GRU and the Minions
On September 24, Facebook took down some 300 assets that it attributed to members of Russia’s military, including the military intelligence services. Several other social media platforms took down related assets at the same time.
Russian military units have been exposed for running numerous influence operations in recent years. Most notoriously, the military intelligence service known as the GRU interfered in the 2016 U.S. presidential election by hacking emails from the Democratic National Committee and the Clinton campaign and releasing them online. Other known Russian military operations have focused on the Ukraine and Syria conflicts, Russia’s regional rivalries with Japan and in the Arctic, President Emmanuel Macron’s emails in 2017 in France, the poisoning of former spy Sergei Skripal in the UK in 2018, and the World Anti-Doping Agency, among others.
Facebook said that the networks it took down were “linked to the actors associated with election interference in the US in the past, including those involved in ‘DC leaks’ in 2016,” but underscored that it had “not seen the networks we removed today engage in” hack-and-leak efforts. In 2016, the GRU used a persona that had largely posted about geopolitics and conflict, Alice Donovan, to create the DCLeaks Facebook page.
The assets that were taken down formed several distinct clusters, widely different in targeting and timespan, and running in Russian, English and Arabic: as such, this takedown appears to represent a range of different Russian operations run by different entities in different locations, rather than a single operation. Some of the assets were left over from efforts that ended in mid-2014; their detection is likely a result of the platforms’ increased ability in uncovering such operations. Others were recent creations and may have been set up to replace earlier assets.
Shortly before the takedown, Facebook shared a list of the assets with Graphika for independent analysis. This report presents an initial overview of the findings.
The assets in this takedown aimed at targets beyond Russia’s borders to the North, East, South and West. As with earlier operations from various Russian actors, different clusters posted about the Arctic; security and territorial claims in Japan and North Korea; the Syria and Ukraine conflicts; Russia’s rivalry with Turkey; and NATO’s presence throughout Eastern Europe. A very small proportion of the activity focused on U.S. domestic politics, notably by creating a fake outlet designed to appeal to Black audiences. Only the earliest assets, which focused on Ukraine in early 2014, were associated with hack-to-leak operations.
Most of the clusters in the takedown operated across multiple platforms. Beyond Facebook and Instagram, Graphika discovered related accounts on Twitter, YouTube, Medium, Tumblr, Reddit, Telegram, Pinterest, WordPress, Blogspot and a range of other blogging sites. The majority of the content consisted of long-form articles, typically supporting Russia and its allies while attacking NATO, the United States, Japan, Ukraine and/or Turkey.
None of the clusters built a viral following. The largest group on Facebook, which posted in English on the Syrian conflict, had 6,500 members; the largest page, which posted in Russian about political and military news, had 3,100 followers.
Ben Nimmo
Head of Investigations
Ben Nimmo was Head of Investigations at Graphika, where he led an expert team of OSINT investigators in detecting, identifying and analyzing inauthentic behavior and information operations online. He specializes in analyzing patterns of online disinformation and influence operations across varying platforms and geographical regions. He is now the Principal Investigator, Intelligence & Investigations at OpenAI.
Camille François
Chief Innovation Officer
Camille François works on cyber conflict and digital rights online. She was the Chief Innovation Officer at Graphika, where she led the company’s work to detect and mitigate disinformation, media manipulation and harassment.
C. Shawn Eib
Analyst
Léa Ronzaud
Senior Analyst
Léa Ronzaud leads monitoring and investigations into the detection and tracking of Russian influence operations and violent extremist groups. She also researches nihilistic violent extremism and hacktivism. Léa’s work has helped disrupt efforts by extremists in multiple countries to orchestrate real-world harm and exposed the inner workings of nation-state influence operations from Russia, China, and Iran.
Joseph A. Carter
Vice President, Customer Success and Operations
Joseph Carter was Vice President, Customer Success and Operations, at Graphika.
Download the complete PDF
The full report includes the complete network graph maps, raw attribution indicators, cross-platform topology analysis, and the full takedown timeline with platform-level data.
- Full network graph visualizations
- Attribution indicators with confidence scores
- Raw behavioral modeling data
- Takedown coordination timeline
Related Reports
Falsos Amigos
Network of Domains and Social Media Accounts Uses AI Tools to Launder Reports From Chinese State Media Outlet CGTN in Multiple Languages
Read the Report
How to Lose Influence and Alienate People
Examining the Activities of Russian State-Controlled Media on Facebook and Instagram One Year After the Invasion of Ukraine
Read the Report
Rumores Renovables
Analyzing the Online Ecosystem of Spanish-Speaking Communities Opposed to Renewable Energy Initiatives
Read the ReportSee How Graphika Can Help Your Team Act on This Intelligence
This report is one of 600+ investigations Graphika’s team has published. Our platform gives your analysts continuous access to the same intelligence — plus the tools to apply it to your specific threat environment.