Thursday September 24, 2020
GRU and the Minions
Ben Nimmo, Camille Francois, C. Shawn Eib, Léa Ronzaud and Joseph Carter
Further Exposures of Russian Military Assets Across Platforms, 2013-2020
On September 24, Facebook took down some 300 assets that it attributed to members of Russia’s military, including the military intelligence services. Several other social media platforms took down related assets at the same time.
Russian military units have been exposed for running numerous influence operations in recent years. Most notoriously, the military intelligence service known as the GRU interfered in the 2016 U.S. presidential election by hacking emails from the Democratic National Committee and the Clinton campaign and releasing them online. Other known Russian military operations have focused on the Ukraine and Syria conflicts, Russia’s regional rivalries with Japan and in the Arctic, President Emmanuel Macron’s emails in 2017 in France, the poisoning of former spy Sergei Skripal in the UK in 2018, and the World Anti-Doping Agency, among others.
Facebook said that the networks it took down were “linked to the actors associated with election interference in the US in the past, including those involved in ‘DC leaks’ in 2016,” but underscored that it had “not seen the networks we removed today engage in” hack-and-leak efforts. In 2016, the GRU used a persona that had largely posted about geopolitics and conflict, Alice Donovan, to create the DCLeaks Facebook page.
The assets that were taken down formed several distinct clusters, widely different in targeting and timespan, and running in Russian, English and Arabic: as such, this takedown appears to represent a range of different Russian operations run by different entities in different locations, rather than a single operation. Some of the assets were left over from efforts that ended in mid-2014; their detection is likely a result of the platforms’ increased ability in uncovering such operations. Others were recent creations and may have been set up to replace earlier assets.
Shortly before the takedown, Facebook shared a list of the assets with Graphika for independent analysis. This report presents an initial overview of the findings.
The assets in this takedown aimed at targets beyond Russia’s borders to the North, East, South and West. As with earlier operations from various Russian actors, different clusters posted about the Arctic; security and territorial claims in Japan and North Korea; the Syria and Ukraine conflicts; Russia’s rivalry with Turkey; and NATO’s presence throughout Eastern Europe. A very small proportion of the activity focused on U.S. domestic politics, notably by creating a fake outlet designed to appeal to Black audiences. Only the earliest assets, which focused on Ukraine in early 2014, were associated with hack-to-leak operations.
Most of the clusters in the takedown operated across multiple platforms. Beyond Facebook and Instagram, Graphika discovered related accounts on Twitter, YouTube, Medium, Tumblr, Reddit, Telegram, Pinterest, Wordpress, Blogspot and a range of other blogging sites. The majority of the content consisted of long-form articles, typically supporting Russia and its allies while attacking NATO, the United States, Japan, Ukraine and/or Turkey.
None of the clusters built a viral following. The largest group on Facebook, which posted in English on the Syrian conflict, had 6,500 members; the largest page, which posted in Russian about political and military news, had 3,100 followers.