Cybersecurity software company Symantec took a deep dive into the datasets Twitter released last October, detailing efforts on its platform by Russia’s Internet Research Agency to interfere with the 2016 presidential election in the U.S.
Symantec researchers found that the IRA’s propaganda campaign on Twitter was not an ad-hoc response to political events in the U.S.: Instead, it was a carefully planned and coordinated operation, with some of the groundwork occurring months in advance.
In fact, the average time between the creation of accounts and the first tweets from those accounts was 177 days.
Not surprisingly, activity heated up on these accounts as the election approached. Symantec saw a “marked increase” in activity from January 2016 through November 2016—771,954 English language tweets—and a flurry as Election Day drew nearer.
Symantec divided the Twitter accounts it studied into two main categories: main accounts and auxiliary accounts.
Main accounts had 10,000 or more followers, but followed far fewer accounts, and they were used mainly to publish new tweets.
They were generally fake news outlets posing as regional news outlets—New Orleans Online, El Paso Top News, San Jose Daily—with some posing as political parties or hashtag games (which encourage Twitter users to share anecdotes or jokes based on a single theme, such as #5WordsToRuinADate).
Most main accounts were created individually or in small batches, with English or Russian as the default language, and the majority were created between May2014 and August 2014 but did not begin tweeting until January 2015.
Symantec found that 96% of these fake news accounts were fully automated, using services to monitor activity on blogs and automatically push new posts to Twitter. Also, 2% queued tweets for publication at scheduled times.
According to Symantec, the most retweeted account within the dataset was @TEN_GOP.
@TEN_GOP posed as a group of Republicans in Tennessee, and Symantec said it appeared to have been manually operated. In fewer than two years, it tallied almost 150,000 followers. The account tweeted just 10,794 times, but it managed to spark over 6 million retweets, nearly all of which came from accounts outside of the dataset, meaning that they could have been actual Twitter users.
Symantec said the popularity of @TEN_GOP spurred the IRA to create backup accounts @ELEVEN_GOP and @realTEN_GOP in the event that @TEN_GOP was shut down.
The reverse was true for auxiliary accounts, which had fewer than 10,000 followers but followed more accounts. Auxiliary accounts were used to retweet messages from other accounts, as well as to publish original tweets.
Auxiliary accounts tended to pose as individuals.
Symantec said its analysis of the Twitter dataset turned up 123 main accounts and 3,713 auxiliary accounts.
Other findings by Symantec included:
- Propaganda was directed at both liberals and conservatives, with a focus on the more disaffected elements of both sides of the political spectrum.
- While most of the accounts were primarily automated, they frequently showed signs of manual intervention—posting original content, slightly changing the wording of reposted content—likely to make them appear authentic enough to avoid being deleted.
The company wrote in its report, “While this propaganda campaign has often been referred to as the work of trolls, the release of the dataset makes it obvious that it was far more than that. It was planned months in advance and the operators had the resources to create and manage a vast disinformation network. It was a highly professional campaign. Aside from the sheer volume of tweets generated over a period of years, its orchestrators developed a streamlined operation that automated the publication of new content and leveraged a network of auxiliary accounts to amplify its impact.”
Symantec concluded, “The sheer scale and impact of this propaganda campaign is obviously of deep concern to voters in all countries, who may fear a repeat of what happened in the lead-up to the U.S. presidential election in 2016.”