September 30, 2019 • Insikt Group®
Click here to download the complete analysis as a PDF.
Insikt Group® used the Recorded Future® Platform, proprietary sources, and underground forum analysis to provide deeper insight into the operations of two of the more sophisticated disinformation vendors on Russian-speaking underground forums. To test the operational capabilities of these vendors, Insikt Group engaged with one threat actor to generate positive disinformation and the other for negative disinformation, both directed at a fictitious company we created.
This report will be of interest to private, public, and political organizations concerned with disinformation campaigns, as well as those interested in how threat actors create and distribute disinformation content throughout the internet.
Editor’s Note: In order to protect Recorded Future sources and operations, this report will use pseudonyms for all involved parties, identifying the threat actors involved with the code names “Raskolnikov” and “Doctor Zhivago,” while the fictitious company involved will be identified as “Tyrell Corporation” for the purposes of this report.
Insikt Group analyzed the operations of two threat actors who were offering disinformation as a service on Russian-speaking underground forums in order to understand the business model of how disinformation is used by cybercriminals, as opposed to nation-states. To do so, we created a fictitious company and commissioned two different threat actors to generate intentionally false narratives across the web.
One threat actor created propaganda in the form of positive PR to make our company seem appealing, while the other generated malicious material accusing that same company of unethical business practices. In the end, we were able to launch both campaigns in less than a month for only a few thousand dollars.
- Disinformation services are publically available on underground criminal forums and are run by criminal threat actors and nation-states.
- Disinformation services are highly customizable in scope, costing anywhere from several hundreds of dollars to hundreds of thousands of dollars, or more depending on the client’s needs.
- Disinformation service providers have the ability to publish articles in media sources ranging from dubious websites to more reputable news outlets.
- Disinformation service providers have the ability to create and maintain social media accounts in bulk and use a combination of both established and new accounts to propagate content without triggering content moderation controls.
Disinformation has been a tactic used in information warfare commonly associated with the statecraft of the Soviet Union throughout the Cold War. Disinformation, or “dezinformatsiya,” is defined by the Great Soviet Encyclopedia as false information with the intention to deceive public opinion. The term was coined by Joseph Stalin, and even the word itself was a form of disinformation; according to Soviet defector Ion Mihai Pacepa, Stalin deliberately gave it a French-sounding name in order to claim that both the term and the tactic originated in Western Europe and was a tool used by the “Capitalist Imperialists” to destroy Communism and the workers’ paradise.
Disinformation operations have existed throughout history and have been used by kings, dictators, and governments throughout the world. Octavian wielded propaganda to destroy the reputation of Mark Antony during the last of the Roman civil wars. The Soviet Union launched a multitude of campaigns slandering Pope Pious XII as “Hitler’s Pope” and distributed copies of the antisemitic “Protocols of the Elders of Zion” throughout Islamic regions of the world to foster religious tensions.1 In another campaign, the USSR spread a conspiracy theory via Indian news outlets that the United States had developed the AIDS virus in a laboratory as a biological weapon.2 The Reich Ministry of Propaganda and Public Enlightenment headed by Joseph Goebbels in Nazi Germany spread propaganda throughout Germany and its occupied territories. Recent disinformation campaigns include attacks against the 2016 and 2018 U.S. elections by the Russian intelligence services, including the GRU and SVR, along with Kremlin-backed media sites RT and Sputnik News.
While in recent years there has been an increased focus on state-sponsored disinformation campaigns, Recorded Future identified that there is also a private-sector market for disinformation and threat actors who are ready to provide the services to those who are willing to pay. In particular, Recorded Future analysts have identified established threat actors operating in the Russian-speaking underground forums offering these services. There, Insikt Group discovered two threat actors advertising such services. For the sake of this report, we will refer to them as “Doctor Zhivago” and “Raskolnikov.” To put their skills to the test, we decided to create a fictitious company located in a Western country to use as our target. We will refer to this company as “Tyrell Corporation.”
We wanted to investigate both aspects of the disinformation spectrum, so we hired Raskolnikov to market Tyrell Corporation with positive PR, and Doctor Zhivago to do the opposite. In Doctor Zhivago’s case, they proposed spreading invented stories of misconduct and poor business practices to damage the reputation of Tyrell Corporation. In the end, both Raskolnikov and Doctor Zhivago delivered on their promises, and Insikt Group discovered that disinformation campaigns, even against a Western company using Western media, could be launched in a timely and affordable manner.
Launching a disinformation campaign was a simple process, and both Raskolnikov and Doctor Zhivago were very informative and helpful. Their services were advertised on popular Russian-language underground forums, where they listed their Jabber and Telegram handles for all to see. Both actors had pricing models showing the cost of content generation so you could budget out your disinformation campaign. Doctor Zhivago’s services were priced very specifically, as seen below:
- $15 for an article up to 1,000 characters
- $8 for social media posts and commentary up to 1,000 characters
- $10 for Russian to English translation up to 1,800 characters
- $25 for other language translation up to 2,000 characters
- $1,500 for SEO services to further promote social media posts and traditional media articles, with a time frame of 10 to 15 days
Raskolnikov, on the other hand, had less specific pricing:
- $150 for Facebook and other social media accounts and content
- $200 for LinkedIn accounts and content
- $350–$550 per month for social media marketing
- $45 for an article up to 1,000 characters
- $65 to contact a media source directly to spread material
- $100 per 10 comments for a given article or news story
We contacted Raskolnikov claiming to be a business owner who needed some media attention for their new company: Tyrell Corporation. Shortly thereafter, we used a different alias to contact Doctor Zhivago, claiming to have a personal grudge against the Tyrell Corporation, who we competed with, and needing Doctor Zhivago’s services accordingly.
Both Raskolnikov and Doctor Zhivago were true salespeople. They patiently answered question after question about what they would do and how they would do it, even providing samples of what they had done in previous operations. After our objectives were agreed upon and payment was made, first our positive and then our negative disinformation campaigns were launched targeting the Tyrell Corporation. In all, the process took less than a month.
Raskolnikov created accounts for Tyrell Corporation on several social media platforms and gathered a following of over 100 users for each account on various platforms. The profiles generally appeared authentic, using images and names of managers from Tyrell Corporation’s website. At this time, we are unsure how many of the followers were trolls or bots, but we did see what appeared to be comments from real people asking questions about the company. This led us to believe that it was probably a combination of both: bots, or trolls, spreading disinformation content that was picked up by real users. There is really nothing suspicious about the Tyrell Corporation’s social media accounts aside from it being a new company.
The next step was publishing articles in the media. Raskolnikov informed us that we could essentially publish as many articles praising our new company as we wanted, so we chose to start with two. Raskolnikov wrote up two separate articles with essentially identical content, and sent them to us for review before publication. The articles were generic, announcing our new, wonderful company — Tyrell Corporation — to the world, and why we were better than the rest. However, the writing was not at the level of a native English speaker and we had Raskolnikov rewrite the articles multiple times until we felt the language could pass for a genuine article in an English-language media outlet.
Raskolnikov provided the following price list for publications where articles could allegedly be published for a U.K.-based disinformation promotion campaign:
In two weeks, the Tyrell Corporation was in the “news” — one of the media sources was a less established media outlet, though the other was a very reputable source that had published a newspaper for nearly a century. While creating and publishing disinformation content with Raskalnikov was bumpy, in the end, the actor delivered, confirming the claim of being able to operate disinformation campaigns in Western countries.
However, of these two threat actors, Recorded Future analysts believe Doctor Zhivago to be the more experienced. This threat actor had been on the underground forums longer than Raskolnikov and had a well-established status. Based on discussions we had with Doctor Zhivago, we believe our primary contact was a Russian national and native Russian speaker, similar to Raskolnikov. In our communications, Doctor Zhivago was politely formal, as well as informative, even providing examples showing publications in some very reputable Russian-language media sources. Doctor Zhivago claimed to work with a team that included journalists, editors, translators, search engine optimization (SEO) specialists, and hackers. Doctor Zhivago maintained that this organization could spread disinformation accusing an individual or company of everything from business misconduct to criminal activity — whatever it took to permanently destroy a reputation.
Since the Tyrell Corporation now had a positive presence on the internet, it was time to see if it could be destroyed. We decided to use Doctor Zhivago to discredit our company’s business practices, staying away from any criminal accusations that could theoretically have real-world implications. Doctor Zhivago estimated that our campaign would take a month or two to go into full effect because a successful disinformation operation happens in phases by gradually introducing an intentionally false narrative in an organic manner. The “proof” for our disinformation needed to come from “real people,” so Doctor Zhivago created them in the form of individual and group accounts on the same major social media platforms that Raskolnikov had used.
Since the Tyrell Corporation was both new and fictitious, there wasn’t any publicly available information for Doctor Zhivago to manipulate. The group submitted a few articles for our review that accused the Tyrell Corporation of manipulating its employees by putting them in compromising situations. The articles stopped just short of accusing the company of criminal offenses, but anyone reading the articles would likely come to the conclusion that the Tyrell Corporation was not reputable and treated its employees as disposable objects. The content was written in much better English than what Raskolnikov had provided us, though there were a few awkward sentences that suggested this too wasn’t the writing of a native English speaker. But like Raskolnikov, Doctor Zhivago was quick to correct these linguistic issues after we provided our feedback. With the articles published, it was now time to spread them throughout Doctor Zhivago’s social media apparatus.
Doctor Zhivago had an organic, layered approach to propagating material throughout social media. First, a group of older accounts — referred to as “aged accounts” — that posted links to the articles they had published in media sources was employed. Then, a new batch of accounts that reposted content from the aforementioned aged accounts to amplify the messages was used. These new accounts befriended citizens living in the same country the Tyrell Corporation was located in to make the campaign more effective by targeting the audience. Doctor Zhivago explained to us that they usually create a few thousand social media accounts when engaging in these types of operations, as only a percentage of them would survive without being banned. Once the operation began, the articles went live on a number of media sites and were referenced throughout the social media platforms by accounts controlled by Doctor Zhivago.
Doctor Zhivago’s list of media resources available for a U.K.-based disinformation campaign can be seen below. Doctor Zhivago broke up the media resources into categories they identified as “low profile,” “medium profile,” and “top level.”
|Low Profile||Medium Profile||Top Level|
|viennatimes[.]com — $600||aboutmanchester[.]co[.]uk — $1,340||reuters[.]com — $8,360|
|amiranews[.]com — $500||stories[.]swns[.]com — $1,340||dailypioneer[.]com — $6,350|
|dailyreleased[.]com – $500||abcmoney[.]co[.]uk — $1,340||econotimes[.]com — $6,685|
|xulnews[.]com — $500||calculator[.]co[.]uk — $1,340||mashable[.]com — $13,370|
|thesocialmagazine[.]com — $600||fortuneherald[.]com — $1,340||chamberofcommerce[.]com — $6,020|
|westernrelease[.]com — $600||newstoday[.]co[.]uk — $1,340||newsmax[.]com — $6,685|
|broowaha[.]com — $500||techradar[.]com — $18,385|
|srjnews[.]com — $650||techtimes[.]com — $4,010|
|lovebelfast[.]co[.]uk — $560|
|talk-business[.]co[.]uk — $600|
|15zjazd.whus[.]pl — $100|
|businessexponow[.]co[.]uk — $400|
|esrel2016[.]org — $400|
|internet-directory-web[.]com — $400|
From our research, Insikt Group discovered that launching a disinformation campaign is alarmingly simple and inexpensive. Recorded Future spent a total of $6,050 on both campaigns, with $1,850 going to the initial promotion by Raskolnikov, and $4,200 going to Doctor Zhivago for the negative disinformation to discredit our fictitious company.
Disinformation services are publically available on the underground criminal forums, and accessible to private sector clients — not only nation-states. These services are affordable and customizable. Their operators work in teams to publish articles on media websites and to propagate that material throughout social media accounts under their direct control.
They are willing to go to extreme lengths to accomplish their tasks, including filing false accusations with law enforcement against target entities. In the case of Doctor Zhivago, the threat actor offered to file a complaint against our fictitious company for involvement in human trafficking. And even though we used the Raskolnikov threat actor to promote Tyrell Corporation, Raskolnikov also offered a “takedown service” should we ever need to get even with another individual, set someone up at their place of work, destroy a competitor’s reputation, counter an opponent’s disinformation attack, or even “sink an opponent in an election.”
Today, the Tyrell Corporation lives on in social media and search engine results. Googling the domain name will present the unfavorable content created by Doctor Zhivago, though searching the company name directly will produce the positive articles and social media accounts created by Raskolnikov. If our experience is any indication, we predict that disinformation as a service will spread from a nation–state tool to one increasingly used by private individuals and entities, given how easy it is to implement.