
Operation Secondary Infektion Continues Targeting Democratic Institutions and Regional Geopolitics

August 17, 2021 • Insikt Group®


Editor’s Note: The following post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.

The following report is an update to Insikt Group’s April 2020 publication “Intent to Infekt: ‘Operation Pinball’ Tactics Reminiscent of ‘Operation Secondary Infektion’”, which investigated a long-running, Russian-linked information operation that the broader research community has named “Operation Secondary Infektion”. This report examines new findings and recent case studies, and analyzes the Tactics, Techniques, and Procedures (TTPs) and motivations of those responsible for this information operation against international audiences. It contains information gathered using the Recorded Future® Platform as well as several OSINT enrichment tools.

Executive Summary

Operation Secondary Infektion is a longstanding information operation of likely Russian state-sponsored origin. First appearing as early as 2014, the campaign takes its name from Operation Infektion (known to the East German Stasi as Operation Denver), a 1980s information operation intended to convince the international community that the US military had developed HIV/AIDS at a biolab research facility in Fort Detrick, Maryland. According to Soviet KGB cables, the influence effort was meant to demonstrate that the biolab-developed virus ultimately “spun out of control” and was released into the wild. It was only in 1992, after the fall of the Soviet Union, that then-Foreign Intelligence Service (SVR) Director Yevgeny Primakov admitted that the Russian KGB had been behind Operation Infektion.

Like Operation Infektion, Secondary Infektion relies on forgeries and fake media that attempt to enter local sources and penetrate mainstream news, typically targeting democratic governments and institutions abroad with stories intended to generate rage, confusion, and doubt in regional geopolitics. The operators behind Secondary Infektion take a keen interest in the affairs of governments operating in the former Soviet Bloc as well as those governments’ domestic challenges. We believe that, with these intentions in mind, Secondary Infektion directly supports the pillars of what is known as Russian Active Measures information operations (активные мероприятия), which are commonly at the behest of Russian security services and the Kremlin.

Over the last several years, as documented by both Recorded Future and other researchers, Secondary Infektion has demonstrated persistence in its messaging and an ability to organize and repeat a process that we believe is highly likely to be run by nation-state sponsored influence actors. Furthermore, its consistent narrative of other regional powers as aggressors interfering in the affairs of sovereign governments and territories supports historical Russian state rhetoric of “Russia as regional protector”. This concept is manifested through diplomatic involvement and military intervention, with Russia in its self-designated role as a force ensuring self-determination and justice in the “near abroad”, although these objectives are often fueled by Russia’s interest in countering the West.

These narratives are manufactured to achieve Russia’s broader strategic and geopolitical objectives. We judge that a combination of these factors, including strategic geopolitics, interest in regional affairs, and target language(s), including Russian, points to an information operation of Russian state-sponsored origin.

Key Findings

  • Operation Secondary Infektion remains an ongoing information operation in present-day 2021, though the volume of forgeries and articles has declined from its peak of activity between 2014 and 2020. Nonetheless, we expect that these influence activities will almost certainly continue.
  • We believe that it is highly unlikely that Secondary Infektion affected the 2020 US election cycle. The election did not appear to be a priority for this operation, which instead seemingly prioritized influencing regional Eastern European geopolitics. Despite this, Secondary Infektion operators used politically and socially divisive narratives prominent in US society to advance their strategic objectives on those European audiences and populations, particularly those that speak Russian, Ukrainian, and other regional languages.
  • We identified strong evidence that Secondary Infektion operators attempted to infiltrate and influence individuals associated with, or ideologically aligned to, the far right in the US in at least 1 event on 4chan, by attempting to fuel anti-Muslim sentiment and exacerbate COVID-19 disinformation.
  • Though Secondary Infektion has to date relied on single-use personas to disseminate disinformation, we have identified at least 2 personas used more than once: 1 imitating a branch of the Anonymous collective, and the other a self-described French-speaking Armenian blogger.
  • Secondary Infektion largely remains ineffective in penetrating the mainstream (including social media such as Reddit, and prominent news outlets), in part due to the rigor of platform-based suspension features, the alertness of forum moderators, and the visibility of these tactics to the broader research community.
  • Prominent US political figures are likely to remain unwitting subjects of attempted Secondary Infektion disinformation efforts aimed at European audiences. Furthermore, there is little doubt that the US and its Western allies are, and are likely to remain, the primary focus of Secondary Infektion messaging, and are likely themselves targets.
  • Thus far, Secondary Infektion’s tactics, techniques, and procedures (TTPs) remain almost exclusively based on static media, meaning “photoshopped” screenshots and images of forged documents. Although there is no evidence of their use at this time, it is possible, although unlikely, that the individuals behind this operation will produce deep fakes, altered video, and edited audio.
  • We strongly believe that Secondary Infektion remains a consistent but stagnant information operation, with little innovation or significant change in its TTPs. In many ways, these repeated processes, carried out with little adjustment despite their results, are representative of a concerted, organized, institutional effort.
