THREAT REPORT: Pro-Kremlin Disinformation Ecosystem “Pravda” Targets Worldwide Audiences Including Canada

TLP:CLEAR

Source: CyberAlberta Investigation

Overview

Since November 2024, a pro-Kremlin disinformation ecosystem known as Pravda, and Portal Kombat, has resumed targeting specific national audiences, including Canada. While Alberta has not been a direct target, pro-Kremlin narratives have surfaced in both English and French-language Pravda sites, leveraging political and economic issues that are relevant to Alberta as part of operations targeting the Canadian national audience. Members are encouraged to consistently monitor sources covering the threat of disinformation to maintain awareness and share knowledge within communities.


The Pravda Disinformation Ecosystem

The Pravda disinformation ecosystem is a pro-Kremlin propaganda network consisting of many sites that impersonate legitimate news outlets and target specific regional audiences. These sites are designed to circumvent sanctions on Russian state media, laundering and amplifying pro-Kremlin narratives that focus on degrading support for Ukraine, and intentionally undermine the quality of shared information spaces, primarily amongst Ukrainian and Western audiences.

First reported in February 2024 by the French disinformation watchdog VIGINUM, the first iteration of the Pravda network consisted of at least 193 websites. In an effort to impersonate legitimate news sites and make their outlets appear localized, the operators behind Pravda used country-coded domain names like pravda-fr[.]com or pravda-de[.]com, a tactic that is still in use in Pravda's latest iteration. 

Pravda's impersonating news sites do not host any original content, but instead are provided content by an automated aggregator to flood audiences with reposted pro-Kremlin narratives and conspiracy theories. There are three categories of "source" from which the aggregation process derives its content from:

  1. Russian state media such as TASS or Lenta.
  2. Pro-Kremlin and/or conspiracy theorist social media accounts (mainly Telegram)
  3. Official sites or accounts of local institutions such as the Russian Embassy in Canada.

 

Mainpage of Pravda

Figure 1 - Screenshot of the main page of a Pravda site now targeting Canadian audiences since November 2024.

 

Many of the sources used by Pravda to fuel their operation also leverage legitimate local sources (as shown below in Figure 2), twisting their content to support pro-Kremlin narratives. Furthermore, as reported by VIGINUM, the operators behind Pravda have used search engine optimization (SEO) techniques, such as SEO Poisoning, in an effort to increase viewership.

 

Example of Russian Disinformation

Figure 2 - Post from the Canadian Pravda site leveraging a Globe and Mail article that has been distorted by the "Source" the Russian state news agency Lenta.

 

The Globe and Mail article that is being cited does not focus on the topic suggested in the headline. But as shown in the image above (Figure 2), Lenta deliberately misrepresents the article to focus on the part that supports the Kremlin’s strategic aims. This distorted version of events is then hosted on the Canada specific Pravda site, to amplify the narrative.

These tactics and techniques result in a high-volume stream of automated disinformation that threatens to degrade the overall quality of our information environment and attempts to corrupt the public with curated views that support the Kremlin's strategic goals. As noted by DFRLab, while the webpages in this network all share the name Pravda (Russian for "the truth"), they are not connected to the historic Russian newspaper of the same name.


Latest Iteration of Pravda

Since early November 2024, the operators behind the Pravda disinformation ecosystem began laundering pro-Kremlin narratives through a newly created collection of subdomains. Their latest infrastructure consisted of a mixture of national and national leader themed subdomains (under the one domain of news-pravda[.]com), e.g., canada.news-pravda[.]com and trump.news-pravda[.]com, to target specific audiences based on nationalities of interest, including Canada.


Infrastructure Used to Host Webpages

1. Internet Hosting

The top domain of news-pravda[.]com is highly likely provided by the autonomous system "Domain names registrar REG.RU LLC" (AS49352), a Russian-based domain name registrar. However, the operators behind Pravda are leveraging the legitimate Cloudflare reverse proxy service to hide the true IPs of the origin servers used in this operation. When performing searches, the latest Pravda sites appear to be hosted on two Cloudflare IPs, presumably to provide redundancy if one should fail.

 

Flow diagram of system

Figure 3 - Flow diagram providing an overview of the latest Pravda operation.

2. HTML elements

The websites that form the Pravda network all use near-identical HTML elements, making detection of new domains relatively easy. Using the hash of some of the elements in URLScan’s ‘Search’ function led to the discovery of the Pravda site targeting Canada, as well as other recent sites previously reported by DFRLab.


Pravda Targeting Canada

As demonstrated by the Canadian-themed subdomain, Canada was among the countries whose audiences were targeted by this latest iteration of Pravda. As previously reported by VIGINUM, earlier versions of the Pravda ecosystem had often targeted audiences based on language. While it's possible that Canadian related topics would have been leveraged on the now inactive English and French speaking Pravda sites (pravda-en[.]com and pravda-fr[.]com), the Canada specific site canada.news-pravda[.]com marks the first time that Canadian audiences have been directly targeted by this disinformation network.

While the Canadian audience is now being specifically targeted, the content on the Canada specific Pravda site largely follows the same patterns as its counterparts. Like others, the Canada specific Pravda site is frequently used to shape foreign perceptions of Russia’s invasion of Ukraine. An example of this is provided in Figure 4 below, showing a post that initially covers the possibility of Canada sending military aid to Ukraine, but later shifts to reframing the war in a manner favorable to the Kremlin.

 

Example Text

Figure 4 - Text from a post shared on the Canada specific Pravda site, quoting Russian state media reframing the war in Ukraine to falsely make the West appear to be the aggressors, and the Kremlin justified in it's invasion of Ukraine.

 

Despite the timing, it's unlikely that the Canada specific Pravda site was established to specifically target the upcoming federal election (currently scheduled to be held no later than October 25th, 2025). However, considering Pravda's modus operandi is primarily to launder pro-Kremlin narratives and evade sanctions on Russian state media, elections are considered a residual target. The role of impersonating news sites within the context of election interference, and much more, will be covered in an upcoming CyberAlberta strategic report on election interference.

 

Example text

Figure 5 - Another example of the type of posts that are shared on the Canada specific Pravda site, attempting to fuel political division. The source in this case was a pro-Kremlin Telegram account, being passed of as a credible news source.


Risk to Alberta

As with all other threats currently monitored by CyberAlberta, the targeting of Canadians by Pravda is also considered through an Albertan perspective. Amidst the torrent of content posted to the Canada specific Pravda site, there were only two posts that had references to Alberta, and only one that was of interest. This post's "source" was a conspiracy theory account centered on Canadian issues, which posts content to a Telegram account, as well as videos on YouTube, and more.

Alberta has also been implicated in Pravda sites targeting French-speaking audiences. In one post observed on francais.pravda-news[.]com, issues regarding Alberta’s energy sector were leveraged in a post that targeted the federal government. In this instance, the "source" was a French language disinformation site that pushes pro-Kremlin narratives and conspiracy theories.

These observations demonstrate how Alberta is currently a secondary, and relatively minor, victim of broader efforts targeting national audiences, whereby disinformation networks occasionally leverage issues that are important to Albertans. This also further demonstrates how Pravda uses local sources wherever possible to increase engagement with their audiences, providing amplification of Canadian-based disinformation.


Impact and Outlook

Using The Information Laundromat to analyze the spread of a sample of content from the Canada specific Pravda site, we assess the spread of its content to be low. However, due to the overwhelming volume of content published across Pravda’s network and the limitations in tracking its full dissemination, this assessment is made with low confidence.

Web traffic analysis of the top-level domain, news-pravda[.]com, using the digital intelligence platform Similarweb, revealed that between November 2024 and January 2025, the site received over 1.5 million visitors. The highest traffic originated from France, the United States, and Germany. Data on the Canada specific Pravda site was unavailable for similar analysis.

The extent of damage from Pravda to Canada’s shared information space and public discourse remains unknown. However, these platforms must not be allowed to thrive, given their potential to degrade information integrity and spread disinformation to unsuspecting audiences. Left unchecked, they risk influencing individuals who may inadvertently adopt pro-Kremlin narratives, amplify them on their own platforms, or become entangled in conspiracy theories that distort perceptions, deepen societal divides, and contribute to isolation.

To help raise awareness of this threat and uphold media literacy, continue to monitor CyberAlberta's reports and other intelligence sources for updates on the threat of disinformation, which is almost certain to continue.


Indicators of Compromise

 
IP Addresses
104.21.62[.]172Cloudflare Reverse Proxy IPs, not recommended to be blocked due to shared hosting.
172.67.137[.]144
Domain Names
albania.news-pravda[.]com
bosnia-herzegovina.news-pravda[.]com
bulgaria.news-pravda[.]com
burkina-faso.news-pravda[.]com
canada.news-pravda[.]com
chad.news-pravda[.]com
croatia.news-pravda[.]com
cyprus.news-pravda[.]com
czechia.news-pravda[.]com
denmark.news-pravda[.]com
deutsch.news-pravda[.]com
dutch.news-pravda[.]com
egypt.news-pravda[.]com
en-ro.news-pravda[.]com
estonia.news-pravda[.]com
finland.news-pravda[.]com
francais.news-pravda[.]com
ge.news-pravda[.]com
germany.news-pravda[.]com
greece.news-pravda[.]com
hungary.news-pravda[.]com
ireland.news-pravda[.]com
italy.news-pravda[.]com
japan.news-pravda[.]com
korea.news-pravda[.]com
latvia.news-pravda[.]com
lithuania.news-pravda[.]com
macron.news-pravda[.]com
mali.news-pravda[.]com
moldova.news-pravda[.]com
news-pravda[.]com
niger.news-pravda[.]com
north-macedonia.news-pravda[.]com
norway.news-pravda[.]com
ossetia-news[.]com
poland.news-pravda[.]com
portuguese.news-pravda[.]com
rca.news-pravda[.]com
romania.news-pravda[.]com
scholz.news-pravda[.]com
serbia.news-pravda[.]com
slovakia.news-pravda[.]com
slovenia.news-pravda[.]com
spanish.news-pravda[.]com
sweden.news-pravda[.]com
taiwan.news-pravda[.]com
trump.news-pravda[.]com

Further Reading: