Suspected Russian operatives tried using forged diplomatic documents, social media to create divisions

New research follows similar findings first made public last year.
The Russian flag flies above Russian parliament. (Getty Images)

A Russian information operation relied on forged diplomatic emails and planted articles on a number of social media sites in an attempt to undermine multiple governments and impersonate U.S. lawmakers, according to a new analysis of recent social media activity.

Massachusetts-based Recorded Future on Wednesday published findings detailing how Russian-language operatives spent months using popular internet services to try to interfere in Estonia, the Republic of Georgia and the U.S. The effort appears to be a continuation of a prior Russian campaign, dubbed Operation Secondary Infektion, that utilized Facebook and dozens of online platforms to sow division in the West and discredit political efforts.

The ongoing covert influence effort revealed Wednesday, known as Operation Pinball, involved activity on discussion sites like Reddit, LiveJournal, an array of self-publishing sites, falsified social media profiles that prioritized strong operational security over reaching a large audience. In one instance, Recorded Future detected a Reddit account involved in distributing leaked documents from trade talks between the U.S. and U.K. in November 2019.

While attempts to reach a large number of social media users apparently was not successful, Operation Pinball is the latest evidence that information operations are utilizing multiple social media platforms at once, making them harder to detect and then remove. Facebook and Twitter last week said they each removed accounts which appeared to be active on both sites.


“The more integration on the different services we see, the more concerned I get, because all of these platforms are working on this problem on their own,” said Priscilla Moriuchi, director of strategic threat intelligence at Recorded Future. “As we study this, we see over and over that this cross-platform strategy is evolving. It’s becoming too much for one platform.”

The best representation of these disinformation tactics is a June 10 letter that appears to be from U.S. Secretary of State Mike Pompeo, and addressed to Vladimir Plahotniuc, former president of the Democratic Party of Moldova. In the letter, Pompeo appears to say Maia Sandu, the country’s new prime minister, was “unconstitutionally appointed” and this is “worthy of condemnation.”

However the letter was a forgery, according to Recorded Future researchers who cited awkward phrasing and difficulty with the English language as evidence of its inauthenticity. In fact, the U.S. State Department said on June 14 that Sandu’s appointment to prime minister reflected “the will of the people of Moldova.” Yet it’s a reflection of how an apparent Russian intelligence operation is experimenting with fabricated diplomatic documents and other tactics to create international confusion.

A primary goal of Operation Pinball, for instance, was to undermine the governments of Estonia and the Republic of Georgia.

In another case, researchers discovered a Dec. 18, 2019 article published on the German self-publishing site The article argued that Europe was not ready to accept refugees, and went on to blame the U.S. for wars in the Middle East and Africa which created instability, resulting in a migration to Europe. The author cited a letter from Taavi Aas, Minister of Economic Affairs and Infrastructure of Estonia, addressed to the European Commission for Migration, Dimitris Avramopoulos, in which Aas appeared to criticize the European Union.


However, Recorded Future declared with “high confidence” that the letter was inauthentic, and an apparent attempt to create political divisions between Estonia and the European Union, a frequent target of the Kremlin. The message contains sloppy grammar, colloquial language unlikely to appear in a legitimate political letter (such as “totally ready” and “scoring political points”), and a forged signature, based on a comparison of Taavi Aas’ true signatures with the document in question.

A Recorded Future analysis determined that Russian attackers used a forged signature (left) to impersonate Taavi Aas.

Shortly after the author published the article on, a Reddit profile with the same name, “Flokortig,” registered an account on the discussion site, and posted a link to the Homment article in an attempt to attract more readers. Within weeks, however, other social media accounts, including an “Elena Frolova,” also began disseminating the article, resulting in the re-publication by apparently unwitting news aggregation sites.

The discourse involving Georgia followed many of the same tactics as the Estonian efforts.

In one case, a Reddit user who went by “TarielGeFr” published a post in a forum dedicated to France titled “A True Georgian Dream.” The author claimed to be a native Georgian living in exile who agreed with a recent editorial arguing that the Georgian government should granted sovereignty to the disputed region of Abkhazia. (Georgia classifies Abkhazia as part of Georgia, while Russia has recognized Abkhazia as an independent state.)


The author goes on to cite another forged letter, apparently addressed to NATO’s general secretary from Georgia’s defense minister, which falsely claims Georgia intends to grant Abkhazia property rights to a hydroelectric power plant. “Specifically, it is planned to handover them to Abkhazia for a symbolic amount of money,” the letter states. The research team Recorded Future, which included two full-time researchers and two linguists, determined the letter written “by someone with a poor command of English as well as Georgian.”

Techniques and procedures detailed in the Operation Pinball report match a June 2019 report from the Atlantic Council’s Digital Forensic Research Lab called Operation Secondary Infektion.

Operation Secondary Infektion was an attempt to amplify fabricated news stories, most notably a narrative that British citizens had planned to assassinate Prime Minister Boris Johnson. The campaign also included fake tweets, including one that appeared to be from Sen. Marco Rubio, R-Fla., accusing British intelligence agencies of helping Democratic political candidates during the 2018 elections.

The Atlantic Council’s DFR Lab caught a fake tweet that appeared to be sent by Sen. Marco Rubio in 2018.

“From using blog platforms to posting forged government letters, the tactics closely match with the ones used in the Secondary Infektion,” Kanishk Khan, a researcher at DFR Lab who verified Recorded Future’s research at CyberScoop’s request, said of the disinformation campaigns. “The primary goal of Secondary Infektion was to create division between Western countries, and Operation Pinball suggests the same – to destabilize relations between some countries.”

Latest Podcasts