Reddit has revealed that key U.S.-U.K. trade documents posted on its site were likely posted as part of a broader political-influence campaign that first appeared on Facebook and is tied to Russia-based operatives.
The online media aggregator says it has linked documents that were leaked on its site in October by a user called Gregoratior to a “vote-manipulation” campaign originally discovered on Facebook earlier this year and dubbed “Secondary Infektion.”
“We were recently made aware of a post on Reddit that included leaked documents from the UK,” according to a statement Reddit posted on its platform. “We investigated this account and the accounts connected to it, and today we believe this was part of a campaign that has been reported as originating from Russia.”
It is likely Reddit was responding to a report released earlier this month by cyber intelligence firm Graphika outlining efforts by Secondary Infektion that it believes were targeting British politicians and others. “The similarities to Secondary Infektion are not enough to provide conclusive attribution but are too close to be simply a coincidence. They could indicate a return of the actors behind Secondary Infektion or a sophisticated attempt by unknown actors to mimic it,” wrote Graphika (PDF).
The documents, among other things, suggest that the United States is pressing the United Kingdom for a no-deal Brexit as part of a broader trade agreement that has the latter “practically standing on her knees” to come to a consensus, Gregoratior wrote in the post accompanying the documents.
After Gregoratior leaked the documents, they were reposted by another Reddit user, Ostermaxnn, as well as in different regional sub-sites and in different languages, according to Reddit. However, “none of these accounts or posts received much attention on the platform, and many of the posts were removed either by moderators or as part of normal content manipulation operations,” the company said.
Reddit has banned 1 subreddit and 61 user accounts in response to the leak to comply with policies against vote manipulation and misuse of the platform, the company said. However, the record of the accounts will be retained so that researchers and others can learn how they operated and respond quickly to any future occurrences, according to Reddit.
Reddit cited a combination of indicators from law enforcement and the company’s own observation of “a pattern of coordination” linking the leaks to the Secondary Infektion campaign as key to identifying the manipulation campaign.
“We were then able to use these accounts to identify additional suspect accounts that were part of the campaign on Reddit,” according to Reddit. “This group provides us with important attribution for the recent posting of the leaked UK documents, as well as insights into how adversaries are adapting their tactics.”
In addition to the Facebook/Reddit leaks, Russia-based threat actors have also been found interfering with other political processes this year. The Russia-based APT group Fancy Bear (also known as “Sofacy”, “Sednit”, “STRONTIUM” and “APT28”) targeted journalists, think tanks, non-governmental organizations and others in an attempt to disrupt the European Parliament elections that were held in May, according to a report by Microsoft.
In December 2016, the Federal Bureau of Investigation and the US Department of Homeland Security implicated Russian hacking group Fancy Bear in attacks against several election-related targets.