Madrugada Verde -

Revealed: Estonia targeted by Russia-linked disinformation deluge

Kremlin-linked threat actors are undermining the government of Estonia and its relationship with the European Union through a concerted disinformation campaign, with wider ramifications

The people of Estonia are being targeted by a Russia-linked covert influence operation attempting to undermine the Baltic state’s government and, in particular, its relationship with the European Union (EU), while exploiting the European refugee crisis.

This is according to intelligence uncovered by Recorded Future’s Insikt Group, which has dubbed the campaign against Estonia – which is one of the most advanced digital economies in Europe – Operation Pinball.

The campaign bears many of the same hallmarks as an alleged Russia-based operation called Secondary Infektion, which unfolded over the course of 2019 targeting the West, including against the NHS in the UK.

“Recorded Future found that this activity shared significant overlap with previously reported tactics, techniques, and procedures (TTPs) used in Secondary Infektion campaigns, namely the use of self-publisher blogs with single-use personas, Reddit promotion, and multilingual obfuscation,” said the group in a disclosure report.

Some of the TTPs observed by the Insikt Group’s researchers included use of forged letters and email correspondence; targeting of geopolitical incidents in the former USSR; errors in language that are characteristic of native-Russian speakers; and seeding and promotion by one-off burner accounts on Reddit and other self-publisher websites and blogs.

Recorded Future said it assessed “with high confidence” that the activity targeting Estonia was a coordinated and deliberate attempt to undermine Tallinn’s relationship with Brussels, degrade the confidence of Estonians in their government, sow strife and discord among Estonian officials, and sour public opinion against migrant refugees entering Europe.

One example of the disinformation spread by Operation Pinball was posted in December 2019 on, a German self-publishing platform under the headline “Neue Flüchtlinskrise: Europa ist nicht dazu bereit” (New refugee crisis: Europe is not ready for it).

The article blamed the US and Europe for wars in the Middle East and Africa prompting the Mediterranean refugee crisis that has unfolded over the past few years, claimed that refugees were overwhelming other European countries, and blasted the Estonian government for welcoming the EU’s migration quotas in spite of local opposition.

It included a letter to Dimitris Avramopoulos, the European commissioner for Migration, Home Affairs and Citizenship, from Taavi Aas, Estonia’s minister of economic affairs and infrastructure, backing up this line.

The Insikt Group said that linguistic analysis of the letter strongly suggested it was a fake, written by a native Russian speaker using grammatically incorrect English constructions.

Two key indicators in this analysis centres on how the genitive case denoting ownership is translated from Russian to English, and confusion between the definite and indefinite articles – Russian does not have a definite or indefinite article (the/a/an) or the verb ‘to be’ in the present tense, so many English-speaking Russians are inclined to use the words ‘the’ and ‘a’ incorrectly, or even omit them.

There is also the fact that the real Taavi Aas speaks fluent English.

A second instance of the campaign targeting Georgia – long in Moscow’s sights for rejecting Russia’s influence – seemed to be an attempt to disrupt and undermine the growing relationship between Georgia and Nato; create uncertainty around Georgia’s economy and energy independence; sow the narrative that the Georgian government is selling out its people; and promote support and recognition of the independence of the breakaway regions of Abkhazia and South Ossetia.

US is next target?

Additional investigations into Operation Pinball also found undisclosed attempts to pin falsified documents on US officials and political bodies. In light of this, the Insikt Group warned that there was some evidence to suggest that the almost inevitable covert influence operation targeting the 2020 US presidential election will seek to leverage similar techniques.

“Though we have not identified specific cases of Operation Pinball targeting the US 2020 election process, we believe that the operatives behind this information operation are likely capable of doing so,” they said.

“Well-crafted false documents and letters planted on Reddit, social media, and self-publishing sites (like Medium or WordPress) which attempt to emulate correspondence between US political figures remains a significant possibility, and, if successful, could have wide-ranging consequences for the US elections. We believe it is possible that actors could leverage Operation Pinball tactics against US political figures this year.”

Recorded Future said that while preventing the use of such tactics was difficult, their impact could be somewhat mitigated through a whole-community approach to cyber security and disinformation.

This could include continuous monitoring of websites and pages likely to be taken advantage of; empowering admins to isolate and remove such content; making targets (such as politicians) aware of the operations to let them debunk falsehoods in any forged documents; and wider public education on identifying disinformation and false claims online.

The full report can be downloaded from Recorded Future’s website.

Read more about disinformation

  • A cross-departmental counter-disinformation unit will seek to protect and secure UK citizens from disinformation, scams and cyber security threats related to the Covid-19 outbreak.
  • The World Health Organisation and Rakuten Viber have built an interactive, multi-language chatbot to try to get on top of the growing problem of disinformation during the coronavirus pandemic.
  • Facebook and Twitter have been cast as the villains of the piece, but social media disinformation and propaganda are evolving in new and alarming directions, say Oxford University researchers.

Read more on Hackers and cybercrime prevention

Data Center
Data Management