How Russia runs its Internet disinformation post-Ukraine Invasion

Fabian Hutter
Apr 11, 2022
© Fabian Hutter 2022

On March 4, 2022, 8 days into the largest military assault on a European state since World War II, the Russian state communications regulator, Roskomnadzor, blocked access to Facebook and Twitter, in retaliation for the platforms placing restrictions on state-owned media abroad such as Russia Today (RT) and Sputnik News.

However, Russian state-sponsored anonymous Internet disinformation continues to operate unabated through foreign cloud hosting services. This article explores how Russian disinformation networks use VPSs and VPNs to hide their operations, and what role certain European cloud companies may play unwittingly.

The Ukrainian Government Gets Blocked

On March 7, 2022, the Ukrainian Ministry of Foreign Affairs (MFA) posted a tweet about German hosting provider Hetzner Online blocking access to Ukrainian government websites about the invasion of Ukraine.

Source — Twitter of MFA of Ukraine

You might wonder now about two things: How is this related to Russian disinformation? Also: Why is a random German hosting provider blocking websites of the Ukrainian government without a court order, notification, or any form of explanation?

What is Hetzner Online?

Hetzner Online is a mid-tier German data center operator with facilities in Germany (Nuremberg, Falkenstein) and Finland (Helsinki). Compared to firms like Amazon Web Services, Microsoft Azure, Google Cloud, or larger European competitors such as Deutsche Telekom, or OVH, it is a lesser-known company to the public. However, it traditionally has a large customer following in Eastern Europe and Russia as an inexpensive German hosting provider.

On March 9, 2022, Hetzner issued a press release apologizing for the shutdown of the war.ukraine.ua governmental website. Hetzner claimed:

“… anomalies were discovered that led (an) employee to decide to block the server (…) At no time are or were our actions politically motivated, nor were there any external influences on our actions.”

However, research into the firm’s history shows unusual behavior over the past 10 years concerning Russia and Ukraine.

Hetzner’s Record in Russia

On January 11, 2016, Hetzner Online shut down the website of Novaya Gazeta, a major oppositional newspaper in Russia with critical investigative coverage. Since its inception, 5 journalists of Novaya Gazeta were murdered, while others were injured as a result of their work. Dmitry Muratov, the founder of Novaya Gazeta, received the 2021 Nobel Peace Prize for his independent reporting. On March 28, 2022, Novaya suspended its publication in Russia.

Famous Russian journalist and human rights activist Anna Politkovskaya reported on political events in Russia through Novaya. Her outstanding investigative journalism about the Second Chechen War (1999–2005) and Russian corruption led to death threats, poisonings, and her unsolved murder in 2006.

According to the editor-in-chief of Novaya at the time, Alisa Kustikova, Hetzner and the newspaper’s editorial office received nonsensical, anonymous libel complaints by a user under the generic pseudonym “Ivan Ivanov”. The complainant demanded the removal of certain articles over libel claims, citing article 290 of the Criminal Code of the Russian Federation.

Strangely enough, Article 290 pertains to sentencing ranges for bribe-taking, which is completely unrelated to civil libel law or media matters. However, Hetzner responded to the Roskomnadzor request swiftly by blocking Novaya Gazeta until the articles were deleted.

Hetzner and Ukraine

In August 2014, at the height of the Donbas War, Roskomnadzor sent an urgent take-down request to news agencies, including the BBC, prohibiting any mention of demonstrations in support of federalization in the Siberian city of Novosibirsk.

Such messages were also sent to Ukrainian media outlets such as glavcom.ua and their Internet provider, Hetzner Online, demanding the removal of related news items. Hetzner Online complied with the Roskomnadzor demands by taking glavcom.ua offline.

The Ukrainian Ministry of Foreign Affairs issued a statement expressing strong surprise over Hetzner Online’s compliance with the Russian complaint and solidarity with glavcom.ua and its journalists.

Russian Disinformation Right Now

You can go on Twitter or Facebook, visit the comment section of any leading media outlet with articles relating to the Russian invasion of Ukraine and find a flock of particularly engaged users. Some may have unusual user names with lots of digits or even a Russian flag emoji in their usernames.

In their comments, you can read that “(…) the US is just as bad, if not worse than Russia”, that Ukrainian President Zelenskyy “(…) is a charlatan/war criminal/puppet master”, that “(…) Russia is a world power soon to be victorious”, that “(…) Europe will deeply regret its support of Ukraine”, and that the Bucha massacre “(…) was staged” supposedly by the United States, Ukraine, and NATO.

Most accounts are brand new, registered within the past week while others have been posting for years on European separatist movements, identitarian ideology, and American social justice causes. You can see the same pattern of replies: varying degrees of aggressiveness, circular logic, and the unshakeable sentiment that “Russia has a point”.

In early March, I wondered whether these hostile Twitter replies were part of a broader, basic Russian disinformation campaign, or genuine internet users with anti-Western sentiment, more or less legitimate personal grievances, and a lot of time on their hands.

A Quick “Bot Catcher” Experiment

To figure out whether these accounts were genuine, I set up a little experiment: create a robust list of suspicious pro-Russian accounts on Twitter, build a script to engage suspicious accounts in short interactions, and plant disguised honeypot tracking links in the reply interactions that log IP and browser information, and potential VPS/VPN use. Users who click would then get redirected (via a MetaRefresh/JS) to the final end destination, in this case to a news article of a traditional media outlet like the New York Times or The Guardian.

To avoid false positives, such as web crawler bots or other users, I ran each experiment three times, and included obstacles like fake GDPR banner pages with unusual formatting to ensure that an actual human had to interact with my honeypot links. To validate the final results, I used paid services like ipdata and the excellent open-source solution GetIPIntel.

Explainer: What’s a Crawler Bot? What’s a VPS?

Keep in mind that every tweet, even if it is just your Auntie Doris posting about her latest culinary creation on Sunday or posting a link about her church blog’s local bake sale, gets crawled through almost instantly. What does that mean?

Any website of interest, including online platforms such as Twitter, gets inundated with bots crawling through every page and text. These can be “good bots” for commercial purposes that index websites for search engines (SEO — search engine optimization), survey sites for web metric services, or “bad ones” that flood websites with requests to slow them down or collect data beyond the usual scope.

A VPS, or virtual private server, on the other hand is a form of multi-tenant cloud hosting. You can think of it as a virtual computer: virtualized computing resources are provided through physical servers in a server farm, made available to an end user over the internet.

The Mask Slips Right Away

I started the experiment, and after 90 minutes and 15 attempts in, I started reviewing my server logs. 14 out of the 15 unique access attempts seemed to have two things in common: each of them had 3–4 access attempts by Virtual Private Servers (VPS) with a German IP address. All of them were routed through a third-country proxy address in Asia.

IP log readout
The first IP log readouts show repeated access attempts by German-based VPSs with a distinct Southeast Asian proxy address.

And every VPS was hosted on Hetzner Online infrastructure. So I ran a control experiment without any crawler obstacles, on trending subjects of the day with random Twitter users. A few access attempts by Hetzner Online-hosted crawler bots in total. But no access attempts with a VPS based on Hetzner infrastructure and no third-country proxy addresses. So I repeated the experiment a few times.

After some tweaks, another round of testing showed a direct connection to Russia. Two viewing attempts with Android devices with a Moscow IP address, both using the Yandex internet browser. For both attempts, two Hetzner VPSs with the distinct third-country proxy accessed the link right at the exact same second both times.

IP log readout
The identical timestamps corroborate a connection between Moscow-based Android devices and a German-based VPS.
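The same-second correlation described above can be checked mechanically over an access log. The following is an added example, not the author's script: the log format, tracking tokens, timestamps, IP addresses (documentation ranges) and the `HOSTING_NETS` prefix are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log (documentation IP ranges, not real data):
# ISO timestamp, tracking token, client IP, user agent
SAMPLE_LOG = """\
2022-03-20T14:02:11Z t01 198.51.100.23 Mozilla/5.0 (X11; Linux x86_64)
2022-03-20T14:02:11Z t01 198.51.100.87 Mozilla/5.0 (X11; Linux x86_64)
2022-03-20T14:02:11Z t01 203.0.113.40 Mozilla/5.0 (Linux; Android 11) YaBrowser/22.1
2022-03-20T14:05:37Z t02 198.51.100.23 Mozilla/5.0 (X11; Linux x86_64)
2022-03-20T14:09:02Z t02 203.0.113.77 Mozilla/5.0 (Windows NT 10.0)
2022-03-20T14:15:45Z t03 192.0.2.9 ExampleCrawler/1.0
"""

# Assumption: prefixes treated as hosting-provider address space. In practice
# this classification comes from an IP-reputation service or the provider's
# published ranges; 198.51.100.0/24 is a placeholder.
HOSTING_NETS = [ipaddress.ip_network("198.51.100.0/24")]

def is_hosting(ip, nets=HOSTING_NETS):
    """True if the address falls inside one of the hosting prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def parse(log_text):
    """Yield (timestamp, token, ip, user_agent) from well-formed lines only."""
    for line in log_text.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4:
            yield tuple(parts)

def same_second_hits(log_text):
    """Map (token, second) -> (other IPs, hosting IPs) where both kinds appear."""
    buckets = defaultdict(lambda: {"hosting": set(), "other": set()})
    for ts, token, ip, _ua in parse(log_text):
        kind = "hosting" if is_hosting(ip) else "other"
        buckets[(token, ts)][kind].add(ip)
    return {
        key: (sorted(b["other"]), sorted(b["hosting"]))
        for key, b in buckets.items()
        if b["hosting"] and b["other"]
    }

if __name__ == "__main__":
    for (token, ts), (clients, hosts) in same_second_hits(SAMPLE_LOG).items():
        print(token, ts, "client:", clients, "hosting:", hosts)
```

Link-preview fetchers and crawlers can also hit a URL within the same second as a human click, so a match here is an indicator to investigate rather than attribution on its own.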

Conclusion: It may not matter. Or it might.

This quick experiment marks another entry into a long list of brazen disinformation efforts by the Russian government. When it comes to the covertness of these efforts, the Russian government does not seem to care. We all know that already. It is mirroring Russia’s geopolitics.

Putin antagonist Boris Nemtsov got assassinated in 2015 on the Bolshoy Moskvoretsky Bridge, immediately east of the Kremlin. The FSB intelligence agents involved in the 2018 poisoning of Sergei and Yulia Skripal had consecutive passport serial numbers. In February 2022, Putin insisted that Russia was merely carrying out a “special military operation,” while ordering a full-scale attack on a sovereign country.

While there seems to be a high degree of operational sophistication in these disinformation campaigns, there is always a big, stunning mistake in covering it up. Run the entire Twitter disinformation campaign through one single Western cloud hosting provider? Using overtly aggressive language in Twitter replies to antagonize unsuspecting Twitter users by the hundreds of thousands?

It all may not matter. Or it may. The brazen display of disinformation, aggressive bullying, and creating a barely audible background noise of doubt might be the goal.

Thank you for reading!

If you enjoyed this article, please follow me on Medium and Twitter.

If you really enjoyed this article and have the means, please consider donating to World Central Kitchen (WCK), a humanitarian non-profit organization by chef José Andrés. WCK currently runs the #ChefsForUkraine initiative that already gave out millions of meals to families across Ukraine, Poland, Romania, Moldova, and Hungary. Donate here!

Email: fabianhutter@pm.me (PGP Public Key)
