Nigerian social media accounts targeted in influence campaign centered on Ukraine invasion

Olalekan Owonikoko’s Twitter account was used to post support for the Russian attack on Ukraine on February 27 — just days after the invasion:

“NATO destroyed Afghanistan, Iraq, Syria, Yugoslavia and Libya. All the oppressed countries should stand with Russia. It's not a war against the Ukrainian people but against NATO’s evil. Putin has a right to guard its borders (love emoji)”



Owonikoko, a Nigerian web designer and development artist, appears to have been one of many bystanders in the Global South caught in the online battle to control how people perceive Russia’s invasion of Ukraine. In response to these content moderation challenges, social media companies have ramped up bot and misinformation monitoring, and the global media is investigating the scope of the problem.

Owonikoko also began his own personal investigation after a friend alerted him to the fraudulent tweet.

“I checked my account and saw tweets and yet, my password, email, phone number was intact. I had to change them immediately,” said Owonikoko, while speaking to The Record. 

“I’m still not sure if it was from Buffer, or where it came from. I do know that I have my account linked to Buffer,” Owonikoko explained, referring to a social media management tool used to plan, post and monitor content on social media accounts.

In February, Buffer accounts were accessed by threat actors to “spread support for Russia’s invasion of Ukraine,” as confirmed in an official statement from Buffer on February 26. According to Buffer, 1,552 accounts were accessed, out of which 618 accounts were used to post 766 unauthorized messages across Twitter (505), Facebook (233), and LinkedIn (28).

This attack is part of a wave of digital supply chain attacks that threatens the larger ecosystem by targeting less secured services and platforms. 

The Twitter account of TechCabal, a leading tech publication in Africa whose account was connected to Buffer, was also used to post a tweet similar to that of Owonikoko. Both accounts had two-factor authentication activated on their Twitter accounts but likely not on their Buffer accounts, which were then used to access their social media accounts.

“Our records don’t show any (of the compromised Buffer) accounts with two-factor authentication enabled at the moment the incident happened, however we did see accounts enable two-factor authentication immediately after noticing the unauthorized posts,” a spokesperson for Buffer told The Record. 

“After that investigation, we can safely say that our systems weren't compromised, this was a result of a credential stuffing attack,” they said. In a credential stuffing attack, threat actors try to log into a targeted website with lots of ID and password credentials over a short period of time.

According to Buffer, the incident is likely due to reused passwords.

Content similar to what was posted on Owonikoko’s account is scattered across Twitter. The social media company said it is monitoring for such activity.

“We continue to proactively assess for inauthentic behavior and other violations of our rules. Since the war in Ukraine began, we have removed more than 75,000 accounts for violations of our platform manipulation and spam policy,” a spokesperson told The Record. 

It’s unclear exactly how or by whom Owonikoko’s account was compromised, but the content posted and strategy appear to follow Russia’s playbook. 

“We know what Russian disinformation campaigns have looked like in Africa in the past, so even if we can’t say these are Russian actors pushing these narratives at the moment, we can say it fits this established pattern of what inauthentic coordinated campaigns have done in the past — and Russia has a big incentive right now to be doing something similar,” Mark Duerksen, a research associate at the Africa Center for Strategic Studies, told The Record.

There have also been apparent attempts to leverage the concerns about the ongoing conflict to target users with phishing attempts. 

On March 3, Ope Adetayo, a Nigerian journalist who has covered issues involving Ukraine, received an email that appeared to warn him of a login attempt related to his Twitter account. The message said it came from Moscova, Russia.

But Adetayo said the message felt off — and it came from a “” email address, indicating it was an attempt to “phish” or to trick him into sharing his login credential with an attacker. 

Even though he thought it might be official at first, he also suspected it could be unsafe. 

“I didn’t click on that link (in the mail), because who knows who designed the mail?” Adetayo told The Record. 

When he went to re-check the message a few weeks later, Gmail had marked it as potentially dangerous.

“Similar messages were used to steal people’s personal information,” Gmail warned.

The apparent phishing attempt against Ope Adetayo. (Via Ope Adetayo)

Twitter says it is working to fight media manipulation campaigns on its platform. 

“We’re actively monitoring vulnerable high-profile accounts, including journalists, activists, government officials, and agencies to mitigate any attempts at a targeted takeover or manipulation. Protecting people on Twitter, particularly during high-risk periods, is important to us,” said the spokesperson for Twitter.

But even as social media companies have moved to crack down on misinformation and media manipulation during the Russian invasion, Adetayo and Owonikoko’s experiences show how the online fallout of the conflict is disrupting communications in other parts of the world. 

“It’s really been destabilizing the information ecosystem in those places, leaving people confused as to which narratives are true, which is part of the strategy of misinformation campaigns — to sow distrust,” Duerksen said. 

Since the recent invasion of Ukraine on February 24, the Russian government’s propaganda machine has been working in overdrive to influence the media narratives about the war domestically and abroad — including efforts targeting people in Africa and Latin America. 

Russia has a considerable presence and influence in African countries, creating strong incentives for it to control narratives about the invasion in these places — especially now.

“Russia is at the moment internationally isolated because of the invasion of Ukraine, so Putin really needs African support, he needs engagement — backing at the UN, he needs African resources, he needs African gold as it (Russia) runs out of money,” said Duerksen.

It also has a history of covert online influence campaigns in the region. In 2019, a report by Stanford researchers exposed a network of coordinated campaigns by Russia to influence narratives and favor their interests in Libya, Sudan, Central African Republic, Madagascar, Mozambique, and The Democratic Republic of Congo. 

Russia’s disinformation related to Ukraine in recent months has also targeted Spanish speakers across Latin America already inclined to distrust the U.S. due to the country’s long history of military intervention in the region, according to a report by the Associated Press.

Since the invasion began, Russia’s media manipulation efforts have included the extensive use of bot networks, account hacking, dubious fact-checking, the stifling of independent media, increased use of TikTok to spread disinformation, and the use of local influencers to spread misinformation — all seemingly geared to share a false narrative about the invasion.


Olatunji Olaigbe is a freelance journalist based in Nigeria. His work has been published by VICE, Al-Jazeera, and The Record. His reporting often examines the underlying factors of societal issues and he was a winner of the International Organisation for Migration’s 2021 West and Central Africa Migration Journalism Awards.