Influence Operations🇷🇺 RU

Storm-1516

Also known asCopyCopNeva FloodStorm-1516

Storm-1516 is a Russian influence and disinformation operation active since at least 2023. The content describes it as a pro-Russian malign influence network and disinformation group that has sought to discredit Ukraine, undermine European unity, sow discord in Europe, and influence democratic processes. French government service Viginum said Storm-1516 had been publicly attributed to Unit 29155 of the Russian GRU. Known aliases in the content include CopyCop and Neva Flood. The actor is described as operating a covert network of inauthentic websites, spoofed media outlets, and social media accounts, including hundreds of fake sites disguised as local news outlets, political parties, and fact-checking organizations. Reported tradecraft includes creating fictional websites for different national audiences; impersonating legitimate journalists and media brands; publishing fabricated stories on spoofed news sites; laundering narratives through purpose-built video channels and covertly managed websites; amplifying content through broader networks and sympathetic amplifiers; and using automated content replication, spoofed media infrastructure, AI-generated content, and synthetic media to scale operations. The content also links CopyCop-associated infrastructure to broader pro-Russian disinformation ecosystems and notes use of German-language fake news impersonation sites. Targets mentioned in the content include Ukraine; European countries including France, Germany, Armenia, Moldova, and Norway; North America including the United States and Canada; and parts of Africa. Specific targeting described includes efforts against Germany’s February 2025 election, interference in elections in the U.S. state of Georgia and elsewhere in the United States, campaigns targeting Armenia ahead of its parliamentary election, and narratives aimed at French and German audiences. The actor has also been tied to false narratives about Emmanuel Macron, anti-Ukraine messaging laundered into U.S. audiences, fake stories targeting Moldovan President Maia Sandu and German Chancellor Friedrich Merz, and a Norway-focused operation using a fake environmental nonprofit site. Authorities and researchers cited in the content characterize Storm-1516 as a significant foreign digital interference threat to public debate in France and across Europe. French authorities reportedly took down more than 100 websites operated by the group.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

Government & Administration

Where they target

Geographies tied to known operations.

🇦🇲 Armenia

Where they're from

Attributed origin per open-source reporting.

MITRE ATT&CK

Tradecraft

4 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

2 of 15 tactics3 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0042

Resource Development

2 techniques

T1584

Compromise Infrastructure

T1585×3

Establish Accounts

TA0007

Discovery

1 technique

T1654

Log Enumeration

IOCS

Observables

1 indicator attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

1 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app

eurasianetNews

Jun 5, 2026

Armenian election campaign features rampant Russian disinformation | Eurasianet

A Russian malign influence network conducting information operations and disinformation campaigns targeting Armenia, with content aimed at undermining European unity and building support for Russia’s war in Ukraine.

cbcNews

May 6, 2026

Russia and U.S. amplifying Alberta separatist narratives to stoke division, distrust: report | CBC News

Russian covert influence network linked to fake websites and social media accounts used to target audiences in multiple countries; in this content it targeted Canada and Alberta separatism narratives to sow division and distrust.

occrpNews

Mar 11, 2026

Spies, Lies, and Video Clicks: The Warped World of Pro-Russian Disinformation in Europe | OCCRP

Russian disinformation operation conducting foreign digital interference and spreading pro-Russian propaganda narratives in Europe, including narratives targeting France, Ukraine, and Western leaders who support Ukraine.

risky biz rssNews

Mar 2, 2026

LLMs can deanonymize internet users based on their comments

Russian-aligned disinformation / influence operations shifting focus toward European allies (notably France and Germany) amid changes in US support to Ukraine.

+18 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping4

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables1

Domains, IPs, and hashes tied to this actor, refreshed continuously.