Twitter Removes Russian Disinformation Accounts

On Feb. 23, Twitter booted a gaggle of accounts from its platform, including those determined to be associated with the Russian government and the well-known disinformation machine Internet Research Agency (IRA). Twitter regularly culls users; those who violate its terms of service, including the former U.S. president, are banned. What’s unusual this time is the scale: usually, these are one-off events involving individuals or small groups.

On Feb. 23, however, Twitter expelled 373 accounts for violating its platform manipulation policies. Within that group, Twitter Safety tells us via a blog post, there were four account networks linked to state information operations associated with Armenia (35 accounts), Russia (69 from the GRU and 31 IRA accounts) or Iran (238 accounts).

We will limit our deep dive today to the Russian accounts.

Russia’s Accounts

Twitter characterized the two Russian networks discovered as:

  1. “Our first investigation found and removed a network of 69 fake accounts that can be reliably tied to Russian state actors. A number of these accounts amplified narratives that were aligned with the Russian government, while another subset of the network focused on undermining faith in the NATO alliance and its stability.

  2. As part of our second investigation in this region, we removed 31 accounts from two networks that show signs of being affiliated with the Internet Research Agency (IRA) and Russian government-linked actors. These accounts amplified narratives that had been previously associated with the IRA and other Russian influence efforts targeting the United States and European Union.”

In 2017, I described Russia as a skilled political warfare adversary, a country which would continue to attempt (and, many times, succeed) to shape the global narrative with an onslaught of disinformation. Indeed, probable key performance indicators were identified against which the Russian active measures teams were scoring high marks. These KPIs were:

  • KPI 1 – Shape the U.S. election discourse and feed divisiveness in the United States.
  • KPI 2 – Frame the dialogue via ads and fictitious personas.
  • KPI 3 – Divide the United States and NATO.
  • KPI 4 – Silence opposition, both foreign and domestic.

Based on Twitter’s two paragraphs discussing the Russian information operations efforts, the probable KPIs of 2017 continue to be germane in 2021.

Internet Research Agency

The “Trolls of Olgino” haven’t disappeared. While the IRA may not be operating in the exact same manner that Project Lakhta (2018) did, their activities, archived by Twitter, serve as evidence that they remain fully operational. Twitter identified 31 accounts which were associated with Russia’s IRA. The accounts were split fairly evenly between English (15) and Russian (16). Interestingly, the IRA uses a variety of Twitter clients to post their tweets. They are using the Twitter web app, iPhone/iPad/Android app, Facebook, TweetDeck, Twitter’s web client, LinkedIn, VK, WordPress, networked blogs, Instagram and even Foursquare, an app we’ve not seen in ages.

The IRA also favors hashtags. Of the thousands of hashtags used by these 31 accounts, #trump, #Turkey, #Ukraine, #NSA, #Venezuela, #Russia, #NATO and #USA recur repeatedly, which isn’t surprising.

Content-wise, it should surprise no one that “Biden” finds its way into more than a thousand of their tweets.

GRU Involvement

Similarly, cyber shenanigans attributed to Russian military intelligence (GRU) continue apace, and these revelations continue to be treated as a surprise by many. In the available dataset, the language split of the GRU accounts wasn’t skewed heavily one way or another, though languages were limited to English (31) or Russian (38).

The GRU’s posts make use of many of the same Twitter clients as the IRA’s, which may be noteworthy, but is probably more coincidence than design.

The GRU also wove multiple hashtags into their information operations, with a decidedly geopolitical bent: #syria, #turkey, #usa, #eu, #france and, of course, #trump all found their way into the content frequently.

Looking Forward

The Russian active measures efforts aren’t going to wane. The work of Twitter and other social networks to keep them in check will continue to evolve, as will the M.O. of the GRU and IRA. The proffered KPIs should be kept in mind when consuming content on the web which is suspected to come from Russia.

For those who want an even deeper dive into the data, you’ll find it in the Twitter Information Operations datasets in CSV format.

Christopher Burgess

Christopher Burgess (@burgessct) is a writer, speaker and commentator on security issues. He is a former Senior Security Advisor to Cisco and served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit: Senior Online Safety.
