Monday, April 15, 2024
No menu items!
HomeCloud ComputingLife After Death? IO Campaigns Linked to Notorious Russian Businessman Prigozhin Persist...

Life After Death? IO Campaigns Linked to Notorious Russian Businessman Prigozhin Persist After His Political Downfall and Death

Written by: Alden Wahlstrom, David Mainor, Daniel Kapellmann Zafra

 

In June 2023, Russian businessman Yevgeniy Prigozhin and his private military company (PMC) “Wagner” carried out an armed mutiny within Russia. The events triggered the meteoric political downfall of Prigozhin, raising questions about the future of his various enterprises that were only underscored when he died two months later under suspicious circumstances. Up to that point, Prigozhin and his enterprises worked to advance the Kremlin’s interests as the manifestation of the thinnest veil of plausible deniability for state-guided actions on multiple continents. Such enterprises included the Wagner PMC; overt influence infrastructure, like his media company Patriot Group that housed his media companies, including the “RIA FAN” Federal News Agency; covert influence infrastructures; and an array of businesses aimed at generating personal wealth and the resourcing necessary to fund his various ventures.

Mandiant has for years tracked and reported on covert information operations (IO) threat activity linked to Prigozhin. His involvement in IO was first widely established in the West as part of the public exposure of Russian-backed interference in the 2016 U.S. presidential election—this included activity conducted by Russia’s Internet Research Agency (IRA), which the U.S. Government publicly named Prigozhin as its financier. Subsequently, Prigozhin was publicly connected to a web of IO activity targeting the U.S., EU, Ukraine, Russian domestic audiences, countries across Africa, and further afield. Such activity has worked not only to advance Russian interests on matters of strategic importance, but also has attempted to exploit existing divisions in societies targeting various subgroups across their population. 

Throughout 2023, Mandiant has observed shifts in the activity from multiple IO campaigns linked to Prigozhin, including continued indicators that components of these campaigns have remained viable since his death. This blog post examines a sample of Prigozhin-linked IO campaigns to better understand their outcomes thus far and provide an overview of what can be expected from these activity sets in the future. This is relevant not only because some of the infrastructure of these campaigns remains viable despite Prigozhin’s undoing, but also because we advance into a year in which Ukraine continues to dominate Russia’s strategic priorities and there are multiple global elections that Russia may seek to influence.

Mandiant and Google’s Threat Analysis Group (TAG) work together in support of our respective missions at Google. TAG has likewise been tracking coordinated influence operations linked to Prigozhin and the Internet Research Agency (IRA) for years; and in 2023, Google took over 400 enforcement actions to disrupt IO campaigns linked to the IRA, details of which are reported in the quarterly TAG Bulletin. TAG has not observed significant activity from the IRA or other Prigozhin-linked entities specifically on Google platforms since Prigozhin’s death, which is in line with Mandiant’s findings that have tracked different aspects of this broader set of threat activity.

Figure 1: Image of Prigozhin delivering an address at the Cyber Front Z headquarters in Saint Petersburg, Russia following a bombing that occurred there in April 2023

Prigozhin-linked IO Infrastructure Persists Post-Death

Mandiant closely tracks multiple IO campaigns that have variously been linked to Prigozhin, and we have observed shifts in these activity sets over the course of 2023, some of which likely were precipitated by Prigozhin’s political downfall and death. We have observed uneven degrees of change between campaigns, which may suggest variances in their original proximity to Prigozhin’s core operations or other campaign differences, such as management models or targeting focus, that have somehow influenced their respective degrees of continued viability thus far. However, we lack the visibility to assess the reason for this.

At least some components of these campaigns’ assets and infrastructure have remained viable since Prigozhin’s death, and we assess with moderate confidence that they will remain operational for the medium-term. These components will likely be leveraged by either their original, or appropriating operators, to influence public opinion on issues including those related to the Russian invasion of Ukraine, U.S. elections and politics, and developments in Africa’s Sahel region. 

We conducted an analytical review of three significant Prigozhin-linked IO campaigns that we track: the “Newsroom for American and European Based Citizens” (NAEBC) Campaign, Cyber Front Z, and a campaign linked to the Togo-based Groupe Panafricain pour le Commerce et l’Investissement (GPCI). 

The campaigns’ targeting aligns with core geographical regions known to be targeted by Prigozhin-linked IO: the U.S., Europe, Ukraine, Russia, and countries in Africa. 

Following the June 2023 mutiny, the swift closure of Prigozhin’s overt influence arms such as his Patriot Group demonstrated the Russian Government’s intent to publicly dismantle at least components of Prigozhin’s operations. Reports also indicated that Prigozhin’s “troll factory” was likewise closed as a result. 

Given the well-established nature of the campaigns detailed in this report, we find it unlikely that they could have been overlooked or that formal or informal Russian Government enforcement measures would have been incapable of stopping them—specifically as regards to Russia-based operations. 
We have traditionally prioritized externally focused Prigozhin-linked IO in our tracking and thus lack the visibility to formally assess potential differences in outcomes for domestic Russia focused operations. However, it is plausible that efforts to dismantle Prigozhin’s influence capabilities may have centered on domestically focused operations. 

Narratives recently promoted by each of these campaigns largely correspond with the campaigns’ established focuses; this also includes topical overlaps between campaigns’ promoted narratives on general pro-Russia topics and/or narratives that mutually promote Russian interests and those of Prigozhin’s foreign business ventures.

Prigozhin’s businesses often served as a mechanism for promoting Russian interests abroad. Also, Prigozhin’s business holdings often appeared to concurrently operate in a target region. For example, Prigozhin-linked IO activity targeted African nations while his Wagner PMC also operated in the region (Figure 2).

Figure 2: Cyber Front Z has consistently disseminated content promoting Prigozhin’s interests. This includes content directly supporting Prigozhin and Wagner during and immediately after the June mutiny, as well as content promoting Wagner’s presence in Africa. These posts have been machine translated from Russian.

Three Prigozhin-linked IO Campaigns

Mandiant reviewed activity associated with assets attributed to the NAEBC, Cyber Front Z, and GPCI campaigns following the political downfall and death of Prigozhin. While our visibility into each campaign is neither equal nor complete, each displays at least continued activity showing how the campaigns and/or the auxiliary infrastructure leveraged to support them have endured. Additionally, each of these three campaigns represents one of a range of models leveraged for covert Prigozhin-linked IO (Figure 3).

Figure 3: Prigozhin-linked IO activity has employed at least three different models for campaigns

NAEBC presents as a completely covertly managed campaign.
Cyber Front Z is an overt nominally third-party Russian organization established to obfuscate and administer IO activity.
GPCI is an independent, domestically-focused foreign organization with some reported financial links to Prigozhin. 

Covertly Managed Campaign: NAEBC 

Since October 2020, Mandiant has tracked and reported on the NAEBC IO campaign, which has persistently attempted to influence right-leaning U.S. audiences on issues related to U.S. politics and elections, as well as significant geopolitical events. The campaign is named for the now-inaccessible inauthentic news site “Newsroom for American and European Based Citizens” (NAEBC), which according to an October 2020 Reuters article was attributed by a U.S. Federal Bureau of Investigation investigation as being run by individuals linked to the IRA. NAEBC has evolved and shifted its tactics over time. Its operators have continued to use established campaign infrastructure after repeated public exposure, including the repurposing of social media assets once used to backstop and promote the inauthentic NAEBC news site to form the core of an effort to promote content furthering the campaign’s objectives through coordinated and inauthentic means. 

If leveraged to target upcoming U.S. elections, the NAEBC campaign may only be one component of pro-Russia activity collectively targeting the population. Historically, IO campaigns linked to Prigozhin and/or the IRA have targeted all sides of the political spectrum to advance broader foreign influence objectives to sow division. 

Some previously attributed campaign assets on alternative platforms continue to promote content targeting right-leaning U.S. audiences on a range of issues.
The campaign has a history of fluctuating its activity levels between key events such as U.S. elections. Its current levels appear to be reduced from those during the 2022 U.S. midterm elections, when the campaign had a focused operation, but are similar to what was observed preceding Prigozhin’s downfall. 
NAEBC personas recently promoted pro-Russia narratives appear consistent with past activity, including narratives targeting U.S. domestic politics and elections, the Russian invasion of Ukraine, and geopolitical developments, such as the Israel-Hamas conflict (Figure 4). 
It is possible that the controversy surrounding Prigozhin has affected the campaign; however, given limitations in our current visibility and the identified consistencies in recent campaign activity, we are currently unable to assess to which degree this may be so.
NAEBC’s ongoing activity may be an indicator that the campaign operators intend to leverage campaign assets in the upcoming U.S. election season—the campaign has previously mobilized around such events—even if only as an attempt to bolster the perception that pro-Russia IO is persistently influencing the U.S. electorate.

In the 2022 midterm elections, the campaign launched their main operation closer to election day, thus it may be too early to assess this scenario. 

Historical activity linked to Prigozhin and/or the IRA show that their tactics often appear foremost intended to exacerbate existing divisions in society, often targeting both sides of the political spectrum. Accordingly, we highlight as context an example of related IO activity that occurred contemporaneous to NAEBC’s emergence in 2020, which illustrates how this dynamic can manifest. 

In August 2020, Mandiant identified and reported to customers a website named “Peace Data,” which promoted content that appeared curated to influence left-leaning audiences, including some content related to U.S. domestic political issues and the then-upcoming 2020 presidential election (Figure 5). 
Subsequently, Meta reported publicly in September 2020 that it had removed a network of coordinated and inauthentic accounts promoting Peace Data—it attributed this activity as being run by individuals with links to the IRA. Shortly after public exposure, the Peace Data website posted a message indicating that it was ceasing operations. 
The Peace Data comparison with NAEBC likewise provides an example of how even nominally similar IO campaigns can leverage different tactics to target subsets of the same populations. For example, Peace Data reportedly engaged in the paid solicitation of unwitting real individuals to write articles for dissemination.

Figure 4: Example post by NAEBC persona that disseminated content that promoted commentary from Putin regarding the Israel-Hamas conflict that positively framed Russia’s actions in Ukraine

Figure 5: Example of article published in 2020 to the “Peace Data” domain, which promoted content on a range of issues including some pertaining to U.S. domestic politics and elections. Notably, its operators leveraged some different tactics than the NAEBC campaign, reportedly including the paid soliciting of content from unwitting contributors

“Third-Party” Front Organization: Cyber Front Z

Cyber Front Z first emerged as a Russian-language pro-Russia Telegram channel (Russian: Кибер Фронт Z) in the days following Russia’s launch of its full scale invasion of Ukraine in late February 2022. We first publicly reported on our tracking of Cyber Front Z in May 2022, noting its overt efforts to coordinate the promotion of invasion-related pro-Russia content and that Russian investigative reporting suggested it was linked to individuals from the IRA who were running a troll factory—Meta seemingly confirmed this in public reporting from August 2022. 

In an August 2023 update to customers following Prigozhin’s death, we identified expansions in Cyber Front Z’s activity and several indicators that more clearly established Cyber Front Z’s IRA links and suggested the group had plans to expand operations leading up to Prigozhin’s mutiny. This activity has been significantly curtailed since then, though the Telegram channel has remained somewhat active and limited indicators suggest it may still be planning for expanded future activity. 

In Spring 2023, Prigozhin announced a new head of Cyber Front Z, a woman named Asiya Aminovna Sadrieva who we judge to be a former IRA employee. Prigozhin then directed Sadrieva to register Cyber Front Z as a public organization—business records show this was done in early June—suggesting plans for Cyber Front Z’s continued activity and growth leading up to the mutiny.

Throughout this time Cyber Front Z was posting job solicitations including for “activists…who are ready to defend their Motherland in the information field with the help of comments (VKontakte, Telegram)” (translated from Russian) (Figure 6). 

Cyber Front Z organized grassroots activity and in-person events, often focused on invasion related topics, that appeared to cease post-mutiny. However, in early December 2023, the group’s VKontakte (VK) page, where they traditionally promoted events, began posting about past events and implying considerations for future organizing (Figure 7).

The halting of in-person events indicates that Cyber Front Z was at minimum indirectly hampered in some of its activity by Prigozhin’s political fallout; its nascent reactivation on this front suggests such effects may not be final.
The grassroots activity organized under the Cyber Front Z brand demonstrates how the campaign, which has centered on promoting invasion-related messaging, dually maintained an element focused on domestic Russian populations. 

Cyber Front Z’s Telegram channel has remained operational throughout the process of Prigozhin’s undoing and since his death, though it appears less active and is now primarily focused on publishing and cross-promoting content related to developments in Ukraine and other domestic Russian and global developments.

Cyber Front Z’s Telegram channel continued to promote content supportive of Prigozhin and Wagner throughout the insurrection and since.
A New Year’s Eve post published to both the Cyber Front Z Telegram channel and VK page reflected on the group’s 2023 activity, including noting that it had organized “raids” on social media pages—likely describing what is known as “brigading”— spotlighting its efforts coordinating online activity as one of the group’s key accomplishments.
We currently lack the visibility to determine if and/or when the coordinated and inauthentic activity previously attributed to the group by Meta ceased. However, this Telegram channel has at least previously served as a component of that activity.

Figure 6: Cyber Front Z posted job solicitations in the period preceding Prigozhin’s June mutiny (these posts have been machine translated from Russian)

Figure 7: An advertisement for an in-person Cyber Front Z event held at the group’s headquarters (left); a December 2023 post to Cyber Front Z VK page announcing interest in resuming in-person events (machine translated from Russian), the text of the included graphic reads “We are with you again!” (right)

Likely Paid Partnership: GPCI

In August 2023, before Prigozhin’s death, we identified, and subsequently reported to customers, recently registered infrastructure and newly created social media accounts that we attributed with high confidence to Groupe Panafricain pour le Commerce et l’Investissement (GPCI), a Togo-based political marketing consultancy recently outed by Meta for its involvement in continued information operations targeting domestic audiences primarily in the Sahel region of Africa. According to multiple sources, GPCI and its founder Harouna Douamba allegedly maintain ties to the now-deceased Yevgeniy Prigozhin.

The identified websites, which we assessed to be inauthentic, present as media entities targeting different countries in Africa’s Sahel region. Additionally, we identified a number of Facebook pages and accounts leveraged to seed and disseminate content—some pages correspond directly to media outlets attributed to GPCI. 

Facebook pages published content and then regularly shared that content across different Facebook groups. 
Additionally, the suspected inauthentic Facebook accounts, which most commonly presented as regionally based individuals, inorganically boosted engagement with the GPCI-associated Facebook pages (Figure 8). 

Messaging promoted by this network has included narratives related to political dynamics and events within the Sahel region, such as criticizing France’s regional presence.
According to public reporting by Meta, GPCI is linked to Aimons Notre Afrique (ANA), a non-governmental organization (NGO) based in the Central African Republic (CAR) that has previously been exposed for supporting information operations. Notably, separate public reporting has indicated that GPCI/ANA, as well as its founder Harouna Douamba, maintain various ties to Prigozhin. These links include alleged financial connections to a company called Lobaye Invest, which the U.S. Department of Treasury previously sanctioned as controlled by Prigozhin and used to consolidate PMC Wagner’s operations in the Central African Republic; and claims that Douamba managed Russian propaganda out of the “Office of Information and Communication in the Central African Republic,” a center of influence established by Wagner within the Central African presidency.
GPCI exhibited an upward trend in its activity throughout the period of Prigozhin’s downfall and subsequent death, during a time when some other Prigozhin-linked IO activity sets appeared to be at least hampered by the political fallout surrounding him. One possible explanation for this is that GPCI represents a third model for how Prigozhin managed his IO activity. 

In addition to being located outside Russia, and thus potentially beyond the reach and care of the Russian Government, GPCI is an organization local to the target region under local management. It is possible that GPCI has conducted influence activity in the pay of Prigozhin-linked entities and also is engaged in separate activity reflecting local initiatives that in instances also has alignments with Russian interests.
We lack the visibility that would confirm this possible dynamic. However, if true, such a paid-local partnership model could explain the resurgence of GPCI activity during this tumultuous period. Likewise, its purported history of partnering with Prigozhin would suggest that it could be leveraged by surviving Prigozhin legacy organizations or other Russian actors in future.

Figure 8: Suspected inauthentic account attributed to GPCI engaged in concerted sharing of campaign content while using #Abonnez_Vous_a_la_Page (machine translation: Subscribe to the page) for audience building

Promoted Messaging

The NAEBC, Cyber Front Z, and GPCI campaigns’ recently promoted narratives largely appear to be consistent with past activity. Each campaign has a distinct regional focus that directly corresponds with the majority of its promoted content. However, the campaigns have also promoted messaging targeting other countries or issues, including issues relevant to Russian strategic interests and/or Prigozhin’s diverse business investments. What follows are some examples of narratives promoted by these campaigns organized by some of the regions they have variously targeted. 

The U.S. and Europe

NAEBC’s central narrative focus remains related to U.S. politics and elections. This includes narratives promoting issues that appear aligned with the Republican Party, specifically supporting former U.S. President Donald Trump and criticizing the current administration and the Democratic Party (Figure 9).

Promoted content has supported Trump’s candidacy in the 2024 U.S. presidential election, and it has questioned the 2020 U.S. presidential election results.
Other narratives promoted controversial narratives, such as alleging that the congressional committee established to investigate the events of Jan. 6 was engaged in a cover-up, or promoting narratives related to allegations against President Biden’s son Hunter.
Narratives that appeared to criticize the Administration include those that framed Biden as unfit for leadership and those that implied he and other officials are corrupt and ignore the problems facing the American people.
In some instances, NAEBC promoted content more broadly criticizing major institutions, such as NATO or the UN, suggesting they should be dismantled. Such narratives appear to generally support an idea that a Western-led global order should be broken up in favor of a multipolar world where Russia has a larger share of influence.

Figure 9: Example NAEBC content that promoted narratives related to U.S. elections (top) and criticizing NATO (bottom)

Russian-language content published to the Cyber Front Z Telegram channel regularly criticizes “the West” and individual Western countries.

Often this is in the context of the Russian invasion of Ukraine, though Western countries also are targeted on unrelated issues. This includes content that is critical of U.S. and European leaders. 
Additional narratives critique what are labeled as “Western values,” including the repeated promotion of anti-LGBTQ+ content. 

Ukraine and Russia

Cyber Front Z’s core focus remains the promotion of pro-Russia content related to the Russian invasion of Ukraine, though it does comment on other topics (Figure 10).

Promoted narratives support the Russian war effort, including explicit support for Wagner; they also include anti-Ukraine messaging, criticizing Ukraine’s war effort and leadership, as well as disinformation narratives and pro-Russia talking points like falsely calling Ukrainians “nazis” and the war a process of “denazification.” 
Additional content has promoted Russia and Russian President Vladimir Putin more generally, such as praising Putin for his purported candor at media events.

Figure 10: Example Cyber Front Z content promoting narratives related to the Russian invasion of Ukraine (these posts have been machine translated from Russian)

NAEBC assets have incorporated invasion-related narratives as another core component of its recent activity. Such anti-Ukraine narratives have consistently appeared intended to diminish support among its target audience for foreign aid sent to Ukraine (Figure 11).

Promoted narratives criticize U.S. support for Ukraine, alleging the U.S. Government deprioritizes U.S. domestic issues as a result, and they frame Ukraine’s war effort as futile and its leadership as corrupt. 
A more limited number of narratives promoted Vladimir Putin, including those that framed him as a force for good working to counter Western values that are presented as detrimental to those living under them.

Figure 11: Example NAEBC content that promoted narratives related to the Russian invasion of Ukraine

Africa 

GPCI primarily promotes content targeting countries in the Sahel region of Africa, most frequently focusing on domestic audiences in Burkina Faso though sometimes pivoting to target other regional events and issues (Figure 12). 

Messaging has frequently praised and supported Captain Ibrahim Traoré (the military leader and transitional president of Burkina Faso) and the role of Burkina Faso’s Defense and Security Forces (FDS) and the Patriotic Movement for Safeguard and Restoration (MPSR).
Some narratives praised strengthened Russo-Burkinabe relations, such as touting Traoré’s involvement in the July 27, 2023, Russia-Africa Summit where he stated that “Russia is a part of the family for Africa.” Additional narratives praised Wagner’s involvement throughout the region. 
Promoted narratives also included topics such as the July 2023 coup d’état in Niger. Such messaging most frequently supported the coup leader General Abdourahamane Tiani; and it was critical of the role of France in the region and regional bodies like the Economic Community of West African States (ECOWAS).

Figure 12: Content promoted by GPCI criticizing ECOWAS (left); and content promoted by in-network GPCI accounts promoting pro-Russia messaging (right)

Cyber Front Z has also promoted Africa-related narratives via its Telegram channel. Interestingly, in the interlude between the Prigozhin-led mutiny and his death, it promoted content supporting Wagner’s role in several African countries, including content presenting Wagner as important to regional security and defending Russia’s interests abroad.

Outlook and Implications

Throughout his long tenure as a funder of IO activity, Yevgeniy Prigozhin and his affiliated entities not only established a range of campaigns targeting different geographies but also leveraged multiple models for managing and executing IO as is exemplified by the case studies detailed in this blog post. We currently lack the visibility necessary to assess the total implications of what the differences between Prigozhin-linked IO campaigns may mean for their long-term survivability. Key indicators that we are looking for moving forward include those that might shed light on their future management: indicators suggesting a central connection between any surviving campaigns, or those suggesting that the various Prigozhin-linked activity sets are linked to different actors and thus they have been fragmented under new operators. While the outcome of this process remains unknown, analysis of these three campaigns highlights the potential that this and potentially other IO infrastructure established by Prigozhin-linked initiatives will remain available for pro-Russia threat activity at least in the medium term.

Cloud BlogRead More

RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Most Popular

Recent Comments