Russia’s disinformation campaign in the run-up to the 2016 US presidential election, often believed to be the work of trolls, was in fact bigger, better coordinated, and far more effective than previously believed, according to a study by US cybersecurity firm Symantec.

The study used a massive data set that Twitter had released in October 2018, which included nearly 3,900 suspended accounts and 10 million tweets. It found that the average gap between account creation and first tweet was 177 days suggesting that the campaign, run by Russia’s Internet Research Agency (IRA), was far more professional — and patient — than previously thought. The most retweeted account got 6 million retweets, and fewer than 2,000 of those came from within the IRA-linked network of accounts. The accounts then remained active for an average of 429 days, well into August 2016, when almost all stopped tweeting.

Two main types of accounts

Symantec found that the accounts could be divided into two types — main accounts and auxiliary accounts. It said that it had identified 123 main accounts and 3,713 auxiliary accounts in the data set.

Main accounts had at least 10,000 followers but followed substantially fewer accounts, and were primarily used to publish new tweets. They were generally ”fake news” outlets masquerading as regional news outlets, or pretending to be political parties. Their creation dates suggested that they were usually created individually, or in small batches. The default language selected for main accounts was always either English or Russian.

Auxiliary accounts, on the other hand, had fewer than 10,000 followers, but often followed more accounts than that. Their main purpose was to retweet messages from other accounts and amplify distribution, though they also published original tweets. These accounts usually pretended to be individuals. Unlike main accounts, these accounts were usually created in large batches — sometimes hundreds in a day. In May 2014, for example, the IRA set up seven main accounts and 514 auxiliary ones.

Most influential account got 6 million retweets

Symantec said that some accounts became hugely influential — the most retweeted account in the data set was TEN_GOP. Created in November 2015, it masqueraded as a group of Republicans in Tennessee and appeared to have been operated manually. In less than two years, TEN_GOP managed to rack up nearly 150,000 followers. Although it sent out only 10,794 tweets, it garnered more than 6 million retweets, most of which were by unsuspecting Twitter users. Of the 6 million retweets, only 1,850 retweets came from other accounts within the data set.

55% of the most prolific accounts retweeted fake news

The study found that 55% of the most prolific accounts were fake news accounts. Most acted as auxiliary accounts and were automated in the same way as most of the fake news accounts. However, while the fake news accounts were automated to publish original content, these accounts were automated to retweet content.

The study also confirmed that the IRA’s campaign was not one-sided, and targeted both ends of the political spectrum in the US to sow division. The 20 most retweeted English-language accounts were split evenly between conservative and liberal messages. The most followed English language accounts showed a similar split — 35% pretended to support conservative causes, while 30% pretended to back liberal causes.

96% of fake news accounts were fully automated

Most of the fake news accounts that IRA created pretended to be local news outlets. The majority of these were created between May and August 2014, but lay dormant until January 2015, suggesting that the fake news element of the operation was planned well in advance. The vast majority of these accounts — 96% — were fully automated, using services to monitor blog activity and automatically push new posts to Twitter. Another 2% queued tweets for publication at scheduled times.

Symantec said activity on fake news accounts trended upwards from the beginning of 2015 until the summer of 2016, when there was a sudden fall in activity. This, the study said, was probably because the accounts had been using the Twitterfeed service to push their blogs on Twitter. But Twitterfeed had announced that it would close by October 2016 of that year, forcing the accounts shift to an alternative service called Twibble. “The drop off in activity during August 2016 could have been caused by technical problems during the changeover. By December the changeover was complete and the fake news accounts had resumed business as usual,” the report said.

Accounts linked to real news when it suited their goals

Some tweets in the data set had shortened links to other content. Symantec followed each shortened URL to find out the ultimate link destination. The largest number of links led to other Twitter posts, some of which were from other suspended accounts. Some links led to legitimate media outlets, which suggested that the sophisticated campaign also used real news stories that supported its goals.

Activity spiked close to election time

English language tweets by month, January 2016 – November 2016

Between January and November 2016, accounts in the data set sent 771,954 English language tweets, with a marked uptick in activity as November approached. Symantec studied the content of these tweets and found they were both heavily focused on the election, and “quite evenly split” between left-wing and right-wing topics. And though the accounts comprised fake personas and organisations, they succeeded in mobilising people to attend events. The campaign’s operators also organised rallies supporting positions on both sides of the political spectrum, the report said.