#TrollTracker: Russia’s Other Troll Team

Mueller points to existence of second Russian troll operation focused on activist groups and foreign policy

@DFRLab

Special Prosecutor Robert Mueller’s indictment of 11 Russian military intelligence operators intensified the debate over Russian interference in the United States, but it also pointed to the existence of a separate Russian troll operation, outside the infamous Internet Research Agency troll farm.

The operation combined hackers, a fake grassroots campaign, fake social media accounts, non-existent journalists, and a dedicated website, to undermine the presidential campaign of Hillary Clinton, promote the foreign-policy priorities of the Russian government in general, and promote the Russian Ministry of Defense (MoD) in particular.

This operation appears to have interacted with the Internet Research Agency, but to have been separate from it, with different goals, priorities, and methods.

Mueller’s indictment therefore indicated that the United States was the target of, not one, but at least two separate troll operations during the 2016 election, and one of them was directly linked to the Russian government.

The Indictment

The indictment alleged that the GRU, Russia’s military intelligence, hacked emails from Democratic Party staff and allies, published them on a website called “DCLeaks,” and promoted them through “social media accounts in the name of fictitious American persons.” @DFRLab examined the role of DCLeaks in a separate post.

The indictment listed a number of names attributed to these “fictitious American persons.” The best known was “Alice Donovan;” others included “Jason Scott,” “Richard Gingrey,” “Carrie Feehan,” “Kate S. Milton,” “James McMorgans,” and “Karen W. Millen.”

Excerpt from Mueller’s indictment, identifying “Alice Donovan,” “Jason Scott” and “Richard Gingrey” as fictitious characters. (Source: US Department of Justice)

The indictment also stated that the GRU agents used a specific computer to create a Twitter account called @DCLeaks_, and the same computer to run a Twitter account called @BaltimoreIsWhr. The latter account allegedly pushed the hashtag #BlacksAgainstHillary.

Paragraph 39 of the indictment. (Source: U.S. Department of Justice)

The #BlacksAgainstHillary hashtag did not appear to have performed well online. A Twitter search (archived here) for the hashtag from June 5, 2016 through June 8, 2016 returned 39 posts. Some just consisted of the hashtag.

Posts on #BlacksAgainstHillary on June 6, 2016. All posts archived on July 19, 2018. Search archived on July 19, 2018. (Source: Twitter)

Others featured the hashtag and a single meme.

Identical memes tweeted by (left to right) @uritogee8, @jutysyko, and @reyisud, amplifying the #BlacksAgainstHillary hashtag. All archived on July 19, 2018. (Source: Twitter / @uritogee8 / @jutysyko / @reyisud)

Almost all the tweets were posted by accounts which had only tweeted once.

Left to right: Profiles of @euyy450, @meqypiwute, and @vriwyt, all archived on July 19, 2018. (Source: Twitter)

The only exception was the first surviving account to have posted the hashtag and the meme. Called @DaWash3241 (screen name “David Washington”), this account (archived here) posted 565 times between its creation on February 19, 2015, and its last post, on November 9, 2016 — the day after Trump’s victory.

Most of its posts consisted of shortened links leading to a Facebook page, david.washington.37017, which appeared to have been deleted. Some used shortened links to share a range of anti-Clinton news articles.

Tweets by @DaWash3241 in August 2016, archived on July 19, 2018. (Source: Twitter / @DaWash3241)

Many of its earliest posts, in March 2015, shared the headlines of articles criticizing the police and their handling of African-Americans. Each was shared via a fb.me URL shortener; posting of this type often indicates automated behavior.

Shares by @DaWash3241 on March 2, 2015, archived on July 19, 2018. (Source: Twitter / @DaWash3241)

The overall Twitter traffic on #BlacksAgainstHillary was clearly not organic; the @DaWash3241 account displayed signs of at least partial automation, most likely through the now-suspended Facebook account.

This therefore looked like an operation carried out by fake accounts to promote anti-Clinton messaging.
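The signals described in this section (throwaway accounts, recycled memes, hashtag-only posts, and fb.me auto-shares) can be measured over a collected sample of posts. The following is an added example, not @DFRLab's own tooling; the handles, the sample data, and the thresholds are constructed assumptions.

```python
"""Added example: heuristics for spotting non-organic hashtag traffic.
All handles, sample posts and thresholds below are constructed for illustration."""
import hashlib
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Post:
    handle: str          # posting account
    lifetime_posts: int  # total posts the account has ever made
    text: str            # post body
    media: bytes = b""   # raw bytes of any attached image


SHORTENERS = {"fb.me"}   # auto-share shortener named in the article
HASHTAG = re.compile(r"#\w+")
URL = re.compile(r"https?://\S+")


def hashtag_signals(posts):
    """Return the share of posts showing each telltale described above."""
    total = len(posts)
    if total == 0:
        raise ValueError("no posts to analyse")
    single_use = sum(p.lifetime_posts == 1 for p in posts)
    # Posts with no attachment and no text left once hashtags are stripped.
    bare = sum(not HASHTAG.sub("", p.text).strip() and not p.media for p in posts)
    # Fingerprint attachments so byte-identical memes collapse to one key.
    prints = Counter(hashlib.sha256(p.media).hexdigest() for p in posts if p.media)
    reused = sum(n for n in prints.values() if n > 1)
    with_media = sum(prints.values())
    return {
        "single_use_accounts": single_use / total,
        "hashtag_only": bare / total,
        "reused_media": reused / with_media if with_media else 0.0,
    }


def shortener_ratio(texts):
    """Share of one account's posts that link through an auto-share shortener."""
    if not texts:
        return 0.0
    hits = 0
    for text in texts:
        hosts = {urlparse(u).hostname for u in URL.findall(text)}
        hits += bool(hosts & SHORTENERS)
    return hits / len(texts)


def assess(posts, single_use_min=0.8, reused_media_min=0.8):
    """Flag the hashtag when throwaway accounts and recycled media both dominate.
    Thresholds are assumptions for this example, not values from the article."""
    s = hashtag_signals(posts)
    reasons = []
    if s["single_use_accounts"] >= single_use_min:
        reasons.append("mostly single-post accounts")
    if s["reused_media"] >= reused_media_min:
        reasons.append("identical media reused")
    return {"coordinated": len(reasons) == 2, "reasons": reasons, "signals": s}


# Constructed sample: nine throwaway accounts plus one account with a history.
MEME = b"constructed-meme-bytes"
SAMPLE = (
    [Post(f"throwaway_{i}", 1, "#ExampleTag", MEME) for i in range(5)]
    + [Post(f"throwaway_{i}", 1, "#ExampleTag") for i in range(5, 9)]
    + [Post("long_lived_account", 565, "Read this #ExampleTag", MEME)]
)
# Constructed timeline for the long-lived account: three of four posts are fb.me shares.
TIMELINE = [
    "Headline one http://fb.me/aaa111",
    "Headline two http://fb.me/bbb222",
    "Headline three http://fb.me/ccc333",
    "A post written by hand",
]

if __name__ == "__main__":
    print(assess(SAMPLE))
    print(shortener_ratio(TIMELINE))
```

A high score on these ratios is a lead for manual review of the accounts, not an attribution; the article reaches its attribution only by cross-referencing the indictment.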

Where Is Baltimore?

The accounts involved gave too little information to be able to judge whether they, too, were run by the GRU. However, a cross-reference makes it likely that they were. On June 9, 2016, website wearechange.org ran an article about the hashtag, headlined, “#BlacksAgainstHillary Initiative Joined Hundreds of Black People Across America.”

The article was attributed to “Alice Donovan,” one of the main GRU-run personality accounts named by the indictment.

Headline and byline from wearechange.org. (Source: Wayback Machine)

The article stated that the hashtag was launched by a movement called “Baltimore is Everywhere,” and wrote:

The Baltimore Is Everywhere movement was created by young Black social media activists in May 2015. Its goal is to coordinate efforts of different human rights activists all over the country. The movement closely cooperates with regional BLM organizations and National Association against Police Brutality (NAAPB).

The article also alleged that the president of the NAAPB, Jonathan Newton, had posted a message to the NAAPB page which promoted the hashtag, attacked Clinton and praised her Democratic rival, Bernie Sanders. It presented an image (not a link) of the post as evidence.

Left: The embedded image in the article. Right: Enlargement of the image. (Source: Wayback Machine)

On the same day, Mr. Newton changed the profile picture on his personal Facebook account to the #BlacksAgainstHillary meme.

The change posted by Mr. Newton, reproduced here with his permission. Archived on July 19, 2018. (Source: Facebook / Jonathan Newton)

@DFRLab contacted Mr. Newton. He confirmed that he adopted the hashtag on his personal Facebook page, but denied having made the post to the NAAPB page. He stated that he would never have published something that inflammatory on the public page, because that would have undermined the page’s legitimacy.

A search of the NAAPB page and Mr. Newton’s own page did not turn up the post attributed to him. The fact that the Donovan article only provided a screenshot, rather than a link, would have made it much easier to fake the post.

He also vehemently denied any connection or coordination between the NAAPB and the “Baltimore is Everywhere” group, one of the key claims the “Alice Donovan” article made.

Indeed, the “Baltimore is Everywhere” group left remarkably little trace online. It was the name of a public group on Facebook. As of July 19, 2018, it had no moderators or administrators, and had not posted since 2017, although it did boast over 4,000 followers.

Members of “Baltimore is Everywhere” Facebook page; screenshot and archive from July 19, 2018. (Source: Facebook / Baltimore is Everywhere)

According to one user who posted to the page repeatedly, the page lost all its moderators before June 24, 2017, and had not approved submissions since December 2016, shortly after Trump’s election.

Post and comment on the “Baltimore is Everywhere” Facebook page. Archived on July 19, 2018. (Source: Facebook)

The group’s About page described its mission in clumsy English, which appeared to struggle with the word “the,” a grammatical error often made by Russian speakers.

#BaltimoreIsEverywhere

Hi truth seekers! Baltimore is Everywhere is a group created to coordinate the efforts and inform Black People and all Americans in their struggle against police state and lawlessness. Join us to fight against lawlessness and tyranny of the corrupt Police and Government!

One account claimed to represent the group. On June 3, 2016, an account called “Nayshya Lowe” posted a message to the Black Lives Matter group in Asheville, North Carolina. The account featured the face of an African-American woman, but its use of language featured the same grammatical difficulties as the Baltimore is Everywhere page; for example, the opening phrase:

“I’m the one of representatives of ‘Baltimore Is Everywhere’ movement.”

Post by “Nayshya Lowe” to the Asheville BLM group, archived on July 19, 2018. (Source: Facebook / Nayshya Lowe)

The account posted its first profile picture and banner on June 2, 2016, changed to the anti-Clinton meme on June 5, changed to a new picture on June 22, and, as of July 23, 2018, had not changed profiles again. @DFRLab reached out to the account to verify whether there was a real person behind the account, but received no reply. The combination of linguistic telltales and account behavior leads us to conclude that this, too, was part of an influence operation.

Like the #BlacksAgainstHillary movement, “Baltimore Is Everywhere” featured on Twitter, as well as Facebook. Shortened to “BaltimoreIsEvrywhr,” the group’s name was attached to the Twitter handle @BaltimoreIsWhr, attributed by Mueller to the GRU.

The @BaltimoreIsWhr account has been suspended. One of its tweets — a quote of an anti-Clinton post by TV personality Tim Black, with the #BlacksAgainstHillary hashtag added — was shared on Facebook.

Facebook share of tweet by @BaltimoreIsWhr, archived on July 19, 2018. (Source: Facebook)

One account did promote its content, albeit unsuccessfully: @DaWash3241, which tweeted a Facebook post about it in May 2015.

Archived on July 19, 2018. (Source: Twitter / @DaWash3241)

A Twitter search for mentions of the @BaltimoreIsWhr handle only returned five results before the indictment was published; a search for the hashtag #BaltimoreIsEverywhere returned only a handful more. This level of activity was so low that it suggested that the “movement” was not a genuine grassroots one, but a mock-up.

On the basis of this evidence, cross-referenced with Mueller’s indictment, the “Baltimore Is Everywhere” accounts on Facebook and Twitter appear to have been an attempt by Russian intelligence to infiltrate the BLM community, in the same way that the “Black Matters” Facebook page, run by the troll farm, targeted race issues.

However, according to an archive of over 200,000 tweets from the main Russian troll farm preserved by NBC News, the troll farm did not use the #BlacksAgainstHillary hashtag. The “Baltimore Is Everywhere” group therefore appeared to belong to a separate operation, whose leading voice was the fake persona, Alice Donovan.

That persona left many traces online.

Alice Through The Looking Glass

The “Alice Donovan” account did not focus primarily on social media, but on fringe media sites, especially with a left-leaning or anti-U.S. stance.

The name was associated with Russian troll operations relatively early. According to a New York Times article in September 2017, a Facebook page called “Alice Donovan” was one of the first to advertise DCLeaks’ publications, writing in stilted English that the leaks:

“Describe eventual means and plans of supporting opposition movements, groups or individuals in various countries.”

When the New York Times raised the account with Facebook, the platform challenged the account to prove its authenticity; it failed and was removed.

The name “Alice Donovan” also featured in a Twitter account, and as the email address of a self-styled “freelance journalist.” The email was used to submit articles to left-wing or anti-U.S. sites such as Counterpunch, Veterans Today, groundreport.com and WeAreChange.org; over two dozen were published. The articles were largely critical of American foreign policy and supported the Syrian regime.

Stubs of articles by “Alice Donovan” on Counterpunch and Veterans Today, captured by Medium user @UsHadrons. The headlines cross-check against headlines captured by Counterpunch in its own investigation of the Donovan persona. (Source: Medium / @ushadrons)
Articles attributed to “Alice Donovan” on groundreport.com; note her name in the URL. (Source: groundreport.com)

Since “Alice Donovan” is not a unique name, it is important to assess whether these accounts were connected.

The first confirmation of the link came from Counterpunch, to which “Alice Donovan” had submitted various articles, using the email of that name. After reports that the “Alice Donovan” persona was fictitious, Counterpunch launched its own investigation, emailing the Donovan address to ask for verification.

According to Counterpunch, the email user replied in late 2017, writing that “she was indeed the Alice Donovan referred to in the New York Times story.”

Unless this was an attempt to impersonate an account which had been found to be inauthentic, this connects the Facebook account with the email address and the Counterpunch articles.

Some of the articles bylined “Alice Donovan” appeared on multiple websites, including Counterpunch, further connecting them to the email and Facebook accounts.

List by Counterpunch of publications by “Alice Donovan.” The articles have been deleted, but the Wayback Machine web archive has captured the version from Global Research, while a tweet from Veterans Today promoting the article is still online. (Source: Counterpunch)

The Twitter account, which was barely active (just 28 posts, according to Counterpunch), promoted an article which accused former President Obama and presidential candidate Hillary Clinton of supplying arms to the Islamic State terrorist group, with the words, “My article.”

Tweet by @_alicedonovan_, preserved by Medium user @ushadrons. (Source: Medium / @ushadrons)

The original article, on WeAreChange.org, has been deleted, but it has been preserved on the Wayback Machine archive, with the “Alice Donovan” byline, and the same URL as that posted in the tweet.

Headline, banner, and lede of the “Alice Donovan” article referenced in the tweet. Note the insistence that the leaked emails are real, and the complaint about the lack of reporting. (Source: Wayback Machine)

Again, unless the tweet was an attempt to impersonate a (fictitious) writer and take credit for a post on a fringe outlet, this connects the Twitter account with the online articles, and through them, the Facebook page.

Counterpunch’s investigation found that the “Alice Donovan” articles were heavily plagiarized, and that it was impossible to confirm “her” identity. Facebook’s suspension of the account also appears to confirm that there was no Alice Donovan behind the account.

The overwhelming likelihood is that “Alice Donovan” was not a real identity, and that the Facebook, Twitter, and email accounts, and the news articles, were produced by the same person or group of people (Counterpunch concluded that there was “probably not” one single person behind the persona).

According to Mueller’s indictment, that group was Russian military intelligence.

What Alice Wrote

The content which “Donovan” shared was consistent with the theory that the operation was run by the Russian military. According to the New York Times article, one of the “Donovan” Facebook account’s roles was to promote the emails leaked by DCLeaks.

Independent analytical company ThreatConnect identified DCLeaks as a probable front for the “Fancy Bear” hacking team, itself attributed to the GRU, in August 2016.

One article attributed to “Donovan” and posted on WeAreChange.org certainly boosted DCLeaks, focusing on emails from former U.S. Secretary of State Colin Powell, which “the hacker group DC Leaks” had posted online.

Article attributed to Donovan on WeAreChange.org. (Source: Wayback Machine)

The article on alleged U.S. supplies of arms to Islamic State also focused on leaks, beginning, “There’s no denying the emails Julian Assange has picked up from inside the Democratic Party are real. The emails have exposed Hillary Clinton in a major way — and almost no one is reporting on it.”

This referred to a Wikileaks dump of emails hacked from the Democratic National Committee in early 2016. The hack was carried out by a persona known as “Guccifer 2.0;” ThreatConnect identified the Guccifer 2.0 persona as linked to Russia, while analysts at CrowdStrike concluded that the DNC was breached by “Fancy Bear” in April 2016.

The “Alice Donovan” persona’s amplification of DCLeaks and Wikileaks therefore served the broader GRU mission of hacking and leaking emails from Democratic figures during the election period.

Its publications ranged more widely, however. Both Counterpunch and online researcher @UsHadrons have produced lists of its output; these tally with one another, and with online archives, allowing for reliable verification.

Some of the “Donovan” oeuvre was squarely aimed at Hillary Clinton, paralleling the anti-Clinton content posted by the Internet Research Agency. However, it focused on the very specific issue of emails, in an echo of the promotion of DCLeaks and Wikileaks.

Tweets by @_alicedonovan_, preserved by @ushadrons. (Source: Medium / @ushadrons)

Other articles focused on Russian foreign-policy issues of the moment. The first “Donovan” byline, published by pro-Kremlin site Veterans Today on February 25, 2016, was an attack on Turkey’s President Recep Tayyip Erdogan, headlined, “Does America need such friends?”

The post was made during a sharp chill in Turkish-Russian relations, caused by Turkey’s downing of a Russian aircraft in November 2015; Kremlin anti-Turkish propaganda was intense at the time, and included reporting from Russia’s state-funded RT, which violated basic standards of journalism.

According to an archive of the post, it began with the Russian point of view, and characteristically Russian grammatical errors:

Not long time ago the world witnessed an unprecedented air accident since the Cold War. Turkish Air Force has shot down Russian military aircraft which allegedly had violated the border and invaded the country’s airspace. Moreover one of the pilots who bailed out was shot dead by gunmen of Syrian moderate opposition, which is also supported by Turkey. Did someone decide to play around with Russian bear and challenge it to a duel? Moreover — why? Maybe there is some other game? Let’s try to understand.

Its main theme was a personal attack on Erdogan:

The Turkish leader Recep Tayyip Erdogan is known not only for his desire to Islamize Turkey which had chosen the secular path of development during the reign of Mustafa Kemal Ataturk, but also for his imperial ambitions. Some even believe that he sees himself as the new sultan of Ottoman Empire.

Another piece, posted on Veterans Today a month later, again focused on Syria, and again promoted Kremlin views in non-native English:

Not only regional players’ pitfalls could complicate the ceasefire agreement implementation but also the actions of Washington Hawks who didn’t give up the plan to overthrow the Bashar Assad’s regime.

Even the headline contained a grammatical error, omitting the genitive in a way characteristic of native Russian speakers, whose command of English is patchy.

Headline of the March article by “Alice Donovan” in Veterans Today. (Source: Wayback Machine)

The article was resoundingly aligned with Russia’s foreign policy, and, in particular, with the stance of the Ministry of Defense:

This month the Russian president Vladimir Putin ordered the Russian forces to begin withdrawal from Syria. However, Russian aircraft will keep bombing Syrian terrorist groups designated by the UN Security Council despite the best efforts of U.S. diplomacy to save their puppets from defeat. “I would like to emphasize that concluded U.S.-Russian agreement on the cessation of hostilities does not apply to militants of ISIS and Jabhat al-Nusra and others designated as terrorist by the UN Security Council. Therefore, the Russian Air Force continues bombing the international terrorists groups in the former regime” — Igor Konashenkov, the Russian Ministry of Defense spokesman reminded. The exclusion of the terrorist groups from the truce makes it possible to suppose the fight against terrorists will continue until their irrevocable defeat.

The timing, and the focus on Syria, are significant. According to the NBC archive of 200,000 troll factory tweets, the main Russian troll operation that day was focused on the hashtags #BlackLivesMatter and #tcot (short for “top Conservative on Twitter”).

Instead of aligning with that operation, the Donovan persona focused on the military theater of Syria, and the stance of the Russian MoD. This reinforces the impression that it was part of a similar, but separate, operation.

Throughout its career, the Donovan persona was to keep a focus on Syria — far more so than the main troll-farm accounts. On July 20, 2016, it published an article on Veterans Today claiming that the U.S. was “supporting child beheaders” in Syria; on August 15, as the siege of Aleppo intensified, it published an article on WeAreChange.org proclaiming that Russia would “destroy terrorists” in Aleppo.

The “Alice Donovan” headline on Aleppo. (Source: Wayback Machine)

The article provided considerable detail on the types of Russian weaponry and ships to be deployed, including Kalibr-NK cruise missiles and submarine-launched 3M-54 Kalibr missiles. Yet again, it featured linguistic errors characteristic of Russian speakers, especially clumsiness with the genitive and definite article (“Look at the previous Russia’s naval attacks”), and used language which would not have been out of place in an official press release.

Excerpt from the “Alice Donovan” article on Aleppo. (Source: Wayback Machine)

Neither of these matched other troll farm outputs. On July 20, 2016, the main troll farm operation was focusing on the Republican Convention; on August 15, it was focusing on the two U.S. presidential candidates.

The Donovan articles, and others like them on Syria, therefore did not fit into the main Russian troll operation; instead, they dovetailed with the Russian Ministry of Defense’s main theater of kinetic operations in Syria.

Not all the Donovan posts focused on Syria. An article on WeAreChange.org on November 18 attacked protesters against U.S. President Donald Trump; a month later, “Donovan” was writing on Trump’s policy towards Ukraine.

A particularly widely-copied article, published in October 2017 on sites including disinformation hub globalresearch.ca, accused the U.S. of working with Colombia to undermine Russia’s long-standing ally, Venezuela.

Headline of the “Alice Donovan” Venezuela article. (Source: Wayback Machine)

Again, the tone was anti-American, and the language non-native. For example, “the Secretary Tillerson, one of the most influential figures of an oil lobby … able to take any measures for achievement of goals.”

Excerpt from the “Alice Donovan” article on Venezuela. (Source: Wayback Machine)

The timing is striking. Two weeks before, Venezuelan President Nicolás Maduro had raised the possibility of seeking Russian military help to oppose Trump’s threat of force against his nation. A month later, Russian President Vladimir Putin reportedly broached plans to agree on a basing agreement for warships in the Latin American state.

The “Donovan” article therefore dovetailed closely with a news item of particular concern to the Russian military.

Allies in Wonderland

None of the other GRU personality accounts mentioned by the Mueller indictment left as clear a trail as “Alice Donovan.”

One article on groundreport.com was attributed to “Richard Gingrey,” also named in the indictment as an amplifier of the DCLeaks material. The article dealt with U.S.-Russia relations in the Arctic, and, despite the attribution, was in fact published by Kremlin communications site Sputnik two weeks earlier.

The groundreport.com editorial staff, if such there be, failed to spot the plagiarism, even though the second paragraph made clear that the quote had been given to Sputnik.

Top left: Stub from groundreport.com, naming Richard Gingrey as the author in the URL. Bottom left: The text of the groundreport.com article. Right: Sputnik version. (Source: groundreport.com / Sputnik)

A third name, “Jason Scott,” was listed alongside Donovan and Gingrey. It is too common a name to leave a defined trace online, but the username @JassScott featured on the original list of troll-farm accounts which Twitter shared with the U.S. Congress.

According to the NBC archive, this account largely posted election-related content, some pro-Clinton, some pro-Trump. It is therefore unclear whether the Twitter handle is related to the persona identified by the indictment.

Another name, “Den Katenberg,” was tied directly to the hacking attempts. According to the indictment, this was a pseudonym of Senior Lieutenant Aleksey Viktorovich Lukashev of the GRU.

The name also featured on a list of hackers shared with the Associated Press by security firm Secureworks. AP journalist Raphael Satter deduced that the email address was used to test malware, and traced it to related Twitter and Facebook pages, the former dormant, the latter now deleted.

(Source: Twitter / @razhael)

Neither account appears to have posted; the Twitter account followed a curious combination of celebrities, French accounts, and accounts using the initials “SD,” either for San Diego or South Dakota.

Accounts followed by @denkaten, archived on July 13, 2018. (Source: Twitter / @denkaten)

This social media footprint is vestigial, but shows one more small thread in the web of false accounts which the GRU unit spread online.

Conclusion

With the possible exception of “Jason Scott,” none of these false personas featured in, or interacted with, the posts shared by the Internet Research Agency. The pattern of activity was also different, with a greater emphasis on online publications, rather than social media accounts.

The #BlacksAgainstHillary hashtag was clearly driven by fake accounts, although with some genuine American buy-in. It was amplified by “Alice Donovan” despite the minuscule traffic, making it appear likely that the purpose of the Donovan article was, at the time, to amplify the hashtag.

Other articles supported the Russian government’s strategic messaging in its main theater of military operations — Syria — rather than in its attack on the U.S.

The GRU campaign appears to have had two main goals: to mobilize American opinions, especially African-American opinions, against Clinton, and to spread propaganda which served Russian military interests.

It was much smaller and more focused than the Internet Research Agency operation. It seems to have worked much more closely with the hacking units, although its ability to amplify their leaks was limited. Above all, unlike the troll farm, it was conducted by serving officers in Russian military intelligence.

Mueller’s indictment therefore reveals that the U.S. was targeted by two separate Russian troll operations during the 2016 election, and one of them can be traced directly to the Russian authorities.


Ben Nimmo is Senior Fellow for Information Defense at the Atlantic Council’s Digital Forensic Research Lab (@DFRLab).

Nicholas Yap, Assistant Director of the @DFRLab, and Christina Apelseth, Research Intern at the @DFRLab, also contributed to this report.

Follow along for more in-depth analysis from our #DigitalSherlocks.

DFRLab

@AtlanticCouncil’s Digital Forensic Research Lab. Catalyzing a global network of digital forensic researchers, following conflicts in real time.
