Pro-Kremlin Network Impersonates Legitimate Websites and Floods Social Media with Lies

29 September 2022

ISD has uncovered a large-scale Russian influence operation which has been targeting European audiences with disinformation and pro-Kremlin messages.

________________________________________________________________________

On September 27, Meta announced a takedown of a Russian network engaged in coordinated inauthentic behavior, describing it as “the largest and most complex Russian operation” the company has disrupted since the start of the full-scale invasion of Ukraine. The operation was initially exposed by the German media outlet t-online; – ISD contributed to this research and subsequently conducted an independent investigation into the network.

ISD can corroborate the findings of Meta and other disinformation researchers identifying an operation targeting European audiences. This operation was carried out across Meta platforms, Twitter, Telegram, YouTube, petition websites, and cloned websites of established media. In particular, the campaign focused on German audiences. The content spread by social media profiles and websites aimed at undermining support for Ukraine in Europe, exaggerating the negative effect of the sanctions against Russia, promoting social unrest, denying atrocities committed by the Russian army in Ukraine, inciting hatred toward refugees from Ukraine, and polluting the information space with low-quality content.

The actors behind the operation used various technical means to conceal their identities, which could not be established from open sources. However, the content, the linguistic errors, the Russian-language file and folder names in the video metadata, as well as connections with other pro-Kremlin disinformation outlets suggest that this campaign may have been run by a Russian organisation or company acting in the Kremlin’s interests.

Despite the removal of these assets by Meta, the influence operation is still ongoing on several platforms including Facebook and Telegram . The actors responsible will likely develop new tactics, which it will continue to be necessary to investigate and expose.

Impersonating legitimate news websites

Meta has identified more than 60 websites impersonating legitimate news sources, with new domains continuing to be registered. ISD’s investigation identified and analysed 28 domains mimicking domain names of popular news outlets in Germany, the United Kingdom, France, Ukraine and Italy. The false URLs used a different extension (e.g. www[.]spiegel[.]ltd instead of www.spiegel.de or www[.]theguardian[.]co[.]com instead of www.theguardian.co.uk) or misspelled original URLs (news[.]t-onlinl[.]today instead of www.t-online.de). The domains used different subdomains such as video[.]bild[.]asia, wvw[.]bild[.]asia and www-bild-de[.]bild[.]asia for the domain bild[.]asia. The actors behind the operation have created clones of The Guardian, Daily Mail, Der Spiegel, BILD, WELT, t-online, Neues Deutschland, FAZ, Sueddeutsche Zeitung, Der Tagesspiegel, ANSA, RBC Ukraine, and 20 Minutes.

The domains identified by ISD were all registered in the period from 6 June to 23 August 2022. Meta identified domains registered up to 14 September. The cloned websites were visually similar to their legitimate counterparts, and their homepages redirected to the legitimate websites of the relevant media outlet. For example, 20minuts[.]com redirected to 20minutes.fr; the actual website for French media outlet 20 Minutes.

The operation has been targeting European audiences using topics connected to the Russian war in Ukraine that are likely to resonate, such as the grain crisis, inflation, rising energy prices, refugees from Ukraine arriving in Europe, and Western weapon supplies to Ukraine. Articles claimed that sanctions against Russia are leading to drastic consequences for European countries that have imposed them, portrayed refugees from Ukraine as a threat to host countries, campaigned against supplying Western arms to Ukraine, and denied that the Russian army committed atrocities in Ukraine.

Most of the evaluated texts and videos lacked sophistication and contained grammatical mistakes. Some of the claims were obviously absurd, such as claims that the UK is going to microchip all migrants or that former UK prime minister Boris Johnson had to resign because of a video found on an abandoned phone in the Ukrainian city of Lysychansk occupied by the Russian army. The authors of the articles appear to have prioritised spreading high volumes of low-quality content that appeals to emotions or stereotypes.

For a sample of 25 articles in English, German, Italian or Russian, ISD used Google to search for headlines or distinctive sentences from the text to identify where the content could have originated. In the case of 25 articles:

• 7 had identical texts published by the disinformation website RRN (Reliable Recent News), which is related to the operation;
• 5 were identical to texts published by two German-language disinformation blogs, which may be part of the same operation;
• 1 text was a German version of an article published by a Russian-language pro-Kremin outlet Readovka;
• 2 used content directly copied from news agencies together with some additional sentences in the lede;
• 9 articles used seemingly original text content or video content created from repurposed publicly available older videos with logos of established media added.

For example, a fake Guardian article titled “Video: False Staging in Bucha Revealed!” falsely claimed that the massacre in the Ukrainian town of Bucha was a “provocation” by the Ukrainian military. The same article further falsely claimed that the resignation of the former UK prime minister Boris Johnson was connected to “evidence” that the Bucha massacre was staged by Ukraine, that had been found on an abandoned phone in the Ukrainian city of Lysychansk. An identical English-language text of the article was published by the disinformation website RRN. The source of the false claim was a Russian-language pro-Kremlin Telegram channel.

A clone of the German media outlet WELT published an article criticising sanctions against Russia with the headline “Who is benefiting from a weak Germany?” The article claimed that the United States is the only country not interested in a “strong” Europe and that the economic sanctions against Russia are not efficient. It also called European countries “servants” of the US.

ISD did not identify a German-language source of the article, however the text seems to be an exact translation of a Russian-language article published by a Russian pro-Kremlin website Readovka under the name Vyacheslav Sokolov. Notably, there were no other articles published on Readovka by the same author.

Video metadata analysis

ISD accessed metadata for one of the fake videos, which was posted not just on a fake website and Facebook, but also by a Telegram channel posing as a channel with news about Hamburg.

The video centered around a particularly absurd claim: because of the rising gas prices, German crematoriums raised the prices for cremations, so German pensioners are afraid of dying because they might not be able to afford a cremation. As with many other videos, it used the brand elements and logo of a popular German tabloid, BILD, and used a design deceptively similar to BILD’s own.

The video title “2507OKGBB Einäscherung.mp4” combined the German word “Einäscherung” (cremation) with the code 2507OKGBB, which presumably stands for 25 July and a code, in which the last letter marks the forged media outlet BILD. The combination of numbers and letters was similar to those seen in several other fake URLs:

ww3[.]spiegeli[.]life/article/2607OKGBS.html – a fake Der Spiegel article

news[.]t-onlinr[.]today/article/2307OKGBT.html – a fake T-Online article

video[.]bild[.]pics/article/2607OKGBB.bild.html – a fake BILD article

wvw[.]bild[.]pics/article/2407OKGAB.bild.html – a fake BILD article

video[.]t-onlinr[.]live/article/0408OKGCT.html – a fake T-Online article

The video was created with Adobe Premiere Pro 2019.1 on a Windows computer. The metadata contained information about the 35 clips from which the final video was put together. Several clip names mentioned the original sources – German TV programmes such as “Die Story _ Kontrovers _ BR24” or “RTLZWEI Dokus”. Two identical clip names were in Russian: “Олаф Шольц выступил в защиту поставок тяжелых вооружений Украине (5).mp4” (“Olaf Scholz defended supplying heavy weapons to Ukraine”).

ISD was able to verify the original sources of some of the mentioned clips on YouTube, confirming they contained video elements used in the fake video. This shows that the actors who created this and similar videos used publicly available material that they reassembled and edited.

Other folder names found in the video metadata contained colloquial Russian words: “J:\ЧЕРНУХА_СТРАННАЯ\BILD\bild.aep” and \\?\D:\_Premier\МСК Ф-Коротыши.prproj”. “ЧЕРНУХА_СТРАННАЯ” means “CHERNUKHA_WEIRD”. “Chernukha” is a Russian term for content about dark and depressing topics such as death, diseases and poverty. The video project file was called “МСК Ф-Коротыши.prproj” – “MSK F-Shorties”, presumably referring to “short videos”.

Our findings corroborate the metadata analysis undertaken by Quirum, which found Russian-language names of the video project files: МСК Ф-Германия.prproj and МСК Ф-Германия-2.prproj. The metadata analysed by ISD also indicated that the clock on the computer that the cremation video was produced on was set to GMT+8.

Amplification on Facebook and Instagram

Meta has identified 1,633 accounts, 703 pages and one group on Facebook, and 29 accounts on Instagram associated with this operation.

In our independent research, ISD analysed 123 Facebook pages, two groups and a number of profiles, with new pages and profiles being constantly set up, as the operation was ongoing. In terms of the depiction of these pages, one group of them used names such as “Offene Meinung”, “Opinione aperta” or “Opinion ouverte” (“Open/free opinion” in German, French and Italian). Other pages used names such as “Delicate rk4”, consisting of an English word, two letters and a number; or fictitious names such as “Koch Glover”.

The pages were categorised as “personal blogs”, “beauty salons”, “video game artists” or “restaurants”. The actors who set them up prioritised the amount of pages to an authentic appearence, as Mmany of them also shared exactly the same logo – “F” as in the logo of the German newspaper Frankfurter Allgemeine Zeitung. Most of the reviewed pages had little to no followers and published only a few posts.

Administrators of 11 pages were allegedly based in Ukraine, one page was allegedly administered from France, one from Latvia and three from the United States.

These pages were posting links to the cloned websites, the disinformation outlet RRN and other pro-Kremlin content, as well as running ads for their posts.

Advertising on Facebook

According to Meta, the actors behind the operation spent $105,000 on ads on Facebook and Instagram.

ISD was able to independently identify and analyse 29 Facebook ads. Those identified targeting French audiences received between 1.46 and 1.73 million impressions in total, whereas ads targeting Germany received between 248,000 and 299,000 impressions, and those targeting Italy received between 100,000 and 125,000 impressions.

The pages were running advertisements for the cloned media websites, posts without any media branding, the disinformation outlet RRN, and the website truemaps[.]info.

“Truemaps” is a part of a campaign against supplies of Western weapons to Ukraine run by pro-Kremlin Western influencers. The website truemaps[.]info lists names of children in Eastern Ukraine claiming that they were killed by Western weapons and shows a map of countries supporting Ukraine and supplying weapons. The website was registered on 30 June 2022, and the public part of the campaign started on 8 July, with the German pro-Kremlin blogger Alina Lipp and the Spanish blogger Liu Sivaya recording videos about the map. The videos and the link to the map was published by RRN and later widely shared by pro-Kremlin Telegram channels.

Topics of other ads included: rising energy prices in Europe, the grain crisis, alleged discontent with sanctions against Russia in Germany, supplies of Western weapons to Ukraine and topics around the arrival of refugees from Ukraine in Europe. While some of the ads were removed for violating Meta’s advertising policies, others stayed on Facebook and received up to 500,000-600,000 impressions.

Promoting petitions, campaigns and offline protests 

On 14 July, a Facebook page with the German-language title “Offene Meinung” called for an in-person protest in Riga, Latvia, against the planned return of military conscription. The post, which is now deleted together with the page, was shared in two public pro-Kremlin groups in Latvia, but has not received a large number of shares or interactions.

On 28 July, the page “Tasteful md5”published a post about a protest that allegedly took place in Germany against Western arms  being supplied to Ukraine as a part of the “Truemaps” campaign. The post contained a link to the Truemaps website and a link to a fake BILD article about the protest. Notably, the post contained a mistake in the title of the rally, calling it “Kill children”.

The post presumably aimed to promote the Truemaps websites and inspire similar protests. ISD found that the pictures and videos of the protest that allegedly took place near the defence factory Diehl Defence near Nuremberg were published on 19 July 2022 by the German-language pro-Kremlin Telegram channel of the website ana-de[.]info and widely shared in Russian-language pro-Kremlin Telegram channels and some German-language Telegram channels.

As a part of the campaign, the actors have been sharing petitions, as also identified by DFRLab and Meta. The petitions in German, French, English and Italian were calling for a cessation of arms supplies to Ukraine, a reduction in spending on refugees, and introduction of state control over food prices, blaming the cost of living crisis on a “useless confrontation with Russia”.

Inauthentic profiles

Meta identified 1,633 Facebook profiles in this network. As noted by other researchers, many accounts were using AI-generated profile pictures or pictures stolen from users of other social media platforms.

The profiles that ISD analysed were posting links to the cloned websites or videos with logos of well-known media outlets. They did so either directly on their own profile pages or in comments on posts by popular pages, such as pages of media outlets, private companies and government institutions. The profiles also shared posts by pages from the same network and left comments under these posts to create an impression of an authentic discussion and increase the number of interactions for the posts.

Shares by authentic pages

In several instances, links to the fake domains were shared on Facebook by authentic public pages. On 27 July, local AfD politician Thomas Fetsch shared a link to a fake BILD article on his Facebook page with 990 followers. The article falsely claimed that the majority of Ukrainians want to live in Russia and was based on a forged “survey” published on a fake RBC Ukraine website. The post was later deleted.

On 28 August, an anti-migration page from Saxony with 29,970 followers shared a link to a fake WELT article. This post was also later deleted. It is impossible to identify from open sources whether the admins of this pages shared the fake domains deliberately, or if they fell for the forgery, or noticed it but decided to share the links regardless. Both pages had been previously sharing pro-Kremlin content, and it is possible their audiences are receptive to this messaging.

Activity on Twitter 

The types of accounts could be broken down into two key categories. Firstly, “named accounts,” which appeared more legitimate and used a full name as the Twitter handle; and secondly, “default accounts,” which appeared low-effort in their creation and used the default first name followed by a string of numbers that Twitter initially suggests as a handle upon account creation. Of the “default accounts”, around a quarter posted these links exactly 10 times.

RRN

Actors setting up cloned media websites and inauthentic social media profiles were, in many instances, sharing content from the disinformation website RRN and closely related to it. The website, which was initially registered as “Reliable Russia News” and later renamed into “Reliable Recent News”, publishes pro-Kremlin content in English, German, French, Italian, Chinese and Arabic. It has published debunked false claims on multiple topics including alleged US bioweapon programme in Ukraine and Russian atrocities in Bucha. 

The domain rrussianews[.]com was registered with Russian registrar RU Center on 10 March 2022. Shortly after that, it was promoted on social media by Russian state-affiliated accounts of Rossotrudnichestvo, a government agency responsible for cultural exchange and foreign aid, and also reportedly serving as a cover for Russian spies abroad. On 15 March 2022, a link to one of the articles published by RRN was shared in the Telegram channel associated with Rossotrudnichestvo and by 17 Facebook accounts of “Russian houses” (Russian cultural offices, which are part of Rossotrudnichestvo) in English, Russian, Bulgarian, Spanish, Arabic and Croatian. On 16 March, the same link was shared by four additional Facebook accounts of “Russian houses”. These were the first social media mentions of the domain rrussianews[.]com that ISD could identify.

The domain rrn[.]world without reference to Russia in its name was registered on 6 June 2022. Currently rrussianews[.]com redirects to rrn[.]world and the websites share the same Google Tag Manager ID.

In several instances, content published in German, Italian and English on the cloned media websites imitating The Guardian, Ansa, FAZ or WELT, was identical to the content published by RRN. Inauthentic profiles on Facebook and Twitter were sharing direct links to RRN content and running ads for RRN content. This included not only pro-Kremlin content, but also a link to a quiz posted by RRN and a link to RRN’s Telegram channel. This leads us to the conclusion that RRN is closely related to this influence operation, and might be run by the same or related actors.

Conclusion

The actors behind this aggressive influence operation have invested significant resources into producing large volumes of disinformation content, creating cloned websites and videos with logos of established media, setting up inauthentic profiles, amplifying their content across social media platforms and paying for advertising. Meta’s report noted the persistence with which the actors behind the campaign were setting up new websites as the old ones were blocked, and “an unusual combination of sophistication and brute force”.

Despite these extensive efforts, the impact of the campaign has been limited. According to Meta, a proportion of these pages and ads were detected and removed by automated systems. The actors behind the operation have expended little effort on  making the content look authentic and seem to have concentrated on distribution volume instead. Most of the posts that ISD analysed on Facebook and Twitter have received little to no authentic interaction. Compared with the effort put into creating cloned websites, fake videos and inauthentic accounts, this part of the operation has been largely inefficient.

The actors behind the campaign continue their operation on various platforms. Pro-Kremlin disinformation efforts in Europe at present are concentrating on using the energy crisis particularly in Germany to undermine support for Ukraine, sow discontent and unrest. State authorities, social media platforms and researchers must increase their efforts to investigate and expose these influence campaigns.