Secondary Infektion redux? Suspected Russian intelligence operation targets Greenland

The operation employed the same strategy as an earlier suspected Russian disinformation operation

(Source: @nikaaleksejeva/DFRLab via Indybay.org and Perevodika.ru)

One-off accounts used English and Russian self-publishing platforms to spread a forged letter suggesting that Greenland is striving for independence from Denmark and greater cooperation with the United States.

Attempting to pass off forged letters is a tactic of deceit that has been around since the invention of writing. With the advent of the internet and the increased sophistication of image editors, such deceit can now be perpetrated in a more targeted and seemingly more authentic way that nevertheless has the opportunity to go broadly viral. In this circumstance, as a possible means of political subversion, the perpetrators gin up official-looking documents, likely in an attempt to inject chaos into diplomatic relationships.

In June 2019, the DFRLab uncovered the strategy of using one-off “burner accounts” on self-publishing platforms to promote forged letters in the context of a suspected Russian intelligence operation, nicknamed “Secondary Infektion.” In this earlier operation, the forged letters supported a series of broader disinformation narratives, including false allegations that the “radical opponents of Brexit” were planning to assassinate British Prime Minister Boris Johnson, that the pro-Kurdish opposition in Turkey had lost the support of the European Union, that “liberal forces” in the European Union had launched a “war against the right,” and that the United States was planning a chemical attack in Venezuela to justify a military intervention.

While the operation appears similar in structure to Secondary Infektion, as the publishing and amplification patterns seem eerily close, there is no clear evidence that this incident is related to the earlier operation.

The story

A copy of a forged letter allegedly signed by Ane Lone Bagger, Greenland’s Minister of Education, Culture, Church, and Foreign Affairs, and addressed to U.S. Senator Tom Cotton appeared on the English self-publishing site Indybay and a number of Russian-language forums. The letter suggested that Greenland is ready to “overcome all legal and political barriers on that way and to organize the referendum of independence of Greenland from Denmark as fast as possible.” In the letter, Bagger allegedly asks Cotton for a 30 percent increase in financial support for organizing the referendum.

As with the forged documents in Secondary Infektion, the letter contained many grammar errors and stylistic mistakes that are not characteristic of official correspondence and that resemble those commonly made by native Russian speakers with an intermediate grasp of English. (The Russian embassy in Denmark denied responsibility for the letter in a Facebook post.)

A copy of the forged letter with language errors highlighted. (Source: @nikaaleksejeva/DFRLab via Indybay.org/archive)

Danish media outlet Politiken reached out to the Minister’s office, which stated that the letter was a forgery. A couple of experts interviewed by Politiken suggested that the forged letter likely came from Russia. For example, Steen Kjærgaard, a military analyst with the Defense Academy in Denmark, told Politiken that Russia has an obvious interest in “separating Greenland from Denmark and sowing distrust between Denmark and the United States.” Open-source evidence discovered by the DFRLab corroborated the attribution.

The source

The false article originally appeared on the self-publishing platform Indybay.org on November 5, 2019, under the name “Kirk Miller.” Indybay.org was also used as a part of Secondary Infektion, but, because it is a self-publishing platform, it is insufficient as proof of a relationship to that earlier operation. This piece was the sole article by this author on Indybay. The same day, a Reddit account under the same name was created, published the same story, and never posted again.

A user persona called Kirk Miller published the false story on Indybay.org, then created a Reddit account for amplifying it on the same day. (Source: Indybay.org/archive, top; Reddit/archive, bottom)

The amplifiers

According to social media listening tool BuzzSumo, Kirk Miller’s publication on Indybay amassed very little engagement.

Engagement for Miller’s Indybay article on social media. (Source: @nikaaleksejeva/DFRLab via BuzzSumo)

Besides Reddit, the article garnered some engagement on Facebook. An anonymous Facebook user named Ruslon Belyi posted a link to Miller’s article on Indybay with the accompanying text in Russian. Soon after, he posted a link to another publication — a Russian translation of Miller’s article. The translation was hosted on the website Perevodika.ru.

Translations of Ruslon Belyi’s posts about the false letter. (Source: Ruslon Belyi/archive, top; Ruslon Belyi/archive, bottom)

Google Search results returned six publications with the same title as the one Perevodika.ru used.

The translator of the Perevodika article was a user named “alinadushanina.” Google search results showed the translation was this user’s only publication on the Perevodika website.

Perevodika’s translator, alinadushanina, published just one translation. Its title read: “Greenland: How much does a deal with the Devil cost?” (Source: Perevodika/archive, left; Google/archive, right)

A user named “Bazon Hiksa” shared alinadushanina’s article on Yandex Zen, a content aggregation and sharing platform by Yandex, a search engine owned by a Kremlin-linked entity and Google’s main competitor in the Russian market. Unlike “alinadushanina,” “Bazon Hiksa” had a prior posting history on Yandex Zen. On its profile, the account indicated that it shares content about the “Arctic, Africa, South America, and Caribbean.”

Furthermore, on November 8, a user named “svetnikity” posted an article with the same title on a Latvian regional website in Russian, D Fakti, and an Azerbaijani web forum, Disput.az. On Disput.az, the user posted under the name “Svetlana Nikityuk” and claimed to be based in the city of Baranavichy, Belarus. On both websites, the article was the only publication the user had ever posted.

User svetnikity, or Svetlana Nikityuk, posting an article titled: “Greenland: How much does a deal with the Devil cost?” (Source: D Fakti/archive, left; Disput.az/archive, right)

Finally, a persona named “Platon Butko” published the title and the lead sentence of the article in Russian on the Ukrainian regional media outlet Berdichevsky Poglyad, which also included a link to the same story on another Ukrainian regional blogging platform, Gorod.dp.ua. Both publications appeared on November 11. On both platforms, it was the only post this user had ever published (yellow boxes). “Platonbutko’s” account on Gorod.dp.ua was created the same day as the article was published (blue boxes).

Platon Butko published only one article (yellow boxes) on self-publishing platforms, on the same day an account under the same name was created on Gorod.dp.ua (blue boxes). The pink and green boxes link to content that Berdichevsky Poglyad’s article referenced. (Source: Berdichevsky Poglyad/archive, top left; Gorod.dp.ua/archive, top right; Google/archive, bottom left; Gorod.dp.ua/archive, bottom right)

Conclusion

The tactic used here — the creation of one-off accounts to host content on self-publishing platforms — suggests that the coordinators of this operation maintained a degree of operational security (OPSEC). OPSEC, which describes measures taken to keep activity covert, is of chief importance to intelligence operations but less critical to social media marketers or influencers. The high degree of OPSEC was one of the forensic clues the DFRLab used to identify the earlier operation as emanating from a well-resourced and sophisticated actor. If this is an intelligence operation, which — as mentioned — would necessitate OPSEC, the perpetrators are unlikely to achieve much success, as the OPSEC itself means that these one-off accounts will not have built an audience to which the forged letters can be posted and therefore will likely fail to gain much traction.

Another tactic — the planting of forged letters across multiple platforms — also suggested that a similar actor may have been behind both operations. In the operation the DFRLab uncovered in June, forged documents featured in five of the seven disinformation campaigns the DFRLab identified. While the open-source evidence did not conclusively point to a single actor behind both operations, the tactics underlying both were similar.
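The two forensic clues described above (one-off accounts, and the same item planted across several platforms) can be turned into a simple triage check. The sketch below is an added example, not DFRLab's tooling: the records are constructed sample data, and the field layout, function names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample records (not data from the investigation), one per post:
# (platform, account, account_created, account_post_count, posted, title)
POSTS = [
    ("forum-a", "user_one", date(2019, 11, 5), 1, date(2019, 11, 5), "Example Title: A Forged Letter?"),
    ("forum-b", "user_two", date(2019, 11, 8), 1, date(2019, 11, 8), "example title - a forged letter"),
    ("blog-c", "user_three", date(2019, 11, 11), 1, date(2019, 11, 11), "Example title: a forged letter?"),
    ("aggregator-d", "longtime_sharer", date(2017, 3, 2), 240, date(2019, 11, 9), "Example Title: a forged letter?"),
    ("forum-a", "regular_member", date(2015, 6, 1), 85, date(2019, 11, 6), "Weekend farmers market schedule"),
]

def normalize(title):
    """Lower-case and drop punctuation so reposts with small edits still match."""
    kept = "".join(c if c.isalnum() or c.isspace() else " " for c in title.lower())
    return " ".join(kept.split())

def is_burner(created, post_count, posted, max_age_days=1):
    """One-off account: a single post, made within max_age_days of sign-up."""
    return post_count == 1 and 0 <= (posted - created).days <= max_age_days

def find_campaigns(posts, min_platforms=3, min_burner_share=0.5):
    """Group posts by normalized title and flag titles that appear on several
    platforms where most of the posting accounts look like burners."""
    clusters = defaultdict(list)
    for row in posts:
        clusters[normalize(row[5])].append(row)
    flagged = []
    for title, rows in clusters.items():
        platforms = sorted({r[0] for r in rows})
        burners = sorted(r[1] for r in rows if is_burner(r[2], r[3], r[4]))
        established = sorted(r[1] for r in rows if r[1] not in burners)
        if len(platforms) >= min_platforms and len(burners) / len(rows) >= min_burner_share:
            flagged.append({"title": title, "platforms": platforms,
                            "burners": burners, "established": established})
    return flagged

if __name__ == "__main__":
    for hit in find_campaigns(POSTS):
        print(hit)
```

Established accounts that reshare a flagged title are reported separately rather than discarded, since an amplifier with a prior posting history is a different lead from the burner accounts.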

