- New analysis: Google’s Threat Intelligence Group (GTIG) documents a coordinated, Russia‑aligned disinformation drive that began within hours of the Sept. 9–10, 2025 drone incursions into Polish airspace. Google Cloud
- Tactics observed: A network of look‑alike “news” portals and inauthentic personas pushed intersecting narratives to shift blame to Ukraine, attack Poland’s government, and erode trust in NATO. Google Cloud
- Incident backdrop: Poland reported ~19 incursions; NATO aircraft intercepted and shot down drones over Polish territory—the first such action of this war—prompting Article 4 consultations and the launch of NATO’s Operation Eastern Sentry. Reuters
- Named networks: GTIG highlights activity from Portal Kombat/“Pravda network,” Doppelgänger, and the long‑running NDP (Niezależny Dziennik Polityczny) influence operation that uses fake identities. Google Cloud
- Polish authorities’ warning: Warsaw’s advisory council flagged immediate post‑incident narratives denying Russian responsibility, blaming Ukraine, and belittling NATO—explicitly labeling them part of Russia’s hybrid warfare. Gov.pl
The incident—and the information battle that followed
On the night of Sept. 9–10, 2025, Poland said 19 objects entered its airspace amid a major Russian strike on Ukraine. Polish and allied aircraft responded; drones over Polish territory were shot down, and debris was later recovered across several regions. Poland invoked NATO Article 4, framing the episode as a serious security breach requiring allied consultations. Reuters
NATO’s Mark Rutte condemned the drone incursions as “reckless and unacceptable” and, two days later, the alliance launched Operation Eastern Sentry, a new multi‑domain mission to harden the eastern flank. Reuters
While militaries gathered facts, an online operation was already in motion. Within hours, Russian‑aligned information operators began seeding competing claims: that the drones were Ukrainian; that the incident was a false flag; that Poland had overreacted; and that NATO was weak or divided. The Washington Post
What Google’s Threat Intelligence Group (GTIG) found
In a report published Oct. 21, 2025, GTIG says multiple pro‑Russia information‑operations (IO) actors mobilized rapidly to weaponize the drone story. According to GTIG, the push served four intersecting objectives: deny Russian culpability, blame NATO/the West, undermine confidence in the Polish government, and erode support for Ukraine. GTIG stresses the observations derive from tracking IO beyond Google surfaces. Google Cloud
GTIG’s examples detail how familiar Kremlin‑aligned brands repurposed existing infrastructure to respond to a breaking crisis—highlighting the speed and flexibility of the ecosystem that emerged after Russia’s 2022 full‑scale invasion. Google Cloud
Expert view: “Physical attacks and disinformation work in tandem to erode society’s faith in institutions,” said John Hultquist, chief analyst at Google Threat Intelligence Group. bankinfosecurity.com
The networks: Portal Kombat/“Pravda,” Doppelgänger, and NDP
Portal Kombat (“Pravda network”)
French gov’t threat lab VIGINUM previously mapped the Portal Kombat network—an array of hundreds of coordinated “portal” sites pushing pro‑Kremlin narratives in multiple languages. GTIG’s case study shows the same network quickly published pieces questioning whether the drones could have reached Poland, insinuating a Western pretext to escalate, and labeling Polish media footage fake. sgdsn.gouv.fr
Doppelgänger
The Doppelgänger operation clones media and builds custom inauthentic “brands” to deliver local‑language propaganda. In this incident, GTIG observed Polish‑ and German‑language items claiming Poles reject their government’s Ukraine policy and that European reactions were “hyperinflated” to push war with Russia—classic blame‑shifting and division tactics. Independent research and official probes across Europe have linked Doppelgänger to Russian actors since 2022. Google Cloud
Niezależny Dziennik Polityczny (NDP)
GTIG describes NDP as a long‑standing pro‑Russia campaign vehicle that has historically used suspected inauthentic personas across blogs and social platforms. Around the incursion, NDP channels pushed claims of “war hysteria”, framed NATO activity as destabilizing, and suggested Poland was pre‑warned and overreacting—all designed to sow doubt in institutions. Earlier investigations tied NDP to fabricated personas amplifying anti‑NATO themes in Poland. Google Cloud
Context check: A PISM bulletin days after the incident documented similar narratives but initially assessed that some previously used portal infrastructures were not yet activated in the first phase—illustrating how assessments can differ by timeframe and visibility. pism.pl
Poland and NATO: the response
Poland’s Foreign Minister’s Advisory Council warned the morning after the incursion that Russia and Belarus were pushing contradictory stories: denying responsibility, shifting blame to Ukraine, and questioning evidence—explicitly calling this hybrid warfare aimed at undermining the EU and NATO. Gov.pl
By Sept. 12, NATO rolled out Eastern Sentry—with additional fighters, sensors and counter‑drone capabilities from multiple allies—stressing the alliance will “defend every inch” of its skies. Reuters
Prime Minister Donald Tusk called the incursion “the closest we have been to open conflict since World War Two,” while NATO’s Rutte labeled the violation “absolutely reckless.” Reuters
Why these narratives? The strategic aims
The EU’s FIMI (Foreign Information Manipulation & Interference) framework notes Russia’s ecosystem blends overt (state channels) and covert (proxy portals, fake brands, inauthentic personas) vectors to erode trust, inflate uncertainty, and fracture allied cohesion. The Sept. 9–10 episode fits that pattern: blame Ukraine, belittle Polish defenses, ridicule NATO, and question reality until the public conversation splinters. EEAS
“They know they will never convert Polish society to support Russia… but they know they can divide it,” said Michał Fedorowicz of Warsaw‑based Res Futura, after his team logged a surge of drone‑related posts blaming Ukraine within hours of the incursion. The Washington Post
How the campaign worked in practice
- Affiliated portals: “Portal Kombat/Pravda” sites mass‑publish short articles tailored by country—then cross‑seed them into local social channels. sgdsn.gouv.fr
- Fake identities & custom brands: Doppelgänger maintains look‑alike outlets and bespoke “media” with fabricated bylines and impersonated designs to launder narratives into mainstream conversations. EU DisinfoLab
- Legacy vectors: NDP’s use of suspected inauthentic personas (e.g., fictitious “journalists”) to plant op‑eds and social posts gives cloak‑and‑dagger legitimacy to anti‑NATO frames. Google Cloud
- Amplification loops: Hashtags such as #tonienaszawojna (“not our war”) spike engagement, allowing false or misleading content to mix with factual updates and capture trending slots. pism.pl
What experts are saying (short quotes)
- John Hultquist (Google GTIG): “Physical attacks and disinformation work in tandem to erode society’s faith in institutions.” bankinfosecurity.com
- PISM analysts: The disinformation surge is “part of a broader hybrid operation against NATO and the EU.” pism.pl
- Mark Rutte (NATO): The incursion was “absolutely reckless.” Reuters
- Nerijus Maliukevicius (Vilnius University): Russia seeks to “test the temperature”—probing defenses while modeling public reactions. The Washington Post
- Julia Smirnova (CeMAS): It’s a “systematic effort to constantly create this flood of false stories.” Sky News
Related IO ecosystems: what we already know
- Portal Kombat/Pravda: Mapped by France’s VIGINUM as a coordinated pro‑Russia portal network spanning ~200+ domains, later tracked by DFRLab as it expanded globally. sgdsn.gouv.fr
- Doppelgänger: Documented by EU DisinfoLab, CORRECTIV and others for cloned media, fake quotes, and bot amplification across Europe and the U.S. EU DisinfoLab
- Ghostwriter antecedents: Google previously tied inauthentic personas to Belarus‑linked operations targeting NATO narratives—an early template for the persona‑driven content visible in Poland today. Google Cloud
Why it matters
Poland is a logistics hub for aid to Ukraine and a frontline NATO state. Undermining Warsaw’s credibility and NATO cohesion is a strategic objective—especially when physical provocations (drones) can be synchronized with digital manipulation to muddy facts in real time. The Eastern Sentry mission underscores NATO’s view that air incursions and disinformation must be countered together. Reuters
How to spot and resist these tactics (public guidance)
- Check the outlet: Is a “local” portal part of a known Pravda/Portal Kombat cluster or a Doppelgänger clone? Be wary of sites with identical layouts across countries or recently registered domains. (See EU FIMI guidance.) EEAS
- Scrutinize personas: Recycled author photos, no offline footprint, or sudden “experts” with extreme claims are red flags—classic IO markers noted in GTIG’s findings. Google Cloud
- Beware narrative scaffolding: Blame‑shifting (“it was Ukraine”), ridiculing defenses, and casting NATO as divided are recurring patterns catalogued by Polish authorities and EU monitors. Gov.pl
- Use fact‑checking resources and official channels during fast‑moving crises; the EU’s FIMI framework and DISARM‑based toolkits offer practical checks for diplomats and citizens alike. community-democracies.org
What’s next to watch
- Further GTIG/TAG enforcement on YouTube/News surfaces against coordinated IO networks tied to Russia. blog.google
- NATO’s Eastern Sentry deployments and whether broader counter‑drone and counter‑FIMI measures are institutionalized along the eastern flank. AP News
- Elections in the region: DFRLab and allied researchers have flagged continued targeting of Polish voters via Doppelgänger assets and affiliated personas. DFRLab
Sources & further reporting
- Google Threat Intelligence Group report: Pro‑Russia Information Operations Leverage Russian Drone Incursions into Polish Airspace (Oct. 21, 2025). Google Cloud
- Reuters / AP / Washington Post reporting on the incursions and NATO response; NATO announcements of Operation Eastern Sentry. The Washington Post
- Polish MFA Advisory Council warning on coordinated narratives post‑incident. Gov.pl
- VIGINUM (France) on Portal Kombat/Pravda; EU DisinfoLab/CORRECTIV on Doppelgänger. sgdsn.gouv.fr
- PISM Bulletin on Russia’s hybrid operation against Poland (Sept. 19, 2025). pism.pl
- EU EEAS (FIMI threat report) on the architecture of foreign interference. EEAS
