
Storm-1516: VIGINUM Report Insights

  • Writer: CRC
  • 6 days ago

Updated: 4 days ago


[INTRODUCTION]

This week, we examine the report “Analysis of the Russian Information Manipulation Campaign Storm-1516,” published in May by VIGINUM.


The timing of its release is unlikely to be coincidental. At the end of April 2025, the French government publicly confirmed what had long been suspected: repeated cyberattacks on French institutions can be directly attributed to Russian intelligence services.[1] What stands out is not the substance of the accusation (such activities have been documented since 2017) but France's unusually explicit and public first attribution.[2]


It seems likely that this attribution is part of a broader political communication strategy. The VIGINUM report should, therefore, be seen not only as a technical analysis but also as a political signal. It forms part of France’s effort to publicly expose Russian influence operations and foster coordinated international awareness and response.


[SUMMARY]

The report documents 77 information operations attributed to the actor cluster Storm-1516. The comprehensive list of individual cases included in the annex is particularly noteworthy.[3] This level of transparency sets a benchmark for structured and verifiable threat analysis.


We reproduce the report's summary here before turning to selected highlights for a more in-depth examination:


Figure 1 – Summary, p. 3 of the report, Courtesy of VIGINUM

[INSIGHTS]

The role of “CopyCop” remains open to interpretation. VIGINUM draws a clear analytical line between Storm-1516 and CopyCop—two closely intertwined operations that are nonetheless treated as distinct entities. This distinction is significant, as other organizations, such as Recorded Future, have previously treated both clusters as identical or inseparably linked. [4]

 

VIGINUM, by contrast, emphasizes that Storm-1516 is an autonomous Russian information manipulation set (IMS) responsible for strategic disinformation operations. CopyCop, in turn, functions as a technical dissemination network used by multiple Russian actors.


This differentiation is evident in the report’s executive summary, which refers to “close coordination and occasional overlap between Storm-1516 and other Russian IMS, including Project Lakhta and CopyCop.” [5] The latter is not considered an internal component of Storm-1516 but a separate actor within the broader Russian influence ecosystem.


Another example of this operational overlap is the registration of the domain ensemble-24.[fr] in June 2024 by operators affiliated with CopyCop. The site impersonated the official campaign website of the French political party “Ensemble” and was used as part of a Storm-1516 election interference operation. Technical indicators, such as shared IP infrastructure, demonstrate the close connection. [6]


Figure 2 - Screenshot of websites impersonating the coalition "Ensemble", p. 6 of the report, Courtesy of VIGINUM

VIGINUM notes that the CopyCop network “is now used by several actors in the Russian information influence ecosystem”[7] —an indication that it functions not as a proprietary tool of Storm-1516, but as a shared technical infrastructure. The report further states that “Storm-1516 narratives are almost systematically amplified by fake news websites from the CopyCop network”[8], positioning the network less as an originator of content and more as a key amplifier in coordinated influence campaigns.


Although a clear chain of command between the actors is not defined, there are technical overlaps in domain infrastructure and indications of possible links to the Russian Federal Security Service (FSB). [9] These ambiguities suggest an underlying structure that warrants further investigation into how collaboration within the network is organized.



Figure 3 - Evolution of the IMS Storm-1516, p. 8 of the report, Courtesy of VIGINUM

Storm-1516 strategically uses artificial intelligence, deepfakes, and forged content—standard tools in hybrid disinformation operations, but especially well-documented in this case. While the campaign initially focused on discrediting Ukraine to erode Western support, it later shifted toward direct interference in democratic elections. One example includes a fabricated audio recording falsely implicating Barack Obama in the attempted assassination of Donald Trump. In Germany, political figures such as Friedrich Merz, Robert Habeck, and Annalena Baerbock were targeted with fabricated allegations ranging from corruption to conspiracy theories involving sexual abuse and immigration.[10]



Figure 4 – Distribution Chain, p. 11 of the report, Courtesy of VIGINUM

Storm-1516’s disinformation architecture unfolds across five tightly connected phases: Preparation, Distribution, Laundering, Amplification, and Relays. [11] This structured process reveals a methodical, scalable operation designed to obscure attribution while maximizing narrative reach and political effect.


In the Preparation phase, operators create and stage false content. They register domain names, fabricate personas, open burner social media accounts, and develop visual and textual materials. These setups, such as fake whistleblower identities, lay the technical and narrative foundation for later phases.


Distribution follows via three key vectors. First, disposable social media accounts post videos or claims under the guise of spontaneous leaks. Second, paid third-party actors, including fringe influencers, distribute the narratives to broader audiences. Third, the CopyCop network, comprising over 290 fake news sites operated by John Mark Dougan, serves as a direct publishing platform for core disinformation content.


Laundering is the third stage. Content originally seeded by Storm-1516 is republished in foreign media outlets, primarily in Africa and the Middle East. These reprints, often labeled as "sponsored" or "branded content," are meant to obscure the Russian origin and present the stories as independent, locally sourced reporting.


Amplification escalates the visibility of these narratives. CopyCop sites recycle the content across multiple domains, while paid social media accounts repeat and boost messaging. Comment sections on Western media outlets—particularly tabloids and far-right platforms—are manipulated to insert links and echo narratives. Telegram channels serve as distribution hubs, frequently replicating CopyCop material. X accounts affiliated with Project Lakhta, the BRICS Journalists Association, and Russia’s Federal Security Service strategically broadcast the stories across languages and regions, reinforcing their legitimacy and volume.


In the final phase, Relays, other actors take up the narratives, amplifying their reach even further. This includes Russian disinformation networks like Portal Kombat, RRN/Doppelgänger, and Mriya. Russian embassies, state broadcasters (RT, TASS, RIA), and media linked to FSB, GRU, and SVR continue the distribution. Belarusian outlets and Western pro-Russian actors—including influencers, fringe websites, and at times even elected officials—also help circulate these narratives.

 

We’ll bypass further details and jump straight to the attribution, where a sharp chart lays out the complex web of actors driving the operation.



Figure 5 - p. 21, Courtesy of VIGINUM

Section 4 of the report focuses on the key actors behind the Storm-1516 campaign. Among them are John Mark Dougan, who runs the CopyCop network, and ideological figures such as Aleksandr Dugin, Valery Korovin, and Leonid Savin—individuals long embedded in Russian think tanks and influence networks. Particularly noteworthy is Section 4.4, which introduces Yury Khoroshenky, a figure allegedly linked to GRU Unit 29155.


According to VIGINUM, Khoroshenky was involved early on in the organization and financing of the campaign and maintained close ties to other core actors. While the report stops short of formal attribution, it emphasizes that the structure and behavior of Storm-1516 are consistent with state-directed influence operations. The mention of a potentially GRU-affiliated individual offers a crucial lead for further investigation. [12]

 

[CONCLUSION]

VIGINUM concludes that Storm-1516 meets the criteria of targeted foreign digital interference. Due to its technical sophistication, high adaptability, and strategic focus, the campaign represents a serious threat to the integrity of the digital public sphere in France and Europe. Especially during election periods and international crises, Storm-1516 has the potential to distort public discourse, undermine trust in democratic institutions, and deliberately fuel social polarization. [13]


Footnotes

(1) Agence nationale de la sécurité des systèmes d'information (ANSSI), 2025. Targeting and compromise of French entities using the APT28 intrusion set. CERTFR-2025-CTI-007. [online] Available at: https://www.cert.ssi.gouv.fr/cti/CERTFR-2025-CTI-007/ [Accessed 18 May 2025].

(2) Reuters, Irish, J., 2025. France accuses Russian intelligence of repeated cyberattacks since 2021. [online] [Accessed 18 May 2025].

(3) SGDSN, VIGINUM, 2025. Analyse du mode opératoire informationnel russe Storm-1516, pp. 29-33 [online] Available at: https://www.sgdsn.gouv.fr/files/files/Publications/20250507_TLP-CLEAR_NP_SGDSN_VIGINUM_Technical%20report_Storm-1516.pdf [Accessed 18 May 2025].

(4) Insikt Group®, 2024. Russia-Linked CopyCop Uses LLMs to Weaponize Influence Content at Scale. Recorded Future. [online] Available at: https://www.recordedfuture.com/research/russia-linked-copycop-uses-llms-to-weaponize-influence-content-at-scale [Accessed 18 May 2025].

(5) SGDSN, VIGINUM, 2025. Analyse du mode opératoire informationnel russe Storm-1516, p. 3 [online] Available at: https://www.sgdsn.gouv.fr/files/files/Publications/20250507_TLP-CLEAR_NP_SGDSN_VIGINUM_Technical%20report_Storm-1516.pdf [Accessed 18 May 2025].

(6) SGDSN, VIGINUM, 2025. Analyse du mode opératoire informationnel russe Storm-1516, p. 6 [online] Available at: https://www.sgdsn.gouv.fr/files/files/Publications/20250507_TLP-CLEAR_NP_SGDSN_VIGINUM_Technical%20report_Storm-1516.pdf [Accessed 18 May 2025].

(7) SGDSN, VIGINUM, 2025. Analyse du mode opératoire informationnel russe Storm-1516, p. 15 [online] Available at: https://www.sgdsn.gouv.fr/files/files/Publications/20250507_TLP-CLEAR_NP_SGDSN_VIGINUM_Technical%20report_Storm-1516.pdf [Accessed 18 May 2025].

(8) SGDSN, VIGINUM, 2025. Analyse du mode opératoire informationnel russe Storm-1516, p. 17 [online] Available at: https://www.sgdsn.gouv.fr/files/files/Publications/20250507_TLP-CLEAR_NP_SGDSN_VIGINUM_Technical%20report_Storm-1516.pdf [Accessed 18 May 2025].

(9) SGDSN, VIGINUM, 2025. Analyse du mode opératoire informationnel russe Storm-1516, p. 23 [online] Available at: https://www.sgdsn.gouv.fr/files/files/Publications/20250507_TLP-CLEAR_NP_SGDSN_VIGINUM_Technical%20report_Storm-1516.pdf [Accessed 18 May 2025].

(10) SGDSN, VIGINUM, 2025. Analyse du mode opératoire informationnel russe Storm-1516, p. 7 [online] Available at: https://www.sgdsn.gouv.fr/files/files/Publications/20250507_TLP-CLEAR_NP_SGDSN_VIGINUM_Technical%20report_Storm-1516.pdf [Accessed 18 May 2025].

(11) SGDSN, VIGINUM, 2025. Analyse du mode opératoire informationnel russe Storm-1516, pp. 11-20 [online] Available at: https://www.sgdsn.gouv.fr/files/files/Publications/20250507_TLP-CLEAR_NP_SGDSN_VIGINUM_Technical%20report_Storm-1516.pdf [Accessed 18 May 2025].

(12) SGDSN, VIGINUM, 2025. Analyse du mode opératoire informationnel russe Storm-1516, p. 27 [online] Available at: https://www.sgdsn.gouv.fr/files/files/Publications/20250507_TLP-CLEAR_NP_SGDSN_VIGINUM_Technical%20report_Storm-1516.pdf [Accessed 18 May 2025].

(13) SGDSN, VIGINUM, 2025. Analyse du mode opératoire informationnel russe Storm-1516, p. 28 [online] Available at: https://www.sgdsn.gouv.fr/files/files/Publications/20250507_TLP-CLEAR_NP_SGDSN_VIGINUM_Technical%20report_Storm-1516.pdf [Accessed 18 May 2025].
