Full Report
Our bulletin covering coordinated influence operation campaigns terminated on our platforms in Q2 2025.
Analysis Summary
This summary covers the coordinated influence operations identified and terminated by the Threat Analysis Group (TAG) during Q2 2025, as detailed in the bulletin. Because the bulletin describes multiple distinct operations linked to various nation-states rather than a single enduring threat actor with unique TTPs, the findings are presented collectively and organized by attributed nation-state.
# Threat Actor: Nation-State Coordinated Influence Operations (Q2 2025)
## Attribution & Identity
This summary aggregates findings regarding multiple entities engaged in Coordinated Inauthentic Behavior (CIB) during Q2 2025, attributed primarily to: **Russia (RF)**, **China (PRC)**, **Iran**, **Turkey**, **Azerbaijan**, **Romania**, and **Ghana**. These entities operate via coordinated influence campaigns rather than being identified as a single persistent threat actor group.
**Known Aliases and Associated Groups:**
* **Russia:** Some campaigns were linked to a **Russian consulting firm** and **Russian state-sponsored entities**.
* **Ghana:** One campaign was linked to a **digital marketing firm**.
## Activity Summary
The operations detailed were primarily influence campaigns aimed at shaping political narratives across various platforms, including YouTube and Google News surfaces.
**Key Campaigns (Q2 2025):**
* **Russia:** Multiple distinct operations were terminated throughout April and June, consistently supporting Russian state interests, criticizing Ukraine, Poland, and the West, and often involving high volumes of terminated channels.
* **PRC:** Ongoing CIB network terminated for uploading content about China and US foreign affairs in both Chinese and English.
* **Turkey:** A campaign supportive of the Turkish Victory Party was terminated in April.
* **Iran:** Campaigns supportive of the Iranian government and Palestine, while also criticizing Israel and the West.
* **Azerbaijan:** Campaigns supportive of Azerbaijan and critical of Armenia and domestic critics.
* **Romania:** A campaign supportive of a specific Romanian political party.
* **Ghana:** A campaign focused on influencing the Ghanaian presidential election.
## Tactics, Techniques & Procedures
The primary observable tactic across almost all terminated operations was **Coordinated Inauthentic Behavior (CIB)** involving mass account coordination across Google platforms.
- **Content Amplification:** Using large networks of YouTube channels, Blogger blogs, and Ads/AdSense accounts to distribute specific narratives.
- **Narrative Shaping:** Content was specifically designed to be supportive of the attributed nation or party, or critical of geopolitical rivals (e.g., Russia critical of Ukraine/West; Iran critical of Israel/US).
- **MITRE ATT&CK IDs:** Not provided in the source text.
## Targeting
The targeting was primarily focused on shaping information environments rather than direct cyber espionage or destructive attacks.
- **Sectors:** Political discourse, foreign policy perception, and domestic electoral processes.
- **Geography/Language Focus:** Campaigns were multilingual, targeting audiences based on language:
  - **Russian-linked:** Russian, Ukrainian, English, Polish, Farsi, Bahasa Indonesian, Spanish.
  - **PRC-linked:** Chinese, English.
  - **Turkey-linked:** Turkish.
  - **Iran-linked:** Arabic.
  - **Azerbaijan-linked:** Azerbaijani.
  - **Romania-linked:** Romanian.
  - **Ghana-linked:** English.
- **Victims:** The primary "victims" appear to be the opposing political entities or governments being criticized (e.g., Ukraine, Armenia, the West, critics of the Azerbaijani government). No specific corporate victims of destructive malware were mentioned.
## Tools & Infrastructure
The infrastructure primarily related to content distribution on Google properties.
- **Malware Families Used:** Not specified (the operations appear focused on influence/CIB, not traditional malware).
- **Infrastructure (C2, domains, IPs):**
  - **YouTube Channels:** Thousands of channels were terminated across all operations.
  - **Domains:** Domains were blocked from Google News/Discover visibility. (Specific domains were not listed or defanged.)
  - **Accounts:** Ads accounts and AdSense accounts were terminated where relevant.
## Implications
The Q2 2025 data highlights the continued high-volume use of influence operations by nation-states and associated entities (consulting firms, political parties) to manipulate international discourse across digital platforms. The scope remains broad, covering geopolitical conflicts (Russia/Ukraine), internal political events (Ghana elections, Romanian local politics), and long-standing rivalries (Iran/Israel, Azerbaijan/Armenia). **Russia** and the **PRC** demonstrated the largest recorded volumes of terminated assets.
## Mitigations
- **Platform Monitoring:** Continuous monitoring and termination of large, coordinated networks across social media and news aggregation platforms.
- **Supply Chain Risk:** Awareness that influence operations are being outsourced to **consulting firms** (Russia) and **digital marketing firms** (Ghana).
- **Geopolitical Awareness Filter:** Organizations should heighten awareness of information sources that originate from state-backed or politically aligned media, especially those tied to the actors identified in this bulletin.
- **Defense Against Information Warfare:** Implementing technical and procedural hardening against information integrity risks, particularly those targeting public perception of political events.