader Jeremy Corbyn repeatedly touted a document that purportedly showed plans from the U.K.'s Department for International Trade to discuss the National Health Care Office with the U.S. How the document was leaked still isn't publicly known.

But before Corbyn cited it, the document was seeded by a single-use account on Reddit, which took it down after receiving a tip from Graphika and noticing anonymous accounts were trying to upvote the post.

"I suspect they worked on the principle that if you haven't got an actual leak, make one up and see if anyone falls for it," Nimmo said.

That Secondary Infektion has such a limited hit rate — but can cause plausible deniability when it does have a document that catches public attention — is precisely why it could be influential in the U.S. if circumstances are right, Moriuchi said.

"There's this concerted effort to push these false stories into the mainstream. And thankfully in this case many of the Reddit threads were quickly deleted," she said.

“In the case of the NHS, it was the right place at the right time,” Moriuchi said, “and it's highly likely there will be another right place at the right time.”