Russia-related accounts and a cyberattack in Poland


From a forged letter by a high-ranking army official, to fake personas from a small pro-Russian website, to a Cyprus media company known for spreading pro-Kremlin content: a picture of Poland’s disinformation space.

This story is a shortened version of the Stanford Internet Observatory report by Daniel Bush, Anna Gielewska, and Maciej Kurzynski. The report is part of the project on monitoring disinformation in Polish elections.

A forged letter appeared on the website for the Polish War Studies Academy on April 22. Hackers broke into the site easily. The document, a fake letter by Brigadier General Ryszard Parafianowicz that denounced the ruling party (Law and Justice) and called upon Poles to reject the “American occupation” of their country, was the first link in a disinformation campaign intended to undermine support for NATO in Poland. 

The Polish Special Services noted that the attack “corresponds to Russian actions”, though they did not give any more details about attribution. The background for the operation is clear: the Defender-Europe 20 military exercise, in which Poland was involved and to which the Russian government has been openly hostile. Provoking and creating divisions around the Polish-US alliance and undermining NATO’s position in Eastern Europe have been long-standing priorities of Russian foreign policy, which has pursued these aims through overt and covert means.

This cyber attack caught our attention. We noticed some similarities between the tactics described in the Polish government’s description of the operation and those Stanford Internet Observatory observed on one of the Facebook Pages that we have been monitoring in the run-up to Poland’s presidential election: “Niezależny Dziennik Polityczny” [Independent Political Journal] (NDP). We dug further and found that NDP, which has been accused many times of being connected to the Russian security services, had a larger role in this cyber attack than has previously been reported. But first let’s have a closer look at NDP itself.

It is primarily a Polish-language website that purports to “present a modern political vision that clearly addresses the challenges and problems of modern times and the security of [Poland].” In many ways NDP resembles other “news” websites existing on the fringes of the Polish media ecosystem: it is built on WordPress; it publishes very little original content, relying instead on material taken from other sources and refurbished; and it does not identify any of the people or journalists responsible for the site and its content. There is no indication that any of NDP’s authors are real people.

 

The Niezależny Dziennik Polityczny homepage on May 6, 2020. The featured article is titled “How Lithuania Discriminates.” Credit: Stanford Internet Observatory

NDP has also been repeatedly accused by Polish journalists of being connected with the Russian intelligence agencies—specifically of being a facet of the Russian government’s influence operations directed at Poland.

There are a few things that support this conclusion. First, NDP has a consistent track record of concocting and publishing content that is directly aligned with Russia’s influence strategy towards Poland. Specifically, NDP consistently publishes false documents and inflammatory content designed to undermine NATO, to stir up hatred and distrust toward Ukraine, and to boost pro-Russian political movements in Poland. What’s more, NDP’s tactics are sophisticated. Often, NDP bolsters its narratives by creating false documents—such as a fabricated Facebook post—and doctoring images and videos in ways that can mislead even attentive readers. NDP expends more effort on these posts than a typical clickbait site expends on content. Pro-Russia narratives are one thing; but it is their combination with fake accounts and repeated involvement in disinformation operations that makes attribution to Russia more convincing.

The NDP page does not pretend to be completely anonymous. It lists a staff of five on its “contact” page, and its Facebook Page lists two “team members,” Adam Kamiński and Wojciech Brozek.

Credit: Stanford Internet Observatory

The Facebook activity for these two profiles consists almost entirely of posting links to NDP content without comment; nowhere have we observed them writing in Polish (or any other language). Oko.press journalists tried to interview Kamiński in 2017 and received only evasive answers. Before then, in 2016, the Twitter user @lostson_ showed that Kamiński’s profile picture was stolen; a quick search shows that Brozek’s is as well. Stolen profile pictures and fabricated content are not the only things about NDP that suggest inauthenticity. We could not find an online presence for two other authors with bylines in NDP, Jan Radžiūnas and Marcin Szymański, and some of NDP’s YouTube videos appear to feature text-to-speech voice-overs in mistake-prone Polish instead of real speakers. Furthermore, an analysis of the NDP Facebook Page’s interaction statistics shows anomalous early spikes in share counts that could indicate inauthentic engagement:

Likes and shares counts for the NDP Facebook Page from 2015-2020. Several posts received large share counts in 2015 (circled in yellow) without receiving substantial numbers of likes. This might indicate that the shares were obtained inauthentically. Credit: Stanford Internet Observatory

Even if Kamiński, Brozek, Radžiūnas, and Szymański are not real persons, the actors behind these profiles have the work habits of real journalists. From January 1, 2018 to April 25, 2020, when the site was most active, it averaged 34 articles per week. Most articles are not original but instead cobbled together from other Polish sources and then altered. The people behind NDP generally stick to a typical workweek, suggesting that they are not hobbyists. 

In addition to the website and Facebook profile, there is a Twitter profile, a YouTube channel, and a neon24 page to maintain—nevertheless, it is not clear how the website makes money. It does not show ads, sell merchandise, or ask for donations. NDP’s lack of a commercial dimension combined with its sustained level of output suggests that there is another source of funding behind it.

Finally, while the main activity of the fake accounts associated with NDP on Facebook (Kamiński, Brozek, and a few others) is sharing NDP content, they occasionally share other content as well. This is how we noticed that the NDP accounts had a role in the April 22 cyber attack.

Shortly after the document appeared on the hacked site of the War Studies Academy, at least three articles appeared with a picture of Brigadier General Parafianowicz and identical headlines, which read “A Scandalous Letter by the Rector of the War Studies Academy: PiS Politicians Are Leading Us to Disaster.” These articles appeared on at least three web publications: prawy.pl, lewy.pl, and ono24.info. Afterward, the articles were removed, and the owner of lewy.pl and prawy.pl claimed that the sites had been hacked. There is evidence for this claim: the “new” articles that appeared on the sites were actually edited versions of older articles—the prawy.pl URL is still connected to a Facebook post from February 27, 2020—published with new content but old publication dates. This would have allowed the hackers to link to the articles on social media without actually “publishing” them again and thereby potentially tipping off the site administrators. Indeed, the prawy.pl, lewy.pl, and ono24.info social media accounts did not post about the new additions to their content, suggesting that they were at first unaware of their existence.
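A check a site owner could run against this kind of silent rewrite, as an added example that is not from the original report: compare each post with a stored baseline hash and look at the gap between its publication and last-modified timestamps. The post records, field names and dates are constructed, and the approach assumes the CMS exposes both timestamps.

```python
import hashlib
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"

def digest(title, body):
    """Stable fingerprint of what readers actually see."""
    return hashlib.sha256(f"{title}\n{body}".encode("utf-8")).hexdigest()

# Constructed baseline: hashes recorded by the site owner at an earlier date.
BASELINE = {
    101: digest("Council budget vote", "Original text A"),
    102: digest("Weekend weather warning", "Original text B"),
    103: digest("Road works schedule", "Original text C"),
}

# Constructed current export of the same posts.
CURRENT = [
    # Old post reused as a carrier: publication date kept, content replaced.
    {"id": 101, "published": "2020-02-27 09:00", "modified": "2020-04-22 13:40",
     "title": "Replaced headline", "body": "Replaced text"},
    # Untouched post.
    {"id": 102, "published": "2020-03-10 12:00", "modified": "2020-03-10 12:00",
     "title": "Weekend weather warning", "body": "Original text B"},
    # Content replaced and the modified timestamp reset: only the hash catches it.
    {"id": 103, "published": "2019-11-05 08:30", "modified": "2019-11-05 08:30",
     "title": "Road works schedule", "body": "Replaced text"},
]

def find_rewritten(posts, baseline, min_gap=timedelta(days=7)):
    """Return {post_id: [reasons]} for posts that look silently rewritten."""
    findings = {}
    for p in posts:
        reasons = []
        known = baseline.get(p["id"])
        if known is not None and known != digest(p["title"], p["body"]):
            reasons.append("content differs from baseline")
        gap = (datetime.strptime(p["modified"], FMT)
               - datetime.strptime(p["published"], FMT))
        if gap >= min_gap:
            reasons.append(f"modified {gap.days} days after publication")
        if reasons:
            findings[p["id"]] = reasons
    return findings

if __name__ == "__main__":
    for post_id, reasons in find_rewritten(CURRENT, BASELINE).items():
        print(post_id, "; ".join(reasons))
```

Legitimate corrections to old posts will also appear in the output, so each finding is a prompt for review by an editor rather than proof of compromise.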

Some Facebook and Twitter users were aware of the articles’ existence, however: specifically, the Facebook accounts associated with NDP. Shortly after the appearance of the fabricated document and the articles describing it, these accounts started sharing links to the articles in various Facebook groups.

NDP profiles sharing the fabricated articles in various public Facebook Groups. Credit: Stanford Internet Observatory

 

In all, we found at least 57 instances of NDP-associated accounts sharing the articles. Crucially, these accounts were the first accounts to share these articles on Facebook.

| Time of Post in CEST | Author of Post | Name of Group | Host of Fabricated Article |
|---|---|---|---|
| 1:58 PM | Wojciech Brozek | POLACY | Prawy.pl |
| 2:01 PM | Krzysztof Papas | Nasza wspólna grupa | Prawy.pl |
| 2:01 PM | Krzysztof Papas | PATRIOCI | Prawy.pl |
| 2:01 PM | Krzysztof Papas | Polska Polaków | Prawy.pl |
| 2:01 PM | Krzysztof Papas | Polacy w Anglii | Prawy.pl |
| 2:01 PM | Krzysztof Papas | POLACY | Prawy.pl |
| 2:02 PM | Krzysztof Papas | Polska – Najważniejsze Informacje | Prawy.pl |
| 2:02 PM | Krzysztof Papas | Armia, Geopolityka, Swiat | Prawy.pl |
| 2:02 PM | Krzysztof Papas | Klub Prawoskrętnych | Prawy.pl |
| 2:04 PM | Krzysztof Papas | My Polacy | Prawy.pl |
| 2:07 PM | Krzysztof Papas | POLACY nie tylko w Polsce | Prawy.pl |
| 2:14 PM | Wojciech Brozek | PATRIOTYCZNA POLSKA | Prawy.pl |
| 2:15 PM | Wojciech Brozek | Fani Wolnej Polski | Prawy.pl |
| 2:17 PM | Wojciech Brozek | Nasza Wspólna Grupa | Prawy.pl |
| 2:18 PM | Wojciech Brozek | NIE DLA OBECNOŚCI AMERYKAŃSKICH BAZ W POLSCE | Prawy.pl |
| 2:18 PM | Wojciech Brozek | PATRIOCI | Prawy.pl |
| 2:22 PM | Adam Kamiński | Polonia w USA | Lewy.pl |
| 2:34 PM | Wojciech Brozek | Władza jest najważniejsza | Prawy.pl |
| 2:35 PM | Wojciech Brozek | Polonia na świecie | Prawy.pl |
| 2:35 PM | Wojciech Brozek | Rozwiązać Unię Europejską | Prawy.pl |
| 2:35 PM | Wojciech Brozek | Walczymy o wolność Polski | Prawy.pl |
| 2:36 PM | Wojciech Brozek | POLITYCZNA.TV | Prawy.pl |
| 2:36 PM | Wojciech Brozek | KONGRES POLSKI SUWERENNEJ | Prawy.pl |
| 2:37 PM | Wojciech Brozek | Grupa Podaj Dalej | Prawy.pl |
| 2:38 PM | Adam Kamiński | PKD – Polityczny Klub Dyskusyjny* | lewy.pl |
| 2:47 PM | Wojciech Brozek | Wiwat Polska! | Prawy.pl |
| 2:52 PM | Adam Kamiński | POLACY nie tylko w Polsce | lewy.pl |
| 3:02 PM | Adam Kamiński | Obóz Wielkiej Polski | lewy.pl |
| 3:06 PM | Kazimierz Wolski | PATRIOTYCZNA POLSKA | ono24.info |
| 3:08 PM | Kazimierz Wolski | Fani i Sympatycy Aleksandry Dulkiewicz | ono24.info |
| 3:09 PM | Marek Litwin | Polski Demokratyczny Portal Informacyjny | ono24.info |
| 3:09 | Tadeusz Bartold | SIŁA PONAD PODZIAŁAMI | Prawy.pl |
| 3:10 PM | Marek Litwin | Fani i Sympatycy Aleksandry Dulkiewicz | ono24.info |
| 3:10 PM | Adam Kamiński | Mieszkamy w Londynie | lewy.pl |
| 3:13 PM | Marek Litwin | Polityka – najważniejsze informacje | ono24.info |
| 3:15 PM | Marek Litwin | “Nasza wspólna grupa” | ono24.info |
| 3:15 PM | Stefan Skurczymąć | Stanisław Michalkiewicz | Prawy.pl |
| 3:15 PM | Stefan Skurczymąć | Wszyscy jesteśmy Kresowiakami | Prawy.pl |
| 3:15 PM | Kazimierz Wolski | Lewacy świata, precz z łapami od Polski | ono24.info |
| 3:16 | Stefan Skurczymąć | NIE DLA OBECNOŚCI AMERYKAŃSKICH BAZ W POLSCE | Prawo.pl |
| 3:17 PM | Marek Litwin | KLUB AFER PIS | ono24.info |
| 3:19 PM | Kazimierz Wolski | Kręgi Patriotyczne – grupa | ono24.info |
| 3:19 PM | Kazimierz Wolski | Rozwiązać Unię Europejską – Official | ono24.info |
| 3:20 PM | Kazimierz Wolski | Wolność Własność Sprawiedliwość | ono24.info |
| 3:22 PM | Kazimierz Wolski | Znajomi, którzy lubią stronę Sokzburaka | ono24.info |
| 3:22 PM | Marek Litwin | Ruch-Donalda Tuska | ono24.info |
| 3:51 PM | Kazimierz Wolski | Nasza Wspólna Grupa | Prawy.pl |
| 3:51 PM | Marek Litwin | Narodowy Front Polski | Prawy.pl |
| 3:53 PM | Kazimierz Wolski | Polonia w USA | Prawy.pl |
| 3:54 PM | Kazimierz Wolski | Fani Jarosława Kuźniara | Prawy.pl |
| 3:56 PM | Marek Litwin | Polska i Świat | Prawy.pl |
| 4:03 PM | Marek Litwin | Zjednoczona walcząca opozycja | Prawy.pl |
| 4:05 PM | Marek Litwin | Fani i Sympatycy Aleksandry Dulkiewicz | Prawy.pl |
| 4:24 PM | Adam Kamiński | Pokazujmy przekręty i kłamstwa władz PiSu | lewy.pl |
| 8:04 PM | Kazimierz Wolski | Polacy w Europie | ono24.info |
| 8:30 PM | Marek Litwin | KOALICJA OBYWATELSKA | ono24.info |
| 2:54 AM (Apr 23) | Marek Litwin | Veto dla PiS i kościoła w polityce. | ono24.info |

*group created by NDP
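The posting rhythm in the table above, worked through as an added example that is not part of the original report: the script takes the share times per account as listed and measures how many posts each account made inside any five-minute span. The window and threshold are illustrative assumptions, and the two times printed without AM/PM are read as PM.

```python
# Share times (CEST, 22 April 2020) transcribed per account from the table.
# Assumptions: 3:09 and 3:16 (printed without AM/PM) are PM, and 26:54
# encodes 2:54 AM on 23 April so that all times stay sortable.
SHARES = {
    "Wojciech Brozek": "13:58 14:14 14:15 14:17 14:18 14:18 14:34 14:35 "
                       "14:35 14:35 14:36 14:36 14:37 14:47",
    "Krzysztof Papas": "14:01 14:01 14:01 14:01 14:01 14:02 14:02 14:02 "
                       "14:04 14:07",
    "Adam Kamiński": "14:22 14:38 14:52 15:02 15:10 16:24",
    "Kazimierz Wolski": "15:06 15:08 15:15 15:19 15:19 15:20 15:22 15:51 "
                        "15:53 15:54 20:04",
    "Marek Litwin": "15:09 15:10 15:13 15:15 15:17 15:22 15:51 15:56 "
                    "16:03 16:05 20:30 26:54",
    "Tadeusz Bartold": "15:09",
    "Stefan Skurczymąć": "15:15 15:15 15:16",
}

def to_minutes(hhmm):
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)

def max_burst(times, window):
    """Largest number of posts that fall inside any `window`-minute span."""
    ts = sorted(times)
    best = start = 0
    for end, t in enumerate(ts):
        while t - ts[start] > window:   # shrink the span from the left
            start += 1
        best = max(best, end - start + 1)
    return best

def analyse(shares=SHARES, window=5, threshold=5):
    """Return (first sharer, burst size per account, accounts over threshold)."""
    parsed = {a: [to_minutes(x) for x in s.split()] for a, s in shares.items()}
    first = min(parsed, key=lambda a: min(parsed[a]))
    bursts = {a: max_burst(t, window) for a, t in parsed.items()}
    flagged = {a: n for a, n in bursts.items() if n >= threshold}
    return first, bursts, flagged

if __name__ == "__main__":
    first, bursts, flagged = analyse()
    print("first sharer:", first)
    for account, n in sorted(bursts.items(), key=lambda kv: -kv[1]):
        mark = "  <-- burst" if account in flagged else ""
        print(f"{account:20} max posts in 5 min: {n}{mark}")
```

A burst of posts to many groups within minutes is an indicator to weigh alongside the other evidence in the report, such as stolen profile pictures, rather than a finding on its own.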

 

Examining the ways in which this article spread through Facebook, we can see that this operation was skillfully conceived: the headline, with its anti-PiS slant, was contrived to appeal to PiS opponents on both the left and the right (and indeed “lewy” and “prawy” mean “left” and “right” in Polish). Once the NDP accounts began sharing the articles, they caught on and began being shared by ordinary Polish Facebook users. Articles featuring the fabricated document were shared in hundreds of Facebook groups and generated more than 3,000 interactions. Because of its anti-PiS headline, the article attracted users in left and far-right groups. 

Only when the War Studies Academy and the owners of the sites realized what had happened and the articles were taken down did the operation burn out; by that time, it had received thousands of likes, comments, and shares and been seen by many thousands of Facebook users. Significantly, the comments we reviewed were not skeptical; on the contrary, many of them expressed strong agreement with the artfully crafted headline and called Parafianowicz a “man of honor” for these words, which of course weren’t his. 

Nor was the operation restricted to the Polish-language parts of the internet. On the same day, at 15:53:21 UTC +3 (equivalent to 5:53pm CEST), judging by the page source, The Duran published an article in English with the headline “Polish General Encourages Polish Soldiers to Fight Against American Occupation.” This article was then picked up shortly thereafter by the Russophile, and in the following days by other fringe websites. All of these websites are known Kremlin mouthpieces. 

The Duran website is part of DRN Media PLC, a company registered in Cyprus. It publishes conspiracy theories and pro-Russian content. The website also links to an online shop with T-shirts and mugs with images of Putin. Alexander Mercouris, the editor in chief of The Duran, is also a Sputnik commentator. According to the registers, there are four associates of DRN Media: Mercouris, Vladimir Rodzianko, Peter Lavelle and Alex Christoforou. They are aligned with pro-Kremlin outlets.

“As we have said on this program since the very beginning – Russiagate is a hoax and a fraud” – say guests of the RT’s CrossTalking anchor Peter Lavelle: Alexander Mercouris and Alex Christoforou. All of them are also affiliated with The Duran website.

So how did the fabricated document make the jump from the hacked War Studies Academy website to The Duran so quickly? The author of the article, a persona named Rod Renny, has been behind other false articles targeting Poland that have appeared on NDP. One explanation would be that Rod Renny is simply a close observer of Polish fringe websites and that, having happened on one of the fabricated articles, he translated it for The Duran. Another, likelier explanation is that Rod Renny is yet another fake persona involved in this attack. In this case, Rod Renny’s role was to help the fabricated document make the leap from Polish-language media to English-language websites.

It seems clear that Poland was targeted by a rather ingenious variation of the hack-and-leak operations we have observed in the past. Vulnerable websites, especially those that enjoy some credibility among the target audience, like the website for the War Studies Academy, can be attacked and then leveraged in sophisticated, well-planned influence operations. Inauthentic activity on Facebook performs a crucial function in such operations. The NDP page and accounts have been well known to Polish journalists for over three years, but they were never removed from Facebook. 

Vsquare asked Kamil Basaj, a cyber expert from the Polish Fundacja Info Ops, for comment:

The scale of this attack wasn’t the most effective in terms of reach. So the question is why it looked like that? I consider varied scenarios. It might have been some kind of test, to check out the reactions, or maybe a plan to use these fabricated materials that were published, in some future operations. For example, to share this content in some closed English speaking groups, to undermine US – Polish relations.