WASHINGTON — The effort by a Russian internet deception factory to manipulate American public opinion during the 2016 election was better planned and executed — and also more lucrative — than previously understood, according to a new analysis of nearly 10 million tweets by a leading cybersecurity firm.

The operation by the St. Petersburg-based Internet Research Agency amounted to "a vast, coordinated campaign that was incredibly successful at pushing out and amplifying its messages," according to Symantec, which conducted an in-depth analysts of nearly 4,000 Twitter accounts involved in what U.S. intelligence agencies assess was a Russian-government–sponsored propaganda operation designed in part to help Donald Trump get elected president.

Some of the accounts were set up months in advance. And some of the trolls used their fake accounts to make money on the side, the researchers found.

"While this propaganda campaign has often been referred to as the work of trolls, the release of the dataset makes it obvious that it was far more than that," Symantec researcher Gillian Cleary wrote in a blog post, calling it "a vast disinformation network."

"The sheer scale and impact of this propaganda campaign is obviously of deep concern to voters in all countries, who may fear a repeat of what happened in the lead-up to the U.S. presidential election in 2016."

The IRA's disinformation campaign was described in the final report by special counsel Robert Mueller, and in his indictment of multiple Russian nationals. U.S intelligence agencies assessed that the social media manipulation was part of a Russian intelligence operation designed to undermine American democracy by exacerbating divisions, hurt Democrat Hillary Clinton and help Trump. Experts say the U.S. government and American social media companies have yet to develop a strategy to prevent such manipulation from happening again. Just last week, a different cybersecurity firm exposed an Iranian effort to manipulate U.S. social media with fake accounts.

The IRA's basic strategy, Symantec found, was to use a small core of Twitter accounts to push out new content. And they harnessed a wider pool of automated accounts to amplify those messages.

The operation was carefully planned, with accounts often registered months before they were used — well in advance of the 2016 U.S. presidential election, Symantec found. The average time between account creation and first tweet was 177 days.

A building that houses the Internet Research Agency, also known as the "troll factory," in St. Petersburg, Russia in 2018. Dmitri Lovetsky / AP file

The core group of main accounts consisted mainly of "fake news" sources masquerading as regional news outlets or political organizations. Most of them had at least 10,000 followers but followed substantially fewer accounts. They were mainly used to publish new tweets.

They posed as local news outlets, such as "New Orleans Online," "El Paso Top News," and "San Jose Daily." The majority of these accounts were created between May and August of 2014, but lay dormant until January 2015, when most of them started tweeting. This suggests a significant element of advance planning, Symantec said.

A much larger pool of auxiliary accounts was used to amplify messages pushed out by the main accounts, many impersonating individuals.

Auxiliary accounts had less than 10,000 followers, but often followed more accounts than that. Their main purpose was to retweet messages from other accounts, although they were also used to publish original tweets, researchers found.

Symantec identified 123 main accounts and 3,713 auxiliary accounts within the dataset provided by Twitter.

The propaganda was "evenly split" in its efforts to aim at the extremes of both sides of the liberal/conservative political divide, the researchers found.

Among the majority of accounts that were automated, many would frequently show signs of human intervention, such as posting original content or slightly changing the wording of reposted content, presumably in an attempt to make them appear more authentic and reduce the risk of their deletion by Twitter, researchers found.

Some of the fake news accounts were set up to monitor the activity of certain blogs and push new posts to Twitter.

As NBC News has previously reported, a number of prominent Americans retweeted some of the fake Russian troll accounts, including President Donald Trump, The Washington Post, singer Nicki Minaj, comedian Sarah Silverman and Jack Dorsey, the head of Twitter.

Some of the accounts were using a technique that pushed an ad to whoever clicked on the link, generating money for the account.

A handful of of the IRA's Twitter accounts managed to be extraordinarily influential, the researchers found.

The most retweeted account within the dataset was @TEN_GOP, created in November 2015, which masqueraded as a group of Republicans in Tennessee. It appears to have been operated by a person, not a computer.

A man holds a smart phone with the icons for the social networking apps Facebook, Instagram and Twitter seen on the screen. Kirill Kudryavtsev / AFP - Getty Images file

In less than two years TEN_GOP gained 150,000 followers. Its 10,794 tweets garnered more than 6 million retweets, only a small fraction of which came from other Russian troll accounts.

TEN_GOP's tweets mixed pro-Russia messages with right-wing political memes, racism and conspiracy theories.

"It was a highly professional campaign," Symantec said. "Aside from the sheer volume of tweets generated over a period of years, its orchestrators developed a streamlined operation that automated the publication of new content and leveraged a network of auxiliary accounts to amplify its impact."

Editor's note: The Symantec report initially said that one of the Russian troll accounts could have been paid up to $1 million through the use of link shorteners, a technique that pushes ads to those who click on tweets. Craig Silverman, Buzzfeed's media editor and an expert in social media advertising, said in a tweet that the $1 million number was inflated, and that Symantec had used an incorrect formula to calculate it. In response, Symantec removed the $1 million figure "while we investigate some additional data," a spokeswoman told NBC News. "This does not change any of the other findings in our research." NBC News has removed references to $1 million from the story above.