Kremlin’s disinformation policy bears the imprint of a large-scale hybrid campaign

This post was published in CyberDefence24. The point of view expressed in this article is authorial and do not necessarily reflect BM`s editorial stance.


WARSAW, (BM) – We have known for a long time that Russian disinformation uses fabricated content published in Poland, Lithuania and Latvia. FireEye has conducted an analysis of publications appearing on the web since March 2017 and concludes – these are elements of a wider campaign of influence.

The report prepared by FireEye shows operations that were previously also analyzed by our editorial office. Most of the activities surveyed by the experts were narratives targeting NATO that used hacking websites or fake email accounts to distribute fabricated content, including fake correspondence from military officials.

The operations examined for the purposes of the report were aimed at the information area of ​​Poland, Lithuania and Latvia, but, as we have repeatedly informed, similar operations also occur in other countries. For the purposes of the report, experts called this operation “Ghostwriter”.

As part of the report, FireEye analyzed the use of non-existent content authors who were supposed to “pretend” to local journalists to publish material based on fabricated material as sources of information. As the company indicates, the analyzed cases may be elements of a wider campaign that lasted at least from March 2017.

As indicated, it was aimed at the information area of ​​Lithuania, Latvia and Poland. The campaign also used anti-US and coronavirus-related narratives as part of a broader campaign against the Alliance.

Examples of such an operation include attack on the Academy of War Art. As part of the attack, on the home page of the university website on April 22 this year. a fabricated letter from Ryszard Parafianowicz, the rector-commandant, was placed, addressed to the military, in which the general accused the ruling party of an irresponsible policy towards the United States.

Its content also hit the American presence on the eastern flank, where there are attempts to “demonstrate its military strength”, as well as the accusation of building unfair accusations against Russia. As it resulted from the analysis conducted by our editorial office about which we write here, the fabricated letter turned out to be only an element in a wider disinformation operation. Its placement was the first step to spreading content on Polish and foreign portals, including The Duran, which FireEye experts indicate in their analysis.

Most of the cases studied by FireEye used hacking websites or fake e-mails to spread crafted content. FireEye detected 14 “people” who are created authors and were used to “publish” content, mainly in English.

The scheme of operation, using hacking into local news portals in order to insert specially prepared articles on them, was also used during the alleged organization of the “patriot” march in the Orzysz commune “Not for US troops in Poland!”. To authenticate this operation, fabricated e-mails were used, which were sent impersonating a member of the team. The text of the message contains a link to an article published as a result of hacking activities on the local portal “Tygodnik Działdowski”.

Tygodnik was not the only victim, but only one of the links through which an attempt was made to reach a wider audience. The article with the same title also appeared on other local portals –, and

However, the real publicity of the information was certainly due to a request for a comment on the case, sent from an employee of the largest security and defense portal in Poland and Europe,, which was pretended by cybercriminals. We write more about this operation here.

According to the FireEye analysis, the activities carried out in the analyzed cases were aimed at violating relations with NATO and pointing to the Alliance’s activities as aggressive and dangerous to local populations. Much of the focus was on military exercises, which also addressed the spread of coronavirus by soldiers.

As indicated by the authors of the report, the cases studied by them used hacking into news portals in order to place crafted content and e-mail messages on them to disseminate this content and encourage readers, and as shown by numerous examples in which attempts were made to engage editorial offices of news portals to familiarize themselves with these contents.

A similar scheme of operation with the use of e-mails was used during the operation in the information space of Poland and Lithuania carried out at the end of July (the mention also appeared on German portals), under which a prepared press release was sent out impersonating the Internal Security Agency.

Fake news about the alleged detention of a Lithuanian spy by the Internal Security Agency was attempted to convey to the editors of Internet portals in Poland – and several editorial offices managed to “trick” the message and the content of the prepared message appeared on news portals.

A message with similar content, very ineptly translated, also appeared in the Lithuanian information space and was officially denied by the Ministry of National Defense of Lithuania quite quickly.

The analysis of the content tested by FireEye did not show a model operation as part of the operation, however, some characteristic elements were indicated. The content was created on the basis of crafted sources, such as quotes that were attributed to government officials, manipulated images or fabricated official correspondence.

The authors of the report show that, in the initial phase, the prepared content is published in English on a small number of websites. After the analysis, the authors indicated, BalticWord.ue and as the most popular portals.

The Duran portal appears many times in analyzes of information activities also conducted by our editorial office. In February this year. it was used to hit the Defender Europe 2020 exercise, when he published an article based on completely false quotes attributed to General Hartmut Renk.

The authors of the text attributed false words to the general, among others on cooperation with the Polish army, according to which he was to judge that the preparations of the Polish army look like a “real catastrophe”. He also had to admit that the security system, location and technical support did not meet the requirements of the exercise.

The general also described the conditions at the military training grounds in Ustka and Drawsko Pomorskie with the words: “It is terrible that American soldiers will live in such conditions. The barracks look like ruined stables. Mice and rats prowl the concrete floor. It’s cold and wet. In Germany, pigs are kept in better conditions. Technical support is at the level of crowbars and hammers”.

The authors were also to assign words to the general describing the Polish army – “the lack of professionalism and total irresponsibility that the Polish Army command demonstrates year after year may be a reason for canceling the planned activities during the” Defender 20 “exercise” Renk concluded. The topic of the alleged statements of the general was immediately picked up by a Polish source – “Dziennik Polityczny”, which devoted quite a long article about the words attributed to the commander. We informed about the case in February.

What does the FireEye report show? The analysis shows that the actions identified by the authors of the report as “Ghostwriter” use information operations tactics that aim to promote narratives that interfere with NATO cohesion and weaken local support for the stationed troops.

Although these activities focused on Poland, Lithuania and Latvia, they can also be applied in other geographically remote regions, the authors of the report indicate. The cases analyzed by our editorial office also confirm this thesis.


Follow us everywhere and at any time. has responsive design and you can open the page from any computer, mobile devices or web browsers. For more up-to-date news from us, follow our YouTube, Reddit, LinkedIn, Twitter and Facebook pages. Do not miss the chance to subscribe to our newsletter. Subscribe and read our stories in News360App in AppStore or GooglePlay or in FeedlyApp in AppStore or GooglePlay

Subscribe to Google News

>>Be a reporter: Write and send your article.<<
Editorial team