Russian nationalistic or state sponsored trolling and/or hacking of XenForo forums


Hi, folks,

Suppose you were a near dictator in a large corrupt country and you wanted to annex smaller countries like Crimea and the Ukraine. When large countries annex small countries in Europe after military conflicts, it may remind many people of World War II and the Germans. To keep your opponents from putting up effective resistance and to keep your own country behind you, you might be tempted to organize online trolls to sow fear, uncertainty and doubt among those who might oppose you.

Recently there have been several news reports in respected news outlets about a "troll factory" in Russia:

I never imagined that as a webmaster I would have to face anything like state-sponsored trolling. But recently, I've been wondering if our fellow XF admin, @RichardGaspa, has been the victim of trolling by Russian professional trolls and possibly hackers. His forum serves veterans of the US armed forces.

For the past couple of weeks, I have been bombarded by new user registrations. The new user registration information entered is all American names, and the cities and states are all in the United States. (location information entered in new user registration)

A large number of the new users have an IP address in Russia and the Ukraine even though the registration information is American. Name, city, state, etc.

After confirming their email address and being granted a full account, these new users start an anti-American, anti-American-military content thread. Many times there are hidden links in the thread. I clicked a couple to see where it took me and all I found was an empty page. I could not see where it was attempted spam by the user trying to sell anything, just an empty page. No one has ever tried selling any items.

All the new users were using a different IP address. However, a check revealed all the IPs were from Russia and the Ukraine. Now I found a user that was granted administrator access and not by me. I always delete the user and ban the IP address after reading the anti-American related posted threads. I have all guests posting moderated. I have had no less than thirteen new users with a Russian and Ukraine IP in the last couple of days.

Another personal experience I had on his site makes me suspect politically motivated hacking. I made an account on his forum maybe a month ago to check it out, but never made a post. Then, a couple of days ago, I get an email saying that someone had replied to a post I made.

Strange. I've never made a post on the site.

Come to find, the post that was made with my account was trollish, perfectly designed to mess up the morale of a veteran.
Going to any lengths to preserve freedom and improve our economic standing; now, that's the America I fought for, HA!
(I'm not a veteran, but the troll probably neither knew nor cared. Just to be clear, I did not make that post. Someone else hacked my account and made the post.)

I'm a pretty liberal guy who likes to think of himself, as much as possible, as a "world citizen," but I do love my country, and this made my blood boil, as the veterans of every country make great sacrifices to protect us.

Next, Richard made the following post about getting file health check errors, another possible symptom of hacking:
I am getting errors after running File Health Check (please see below) Anyone have an idea what these errors mean? Still learning XenForo so they are like a new language to me. I am thinking they are from an addon I am running but can't tell which one from looking at the errors. Thanks in advance - Rick

So, with that as background, here are my questions:
  1. Do you think that this could have been related to activities by organizations like "Internet Research," the so-called "Russian troll factory" profiled in the above articles?
  2. What steps should Richard take to protect himself and his site? I hate to see trolls of any sort win.
  3. Would any of the experts here be willing to volunteer to help him conduct a security audit of his site?
  4. Does anyone else have experiences with what they believe to have been state sponsored trolls posting inflammatory content or state-sponsored hackers disrupting their site or compromising accounts?
I know that all sorts of state sponsored bad stuff happens out on the internet, and it all has been discussed to death, so let's focus on state-sponsored trolling and state-sponsored hacking that specifically supports trolls posting inflammatory or propagandistic content. Also, let's focus on how we, as forum admins, can defend ourselves and our communities from this.
Does Russia have money to pay the trolls and not have money to use proxies from other countries such as France, Spain, etc.?
They don't know anything about IP addresses?
It could be someone using a Russian proxy server or botnet, or maybe US gov to create propaganda, or maybe it is really Russian! :D

It's the internet, anything could happen.

TL;DR: When I wrote state-sponsored, I didn't mean to imply state control or financing. Rather, it might just be done to curry favor. According to reputable accounts, many governments do finance and control internet sock puppets. Also, according to reputable news sources, there does seem to be a very well financed "troll factory" in St. Petersburg. Chances are it wasn't the "troll factory" that hacked my account on Richard Gaspa's forum and is otherwise harassing him. Who was it then? And more importantly, how do we, as independent XenForo forum owners, protect ourselves from politically motivated or state-sponsored trolling? Certainly learning what it looks like is a good first step. Politically motivated trolling is a form of censorship and propaganda, and is wrong. If Richard posts threads asking for help, we should try to help him.

Yup, completely serious. I should say that I meant the phrase "state-sponsored" very loosely, though. It seems pretty clear from the news reports that I linked to that there is a well-funded organization in Russia that is spreading propaganda via social media and forums on the web. It's not clear, however, that this organization receives direct funding from the Kremlin. I should have made that clear in my OP.

What is clear, however, is that a number of countries, including my own, do engage in state-sponsored trolling that is paid for by the central government. From the Wikipedia page on "State-sponsored Internet sockpuppetry:"
State-sponsored Internet sockpuppetry
State-sponsored internet sockpuppetry is a government's use of sockpuppets with the intention of swaying online opinion, undermining dissident communities, or changing the perception of what is the dominant view (often via astroturfing).

The following is a list of the known or alleged examples of state-sponsored internet sockpuppetry:
This website has visitors from all over the world and I want this thread to be about the general topic of nationalistic and state-sponsored internet sockpuppetry and harassment (and not about nationalist rivalries or jingoism), so let me start by talking about things that happen in my own country. From the Wikipedia article on Operation Earnest Voice:

Operation Earnest Voice
Operation Earnest Voice is an astroturfing campaign by the US government. The aim of the initiative is to use sockpuppets to spread pro-American propaganda on social networking sites based outside of the US.[1][2][3][4] According to the United States Military Central Command (CENTCOM), the US-based Facebook and Twitter networks are not targeted by the program because US laws prohibit US state agencies from spreading propaganda among US citizens.

If you want more examples (including of the UK), here's an article from The Guardian entitled, "From Britain to Beijing: how governments manipulate the internet: The Kremlin’s ‘cyber army’ is gaining increasing notoriety, but similar tactics are used to influence opinion around the world."

Anyway, putting aside the sockpuppetry that is known to be funded by central governments, it's pretty clear that there is some sort of Kremlin cyber army like the one that the title of the Guardian article referred to. The sources that I linked to above aren't of the tin-hat variety. They are from the New York Times and The Guardian (and while the third one was from Radio Free Europe/Radio Liberty, it didn't seem any crazier than the other three. Plus it had an interesting interview describing tactics the trolls use to sow doubt):

I can't claim to be an expert about such things because normally I don't bother to read about them. But here are four things that really piss me off (hopefully you can relate to some of them)
  • getting hacked and having someone post something in my name, using my reputation (it's the first time I've ever had an account hacked in my life)
  • when veterans get harassed for their service to their country
  • when small independent forums get harassed
  • trolls and spammers (other people are laid back, but I'm pretty militant with people whom I believe have ill intentions)

Here's the title and subtitle of the June 2 New York Times feature: "The Agency: From a nondescript office building in St. Petersburg, Russia, an army of well-paid “trolls” has tried to wreak havoc all around the Internet — and in real-life American communities."

The four articles that I linked to above all refer to the same organization, which appears to exist. Let's call it the St. Petersburg Troll Factory, as that name seems to have stuck:

We can debate all we want about whether the St. Petersburg "troll factory" is controlled and financed by the Kremlin. According to the New York Times, "One Russian newspaper put the number of employees at 400, with a budget of at least 20 million rubles (roughly $400,000) a month. During her time in the organization, there were many departments, creating content for every popular social network: LiveJournal, which remains popular in Russia; VKontakte, Russia’s homegrown version of Facebook; Facebook; Twitter; Instagram; and the comment sections of Russian news outlets. One employee estimated the operation filled 40 rooms."

So, if one believes the accounts in the NYTimes and the Guardian, it looks like the troll factory has a lot of money. And, if you are in the business of annexing smaller countries and run a nontransparent government, you stand to benefit greatly from this type of misinformation, so it would make sense that you might be willing to send some funding to the direction of the troll factory. On the other hand, you might want to maintain some distance. Given how the Kremlin has become more and more involved in picking favorites from among the oligarchs, running a troll factory might just be a terrific way to curry favor with the Kremlin and assure the success of your business empire. But, of course, this is all hypothesis. Of course, post-Snowden, we do know that crazy things can happen even in relatively more transparent countries.

Or maybe it's just a very patriotic Russian who is funding it. :)

(If it sounds like I put on a tin hat in the last 2 paragraphs, I'm actually just a passionate NPR listener who has had an interest in political philosophy after a great college class in the 90s. I also studied the Russian language for many years and even visited the country twice. Crazy and sad things have been happening there recently.)

But while the attack on Richard's site has lasted several weeks and may have involved hacking, the fact that it didn't involve proxies suggests that it was most likely nationalistic rather than state sponsored. I've changed the title of this thread to reflect that fact. Of course, according to the subtitle of the New York Times article, "an army of well-paid “trolls” has tried to wreak havoc all around the Internet — and in real-life American communities." They do appear to be trolling up a storm somewhere. It would make sense that some XenForo communities might be affected in the future, particularly if the forum serves a community of armed forces personnel and/or veterans, as Richard's does (it's called Veteran's Briefing).

I mean, I haven't investigated it much, but Veteran's Briefing seems like a pretty polite place. The list notice states, "Welcome to Veterans Briefing. A friendly place to discuss active military and veteran issues," and I think that that pretty much sums up the place. I hate the idea of them just minding their business, putting their energy into their own community, and then people systematically coming over from Russia and the Ukraine and attempting to disrupt the forum. I'll admit that feelings on the issue may be swayed by the fact that I hate what I believe Russia is doing in the Ukraine. I won't go into details, but what Russia is doing really strikes me as flat out cynical and evil.

I'm about to lose wifi until Monday, so if you all want to pile on to me, now is the time. ;) I will say, though, that 24 minutes after I made my post with a title designed to draw attention to something that really bugs me, Mike posted in a thread in which Richard was asking about Health File Check problems and suggested that Richard PM him a couple of files. If that's the only result that comes out of this thread, I'll be happy.

And please, folks, if Richard posts a thread asking for help, let's follow Mike's lead and help him out. No matter what your political views, it's hard as hell to start a new forum, and no one should have to face political persecution from another country while trying to set up a site that they have obviously put so much work into. Hopefully it's all just a big coincidence, but I've never had one of my accounts hacked before in my life, so that certainly got my attention.

Plus, we know that state sponsored trolls/sockpuppets are out there from multiple countries. Eventually they will hit a XenForo forum if they haven't yet.
PS. I know that my last post is really long, but if you're going to attack my position, please do take the time to read it and some of the linked articles. The linked articles really are fascinating, and, as forum admins, we all are in a special position to appreciate them.
I thought I might add something to this, if it may be helpful for context.

I was working as a moderator for one of the larger conspiracy sites online during the opening of the Ukraine conflict. The site is very much international in nature, and we happened to have the luck of someone on the Eastern side of the Ukraine with net access and a personal zeal for sharing what he saw and could share. Of course, I'd add that his IP matched up as did some other specific information to confirm the basics of what he claimed, and we were satisfied about it.

He wasn't posting more than a few days before we (the staff) were advised to be careful, watch ourselves online and report any suspicious contact or approach by people seemingly interested in getting inside information about the site. Now, we were all a little put off and unsure whether to take it seriously or not. It sounded like movie stuff when the owners made it clear they were concerned about official Russian interest and Russian nationals working our site to get that man's identity and enough information to find him.

Sure enough, we all began seeing the IP's come up and the trolling began (singular focus on the Ukraine topic, and one side of it, to the full exclusion of all else). Now I don't know how these guys are when they are about being sneaky or not advertising who they are, but they made no such effort in most cases there. The IP's came back to major Russian cities, and the majority of them came to an area of Moscow and another location that was close to but not actually inside St Petersburg. Some of the accounts we came to recognize for this would also come on IP's that came back, oddly enough, to a spot almost dead center in the Mediterranean Sea for North/South position and just a short distance East from the Strait of Gibraltar. I recall it being so odd at the time, and consistent for coming up occasionally on different accounts that had this all in common, I joked to other staff that they must have quite a computer center on a submarine or something. Of course, I know the technical issues for why an IP check returns to open water that way, but the quirk of it here made it notable to recall.

Anyway... I resigned a few months after that for very different reasons, and they had some serious problems with DDOS and other issues during and building more after I left. How much was related? I have no idea, but to say the more they had us try and watch for and action the 'Russian accounts', the more determined and obnoxious they got in numbers and behavior. That whole 'challenging' concept was probably one of the worst ideas they came up with, but it is what it is for all that.

This IS NOT to be confused with 'shills' or paid trolls. I think I actually saw ONE of those in the years I was a member and then a staff member of that site...maybe. Those guys struck me as something like the online version of a Unicorn. However, the Russians' aggressive stance online and wide reach for daily presence on discussion/social sites that cover news or other topics related to their national interest is simply a factual situation I saw and worked around on a daily basis. Don't ask me what they hoped or still hope to gain by the effort and presumably the money expended on that whole thing, but whatever it is, they sure seem to think it's worth the cost.

When you get trolls, you just ban at the block level. Russia... the whole country could go with one simple two letter identifier to the firewall. CN is in mine... no China spam at my place :)
