Full Report
ChatGPT, Gemini, DeepSeek, and Grok are serving users propaganda from Russian-backed media when asked about the invasion of Ukraine, new research finds.
Analysis Summary
# Incident Report: LLM Dissemination of Sanctioned Russian Propaganda
## Executive Summary
Researchers discovered that major Large Language Models (LLMs), including ChatGPT, Gemini, DeepSeek, and Grok, were disseminating propaganda originating from Russian-backed and EU-sanctioned media entities when queried about the invasion of Ukraine. This exposure primarily occurred through the chatbots' integrated search functionality, which, when queries fell into "data voids", cited unverified or malign state-attributed sources instead of legitimate news. The impact is primarily reputational and informational, raising serious concerns about content moderation and compliance with regulatory sanctions.
## Incident Details
- Discovery Date: Research concluded, covering the six-month period ending September 30, 2025. Public findings were released around October 27, 2025.
- Incident Date: Ongoing issue identified during July 2025 queries, still present in October 2025.
- Affected Organization: OpenAI (ChatGPT), Google (Gemini), DeepSeek, xAI (Grok).
- Sector: Technology (Artificial Intelligence/Large Language Models) & Information Services.
- Geography: Global, with specific concern noted for the European Union user base (approx. 120.4 million average monthly active recipients for ChatGPT in the EU).
## Timeline of Events
### Initial Access
- Date/Time: Research period began *prior* to July 2025 for testing, with validation ongoing through October 2025.
- Vector: User query exploiting **Data Voids** regarding the Russia-Ukraine conflict.
- Details: Researchers submitted 300 neutral, biased, and "malicious" questions in multiple languages (English, Spanish, French, German, Italian) to test LLM source citation.
### Lateral Movement
- Not applicable. This incident does not describe a traditional cyber intrusion but rather system behavior based on model training or real-time retrieval. The propagation mechanism is the search/retrieval function linking to external, sanctioned sources.
### Data Exfiltration/Impact
- No data exfiltration occurred. The impact was the *inflow* and *amplification* of misinformation and sanctioned content to end-users globally, specifically users within the EU who rely on these models for real-time information. Approximately one-fifth of responses cited state-attributed Russian sources.
### Detection & Response
- **Detection:** Independent research conducted by the Institute for Strategic Dialogue (ISD).
- **Response actions taken:** Researchers alerted the public/media. OpenAI acknowledged the findings, stating they take steps to prevent the spread of misleading information via state-backed actors and clarified that the issue appeared related to **search results drawn from the internet** rather than issues of "model manipulation" alone. Other affected companies did not issue public comment immediately.
## Attack Methodology
An adversary did not actively "attack" the models in the traditional sense of exploiting vulnerabilities or compromising internal systems. Instead, the methodology relates to information warfare exploitation:
- **Initial Access:** Prompt engineering (user questioning) targeting specific geopolitical events (Russia-Ukraine war).
- **Persistence:** The models’ tendency to surface information prevalent in poorly moderated internet spaces (data voids).
- **Privilege Escalation:** N/A
- **Defense Evasion:** The models failed to adhere to established EU sanctions against specific media outlets.
- **Credential Access:** N/A
- **Discovery:** N/A (Research team performed the discovery through systematic querying).
- **Lateral Movement:** N/A
- **Collection:** N/A
- **Exfiltration:** N/A
- **Impact:** Dissemination of propaganda from sanctioned entities, including RT, Sputnik Globe, EADaily, and the Strategic Culture Foundation.
## Impact Assessment
- Financial: Not disclosed/Not directly applicable (No financial loss reported by the LLM providers due to this behavior).
- Data Breach: None.
- Operational: Potential operational risk for LLM providers regarding long-term content filtering and compliance with regulatory frameworks (e.g., EU Digital Services Act).
- Reputational: Significant reputational risk for OpenAI, Google, DeepSeek, and xAI due to facilitating the spread of prohibited content to millions of users.
## Indicators of Compromise
- **Network indicators:** N/A (No malicious external IPs/URLs strictly identified as causing the *generation* of propaganda, though the content cited known malign domains).
- **File indicators:** N/A
- **Behavioral indicators:** LLM response generation consistently citing sanctioned Russian state media (Sputnik Globe, RT, EADaily, Strategic Culture Foundation, R-FBI) when questioned about the Ukraine conflict.
## Response Actions
- **Containment measures:** OpenAI stated they are improving the model and platforms to address these long-standing issues. The immediate containment rests on the expectation that providers will update grounding data or moderation layers to block references to sanctioned sources.
- **Eradication steps:** Ongoing model refinement and platform updates by the respective AI companies.
- **Recovery actions:** None required for system restoration, but the recovery involves rebuilding user trust in the neutrality and compliance of the AI outputs.
## Lessons Learned
- LLMs, particularly those utilizing web browsing/search functionality, are susceptible to propagating disinformation from state-sponsored sources, especially when "data voids" lack authoritative real-time results.
- Current filtering and moderation systems are insufficient to enforce geopolitical sanctions against media sources globally across all LLM modalities (retrieval vs. pure generation).
- The distinction between "model generation" and "retrieved search results" is a critical defense line that needs clearer operational protocols, as highlighted by OpenAI’s statement.
## Recommendations
- Implement stricter, globally enforced content filtering specifically targeting sources explicitly sanctioned by major regulatory bodies (like the EU) within the LLM's real-time retrieval layer.
- Enhance prompt engineering guardrails to recognize queries with high potential for disinformation exposure regarding sensitive geopolitical topics, triggering more conservative source citation policies or human review flags.
- Develop more robust auditing mechanisms to measure the frequency and substance of state-attributed source citation in real-time search integrations.
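
One way to combine the retrieval-layer source filter and the citation audit recommended above, as an added example that is not part of the original report. The denylist entries are constructed placeholder domains under `.example`, the sample results are constructed, and all function names are hypothetical.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed placeholders; a real deployment would load the registrable
# domains of sanctioned outlets from a maintained, reviewed list.
SANCTIONED_DOMAINS = {"sanctioned-outlet.example", "state-media.example"}

# Constructed sample of search results handed to the model for grounding.
SAMPLE = [
    {"url": "https://news.example.org/ukraine-update"},
    {"url": "https://EN.Sanctioned-Outlet.example./article/1"},  # case + trailing dot
    {"url": "https://notsanctioned-outlet.example/story"},       # different domain
    {"url": "http://state-media.example:8080/feed"},             # explicit port
    {"url": "not a url"},                                        # no parseable host
]

def normalize_host(url):
    """Return the lowercase hostname without trailing dot, or None."""
    try:
        host = urlsplit(url.strip()).hostname
    except ValueError:
        return None
    return host.rstrip(".") if host else None

def matched_domain(host):
    """Return the denylist entry equal to host or a parent of it."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])  # match on label boundaries only
        if candidate in SANCTIONED_DOMAINS:
            return candidate
    return None

def filter_results(results):
    """Return (allowed results, Counter of dropped results per reason)."""
    allowed, audit = [], Counter()
    for result in results:
        host = normalize_host(result["url"])
        if host is None:
            audit["unparseable"] += 1  # fail closed: never cite an unknown source
            continue
        hit = matched_domain(host)
        if hit:
            audit[hit] += 1
        else:
            allowed.append(result)
    return allowed, audit

def blocked_share(audit, total):
    """Fraction of retrieved results that were dropped, for trend auditing."""
    return sum(audit.values()) / total if total else 0.0
```

Matching on whole DNS labels blocks subdomains of a listed outlet without also dropping unrelated domains that merely contain the same string.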