Secondary Infektion also ran disinformation campaigns on a notably large array of digital platforms. While the IRA in particular achieved virality by focusing its energy on major mainstream social networks like Facebook and Twitter, Secondary Infektion took more than 300 platforms in all, including regional forums and smaller blogging sites. The combination of widespread and endless burner accounts has helped the group hide its campaigns—and its motives—for years. But the approach also made the actor less influential and seemingly less effective than the IRA or GRU. Without being able to build a following, it's difficult to get posts to take off. And many Secondary Infektion campaigns were either flagged by platform anti-abuse mechanisms or simply pilloried by regular users.
"The main thing is that this really adds a large-scale, persistent threat actor into the mental map we have of Russian information operations," says Ben Nimmo, director of investigations at Graphika. "All the while you have the IRA running its operations, all the while you have GRU running its operations, you had Secondary Infektion running its own brand of operations, which had a very different style, had a very different approach. This was all running at the same time, and quite often they were all homing in on the same targets."
Secondary Infektion has a familiar hit list. The group has been active in running disinformation campaigns related to world elections, has attempted to sow division between European countries, and has highlighted US and NATO dominance and aggression. Domestically, the actor has run campaigns in defense of Russia and its government, targeted activists and groups critical of the regime—like the reporting group Bellingcat and anti-corruption advocate Alexei Navalny—and tried to discredit the World Anti-Doping Agency. Secondary Infektion has also painted Turkey as a villainous rogue state and sown division over issues of global migration, particularly Muslim displacement. It has run relatively few campaigns related to Syria and its civil war but is devoted to a common priority for Russia-backed digital actors: undermining and destabilizing Ukraine .
"We are exposing here the cyber tools (APT34 / OILRIG) that the ruthless Iranian Ministry of Intelligence has been using against Iran’s neighboring countries, including names of the cruel managers, and information about the activities and the goals of these cyber-attacks," read the original message posted to Telegram by the hackers in late March.
Though Secondary Infektion's activities are difficult to track, Graphika researchers were able to piece the its activity together by looking at rare occasions where the group reused an account a few times, and identifying patterns in sets of blogs and forums the group would post to. Secondary Infektion also has a particular tendency to build its campaigns around "leaked" documents that are really just fabricated by the group but claim to reveal, say, corruption among the Kremlin's critics or an anti-Russian plot from the US. Graphika did not see evidence that Secondary Infektion used ads to promote its content, but after months of investigation the researchers did find a sort of digital fingerprint they could use to track Secondary Infektion campaigns at a much larger scale and link many more digital posts to the actor. Graphika would not comment on the nature of this tell, though.
Facebook was the first to discover a group of Secondary Infektion accounts in May 2019, and provided the data to disinformation researchers along with the initial attribution to Russia. Since then other social networks and researchers have gathered more examples of the actor's activity and reinforced the attribution. The group seemingly reduced its operations or went further underground after being publicly named in 2019. But it was still operating as of at least March 2020. Graphika is clear, though, that Secondary Infektion has not been tied to a specific organization or apparatus within Russia. Based on the available evidence and the group's distinctive techniques and behaviors, the researchers don't believe that Secondary Infektion operates under the purview of the IRA or GRU. But that remains possible.
"To do that work from Russia takes a remarkable amount of courage." John Hultquist, FireEye These are just the latest in an ongoing series of revelations the Insider and Bellingcat have made about the GRU, an agency now believed to be responsible for everything from the Skripal assassination attempt to the hacking and leaking operation targeting US and French elections.