UPDATE: On September 1, 2023, SouthFront, writing from its new domain, published an article explaining what happened to the original website. “On the night of 18 August, the ‘international domain name registry’ blocked southfront.org without any warning or explanation.”
Well-Known Disinformation Outlets Down
At least nine websites linked to Russia’s intelligence agencies have encountered significant technical issues. These disruptions, manifesting as RSS and in-browser failures, occurred in a narrow time window and affected the entities similarly. The websites remain offline as of August 25, 2023, which raises questions about what explains it, its implications, and the possible entities behind it.
The impacted websites are not ordinary media platforms. They are closely associated with Russia’s Foreign Intelligence Service (SVR), Federal Security Service (FSB), and Main Directorate (GRU/GU). The disrupted list includes:
Researchers, governments, and journalists have flagged these platforms for disseminating conspiracy theories, disinformation, and misleading geopolitical narratives. Due to their ties with Russian intelligence, the US Treasury sanctioned many of these platforms in 2021 and 2022. The near-simultaneous disruptions across these platforms suggest something more intentional than random technical glitches.
Notable Exceptions
Not all websites linked to Russian intelligence faced disruptions. Websites that had links to Russian intelligence and used unethical influence tactics were spared in cases where Russians were the primary audience. The unaffected websites could be a byproduct of the Russian websites not interacting with or sharing resources with the other websites, or it could reflect the target criteria.
Major state-affiliated media outlets like RT and Sputnik and oligarch-controlled media platforms remained operational. Unaffected websites include Oligarch-owned entitles like United World International (UWI), founded by Evgeny Prigozhin in 2020 and led by Darya Dugina until she died in 2022.
Geopolitika[.]ru, sanctioned because a sanctioned individual controls it, Alexander Dugin, appears unscathed. Katehon remains unaffected, too. The sanctioned oligarch and international financier of fundamentalist religious groups, Konstantin Malofeev, owns the website. The US described him as “one of the main sources of financing” Russia’s 2014 invasion of Ukraine.
Websites like Fonsk and Antifashist have ties to Russian intelligence but appear unaffected. These two differ in another way. Fondsk and Antifashist are primarily accessed by Russians as opposed to international readers. At the same time, Odna Rodyna and Rhythm of Eurasia are down, while Journal Kamerton and Politnavigator appear unscathed. All four outlets are in Russian language.
Politnavigator wasn’t sanctioned, or at least doesn’t appear in the sanctions database like the other three. Journal Kamerton, Odna Rodyna, and Rhythm of Eurasia are. In 2022 the US Treasury stated:
Since then, SCF has continued to make attempts to reach an audience, despite being banned on many social media and payment platforms following U.S. sanctions. SCF has created additional media outlets to promote its narratives, including Odna Rodyna and Rhythm of Eurasia. In 2021, SCF used Odna Rodyna to reach Ukrainian audiences. In 2021, SCF posted content alleging that the United States was supporting Ukraine in order to “debilitate Russia.” The SVR and SCF work to promote another affiliated media outlet, Journal Kamerton, which hosts a litany of articles denigrating Ukraine.
Here, the text groups Odna Rodyna and Rhythm of Eurasia together as sites created to evade US sanctions. Speculatively, given that Journal Kamerton remains online, it might suggest that this was not the work of Ukraine but instead of the US.
The Case of CyberBerkut
CyberBerkut, a hacking group known for malicious cyber activity, stands out among the affected websites. It is not typically associated with the websites mentioned above; however, UK intelligence says it is a front for the GRU. In 2017, CyberBerkut spread a false story about Ukraine creating bioweapons. The details are remarkably similar to the story reappearing in early 2022. An earlier iteration of the story involved Georgia, which Russia attacked in 2008, and dates back to at least 2011.
Identifying the Commonalities
The InfoEpi Lab does not have expertise in cybersecurity, so we will keep the commentary in this section limited to observations about the websites. The overlapping traits among the affected websites, their histories, and the short time window in which the sites failed suggest something intentional.
Based on these results, more than one explanation is possible. The affected websites might have been determined by an imprecise attack mechanism that relied on connections between the websites for transmission. Another possibility is that additional or alternate criteria were used to select the websites.
The affected websites have the following traits:
A direct link to Russian intelligence agencies.
A track record of malicious activities, such as disseminating disinformation and interfering in foreign elections.
While these traits exist in every website identified, some websites that fit that description remain online. Still, not all domains with these characteristics were impacted.
Other Considerations
ODNI Down
The RSS feed for ODNI failed on August 23rd, 2023, at 3:17 a.m., exactly 24 hours after the logs show a second website associated with Russian intelligence failed. While the website still works, the RSS feed shows an error page. It had previously worked, and the feed was successfully used for content collection until then.
A cursory review of other websites doesn’t show anything remarkable. It may be unrelated. RSS Feeds fail regularly, and I have tracked many of these sites for several years; any single website would not have struck me as noteworthy.
The time frame and overlapping traits among the affected websites make it noteworthy. Still, there might also be a more coincidental explanation, especially if this is the only affected website.
stoppropaganda.exe
The InfoEpi Lab does not specialize in cyber security or software development, so we will limit commentary to concrete details to share what we know.
The Lab received an anonymous tip that the failures might be related to “stoppropaganda.exe.” One can infer what it’s designed to do. While a DDoS attack could take down several large websites, how long it could do so is tied to the resources and scale behind the attack.
The software can be found in an archived GitHub account. “Added new targets from IT Army of Ukraine,” one software update reads. The repository appears, at least on the surface, to belong to a Lithuanian who recently graduated from a school for information and cybersecurity.
The statement doesn’t indicate whether the Ukrainian IT Army created the software, only that the GitHub repository owner used the list of targets provided publicly by the Ukrainian IT Army. Websites targeted by Ukraine primarily belong to the Russian state, its military, and banking websites. A search of the Telegram channel associated with the Ukrainian IT Army shows they discussed the software early in the war through May 2022.
The failing websites did not appear in the Ukrainian IT Army’s Telegram channel either. The recently failed websites are well-known for their malign activity, so anyone wanting to compile a list of propaganda outlets would likely include many currently ailing websites.
Further suggestive of something else at play is that the stoppropaganda.exe targets specific websites, and they don’t appear to overlap with the list examined in this report. The initial target websites appear in the data visualization below.
Appendix: Failing Websites
As of 8:00 p.m. on August 26, 2023.
Additional Outlets with Issues
New Eastern Outlook
New Eastern Outlook (NEO) began failing on August 22, 2023, at 3:12 a.m. NEO has promoted false and misleading claims and is allegedly directed by Russia’s foreign intelligence service (SVR).
The site is associated with the Russian Academy of Science’s Institute of Oriental Studies. It combines pro-Kremlin views of Russian academics with anti-US views from Western fringe voices and conspiracy theorists.
SouthFront
SouthFront, an outlet that receives direction from Russia’s FSB, failed on August 22, 2023, at 3:17 a.m. The site has been linked to pro-Assad conspiracy theories and has been accused of promoting voter fraud claims during the 2020 US presidential election.
NewsFront
According to my logs, NewsFront began failing on August 23rd, 2023, at 7:38 p.m.. The US Treasury wrote of NewsFront and its connections to Russia’s Federal Security Service (FSB):
NewsFront is a Crimea-based disinformation and propaganda outlet that worked with FSB officers to coordinate a narrative undermining the credibility of a news website advocating for human rights. NewsFront was also used to distribute false information about the COVID-19 vaccine.
Oriental Review
Oriental Review is a disinformation outlet directed by Russia’s Foreign Intelligence Service (SVR). It spreads many types of disinformation about international organizations, military conflicts, protests, and divisive issues it can exploit. The Oriental Review feed began failing on August 22, 2023, at 3:27 a.m.
Odna Rodyna
Odna Rodyna failed on August 22, 2023, at 4:05 a.m. US officials speaking to AP said, “Vladimir Maximenko has met with SVR handlers multiple times since 2014.” In 2022, the White House addressed Odna Rodyna in a sanctions announcement:
Treasury will designate seven Russian entities, SDN Strategic Culture Foundation and associated outlets Odna Rodyna, Rhythm of Eurasia, and Journal Kamerton; SouthFront; SDN InfoRos; New Eastern Outlook; Oriental Review; United World International; and Geopolitical.
Strategic Culture Foundation
The Strategic Culture Foundation (SCF) also appears to be failing. Our logs show the first recorded failure occurred on August 22, 2023, at 4:45 a.m. SCF is a digital publication based in Russia that is “controlled by the SVR’s Directorate of Active Measures and is closely affiliated with the Russian Ministry of Foreign Affairs.”
The outlet is known for publishing election-related conspiracy theories, and it amplifies conspiracy theorists and pseudoscience profiteers living in or from democratic nations, broadening the reach of people who may ordinarily have a more limited audience while benefiting from their local voices.
InfoRos
Although this is not new, the GU website InfoRos and its network have been on- and offline since 2022. A study of InfoRos’ network of websites inside Russia seems to have prompted a significant portion of them to go offline shortly before Russia’s 2022 invasion of Ukraine.
InfoRos abruptly stopped registering new domain names between January 17 and February 21, 2022, the longest operational hiatus observed since late 2019. Unfortunately, the registration of new sites has resumed at a higher rate in May 2022.
– OpenFacto, Jan 17, 2023
One World Press
One World Press also appears to be failing. It is closely associated with InfoRos, which is its registered domain owner.
Outlets Still Online
Journal Kamerton, Veterans Today, United World International, and Antifashist appear to be working and accessible as of 1:00 p.m. on August 24, 2023.
Antifashist
Antifashist is online but has a notice that states the website is experiencing DDoS attacks. According to AP News, the “managing editor of Antifashist allegedly was directed at least once by the FSB to delete material from the site.”
Journal Kamerton
Journal Kamerton is currently online. The US Treasury sanctioned the journal for spreading election-related disinformation. As mentioned in the White House Briefing on March 3, 2022, Journal Kamerton and other listed entities have spread false narratives attempting to justify the Russian invasion of Ukraine.
InfoBRICS
InfoBRICS remains online. It is an online platform focusing on news and developments related to the BRICS nations (Brazil, Russia, India, China, and South Africa). It publishes content that advances conspiracy theories, unrealistic, misleading, and nationalist content often written by state-affiliated outlets. The Alliance for Securing Democracy wrote about InfoBRICS publishing COVID disinformation:
An outlet known as InfoRos, including sites InfoRos.ru, Infobrics.org, and OneWorld.press, has reportedly been publishing disinformation surrounding the COVID-19 pandemic with influence from Russian intelligence services. Multiple individuals affiliated with the outlet, including Denis Valeryevich Tyurin and Aleksandr Gennadyevich Starunskiy, appear to have previously worked in a GRU unit specializing in psychological intelligence and operations.
United World International
United World International (UWI) is a Russian-backed propaganda organization sanctioned by the US, Canada, and European allies due to its involvement in spreading disinformation. As highlighted in the White House Briefing on March 3, 2022, UWI spread false justifications for the Kremlin’s invasion of Ukraine and attempted to influence elections.
Evgeny Prigozhin, believed to have died following a plane crash on August 23, 2023, founded UWI in 2020 via Project Lakhta. Project Lakhta is known for interfering in democratic elections. Darya Dugina oversaw OWI until she died following a car bombing in 2022. Most recently, UWI attempted to influence Turkish elections.
Veterans Today
As stated earlier, Veterans Today appears to be online now. The site was checked because of its relationship with New Eastern Outlook, which is down, and Colonel Evgeny Khruschev, a Russian psychological operations officer and RT employee who sat on the Veterans Today Board of Directors starting in 2010.
UPDATED: Added alt text to images.
Citation
@article{li2023,
author = {Li, E. Rosalie},
publisher = {Information Epidemiology Lab},
title = {Disinformation {Interrupted}},
journal = {InfoEpi Lab},
date = {2023-08-28},
url = {https://infoepi.org/posts/2023/08-28-disinfo-interrupted.html},
langid = {en}
}