Russian Op 3: The Blue Man and the Mole

Fake accounts targeted Ukraine with suspect documents and “leaks”

@DFRLab
Jun 22

This article is part of a series analyzing the various aspects of the suspected Russian intelligence operation. Our top post summarizes these findings.

Russian First: Meet The Blue Man

The Russian operation’s oldest and most prolific persona was a Russian-language account whose profile picture was a blue-shaded picture of Russian anti-corruption campaigner Alexei Navalny. Facebook identified the account on its platform as part of the operation and took it offline.

Unlike almost all of the operation’s other assets, the “Blue Man” persona posted early and often. On Facebook, its profile picture and first posts were uploaded on March 10, 2015, indicating the likely creation date. A Livejournal account using the same name and profile picture began posting even earlier, in January 2014.

An analysis of this account shows how long the operation lasted, how consistently it amplified Russian geopolitical narratives, and how closely the operation’s different language sections worked together, once they were launched. The Russian-language operation was not a separate effort: it led to all the rest.

This persona worked across platforms. Accounts with the same name and profile picture posted bylines on a range of Russian-language blogs and forums, including cont.ws (55 articles since April 2015), politikus.ru (19 articles since February 2016), and especially Livejournal (200 entries since January 2014). The same articles appeared on multiple forums under the same byline.

The posts were routinely hostile to Ukraine’s government and President Petro Poroshenko, as well as to the West in general and NATO in particular.

The Same Techniques, Repeated

Facebook attributed this account to the Russian operation. Other evidence supports that attribution. While the Blue Man persona was far more active and repetitive than other accounts in the network and began much earlier, it employed the same essential working methods.

For example, on September 29, 2016, the Facebook page shared an article from politikus.ru headlined (in Russian) “NATO: A tradition of bioterrorism from Vietnam to Ukraine.” The article, archived here, was published on September 28, 2016. That same day, the Blue Man persona posted the identical article to Livejournal and another blog forum, actuallno.com.

The Russian-language articles claimed to be translations of an English-language source on a site called articlesreader.com. The English article, dated September 27, did not have a byline. Its use of English was distinctly non-native and contained grammatical errors characteristic of native Russian speakers, including confusion over the use of the grammatical articles “a” and “the” and over the word order in questions.

“The ensuing events remind the thriller from the 90s.”

“By the way, whether Ukraine could be considered the Convention member, if it has left behind their communist past and Soviet obligations?”

“It occurs that the USA puts in the crossfire its own NATO allies just for conducting its illegal research. (…) Everything is subjugated to interests of a militarized alliance working for benefits of a certain superpower.”

The article opened with the words “As is known,” an unlikely lede in English news writing, but one that is acceptable in Russian journalism in the form of “как известно,” as in the below articles from state news wire RIA Novosti. Overall, the English version looked like a translation from Russian, not the other way around.

While all of the Russian articles pointed to articlesreader.com as their source, the English variant appeared in one other location the same day: Medium. The Medium post was attributed to an author called “Dolan Moss.” As of May 31, 2019 — almost three years after “he” published the article — this article remained the author’s sole contribution, although a user of the same name posted the same article on quora.com, also on September 27, 2016.

This was exactly the behavior of the Russian operation in other cases: create a fake persona with no biographical details, use it to post one article to multiple locations including Medium, and then build other articles in other languages, pointing back to it.

The Secret Diary of Anonymous Mole

Many of the articles attributed to the Blue Man persona concerned Ukraine, especially in 2014–2015, as the conflict in the Donbas region broke out and Russian regular army forces fought in Ukraine. These articles were anti-Ukrainian in general and hostile to former Ukrainian President Petro Poroshenko in particular.

One of the more intriguing aspects of these anti-Ukrainian posts was their sourcing. A number of later articles and posts published by the Blue Man were based on a Telegram channel called “Кріт СБУ” (translated from Ukrainian, “SBU Mole,” the SBU being the Ukrainian security services). This channel claimed to be a “serving colleague of the SBU,” offering “insider stories, leaks, and analysis” to discredit the service and Ukraine’s government.

For example, on April 12, 2019, the so-called Mole published what it alleged to be a number of satirical and anti-Semitic cartoons drawn by SBU cartoonists to attack Volodymyr Zelenskiy, then-candidate for the Ukrainian presidency (and now president). The Mole argued that the Ukrainian security services were secretly plotting to keep Poroshenko in power, despite his electoral weakness. It did not provide any means of verifying the cartoons.

The same day, the cartoons were republished on a website called sbu.ua, which claimed to be an activist site dedicated to giving Ukrainians “access to all the nuances of confidential and non-public material.” The site did not name the author.

On April 16, the Blue Man persona bylined an article that amplified the cartoons, without mentioning the Mole (it attributed them to sbu.ua). The persona posted the article on blog forums newsland.com, pikabu.ru, and the operation’s Facebook page. This was the Facebook page’s last post.

On another occasion, on April 5, the Mole posted a photo of what it claimed were instructions to the SBU to use force against demonstrators in a bid to keep Poroshenko in power. The photo showed a sheaf of brightly colored printouts on a desk. Again, there was no way of verifying the photo. (Elsewhere, this operation used similar techniques to post forged documents that it then used as the basis for false stories.)

On April 8, an article using the same image, attributed to the Mole, appeared on an unmoderated blog site called “Я корреспондент” (translated from Russian, “I am a correspondent”), korrespondent.net. It was bylined by a user called “Forsa Leonid” (ФОРСА ЛЕОНИД) whose profile picture showed an unidentifiable male. This was the user’s only contribution.

The following day, a second Russian-language article on a blog forum called aftershock.news amplified the “leaks.” It did not mention the Mole; instead, it attributed them to “Ukrainian social networks” and linked to the korrespondent.net post. Again, the “author” did not have an identifiable profile picture and this article was its only contribution. On April 10, the Blue Man Facebook account shared the aftershock.news version of the story.

This was the same technique, but once further removed: from the Mole, through two blog posts by unidentifiable, single-shot user accounts, to the Blue Man Facebook persona.

The Blue Man persona was part of the Russian operation, as Facebook found. What remains unclear is whether the “Mole” account was part of it as well. The “Mole” account served as a source for “leaks” that may have been forgeries and, thus, enabled some of the operation’s articles; whether it was part of the same operation or a separate endeavor, however, requires further research.

Peggy Or Not

Not all of the Blue Man’s articles concerned Ukraine, and those that did not followed the same operational pattern, amplifying posts by single-shot authors who reported on unverified leaks. One case in particular highlighted the importance of the Blue Man persona to the broader Russian operation.

On April 25, 2018, the persona posted an article on newsland.com accusing the West of “refusing to support” the Azerbaijan opposition. The claim was based on a letter allegedly sent by Azeri journalist and human rights campaigner Emin Huseynov to Marc Behrendt, the Director of Europe and Eurasia Programs at Freedom House.

The Blue Man attributed the article to a separate blog forum, onkavkaz.com, where it was posted five days earlier. As so often, it was posted there by a user whose profile picture was unidentifiable (the silhouette of a skier) and who only posted once. The article did not receive any responses.

Despite the lack of response, on April 24–26, three translations of the article appeared online, in English, French, and German (since deleted). The English version was posted to Medium, yet again, by a user called “Peggy Eads,” who never posted anything else. A user with the same name posted the same article on the same day to blog sites indybay.org (since deleted), scoop.it, urban75.net (rejected by moderators as a “Putinbot”), playbuzz.com, and thestudentroom.co.uk.

This user did have a profile picture, but it was copied from an ad for cultured milk product Vitagen, featuring model Felicia Chin.

This is a textbook example of the Russian operation’s work. It used a single-shot account on a fringe blog site to post a probable forgery, alleging geopolitical plots between pro-democracy groups. It then used other single-shot accounts on other sites, notably Medium and the German mein-suedhessen.de (repeatedly used by the operation), to amplify it; and then it used the Blue Man persona for further amplification.
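The pattern in this case and in the earlier “Dolan Moss” case (one text posted to several sites within days by accounts that never posted anything else) can be screened for mechanically. The sketch below is an added example, not part of the original article or DFRLab’s tooling; the records, field names and thresholds are constructed assumptions, and exact-text matching only links same-language copies, not translations.

```python
import hashlib
import re
from collections import Counter, defaultdict
from datetime import date

LEAK = "Leaked letter shows the plot."
WIRE = "City council approves new budget."
# Constructed sample rows (site, author, day of April 2018, text); not investigation data.
_ROWS = [
    ("blog-a.example", "persona_x", 24, LEAK),
    ("blog-b.example", "persona_x", 24, "  leaked LETTER shows the plot. "),
    ("blog-c.example", "persona_x", 25, LEAK),
    ("blog-d.example", "persona_y", 26, LEAK),
    ("blog-a.example", "regular_1", 24, WIRE),
    ("blog-b.example", "regular_2", 24, WIRE),
    ("blog-c.example", "regular_3", 25, WIRE),
    ("blog-a.example", "regular_1", 10, "Older post one."),
    ("blog-b.example", "regular_2", 11, "Older post two."),
    ("blog-c.example", "regular_3", 12, "Older post three."),
]
POSTS = [{"site": s, "author": a, "day": date(2018, 4, d), "text": t}
         for s, a, d, t in _ROWS]

def fingerprint(text):
    """Hash of case- and whitespace-normalized text, so trivial edits still match."""
    norm = re.sub(r"\s+", " ", text).strip().lower()
    return hashlib.sha256(norm.encode("utf-8")).hexdigest()

def find_single_shot_clusters(posts, min_sites=3, max_days=3, min_single_ratio=0.75):
    """Flag texts cross-posted to many sites in a short window by one-post accounts."""
    # An account is a (site, author) pair; count everything it ever posted.
    totals = Counter((p["site"], p["author"]) for p in posts)
    groups = defaultdict(list)
    for p in posts:
        groups[fingerprint(p["text"])].append(p)
    flagged = []
    for fp, group in groups.items():
        sites = {p["site"] for p in group}
        accounts = {(p["site"], p["author"]) for p in group}
        days = [p["day"] for p in group]
        span = (max(days) - min(days)).days
        ratio = sum(1 for a in accounts if totals[a] == 1) / len(accounts)
        if len(sites) >= min_sites and span <= max_days and ratio >= min_single_ratio:
            flagged.append({"fingerprint": fp, "sites": sorted(sites),
                            "span_days": span, "single_shot_ratio": ratio,
                            "first_seen": min(days)})
    return sorted(flagged, key=lambda c: c["first_seen"])
```

The wire story in the sample is also cross-posted to three sites, but its authors have posting histories, so only the leak cluster is flagged; a hit is a lead for manual review, not an attribution.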

In articles such as this, the Russian-language operation interlocked seamlessly with the content in other languages.

Local Friends

The Blue Man persona was by far the most active persona used by the operation in any language. Two other personas posted in Russian and Ukrainian, but neither appears to have been highly active.

These three accounts stand out from the rest of the operation because they had substantial numbers of friends, many of them apparently associated with the separatist and/or pro-Russian communities of eastern Ukraine. One largely Ukrainian-language account had over 300 friends; the Blue Man counted around 1,000.

Curiously, two of his friends listed themselves as working for “News-Front,” a pro-separatist outlet based in Crimea that, according to a whistleblower interviewed by German newspaper Die Zeit in 2017, is funded and commanded by Russian intelligence.

These followings likely gave the accounts greater reach and the ability to spread their messaging more effectively; they may also have enabled the operation to infiltrate or recruit in these communities.


Ben Nimmo is Senior Fellow for Information Defense at the Atlantic Council’s Digital Forensic Research Lab (@DFRLab).

Michael Sheldon is a Digital Forensic Research Associate at the DFRLab.


DFRLab

@AtlanticCouncil’s Digital Forensic Research Lab. Catalyzing a global network of digital forensic researchers, following conflicts in real time.
