First Monday

Russian information troops, disinformation, and democracy by Volodymyr Lysenko and Catherine Brooks

This research examines the contemporary landscape relative to information-driven strategies used for global gain. With Russia functioning as a case of global democratic disruption (Blackwill and Gordon, 2018), this exploratory project studies documented information-based, computational, and media-related political strategies. The findings provide a way to see patterns in tactics suggesting ‘hybrid’ warfare or information warfare identified in recent literature. Our work has found several previously unknown centers of activity related to online propaganda, in locations near Russian military and security services installations. This aligns with and supports assertions that at least some of the Russian hacking is likely the work of state-sponsored Russian operatives. This work also allows readers to connect events in recent years in order to view them together and conceive an online hybrid war and Russia’s potential role in those efforts. These findings provide scholars, practitioners, and citizens interested in democratic processes around the globe the opportunity to consider the many threats to contemporary political processes, and contribute to ongoing academic conversations about digital political disruptions and warfare.






Hacked data, leaked data, and disinformation are all powerful tools used alongside cyber sabotage and military force in different parts of the Western world. In recent years, information war has been considered theoretically (Ventre, 2016), and Russia has taken center stage in the scholarly analyses of new media use for the purposes of political influence (e.g., Boyte, 2017; Pasitselska, 2017). That is, a variety of scholars have analyzed election disruptions in particular (e.g., Bessi and Ferrara, 2016) and other kinds of politicized online behavior coming out of Russia (e.g., Zelenkauskaite and Niezgoda, 2017).

With Russia functioning as a potential cause of global democratic disruption, this project analyzes documented information-based, computational, and media-related strategies as an exploratory case study of publicly available documents and videos, primarily those published or found online in English or Russian. The findings provide a way to see patterns showing, overall, further evidence of ‘hybrid’ warfare or information warfare identified in recent literature (e.g., Ventre, 2016; Zelenkauskaite and Balduccini, 2017). Our work has found several previously unknown centers of activity related to online propaganda, in locations near Russian military and security services installations. This aligns with and supports assertions that at least some of the Russian hacking is likely the work of state-sponsored Russian operatives. This work also allows readers to connect events in recent years in order to view them together and conceive an online hybrid war and Russia’s potential role in those efforts. These findings provide scholars, practitioners, and citizens interested in democratic processes around the globe the opportunity to consider the many threats to contemporary political processes, and contribute to ongoing academic conversations about digital political disruptions and warfare.




Working inductively, this study follows an exploratory case study design (Dube and Pare, 2003) meaning we focused on “developing an in-depth description and analysis of a case ...” [1]. Following a case study research design (Yin, 2009), this project focused on patterns coming out of Russia as a specific site emanating information-based political disruption around the globe. Focusing on information-war strategies in Russia is a project goal that aligns with methodological guidelines on the ways case study work can be used “to explore in depth a particular phenomenon in a contemporary context” [2].

Data from this project are comprised of publicly-available documents and sources. We look specifically at Russian materials, media sources, documents and other related publications, many of which are written solely in the Russian language. These materials also include texts drawn from white papers written by representatives from global cybersecurity companies, think tanks or military organizations, as well as credible news stories and images embedded in those publications. We triangulate data from published interviews, texts from printed materials, audio and video accounts, and visual images.



Historic context

Recent Russian activity can be best understood by considering Russia’s relationships and war-time experiences with its neighbor, Ukraine. In early 2013 Russian secret services began infiltrating Ukrainian governmental information and communication networks, as well as other components of that country’s critical infrastructure, with various types of malicious spying and subversive software because Russia suspected the upcoming ousting of Viktor Fedorovych Yanukovych, Putin’s incumbent Ukrainian ally (Sanger and Erlanger, 2014). Russia’s governing officials also developed contingency plans, in case Yanukovych would be deposed, including destabilizing operations in Crimea and other territories in southeastern Ukraine that are densely inhabited by a Russian-speaking population (UNIAN Information Agency, 2015). These events have been well established in public documents and published materials (see, e.g., Kofman, et al., 2017). The mass Ukrainian protests against Yanukovych, however, came earlier than the Russians had anticipated; he eventually fled to Russia in early 2014, leaving Ukraine a target of Russian physical and cyber aggression (Baunov, et al., 2015).

Alongside the occupation of Crimea and Eastern Ukraine by clandestine Russian forces and other more traditional warfare tactics was a massive disinformation campaign. It is this blending of physical warfare with cyber/informational attacks that has led scholars and other experts (e.g., Pasitselska, 2017; Snegovaya, 2015) to refer to a new kind of ‘hybrid’ warfare underway. Information-driven warfare approaches, in the case of Russia and otherwise, have involved cyber intrusions and also media disinformation campaigns that mirror historic efforts at public perception change and persuasion but rely on new media outlets or large news operations.

“What analysts refer to when they speak about Russian ‘hybrid warfare’ against the West are first of all Russian attempts to use information channels (media, social media and political statements) to influence public opinion or political processes in other countries, but they also include actions as diverse as cyber-attacks originating in Russia.” [3]

At the center of Russia’s early blend of attacks on Ukraine, and alongside a clandestine operation involving Russian forces landing in Crimea and appearing in eastern Ukraine, was a massive disinformation campaign conducted through all possible channels, from traditional mass media, such as TV, radio and newspapers, to the Internet-based news outlets and social media.

“Shortly after the appearance of armed groups in Crimean towns, the unfolding events demonstrated the special role of the Russian TV channels. On 6 March 2014, 10 days before the Crimean referendum, armed men broke into the building of the Simferopol Radio and TV Broadcasting Station. Consequently, the broadcasting of various Ukrainian TV channels was suspended. They were substituted by Russian TV channels — Inter was replaced by NTV, the 1+1 channel by First Channel. A Molotov cocktail was thrown in the window of Black Sea TV, the only channel covering the whole Crimea region, while the Web page of the channel suffered from a DDoS (distributed denial-of-service) attack. Overall, broadcasts of Ukrainian TV stations were replaced by seven Russian TV channels.” (NATO StratCom Centre of Excellence, 2015)

The goal of this disinformation effort — war tactics made possible via cable TV and other media (Iasiello, 2017) — was to convince audiences that the illegal annexation of Crimea and the aggression in the Eastern part of Ukraine were just and necessary responses to illegal activities happening in Kyiv.

In conjunction with this targeted disinformation campaign was cyberwarfare — Russia attacked Ukrainian governmental networks with spying software, hacked the servers of the Ukrainian Central Election Commission during the presidential election, trying to influence its outcome, and also broke into and temporarily disabled some important components of the Ukrainian critical infrastructure in the areas of communication, transportation, manufacturing, and power generation and supply (Geers, 2015). As a result of some of these attacks hundreds of thousands of Ukrainian civilians lost electricity in the midst of the harsh winter (Zetter, 2016). Given the consequences that were potentially deadly, we describe these activities as acts of cyber-terrorism.

Russia has since turned its information war tactics against Western institutions and governments to include the United States and France, while continuing a blended or hybridized kind of aggression against Ukraine — related stories continually emerge in popular news outlets (e.g., Mackey, 2017; Schindler, 2016; Watts, 2017). Concerns abound relative to the Russian intervention in U.S. affairs (see, e.g., Perez and Prokupecz, 2015; Bennett, 2015), and also governing or political institutions around the globe (e.g., Bundestag or German parliament). Indeed as we write this manuscript, questions are raised about Russia’s U.S. focused interference. With this research we do not intend to assert full knowledge on Russia’s involvements in recent electoral or other processes. Rather, we aim to synthesize existing data on Russia’s augmenting traditional physical warfare tactics with cyber war and disinformation work, activity more effective in this new media age with flash news and social media use than persuasion campaigns were historically. There are a wide variety of published works reviewing Russia’s cyber or information-based attacks on Ukraine (e.g., Iasiello, 2017; Unwala and Ghori, 2015; van Niekerk, 2015) but we provide this historic context here as a means for situating Russia’s activity taken together as a case of ‘hybrid war’ relying on increasing numbers of Russian information troops utilized to disrupt democratic processes around the globe. The next section provides a set of findings that illuminate a pattern of ‘hybrid’ war.




Our findings are comprised of information synthesized for readers to consider. Though we cannot claim first-hand knowledge of activities taking place in rural Russia, and we cannot provide direct identities of Russian hackers, we do illuminate the strong potential for continued global data disruption and also misinformation media campaigns taking place in Russia. Most of the sources we pulled together in order to make these claims are in Russian. Reference to information translated from Russian to English is provided in the Notes section. In the following discussion of our findings we offer: 1) a discussion of the Eighth Directorate; 2) implied training strategies for developing a skilled cyberforce; 3) findings drawn from Google Trends, showing large proportions of politicized Internet activity occurring in rural areas; and finally, 4) a robust discussion of cybertroops as they are organized into companies.

A secretive Eighth Directorate

Given our research and efforts tied to this project, we found that there is no Seventh Directorate in the Russian General Staff, at least not one findable through open source methods [4]. Moreover, there exists only one “numbered” Directorate — the highly-secretive Eighth Directorate, which traditionally was in charge of the technical and other aspects of the safety, security, and integrity of the secret information cryptography, encoding/decoding, communication, circulation, and preservation in the Russian/Soviet military structures (i.e., everything dealing with protection of secret information). This Directorate was also in charge of the development of the technical means and guidance, as well as coordination and licensing, to accomplish all the above tasks. This Directorate was designed to work with mass and social media and foreign militaries, trying to prevent/mitigate leaking of the sensitive Russian military information [5]. On the official Web site of the Russian Ministry of Defense (Minoborony), very limited information exists about the Eighth Directorate, but the archival search of that Web page using the Internet Archive Wayback Machine reveals that (at least in 2012) the Directorate is meant to supervise military unit 31659 [6]. Again, there is no direct information about this unit accessible via open source methods, but one can infer, based on scholarly publications [7] of its personnel, that the unit is probably a military research institution dealing, particularly, with information systems defense from computer/cyber attacks. At least seven of its personnel were registered as participants at Infoforum (Russian National Forum on Information Security) [8].

We present these findings relative to the Eighth Directorate because they indicate ways that Russia has likely re-purposed its military structure to wage the new type of war — the hybrid war — which includes a huge information/cyber component. Specifically, the Eighth Directorate, which historically was used to encode/decode secret military communications, is now also being used to deploy hybrid war (as we suggest below). As we synthesize information about Russia’s information-based political activities, these explanations of the Eighth Directorate provide a historic context for Russia’s broad and purposeful international destructive activity. These activities can be best understood as a broad political strategy described in the next section.

Trainings and skills for an information war

The 2014 hybrid information campaign against Ukraine, though successful for Russia in terms of almost bloodless annexation of Crimea, brought modern security-related concerns to the Russian leadership. Creating trouble for Russia, for example, the Ukrainian security service was able to intercept communications between the Russian mercenaries and their curators in Moscow related to the downing of the Malaysian Airlines flight MH17 in the Donbas. Security breaches like this one meant that the Eighth Directorate needed to improve its work. So, in 2015 it requested a complex retraining of its personnel “necessary to mastering the modern and prospective means of information defense” [9]. Under this retraining it was requested that 35 courses totaling, at least, 1,427 academic hours (i.e., about 40 academic hours per course on average) be delivered to the trainees.

A variety of courses were delivered to the Eighth Directorate personnel by the retraining provider [10], training center “Informzashchita” (“Information Defense”) [11], to include “Methods of analysis of malicious programs and search for the vulnerabilities in software” (at least 80 academic hours) aimed to enhance knowledge on the advanced technologies of using malicious software, crypters and packers, vulnerabilities in the systems with cryptography and applied systems, and searching for vulnerabilities in the binary programs. As another example, the course “Security of the computer networks” (at least 40 academic hours) taught trainees about vulnerabilities in the protocols and services of IP networks, mechanisms to conduct attacks in the networks based on TCP/IP, vulnerabilities in applied software used in corporate networks, and also about how to utilize hacking instruments such as Cain, Nmap, and Netcat. Based on these courses one might infer that the Eighth Directorate was retraining its personnel not only to defend information, but also to exploit potential vulnerabilities in both software and hardware.

The main military university preparing cadets to serve at the Eighth Directorate is the Krasnodar General S. Shtemenko Military Institute (officially, the only Russian military academy dealing with the defense of information). This institute is also the main organization to prepare military personnel specializing in information security for the countries who are members of the Collective Security Treaty Organization (CSTO) [12]. The CSTO is a Russia-centric military alliance that currently unites six post-Soviet countries: Russia, Belarus, Kazakhstan, Armenia, Kyrgyzstan, and Tajikistan. Conscription still exists in Russia (a mandatory 12-month draft), and beginning in 2013 its military started encouraging the civil universities’ best graduates to serve in the so-called “research companies.” One such company (the Sixth research company, “military cyber-defenders”, 60 people) [13] is attached to the Shtemenko Institute and conducts applied research related to information security. After their 12-month mandatory term, the research companies’ conscripts are strongly encouraged to continue military service as officers on contract.

This insight on Russia’s broad military strategy implies the importance for Russia to recruit top cyber talent in order to conduct an effective hybrid war with a leading cyber/info component. By pulling these aspects together, we may come to understand the ways that information-related activities bring about influential and global geo/political outcomes. These activities can be analyzed geographically and can be viewed by way of Internet traffic analyses we aim to explain next.

Considering geography, region, and Google Trends

An analysis of activities of the Sixth research company (of the Eighth Directorate of the General Staff of the Armed Forces of the Russian Federation) [14], or the whole Shtemenko Institute to which it is attached, can help us to understand data patterns that are distinct relative to general norms and trends revealed by Google Trends. In August 2015 one of LiveJournal’s bloggers (“otakvot”) posted research [15] describing an interesting “anomaly” revealed by Google Trends — our findings are aligned with his observations a few years ago. He found several small Russian towns with abnormally high interest in contentious political matters. Specifically, he found that, according to Google Trends, such small Russian towns as Olgino (population = 4,119), Perekatnyy (population = 244), Zelyony Gorod (population = 2,679) and Yablonovsky (population = 30,518) have an interest in searching Google on such contentious political terms as “майдан” (symbol of Ukrainian pro-democracy revolution), “санкции” (sanctions), “референдум” (referendum), “НАТО” (NATO) (after 2013), and “Порошенко” (Poroshenko) that is higher than or comparable to that of such big Russian cities as Ufa (1.075 million), Belgorod (369,815), Ryazan (526,919), Moscow (11.92 million), Khabarovsk (589,596), Saint Petersburg (4.991 million), Kaliningrad (437,456), Novosibirsk (1.511 million), Yekaterinburg (1.387 million), and Kursk (425,950). At the same time, searches on more common and less politically charged Russian terms in Google Trends predictably surface only in the largest Russian cities. While there is a great deal of traffic around more recent politically charged terms like Trump and Hillary Clinton, we conducted our own searches in Google Trends on the term “майдан” in order to confirm otakvot’s findings (Figure 1):


Figure 1: A screenshot of our Google Trends search on the term “майдан”.


For this project we investigated the particularly high political interest in those four small Russian towns. In his blog research “otakvot” notes that Olgino hosts the infamous Russian troll factory [16], where hundreds of paid trolls work 24/7 to praise Putin and to mire Western values [17]. Our work aims to illuminate what may be happening in the other three small towns — Yablonovsky, Perekatnyy, and Zelyony Gorod. Finding the Shtemenko Institute on the map proved an informative early step; its address is ul. Krasina, 4, Krasnodar, Krasnodarskiy kray, Russia, 350035. With Google Maps we provide a means for visualizing this location next in Figure 2:


Figure 2: A screenshot of the location of the Shtemenko Military Institute on Google Maps.


In Figure 2 we see that both Yablonovsky and Perekatnyy (“Perekatni”) are located within approximately a mile from the Shtemenko Institute. Google can, most likely, attribute the searches conducted at the Institute to those two locations. Moreover, if we look at the last “abnormal” town, Zelyony Gorod, on Google Maps, we find it in close proximity to another institute similar to Shtemenko, but this time belonging to the FSB (Federal’naya sluzhba bezopasnosti Rossiyskoy Federatsii, Federal Security Service): specifically, the Nizhniy Novgorod FSB Institute. This institute is likely causing the anomaly in politically focused digital traffic. With Google Maps we can “visit” this FSB Institute location (Figure 3):


Figure 3: A screenshot of the location of the Nizhniy Novgorod FSB Institute on Google Maps.


Implied by our research is that Russian cybertroops are not only paid civilians located in Olgino, but are also the full-time military and FSB personnel scattered around these rural towns. We identify and provide visualization of some of what we suggest are Russian information warfare sites. Of course, Russian information troops are located not only next to or around these four small towns. Probably, they are also located near or inside the larger Russian cities mentioned earlier, so their Internet traffic is “hidden” by that generated by the population of those cities. Given our suggestion that these are Russian cybertroops trained for information warfare, the next section offers clarity, providing a more extensive discussion of Russian cybertroops.

Organized cybertroops in research companies

Top Russian officials in charge of military development started talking about creating cyber troops in 2012 when the Deputy Prime Minister (in charge of defense industry) Dmitry Olegovich Rogozin at a meeting with military scientists told them that Russian authorities discussed creation of the cyber command “to ensure information security of both the armed forces and all the state infrastructure as a whole” [18]. A year later, in April 2013 Rogozin also revealed that “the means of cyber fighting come to the fore. The destruction of communication in the troops with their help can be compared with artillery preparation.” [19] As we now know, Rogozin’s vision was realized by the Russians against Ukrainian troops in Crimea. Another major prophecy by Rogozin occurred in June 2013, when he mentioned that through social network services “a powerful manipulation of public opinion occurs, because all sorts of ‘likes’ and other buttons that you press there, instantly include you into certain groups, which are then analyzed, systematized.” He added that then these groups of people can be manipulated by receiving targeted “special content that undermines the authority and values of the state.” [20] This approach also seems to have been realized given that through social media, in 2016 Russians selectively targeted and influenced American potential voters [21].

In the meantime, in March 2013, Russian Minister of Defense Sergey Kuzhugetovich Shoygu, at a meeting with professors and students of the Bauman Moscow State Technical University, said that his Ministry is considering creation of “research companies” where talented students will serve while conducting scientific and technical activities for the armed forces [22]. Just four months later, in July 2013, the first research company started functioning for the Russian armed forces, and Shoygu voiced that the project was personally approved by Vladimir Vladimirovich Putin, President of the Russian Federation. The Minister added that his Ministry is looking after St. Petersburg ITMO University students who just became world champions at the ACM International Collegiate Programming Contest — “we need them a lot” he noted [23]. Moreover, during this same period, the Ministry of Defense signed a major contract with ITMO University for software development for the Russian armed forces [24].

Also in the summer of 2013, at the meeting of the Russian Security Council devoted to the improvement of military organization in Russia through 2020, Putin mentioned that “information attacks are already being used to solve military-political problems. Moreover, according to experts, their so-called striking power can be even higher than the one of the conventional weapons.” He called for the identification of the “first steps” to complete [25]. On the same day “a source in the Ministry of Defense” told RIA Novosti (the state-owned news agency) that by the end of 2013 the Ministry will create a separate military branch which will be responsible for the information security of Russia. The main tasks of these new troops will be monitoring and processing of information coming from abroad, as well as fight against the cyber threats [26]. Their officers will be obliged to learn a foreign language, first of all English. According to the head of the Russian information security company NPO “Echelon” Alexey Markov, Shoygu announced the creation of the cyber command on 14 January 2014 [27]. Markov added that still the Ministry of Defense’s official Web site does not mention this command’s existence.

In April 2014 CNews, a French news channel, reported that the Russian Ministry of Defense had formed hi-tech units and hires cyber-fighters [28]. Specifically, its Center for Special Developments, officially in charge of the “developments to ensure security of communication and information systems” of the Ministry [29], was hiring engineers to analyze source code (reverse engineering), conduct analysis of patches, vulnerabilities, and exploits, and perform R&D in information security [30]. The Center was first registered as an employer at a popular Russian jobs search Web site in February 2013 [31]. CNews asked the Center about the numbers and purposes of these hirings, but it declined to answer.

In May 2014 TASS reported that, according to “a source in the Ministry of Defense”, the troops of information operations were created in the Russian armed forces [32]. Their goal is information and cyber combat, and defense of the military information systems from cyberattacks. Creation of the research companies was the first step to form this cyber command [33]. A year later, in April 2015, TASS reported that a separate unit of the troops of information operations would be created in the occupied Crimea in the autumn of 2015. Their tasks were “the disruption of the operation of the information networks of the probable enemy and, as a result, the disruption of the functioning of its command and control system” [34]. Based on the location of this unit, we can presume that it is mainly targeting such “probable enemy” as Ukraine.

Research companies in the Russian armed forces were created based on the spring 2013 official orders by Putin, Shoygu, and the Chief of the General Staff Valery Vasilyevich Gerasimov [35]. One of these orders, by Shoygu, has the telling number 404 [36]. By mid-2016 there were already a dozen research companies, having about 60 conscripts in each [37]. Despite belonging to different branches of the Russian armed forces, a large majority of these personnel do work that is related to information security. The most mysterious and clandestine of research companies, of course, is the one belonging to the GRU (Glavnoye Razvedyvatel’noye Upravleniye, Russian military intelligence) — this fourth research company belongs to the military unit 36360 located in the town of Zagoryanskiy near the city of Shchyolkovo in the Moscow region [38]. Initially this company was explicitly mentioned on the official Web site of the Ministry of Defense, but later was removed [39]. In addition to the information security specialists, this company also looks for specialists in foreign languages [40].

There are a series of additional research companies, each of them distinct. The first research company belongs to the Navy and is located at the Naval Polytechnic Institute in Saint Petersburg. Among the company’s operational tasks are “information technologies in Navy and technologies to conduct the network-centric wars” [41]. The second research company belongs to the Air Forces and is located at the Air Force Academy in Voronezh. Among the company’s specialties are cryptography; countermeasures against technical intelligence; computer security; and, information security of the telecommunication systems [42]. The company has a platoon of electronic warfare and information protection [43]. The fifth research company belongs to the Army and is located at the Moscow Higher Military Command School. The company’s conscripts develop software for the new National Defense Control Center (NDCC), including efforts to automatize monitoring of information security of the NDCC’s database [44]. Interim head of the Ministry of Defense’s chief directorate for R&D told RIA Novosti that his Ministry conducts proactive efforts to counteract possible cyberattacks and war in cyberspace. With that he recognized achievements of the NDCC’s information system [45].

The seventh research company belongs to the Signal Corps and is located at the Budyonny Military Academy in Saint Petersburg. The conscripts at this location are mostly specialists in information security [46], with a “cyberattacks, cybersecurity, and training aids” laboratory [47]. Additionally, the Budyonny Academy in autumn 2014 created a preparation school of IT technologies, teaching the basics of information security and other IT technologies [48].

The ninth research company belongs to the Troops of Electronic Warfare and is located in Tambov. It deals with “identifying and assessing the vulnerability of networks, software and electronic information protection; [...] combat use and assessment of the effectiveness of the electronic warfare forces and assets” [49]. One of their instructors says that their main task is to study methods of cyberattacks against gas pipelines and electric power networks, as well as closed military networks [50]; these foci are in line with historic cyberattacks against the Ukrainian critical infrastructure and American military networks.

Other Russian research companies — third (aerospace defense forces, Krasnogorsk, Moscow region) [51], eighth (military medicine, Saint Petersburg) [52], tenth (military logistics, Saint Petersburg) [53], eleventh (Chemical Corps, Kostroma) [54], and twelfth (nuclear arsenal, Sergiyev Posad, Moscow region) [55] — don’t seem to be directly in charge of cyber activities, but still represent “intellectual special operations forces” of Russia [56]. For example, a journalist from Meduza tried to visit a research company for an interview; a Ministry of Defense representative noted to the journalist that it does not show them to anybody and does not talk about them to anybody in order to not disclose “how we can use them”. He added that this topic is classified by the FSO (Federalnaya Sluzhba Okhrany, security for Russian officials) and the FSB. He finished by saying to the journalist: “Don’t risk doing anything further, don’t put yourself into the cross-hair” [57].

Russian armed forces prepare and use cybertroops well beyond research companies. For example, cybersecurity is being taught in Russian military academies and schools [58]; centers for information combat have been created in Russian military districts; information operations troops are part of Russian armed forces; cybersecurity and information combat skills are tested during maneuvers [59], and used during field operations, such as against Ukraine [60]. In the latter example, the Ukrainian artillery experienced losses as a result of hacking activities of the “Fancy Bear” group, affiliated with the GRU. The fourth research company belongs to that Directorate.

But the Russian Ministry of Defense does not limit itself to career personnel or university graduates-conscripts. Its Deputy Minister did not exclude conscription of the career hackers who, in the past, had problems with the law. He also proposed their potential use beyond his Ministry [61]. A similar approach is also characteristic of the other major player in the Russian hacking activities — the FSB. For example, we know that in Russia “people incarcerated for cybercrimes could get out before trial, in exchange for working for the government.” One of those people told a New York Times journalist that “if you do something illegal, and go to prison for eight or nine years, the FSB can help you” [62]. Jeffrey Carr from the cybersecurity consultancy Taia Global also asserts: “Russian hackers who are caught are given the choice to work for the FSB or to go to jail. The FSB also has some on contract hire.” [63] Dmitri Alperovitch from the American cybersecurity company CrowdStrike confirms that practice: cybercrime charges “suddenly disappear and those people are never heard from again,” because they start working for Russian secret services [64]. Russian Internet expert Anton Nosik confirms the above statements:

“Each [Russian] hacker, who is not in prison, has a curator. Either in FSB, or in the Directorate ‘K’ [65] of the Ministry of Internal Affairs. ... Our criminal hackers are connected with the MVD and FSB completely. [...] Because over them a general is sitting, who gives them orders. General of FSB.” [66]



Pieces of Russia’s information war put together

In August 2008 Russia conducted a five-day war of aggression against Georgia. Though on the ground Russia won (Georgia lost almost 20 percent of its territory), some Russian information warfare experts claimed that Russia then lost the information war globally. For example, an influential Russian information warfare theoretician and propagandist Igor Panarin admitted in the 15 October 2008 issue of the Russian military weekly Voenno-promyshlennyi kurier that the war against Georgia “had shown our incapacity in defending our goals and interests in the global information space.” [67] Further in this article he calls for the strengthening of the Russian state capacity in information warfare, particularly by allotting enough funds for international propaganda. Probably he, and other Russian experts, were heard. Likely, the funding for information warfare was not limited to covering only the overt Russian propagandistic channels, like Russia Today. For example, the very next year (2009) the FSB Institute located in the city of Nizhniy Novgorod modernized its video studio and capabilities to broadcast through cable TV. As a result, “a system to work with multiple sources and consumers of audio and video signals was built, while functionality of the video-studio was substantially expanded.” The Institute became capable of “creating own thematically oriented video programs.” [68]

The FSB Institute further modernized its video creative and communication capabilities using foreign hardware; in February 2016 it announced a bidding “to conduct special examination and special investigation of the foreign manufactured technical equipment” [69]. According to the bidding’s documentation, participants could be only those entities with an FSB license to conduct activities in the area of the protection of state secrets (special examination and special investigation of the technical equipment). Foreigners are not allowed on the property of the Institute. Specifically, the Institute wanted to examine its new foreign manufactured equipment to “identify possibly incorporated electronic devices to covertly obtain information” and to “detect illegitimate electromagnetic emission and crosstalk from the technical equipment.” Among the foreign-made equipment which the Institute wanted to examine were: Ethernet-commutators D-Link with 28 and 52 ports; two Ethernet-commutators Alcatel OS9700 with the module OS9 C24; one Ethernet-commutator Alcatel OS9700 with the module OS9 U24; SFP-transceiver; media converter Allied Telesys; streaming video server Datavideo NVS-20; data storage system EMS-Storage AX 4-5; data storage system’s commutator HP 4/8 SAS Switch, etc. This equipment allows us to assume that the Institute further modernized its capabilities to produce classified digital video content, with dozens of its students and employees participating simultaneously in its creation.

Assuming that the Nizhniy Novgorod FSB Institute hosts one of the Russian clandestine troll factories, its activity can present serious danger for the West. Recall the June 2015 investigation of the New York Times Magazine journalist Adrian Chen “The Agency,” about the Russian civilian troll factory located in Saint Petersburg [70]. Chen identified several clandestine Russian online information operations that happened in the second half of 2014, spreading technically sophisticated lies aimed at sowing discord and chaos in local American communities and society as a whole. These lies included a fake explosion at a chemical plant in Louisiana on 11 September, then, three months later, a fake outbreak of Ebola in Atlanta and, on the same day, a false “rumor that an unarmed black woman had been shot to death by police” [71] in Atlanta. Highly digitally driven and coordinated webs of lies gave rise and credibility to these stories aimed at increasing chaos and fear in the United States.

Chen describes the web of lies for the Louisiana hoax as

“a highly coordinated disinformation campaign, involving dozens of fake accounts that posted hundreds of tweets for hours, targeting a list of figures precisely chosen to generate maximum attention. The perpetrators didn’t just doctor screenshots from CNN; they also created fully functional clones of the Web sites of Louisiana TV stations and newspapers. The YouTube video of the man watching TV had been tailor-made for the project. A Wikipedia page was created for the Columbian Chemicals disaster, which cited the fake YouTube video. As the virtual assault unfolded, it was complemented by text messages to actual residents in St. Mary Parish. An effort of this scale must have taken a team of programmers and content producers to pull off.” [72]

As we have described, and as we suggest, the Nizhniy Novgorod FSB Institute has all the technical means to create such virtual webs of lies to undermine American and other societies.

Russian troll factories may have also participated in Russian meddling in the American presidential election in 2016. At least, in December 2015 Adrian Chen mentioned that “I created this list of Russian trolls when I was researching. And I check on it once in a while, still. And a lot of them have turned into conservative accounts, like fake conservatives. I don’t know what’s going on, but they’re all tweeting about Donald Trump and stuff.” He also added: “I feel like it’s some kind of really opaque strategy of electing Donald Trump to undermine the US or something. Like false-flag kind of thing.” [73]

Evidence also implies that alt-right American hackers and activists are working with the Russians to undermine pro-Western candidates and to promote pro-Russian candidates at elections in Western Europe [74]. Moreover, after the hacked documents from the staff of the French presidential candidate Emmanuel Macron were leaked, it became clear that some of the stolen Excel documents were, at least, opened by a person named Рошка Георгий Петрович (Roshka Georgiy Petrovich) [75]. This name is not very common, and not a very popular name in Russia. Nevertheless, a person with this name in 2014 represented ZAO “Evrika” at a conference on parallel computational technologies (PaCT) [76]. ZAO “Evrika” has several FSB licenses on activities related to the protection of the state secrets [77], and is a major supplier of the relevant software and hardware for the Russian Ministry of Defense and the military-industrial complex, specifically those dealing with the naval communication systems [78]. Macron’s hack was done by the Fancy Bear hackers probably sponsored by the Russian Ministry of Defense [79]. In November 2016 Meduza reported that it was told by a source in a Russian information defense company that about 100 people in Russia left commercial companies for service in the Russian cyber troops [80]. Given our findings offered here, we may presume that Roshka is one of them.

For example, his colleague from “Evrika” who also attended the 2014 PaCT conference, Зайцев Сергей Николаевич (Zaitsev Sergey Nikolaevich), in 2015 already worked for the previously mentioned Center for Special Developments of the Russian Ministry of Defense [81]. The 2014 PaCT conference was also attended by employees of FSB’s Kvant, military unit 71330 (FSB’s Center for Electronic Surveillance of Communications, which is responsible for the interception, decryption, and processing of electronic communications, also known as the 16th Center of FSB) [82], and military unit 51952, which is the 16th Center’s radio-interception unit [83]. Two of the Kvant participants at the 2014 PaCT conference, in 2006 at the SORUCOM (“Perspectives on Soviet and Russian Computing”) conference represented military unit 71330 [84]. In 2016, Roshka also attended the PaCT conference, but already as an employee of the military unit 26165 [85], which belongs to the GRU’s 85th main center of the special service, which, again, deals with cryptography [86]. Finally, at the 2017 PaCT conference he already represented the Ministry of Defense’s Center for Special Developments, probably re-uniting with his former colleague Zaitsev there.

As to ZAO “Evrika”, it has an educational center offering courses on IT-technologies. The well-informed sources of the Russian publication The Insider stress that this educational center also prepares future hackers among employees of the Russian secret services [87]. On 9 February 2017 one of the co-founders of ZAO “Evrika”, Kinal Aleksandr Viktorovich, was able to get a luxury apartment (approximate value is US$9 million) in an elite house in Saint Petersburg where the closest friends of Putin, Russian oligarchs, have apartments: Arkady Romanovitch Rotenberg, Gennady Nikolayevich Timchenko, Kirill Shamalov, Yury Valentinovich Kovalchuk, Andrey Fursenko, and others [88]. In Russia, securing a residence with high security and status requires strong support from political leadership.

Beyond foreign efforts, the Russian oppressive state also plans to create and use information troops against a variety of pro-democracy activists. In May 2017 the deputy head of the troops of the National Guard of Russia (created in April 2016, in charge of suppressing internal revolts, includes about 350,000 employees) announced that the first of his organizational plans was to develop IT technologists. According to him, these specialists would “conduct special monitoring” of new social media. He also reported that “such student groups” already work at the Perm Military Institute [89]. Further, in July 2017, the Guard announced that its own first research company would be created in the autumn. The company’s main activities would be “Internet research, multimedia technologies, and software.” [90]

In Figure 1 the city #5 immediately following the first four “anomaly” towns is Belgorod. We argue that political cyber activity in this relatively small city, which is still higher than in larger cities such as Moscow or Saint Petersburg, may be explained by the activity of local “cyber-patrols”. In Russia the first cyber-patrols (“kiber-druzhina”) were formed in 2011 by the “Safe Internet League” sponsored by the Russian pro-Kremlin billionaire oligarch Konstantin Valeryevich Malofeev, closely linked as well to Russian separatist proxies in Eastern Ukraine and Crimea [91]. There are 20,000 “volunteer” [92] members of cyber-patrols in Russia. The Belgorod region is the only one in Russia to officially promote and codify activities of these cyber-patrols in its territory [93]. For example, administrations of local universities and colleges are recommended to actively engage their students in cyber-patrols. Currently there are more than 400 members of the Belgorod cyber-patrol [94]. Their activity is highly prized by the head of the Belgorod regional Security Council.

Among their tasks is to “form positive content” on the Internet [95]. The above mentioned Belgorod administrative regulation order does not specify how to “form” content that is considered “positive”, but based on our Google Trends results, we can speculate that it is anti-Ukrainian and anti-Western trolling. Other official tasks of the Belgorod cyber-patrols are to find on the Internet and to report to Russian law enforcement authorities “extremist” content. Examples of this sort of material are grievances against Putin and the ruling party “United Russia”, lamenting about the poor state of Russian veterans of World War II, appeals to help Ukraine in its struggle against Russian aggression, and skepticism about Russian activity in Syria [96]. Several individuals have already been jailed for this “extremism” thanks to reports by cyber-patrols.

A person in the Belgorod administration in charge of fighting “extremism” on the Internet considers his project as “secretive”. In 2013 he also worked as a Belgorod coordinator on a similar project called “MediaGuard” organized by the “Young Guard” of the “United Russia” ruling party. The latter project is aimed at fighting against “enemy propaganda” on the Internet, and is considered to be even more secretive [97]. The Russian network VKontakte promptly reacts to requests by cyber-patrols and Russian authorities, while Facebook usually ignores these requests.

Based on all our findings about abnormally online and politically active small Russian communities, we can predict that other Russian smaller cities in our Google Trends list as illustrated in Figure 1 (those below our #5 Belgorod but still having disproportionally high online political activity in comparison to larger cities like Moscow or St. Petersburg) may also be conceived as clandestine troll or hacker locales. While identifying all of them is beyond the scope of this paper, we assert that we can already generate new understandings of politically driven activity by utilizing widely available tools like Google Trends. Using this tool, the area to search can be rather wide since, according to informed sources in the newspaper “Kommersant,” in January 2017 there were about one thousand Russian state-sponsored professional “cyber-warriors.” Russia spends on their activity about US$300 million per year [98]. Indeed, our findings provide new insight about a pattern of operation at work on a global scale. To conclude we discuss implications for information scholars and practitioners, really for anyone interested in Russian cyberwar-related activity.



Discussion and conclusion

This work illuminates some of the activities, investments, and strategies behind a case of contemporary information war, an approach that will be ever more prevalent in this increasingly digital world. We provide evidence showing these kinds of patterns emanating from Russia, given the potential effects Russia’s information-based strategies may be having around the globe, and especially in electoral processes (e.g., in the U.S., France, and Germany). Indeed these findings show that in this exemplary case of Russian information-based activities, digital hacking is so far an “easy and cheap road” for Russia to deploy the kinds of disruptions that can interrupt democratic processes or governing efforts around the world. We investigate Russian information-based global influences or “hacks” in order to generate new ideas about disruptive digital activities that can emanate from any country and bring effects that are potentially global in size.

As part of this work we now see that Russia’s leadership pays a great deal of attention to recruitment efforts relative to its information operations both internally and abroad, recruiting and keeping tech-savvy workers within Russia’s borders [99]. Certainly there are strategies for employing Russian citizens, and there are priorities to keep strong graduates. It is reasonable to assume that Russia’s ban on media sites like LinkedIn [100] is tied to concerns about those with strong skills being recruited by Western employers instead of serving in the Russian hi-tech-related military complex.

Beyond recruiting efforts, and given what we present here, we can see an important chain of command worth reviewing. Based on our findings, we argue that Putin’s geopolitical advisors point to areas of concern and political tension, and those get translated into hacking assignments taking place in the FSB, GRU, possibly the SVR (Sluzhba vneshney razvedki, Foreign Intelligence Service), or by paid civil trolls or “unpaid” cyber-patrol “volunteers”. These assignments are sent via curators in these contexts who, in turn, distribute assignments to their subordinate hackers and trolls. Such a chain of command may explain why the DNC was independently and simultaneously hacked by the APT 29 (FSB) and APT 28 (GRU) [101]. That is, the assignments were likely passed along to the FSB and GRU independently, to increase the likelihood of a successful hack.

Putin admitted in May 2017 that there may exist some “patriotic” hackers who may fight for Russia globally on their own, and may have interfered in a recent U.S. election. At the same time, he denied state-level interference [102]. We assert that this kind of reference to volunteer patriots is similar to his reasoning about Russian involvement in Ukrainian disruptions, that attacks were simply activities of average citizens and not of state-sponsored employees and troops [103]. In the case of Russia, we find a blurring of lines between state-sponsored workers and those who can be viewed as average citizens being encouraged and rewarded for hacking activities.

The information war and related hybrid war approaches involve both hacking and disinformation campaigns. So, alongside hacking activities there are strong investments in news organizations like Russia Today (RT) and Sputnik. To underscore this particular point about the power of propaganda via controlled media news sources, here is how an anonymous current employee of RT describes its real activity:

“[I]deologically it is an ordinary propaganda channel. That is, only ‘correct’ topics are covered and under the ‘right’ angle. For example, there is a lot of stories about human rights violations in the U.S., but about human rights violations in Russia — not a word. [..T]he cursed West wants to rule the whole world, and Russia, in which honest and peace-loving people live, under the guidance of an experienced leader, successfully confronts them. [...] The RT audience is basically the same target group for which the channel was created — people in the U.S. and Western Europe, who are really dissatisfied with their authorities and generally with the policy of the so-called ‘West’, but who do not know anything about Russia. [...] Almost all of the content is aimed at blackening the West, emphasizing and bulging those moments where its ruling elite is discrediting itself. RT does not talk about Russia, but about ‘the decaying West’.” [104]

Newly elected French president Emmanuel Jean-Michel Frédéric Macron, who, as we saw above, also suffered from Russian hackers, publicly, to Putin’s face, accused RT and Sputnik of being “agents of [Russian] influence” spreading “falsehoods” [105]. During the 2016 presidential election in the U.S. RT also played a role. Specifically, researchers from Harvard’s Berkman Klein Center for Internet & Society [106] found that during the American presidential campaign Russia Today was the media source most frequently shared on Twitter (and #5 on Facebook) for the center-right [107].

Though our mission is to synthesize data tied to a particular case of information war, we find this manuscript difficult to conclude given that global hacks are ongoing. For example, the global cyber attack from ransomware called WannaCry occurred in May 2017 and seemed to have negatively affected Russia the most [108] (though it may have been at least partially Russian sponsored) [109]. Russia’s Ministry of Internal Affairs (a law enforcement agency in charge of the police), one of the leading cell-phone providers, and Russian Railways suffered from the ransomware [110]. Taking into account that the Windows vulnerability exploited by the attack was patched by Microsoft two months earlier, we can come to the conclusion that the affected Russian entities either use outdated or pirated Microsoft software, or don’t have minimally qualified system administrators to install the patch (perhaps those with most qualifications are already working in capacities reviewed in this document).

Though the purpose of this paper is not necessarily to pose the many means possible for stopping a country like Russia, there are cyber-related sanctions that could ban the provision of software updates to Russia by American and other Western companies. Moreover, something like the past Coordinating Committee for Multilateral Export Controls should be re-established in order to ban exporting to Russia any hardware or software which it could be using in information/cyber warfare against the West. Based on the current state of the Russian computer industry, such an export regime would seriously undermine Russian ability to harm other nations. Putin “values the importance of hi-tech and the digital economy and takes special interest in this area.” [111] So as the nature of war changes, so will the nature of sanctions around the world.

As hybrid war is on the rise — that is, war involving both physical military strategies and information/cyber tactics — new kinds of information/cyber strategies will continue to emerge. The type of attacks or disinformation efforts will shift over time, by country, and with rapid advancements in digital life. With this work, we offer an in-depth investigation of a case of hybrid war, focusing on information/cyber strategies in particular. From this case we can consider other cases underway and ideally, begin to consider the kinds of peace-keeping strategies in an information era in order to maintain a healthy geopolitical climate.


About the authors

Volodymyr Lysenko is a former research associate at the Center for Digital Society and Data Studies, and holds appointments in multiple departments, including the School of Information, at the University of Arizona.
E-mail: vlysenko [at] email [dot] arizona [dot] edu

Catherine Brooks is the Associate Director and an Associate Professor in the School of Information, as well as the Founding Director of the iSchool’s Center for Digital Society and Data Studies at the University of Arizona.
E-mail: cfbrooks [at] email [dot] arizona [dot] edu



1. Creswell, 2007, p. 78.

2. Farquhar, 2012, p. 9.

3. Renz and Smith, 2016, p. 11.

































36.; HTTP error 404 usually indicates that a Web page no longer exists. Given the Russians’ pathological tendency to delete sensitive information relevant to their information troops (though with Google Cache or Web Archive we can easily “restore” that information), the order’s number is indeed telling.






42. http://академия-ввс.рф/%D0%BD%D0%B0%D1%83%D1%87%D0%BD%D0%B0%D1%8F-%D1%80%D0%BE%D1%82%D0%B0/docs/%D1%81%D0%BF%D0%B5%D1%86%D0%B8%D0%B0%D0%BB%D1%8C%D0%BD%D0%BE%D1%81%D1%82%D0%B8.pdf.























65. This Directorate of the MVD is officially in charge of fighting crimes in the Internet: https://мвд.рф/mvd/structure1/Upravlenija/Upravlenie_K_MVD_Rossii.






71. Ibid.











82., pp. 230–231.










92. They receive various rewards for their activities.





97. Ibid.










107., specifically p. 58, Table 14.






Russian language sources used
Note: All sources in Russian.

[Action Tube], 2016. “Zhirinovsky ‘Long live Donald Trump!’/Zhirinovsky ‘Hail Donald Trump!’” [Video File] (6 November), at

Air Force Academy named after Professor N.E. Zhukovsky and Yu. A. Gagarin, n.d. “The list of specialties, which are recruited in the research company of the Air Force Academy named after Professor N.E. Zhukovsky and Yu. A. Gagarin (The city of Voronezh),” at http://академия-ввс.рф/%D0%BD%D0%B0%D1%83%D1%87%D0%BD%D0%B0%D1%8F-%D1%80%D0%BE%D1%82%D0%B0/docs/%D1%81%D0%BF%D0%B5%D1%86%D0%B8%D0%B0%D0%BB%D1%8C%D0%BD%D0%BE%D1%81%D1%82%D0%B8.pdf.

N. Aleksandrov, 2015. “Ninth research,” Army Today (27 April), at

N. Aronov, 2017. “Crusader fighters: Nikita Aronov met in Belgorod with cyber-patrols and their activities,” Ogonyok (26 June), at

S. Bogdanov, 2008. “Special service of the General Staff,” Krasnaya Zvezda (14 November), at

M. Bondarenko, 2017. “Defendant in the case of the state treason in the FSB wrote a letter to the authorities” RBC (12 April), at

Cadet Corps (IT School) of the Military Academy of Communications named after Marshal of the Soviet Union S.M. Budyonny of the Ministry of Defense of the Russian Federation, n.d. “About the school,” at

R. Dobrokhotov, 2017. “Roshka and mouse. The email of the French president was hacked by the GRU,” The Insider (2 June), at

Dozhd TV Channel, 2017. “The fund of Putin’s nephew suggested limiting the right to migrate abroad for university graduates with honors diplomas” (4 July), at

Dozhd TV Channel, 2017. “‘Cryptocratic threat to the future of Russia.’ Appeal of the arrested manager of ‘Kaspersky’ to the authorities” (12 April), at

Educational center “Informzashita”, n.d. at

Federal educational and methodological association in the system of higher education on the enlarged group of specialties and areas of training ‘information security’, n.d. “List of universities belonging to the educational and methodological association,” at

A.Y. Gainov, M.V. Naumov, and R.L. Grishanenko, 2011. “Intellectual means to divide access in the automated system of information processing. Proceedings from The Fourth International Scientific-Practical Conference ‘Technical sciences — from theory to practice’,” Novosibirsk, Russia: SibAK, at

Y. Gavrilov, 2013. “Private hacker,” Rossiyskaya Gazeta (11 July), at

GazetaRu, 2017. “Russian Railways has reported a hacker attack on its IT system” (13 May), at

Government of the Belgorod region, 2017. “Regulation about organization of activity of cyber-patrols in the Belgorod region” (22 May), at

HeadHunter recruiting agency, n.d. “Engineer for source code analysis (Reverse Engineer),” at

The Insider, 2017. “Confessions of a propagandist. Part I. How they do the news on state TV: An employee of RT TV channel” (9 June), at

The Insider, 2017. “A new connection has been discovered between the hacker who hacked Makron and the Defense Ministry. ‘Evrika’ denies everything,” (12 May), at

Institute of the Federal Security Service of the Russian Federation (Nizhny Novgorod), n.d. “Goals and objectives of scientific activity,” at

Institute of the Federal Security Service of the Russian Federation (Nizhny Novgorod), n.d. “Official materials,” at

Institute of the Federal Security Service of the Russian Federation (Nizhny Novgorod), n.d. “Partnership and collaboration,” at

Institute of the Federal Security Service of the Russian Federation (Nizhny Novgorod), 2008. “The Federal Security Service awarded the schoolchildren” (21 March), at

Interfax news agency, 2017. “The National Guard of Russia will monitor social networks” (19 May), at

A. Kirilenko, 2017. “The metadata of Macron’s hacked letters revealed the name of the Russian hacker,” The Insider (6 May), at

M. Kolomychenko, 2017. “On the Internet, cyberwars have been introduced: Analysts estimated the number of hackers on the state service,” Kommersant (10 January), at

Y. Kozak, 2015. “The 5th research passed examination,” Krasnaya Zvezda (4 June), at

Y. Krutikov, 2016. “The appointment of General Korobov says a lot about the priorities in the work of the GRU,” Vzglyad (3 February), at

Laboratory of Information Systems, n.d. “Institute of the Federal Security Service of Russia, Nizhny Novgorod,” at

D. Legezo, 2013. “At the first meeting of the council at the military industrial commission, Deputy Prime Minister Dmitry Rogozin told about his vision of the problems of cybersecurity,” CNews (25 April), at

LenizdatRu, 2003. “ZAO EVRIKA received two more licenses to carry out activities to protect state secrets” (13 October), at

A. Levashov, 2014. “The RF Ministry of Defense has formed high-tech units and hires cyber fighters,” CNews (18 April), at

I. Martynenko, 2017. “Departing youth,” Radio Liberty (4 July), at

Y.N. Marusin, 2008. “At the defense of the state secrets,” Russian Military Review, volume 10, number 57, at

E. Merkacheva, 2017. “‘The Internet is a territory where you can become a hyper-villain’: Notes of the arrested person for state treason,” Moskovskiy komsomolets (17 April), at

Military Academy of Communications named after Marshal of the Soviet Union S.M. Budyonny, n.d. “Accommodation of the research company,” at

Military Academy of Material and Technical Support named after General of the Army A.V. Khrulev, n.d. “Research company,” at

Military Academy of Radiation, Chemical and Biological Defense named after Marshal of the Soviet Union S.K. Tymoshenko, n.d. “Research company,” at

Ministry of Defense of Russian Federation, 2016. “12 research companies of the Armed Forces of the Russian Federation will take part in the II International Military-Technical Forum ‘ARMY-2016’” (28 June), at

Ministry of Defense of Russian Federation, 2015. “Soldiers of the research company of the Military Communications Academy signed the first contract with the Defense Ministry” (14 December), at

Ministry of Defense of Russian Federation, 2015. “During the joint Russian-Belarusian operational exercise ‘Shield of the Union-2015’, signalmen of the Western Military District repulsed the cyberattack of the simulated enemy” (15 September), at

Ministry of Defense of Russian Federation, 2014. “Deputy Defense Minister Colonel-General Yuri Sadovenko opened a new academic year in the Ryazan Higher Airborne Command School” (1 September), at

Ministry of Defense of Russian Federation, 2013. “Research companies of the Armed Forces of the Russian Federation” (25 August), at

Ministry of Defense of Russian Federation, 2013. “Research companies of the Armed Forces of the Russian Federation” (25 August), retrieved from the WebArchive on 10 September 2013 at

Ministry of Defense of Russian Federation, 2013. “Research companies of the Armed Forces of the Russian Federation” (25 August), retrieved from the WebArchive on 16 April 2016 at

Ministry of Defense of Russian Federation, n.d. “3 Research Company (Aerospace Defense Forces),” at

Ministry of Defense of Russian Federation, n.d. “6th Research Company (Of the Eighth Directorate of the General Staff of the Armed Forces of the Russian Federation),” at

Ministry of Defense of Russian Federation, n.d. “8 Research Company (Medical Service),” at

Ministry of Defense of Russian Federation, n.d. “Center for Special Developments of the Ministry of Defense of the Russian Federation,” at

Ministry of Defense of Russian Federation, n.d. “Eighth Directorate of the General Staff of the Armed Forces of Russian Federation,” at

Ministry of Defense of Russian Federation, n.d. “Krasnodar Higher Military School named after General of the Army S.M. Shtemenko,” at

Ministry of Defense of Russian Federation, n.d. “Research companies: History,” at

Ministry of Defense of Russian Federation, n.d. “Structure of the Ministry of Defense of Russia,” at

Ministry of Education and Science of the Russian Federation, National research South-Urals state university, 2014. “Who is who at the conference ‘Parallel computational technologies (PaVT’2014)’. International scientific conference, April 1–3, 2014, Rostov-on-Don. The conference is held with support from the Russian fund of fundamental research,” at

O. Mukhin and M. Kotova, 2017. “Belgorod inhabitants are called into cyber-patrols: The government of the region officially approved their powers and curators,” Kommersant (30 May), at

Munitsipalnyi Skaner, 2017. “Eureka! ‘Munitsipalnyi Skaner’ has studied the company, which is connected with the hacking of the email of the President of France” (31 May), at

I. Murtazin, 2017. “The Trojan code,” Novaya Gazeta (26 January), at

National Forum for Information Security Infoforum, n.d. “Participants,” at

National Research Nuclear University “MIFI” Obninsk Institute of Atomic Energy (IATE), n.d. “Research company,” at

Official site of the Russian unified information system in the area of procurement, n.d. at

Official site of the Russian unified information system in the area of procurement, n.d. at

Official site of the Russian unified information system in the area of procurement, n.d. at

[otakvot], 2015. “Google gave away the lair of the Kremlin trolls” (18 August), at

I. Panarin, 2008. “Information combat system. Voenno-promyshlennyi kurier” (15 October), at

Perm National Research Polytechnic University, 2015. “The ranks of the Russian army were enlarged by a research company” (24 July), at

President of Russia official Web site, 2013. “Vladimir Putin held a meeting of the Security Council in the Kremlin dedicated to the improvement of the military organization of Russia for the period until 2020” (5 July), at

Radio Moscow Echo, 2017. “Internet bans and cyberwarfare” (26 June), at

Radio Moscow Echo, 2016. “Modern cyberwars” (11 January), at

RIA Novosti news agency, 2015. “The Ministry of Defense of the Russian Federation is developing technologies for conducting cyberwarfare” (18 October), at

RIA Novosti news agency, 2013. “ITMO Rector: Our university will become the base civil service for the Defense Ministry” (20 August), at

RIA Novosti news agency, 2013. “The Ministry of Defense can create a separate kind of troops to combat cyberthreats” (5 July), at

RIA Novosti news agency, 2013. “Shoigu ordered to find champions from St. Petersburg” (4 July), at

RIA Novosti news agency, 2013. “Research companies will increase the intellectual level of the army, experts say” (14 June), at

RIA Novosti news agency, 2013. “Rogozin considered social networks as an element of modern cyberwar” (7 June), at

RIA Novosti news agency, 2013. “Shoigu: Defense Ministry can start creating research companies in universities” (12 March), at

RIA Novosti news agency, 2012. “A cyber command may appear in the Russian army, Rogozin said” (21 March), at

RosTender — All biddings of Russia, 2016. “Bidding: Work on special inspection and special research of foreign-made equipment” (24 February), at

I. Rozhdestvenskiy and M. Istomina, 2017. “The FSB officer, who is in the treason case, in the past was a hacker,” RBC (27 January), at

Russian Economic University named after G.V. Plekhanov, n.d. “Military service in the 6th research company of the 8th Directorate of the General Staff of the Armed Forces of the Russian Federation in the Krasnodar Higher Military School named after General of the Army S.M. Shtemenko,” at

Russian Economic University named after G.V. Plekhanov, n.d. “Become a military cyber-defender of Russia right now!” at

S. Sachevskiy, 2017. “Shoigu about creation of the information operations troops” [Video File] (22 February), at

K. Sagieva, 2017. “Arrested in the case of state treasury, the top manager of Kaspersky Lab addressed the authorities,” Dozhd TV Channel (12 April), at

Y. Saltykov, 2014. “In Russia, cyber-troops has been created” (12 May), at

P. Sedakov and D. Filonov, 2015. “Spy track: the Italian cyber group has Russian government customers,” (8 July), at

O. Shcheblykin, 2013. “1st Research Company of the Navy,” Central Naval Portal (12 December), at

I. Sheludkov, 2014. “From Russia — with awards,” Newspaper of the Ministry of Defense of the Republic of Belarus “For the Glory of the Motherland” (21 May), at

Superjob recruiting agency, n.d. “Vacancies of the Ministry of Defense, Special Development Center,” at

System for supporting the intellectual competitions of schoolchildren, n.d. at

TASS news agency, 2016. “The military of Russia for the first time worked out information combat during the exercises ‘Caucasus’” (14 September), at

TASS news agency, 2015. “A separate unit of the troops of information operations will appear in the autumn in the Crimea” (17 April), at

TASS news agency, 2014. “Source in the Ministry of Defense: Troops of information operations have been set up in the Armed Forces of the Russian Federation” (12 May), at

Tomsk State University of Control Systems and Radioelectronics (TUSUR), the editorial board of “Radioelectronic” magazine, 2016. “Research companies: How a student of TUSUR can become an elite soldier of a research company” (6 January), at

V. Tsybulskiy, 2017. “A virus-extortionist spreads around the world. In Russia, ‘Megafon’, the Interior Ministry and the Investigative Committee have been infected (at least),” Meduza (12 May), at

D. Turovsky, 2017. “In Moscow, there is a circle of school programmers under the care of the FSB, where students are told about the Jewish conspiracy. Really?” Meduza (25 May), at

D. Turovsky, 2016. “Russian armed cyberforces: How the state creates military detachments of hackers” Meduza (7 November), at

D. Turovsky, 2015. “To load under the full program: Why did state corporation need a system for organizing DDoS attacks,” Meduza (3 September), at

[VKontakte], n.d. “Defense Minister of the Russian Federation order from May 28, 2013 N 404,” at

[VKontakte], n.d. “Information on the procedure for selecting candidates for military service on conscription in a research company of electronic warfare in the Interbranch Center for preparation and combat employment of EW troops (educational and testing),” at

Y.V. Voinov and V.A. Mukminov, 2013. “The substantiation of necessity and the order of application of means of detecting computer attacks,” Journal of the Institute of Engineering Physics, volume 2, number 28, pp. 8–11, at

Wikimapia, n.d. “Nerastannoe. Russia/Moskovskaja Oblast/Chekhov/The FSB of Russia, a military town,” at

[YouTube], n.d. “[Video File, 5:13-5:26],” at



A. Baunov, B. Jarábik, and A. Golubov, 2015. “A year after Maidan: Why did Viktor Yanukovych flee after signing the agreement with the opposition?” Carnegie Moscow Center (25 February), at, accessed 5 April 2018.

A. Bessi and E. Ferrara, 2016. “Social bots distort the 2016 US Presidential election online discussion,” First Monday, volume 21, number 11, at, accessed 5 April 2018.
doi:, accessed 5 April 2018.

R. Blackwill and P. Gordon, 2018. “Containing Russia, again: An adversary attacked the United States — it’s time to respond,” Foreign Affairs (18 January), at, accessed 5 April 2018.

K. Boyte, 2017. “An analysis of the social-media technology, tactics, and narratives used to control perception in the propaganda war over Ukraine,” Journal of Information Warfare, volume 16, number 1, pp. 88–111, and at, accessed 5 April 2018.

J. Creswell, 2007. Qualitative enquiry & research design: Choosing among five approaches. Thousand Oaks, Calif.: Sage.

J. Farquhar, 2012. Case study research for business. Thousand Oaks, Calif.: Sage.

K. Geers (editor), 2015. “Cyber war in perspective: Russian aggression against Ukraine,” NATO Cooperative Cyber Defence Centre of Excellence, at, accessed 5 April 2018.

E. Iasiello, 2017. “Russia’s improved information operations: From Georgia to Crimea,” Parameters, volume 47, number 2, pp. 51–63.

R. Mackey, 2017. “There are no ‘Macron leaks’ in France. Politically motivated hacking is not whistleblowing,” The Intercept (6 May), at, accessed 5 April 2018.

NATO StratCom Centre of Excellence (COE), 2015. “Analysis of Russia’s information campaign against Ukraine: Examining non-military aspects of the crisis in Ukraine from a strategic communications perspective,” at, accessed 5 April 2018.

O. Pasitselska, 2017. “Ukrainian crisis through the lens of Russian media: Construction of ideological discourse,” Discourse & Communication, volume 11, number 6, pp. 591–609.
doi:, accessed 5 April 2018.

B. Renz and H. Smith, 2016. “Russia and hybrid warfare — Going beyond the label,” Aleksanteri Papers (Aleksanteri Institute, University of Helsinki, Finland), number 1, at, accessed 5 April 2018.

D. Sanger and S. Erlanger, 2014. “Suspicion falls on Russia as ‘snake’ cyberattacks target Ukraine’s government,” New York Times (8 March), accessed 5 April 2018.

J. Schindler, 2016. “False flags: The Kremlin’s hidden cyber hand,” Observer (18 June), at, accessed 5 April 2018.

M. Snegovaya, 2015. Putin’s information warfare in Ukraine: Soviet origins of Russia’s hybrid warfare. Washington, D.C.: Institute for the Study of War, and at, accessed 5 April 2018.

UNIAN Information Agency, 2015. “Russian journalist: Kremlin’s plan on Crimea’s annexation born in 2013” (19 November), at, accessed 5 April 2018.

A. Unwala and S. Ghori, 2015. “Brandishing the cybered bear: Information war and the Russia-Ukraine conflict,” Military Cyber Affairs, volume 1, number 1, article 7, at, accessed 5 April 2018.
doi:, accessed 5 April 2018.

B. van Niekerk, 2015. “Information warfare in the 2013-2014 Ukraine crisis,” In: J.-L. Richet (editor). Cybersecurity policies and strategies for cyberwarfare prevention. Hershey, Pa.: IGI Global, pp. 307–339.
doi:, accessed 5 April 2018.

D. Ventre, 2016. Information warfare. Hoboken, N.J.: Wiley.
doi:, accessed 5 April 2018.

C. Watts, 2017. “Clint Watts’ testimony: Russia’s info war on the U.S. started in 2014,” Daily Beast (30 March), at, accessed 5 April 2018.

R. Yin, 2009. Case study research: Design and methods. Fourth edition. Thousand Oaks, Calif.: Sage.

A. Zelenkauskaite and M. Balduccini, 2017. “‘Information warfare’ and online news commenting: Analyzing forces of social influence through location-based commenting user typology,” Social Media + Society (17 July).
doi:, accessed 5 April 2018.

A. Zelenkauskaite and B. Niezgoda, 2017. “‘Stop Kremlin trolls:’ Ideological trolling as calling out, rebuttal, and reactions on online news portal commenting,” First Monday, volume 22, number 5, at, accessed 5 April 2018.
doi:, accessed 5 April 2018.

K. Zetter, 2016. “Inside the cunning, unprecedented hack of Ukraine’s power grid,” Wired (3 March), at, accessed 5 April 2018.


Editorial history

Received 20 November 2017; revised 6 February 2018; accepted 7 February 2018.

Copyright © 2018, Volodymyr Lysenko and Catherine Brooks.

Russian information troops, disinformation, and democracy
by Volodymyr Lysenko and Catherine Brooks.
First Monday, Volume 23, Number 5 - 7 May 2018