Russia’s Influence Operation

The post below is now incorporated (with updates) into this page.

According to a January 6, 2017, report published by the US Office of the Director of National Intelligence (DNI), “Moscow’s influence campaign followed a Russian messaging strategy that blends covert intelligence operations—such as cyber espionage—with overt efforts by Russian Government agencies, state-funded media, third-party intermediaries, and paid social media users or ‘trolls.’” Link (PDF) On this page, additional public information and examples are provided to support this statement.

Covert intelligence operations

The DNI report focused on cyber activity within Russia’s broader covert intelligence operations designed to influence the 2016 election. The cyber activity involved both cyber espionage (hacking) and facilitating the public disclosure of the information stolen via cyber espionage.

Cyber Espionage

Russian intelligence services conducted broad, ‘dragnet’ cyber operations that breached the systems of a variety of entities associated with the 2016 US presidential election. Victims included US primary campaigns, think tanks, consultants, foundations, law firms, and influential lobbying groups. Source

The FBI and DHS’s NCCIC joint analysis report stated the following: Link (PDF)

This activity by RIS is part of an ongoing campaign of cyber-enabled operations directed at the U.S. government and its citizens. These cyber operations have included spearphishing campaigns targeting government organizations, critical infrastructure entities, think tanks, universities, political organizations, and corporations leading to the theft of information.

The U.S. Government confirms that two different RIS actors participated in the intrusion into a U.S. political party. The first actor group… entered into the party’s systems in summer 2015, while the second… entered in spring 2016.

In summer 2015, [the first group’s] spearphishing campaign directed emails containing a malicious link to over 1,000 recipients, including multiple U.S. Government victims…In the course of that campaign, [the first group] successfully compromised a U.S. political party.

In spring 2016, [the second group] compromised the same political party…The U.S. Government assesses that information was leaked to the press and publicly disclosed.

In July 2015, hackers believed to be Russian intelligence, FSB, had gained full access to all email and chat traffic within networks of the Democratic National Committee, and maintained access until at least June 2016. Source

Around March 2016, hackers believed to be Russian military intelligence, GRU, began their cyber operations targeting the US election. This group targeted opposition files, gaining access to the computers of the entire research staff and stealing files, including the DNC’s opposition research on Trump, and voter info. Source

Russian intelligence additionally penetrated systems of multiple US state and local electoral boards. For example, in the Summer/Fall of 2016, hackers believed to be Russian military intelligence, GRU, were detected scanning voting systems for vulnerabilities and gaining access to election-related computer systems in 21 states. Source The hackers accessed systems linked to the US electoral system in at least 39 states (Source), although Obama Administration officials assumed they had probed all 50 states (Source). In Illinois, hackers gained access to the state’s voter database and tried to delete or alter voter data, and accessed software designed to be used by poll workers on election day; and in at least one state, accessed a campaign finance database. Source Voter data was found to have been manipulated by hackers in at least one county database, but these alterations were discovered and rectified at the time. Source

In one campaign revealed in a leaked, classified document from the NSA, the hackers sent spoofed emails purporting to be from Google to employees of VR Systems, a private contractor managing critical election systems. The email linked to a faux-Google website requesting Gmail login credentials. From these phishing emails, the hackers apparently obtained information on VR’s elections-related software and hardware solutions. Two months later, in October, the hackers set up an “operational” Gmail account and sent spear-phishing emails to 122 local government organizations and officials involved in the management of voter registration systems across the US. The emails included MS Word documents purporting to be documentation for VR Systems’ EViD voter database product line, but they were infected with PowerShell scripts allowing control over the user’s computer. Source

Public Disclosures of Stolen Data

Coupled with the cyber espionage to steal information, the Russian influence operation then publicly disclosed the information to influence the US election. The DNI report judged that Russian military intelligence, GRU, was responsible for the Guccifer 2.0 persona and the DCLeaks pages, and used them to publicly release data obtained through its cyber operations. Link (PDF)

In May 2015, during a Facebook “town hall” event, Facebook CEO Mark Zuckerberg was forced to respond to questions from Ukraine about Russian trolling of the site’s report button to silence the accounts of anti-Kremlin Ukrainian activists. The top 20 questions worldwide that Zuckerberg had received were about Russian trolling, and Ukrainian president Petro Poroshenko also requested Facebook’s help with the issue. Zuckerberg laughed off the complaints, downplayed any abuse of the report button, and stood by their “hate speech” policies. Source

Nevertheless, cybersecurity experts at Facebook began tracking a Russian hacking group believed to be linked to Russian military intelligence, GRU. In June 2016, based on their findings, Facebook notified the FBI that they suspected a Russian espionage operation was utilizing their social network. They reported that they had found evidence the hackers had created a series of Facebook accounts, including one called Guccifer 2.0, and a Facebook page called DCLeaks. The accounts were being used to echo propaganda about emails stolen from the DNC. Source

On June 15, 2016, the Guccifer 2.0 persona leaked documents stolen from the Democratic National Committee, including an opposition research file on Donald Trump. Source At least some of the leaked documents were altered before they were published. Source

On August 31, 2016, Guccifer 2.0 leaked further documents hacked from US House Minority Leader Nancy Pelosi’s personal computer. Source

On September 13, 2016, at a cybersecurity conference in London, UK, Guccifer 2.0 leaked a large file including additional internal documents stolen from the DNC. Source

After technical analysis, the US intelligence community (source1, source2) and a host of private intelligence firms (source1, source2, source3, source4, source5, source6 (pdf), source7) concluded that the documents leaked by Guccifer 2.0 were obtained by Russian intelligence.

At least some of the leaked documents were mischaracterized, altered, or completely fabricated before release. For example, the June 15 release of the opposition research file on Donald Trump was found to have been altered by labeling it “confidential” after it was stolen. Source

Additionally, on October 4, 2016, in a hoax, Guccifer 2.0 falsely purported to leak documents stolen from the Clinton Foundation. However, the release did not contain any Clinton Foundation documents, but rather only included documents already previously released that were stolen from the DNC; other publicly available documents; and other documents that were fabricated as propaganda (including a fake Clinton Foundation document titled, “Pay for Play,” showing false evidence of bribery). Source

Russian intelligence also used Wikileaks to release further stolen data it had acquired from the DNC and from senior Democratic officials. On June 12, 2016, Wikileaks founder Julian Assange publicly announced plans to publish stolen emails relating to Hillary Clinton. Source On July 22, 2016, WikiLeaks published a collection of leaked DNC emails in the first of a series of such leaks. Source From July–October 2016, Wikileaks continued to serially publish leaked emails from the DNC, John Podesta, and others. Source

On December 29, 2016, the FBI and DHS’s NCCIC published a joint analysis report providing technical details about the tools and infrastructure used by Russian intelligence in hacking the various US entities. Source Link (PDF) The DNI report mentioned above additionally indicated that US intelligence agencies agreed with “high confidence” that Russia was behind the cyber attacks in the US, and that Russian president Vladimir Putin directed the effort. US Intelligence said that Russia’s intentions with the email leaks were to help Trump. Link (PDF) Private companies Crowdstrike, Fidelis Cybersecurity, Mandiant, SecureWorks, and ThreatConnect agreed that Russia was behind the leak of DNC emails to Wikileaks. Sources: 1, 2, 3, 4, 5, 6.

Overt efforts

In parallel with the covert hacking campaign, Russia also undertook overt actions to interfere with the 2016 US election. According to the DNI report (Link (PDF)), these overt actions were carried out by Russian government agencies, Russian state-funded media, certain third-party intermediaries, and a host of paid social media users or ‘trolls.’

Russian government agencies

In February 2016, at a security conference in Moscow, Russian cyber official Andrey Krutskikh publicly admitted that Russia was working on information warfare against the United States, making the analogy to the Soviet Union developing their first nuclear bomb in 1949 and saying their hacking would “allow us to talk to the Americans as equals.” Source

In March 2016, the Kremlin instructed state-backed media outlets, including RT and Sputnik, to report positively about Donald Trump. Source

In May 2016, as Donald Trump was locking up the Republican presidential nomination, a U.S. intelligence intercept picked up Russians discussing ways to spread news damaging to Clinton. Source

In June 2016, the Russian Institute for Strategic Studies (RISS), a Russian government think-tank, published a strategy paper circulated among top Russian officials, recommending the Kremlin launch a propaganda campaign in support of Trump on social media (e.g., Twitter) and Russian state-backed global news outlets targeting US voters. The approach in this paper was a broadening of an effort the Putin administration had launched in March 2016, when the Kremlin instructed state-backed media outlets, including RT and Sputnik, to report positively about Trump. Source

In October 2016, RISS published a second strategy document warning that Hillary Clinton was likely to win the US general election, and therefore, Russia should end its pro-Trump propaganda. Instead, it recommended Russia intensify its messaging about voter fraud, to undermine the legitimacy of the US electoral system and to damage Clinton’s future presidency. Source

Russian state-funded media

Russian state-funded media includes domestic media, media targeted at international audiences (e.g., RT and Sputnik), and quasi-government “trolls.” According to the DNI Report Link (PDF), these state-funded media served as a platform for Kremlin messaging to audiences both inside Russia and internationally.

According to the DNI report, Russian state-funded media provided open support for Trump’s candidacy, and consistently negative coverage of Hillary Clinton. Further, it consistently attacked traditional US media for being part of a corrupt establishment and for “unfair” coverage of Trump, in part, because of his desire to work with Moscow.

For their domestic audience, Russian state-funded media openly proclaimed that, if Trump were president, Russia’s positions in Syria and Ukraine would advance. Once Trump achieved victory in the November election, they hailed Trump’s win as a vindication of Putin’s policies promoting global populist movements, as well as just another example of the collapse of Western liberalism. Similarly, Vladimir Putin’s October 2016 annual conference for Western academics promoted these same themes. Link (PDF)

The DNI Report indicated that Russian state-funded media had expressed broad, open support for Trump since at least March 2016, with increasingly positive advocacy for Trump as the US presidential campaign progressed. It’s unclear whether a survey of articles was conducted to reach these conclusions, but a brief skim of articles about Trump in Sputnik and RT over the relevant timeframe appears to support them. At times, coverage of Trump may have expressed surprise at his rhetoric or even made fun of him, but it generally appeared to attempt to cover his policies, actions, and polling without substantial criticism.

On the other hand, the DNI Report points to consistently negative coverage of Hillary Clinton by Russian state-funded media. For example, much of their coverage held a strong focus on her leaked emails, and in fact, falsely characterized the content of many of the leaks. As one example, on October 10, 2016, Sputnik, a Russian state-controlled news agency, published an article including a falsified version of a hacked email from Clinton adviser Sidney Blumenthal. The doctored email falsely showed Blumenthal was critical of Clinton’s handling of the Benghazi embassy incident. Only hours after the article appeared on Sputnik, at a campaign rally in Wilkes-Barre, PA, Donald Trump read quotes from the falsified version of the leaked email to “prove” that Clinton lied about Benghazi, resulting in chants of “lock her up.” Source1 Source2

Further coverage by Russian state-funded media consistently accused Clinton of corruption, poor physical and mental health, and ties to Islamic extremism, and claimed that Clinton’s election could lead to war between the US and Russia.

Beyond the content of their messaging, the state-funded media also conducted activity to support their aims at influencing the US election. For example, the DNI Report points to RT actively collaborating with Wikileaks and Julian Assange. While Wikileaks provided RT with exclusive access to leaks, RT provided sympathetic coverage to Assange, as well as a platform for him to denounce the US. Link (PDF)

Paid social media users or “trolls”

Russian Internet trolls primarily acted to amplify stories or scandals coming from Russian state-funded media sources, and to amplify the role of Wikileaks in the election campaign.

For example, the Internet Research Agency is the best-known group of professional Russian Internet trolls.

On September 9, 2013, independent Russian newspaper Novaya Gazeta published a story revealing that a St. Petersburg company called Internet Research Agency Ltd., founded a few months before, was specially equipped for the work of Internet trolls to push pro-Kremlin propaganda. Source (machine translation)

In May 2014, a group of hackers called “Anonymous International” leaked documents stolen from managers at the Internet Research Agency. It was revealed that the company was controlled by Concord, a Russian holding company. Concord’s founder and director general was retired Russian military colonel Mikhail Bystrov, and Concord was financed by Yevgeniy Prigozhin, Russian president Vladimir Putin’s personal chef, who also has ties to Russian intelligence. Prigozhin’s Concord holding company was also reported to be linked with the Russian Ministry of Defense. Source (machine translation)

Hacked correspondence between Concord and Internet Research Agency is said to have revealed Concord’s covert control of the company, as well as payments, made in cash, to hundreds of Internet trolls. The hacked documents additionally revealed that the Internet Research Agency was linked to a number of Russian and Ukrainian news agencies, print, and online publications. Source (machine translation); Source2

The Internet Research Agency would eventually move into English-speaking media. On September 11, 2014, the Internet Research Agency orchestrated a hoax claiming an explosion had taken place at a chemical plant in Centerville, Louisiana, resulting in a release of toxic gas. Reports were sent to local residents via text messages and spread through social media, including claims that the Islamic State (ISIS) had claimed responsibility for the attack. In fact, there was no such explosion or release of toxic gas. Source

Russia’s Internet trolls have been revealed to have utilized social networks Facebook, Twitter, and Google to spread Kremlin propaganda.

Facebook

The Internet Research Agency used false identities to create about 470 identified accounts. They used these accounts to purchase advertisements to spread divisive political propaganda in the US between 2015 and 2017, both before and after the election. Source Facebook estimated that the Russia-funded propaganda in the advertisements originating from these accounts was directly served to 29 million people, and after accounting for sharing among users, they were seen by roughly 126 million people in the US, more than half the total US voting population. Source

Twitter

The Internet Research Agency created thousands of accounts and posted hundreds of thousands of tweets just during the period from September 1, 2016 to November 15, 2016 to push propaganda and disinformation. They also purchased a significant volume of advertising on the platform. Source In addition, the Russian government-controlled news site RT spent $274,100 advertising on Twitter’s platform in 2016. Source

Google

Russian agents purchased many advertisements to spread disinformation via YouTube, Gmail, Google Search, and via Google’s DoubleClick ad network. However, the activity Google identified had not originated with the troll farm Internet Research Agency, suggesting that the Kremlin effort was even more widespread than previously believed. Source

Themes of Propaganda

As discussed further below, the Kremlin-originated propaganda pushed both far-right, pro-Trump themes and left-wing, anti-Clinton (and anti-Trump) themes, targeting the Hillary Clinton campaign from both sides.

Right-Wing Propaganda

For example, Facebook has confirmed that propaganda accounts established by the Internet Research Agency included “SecuredBorders” and “Heart of Texas,” both of which had used divisive, extremist rhetoric to organize rallies in the US as the election approached.

SecuredBorders

“SecuredBorders” was a US anti-immigrant page with 133,000 followers when Facebook shut it down. Some examples of Internet Research Agency memes posted under the guise of SecuredBorders (Source):

Link: SecuredBorders Memes

Heart of Texas

“Heart of Texas” generally promoted the Texas secession movement, but often posted extremist memes with violent rhetoric that linked refugees to crime and promoted Islamophobia. Heart of Texas had nearly a quarter of a million followers when Facebook took down the account. Source Some examples of Internet Research Agency memes posted under the Heart of Texas persona:

Link: Heart of Texas Memes

In May 2016, Heart of Texas organized a protest at the opening of a library at an Islamic Center in Houston. The rally, called “Stop Islamization of Texas,” was being staged based on false claims that the Islamic library had received public funding. Source

Link: Stop the Islamization of Texas Memes

In early November 2016, Heart of Texas created a Facebook event for a “Texit statewide rally” titled, “Get ready to secede.” With this event, the Heart of Texas group attempted to organize a series of rallies across Texas on November 5 to demand that Texas secede from the US if Hillary Clinton won the election. While few attended the rallies, those who signed a petition to express support for the movement had their information delivered to the Texas Nationalist Movement (TNM), a Texas secession organization known to have previously received funding from the Kremlin. Source1 Source2

Link: Get ready to secede Memes

Left-Wing Propaganda

Other identified Internet Research Agency activities promoted Green Party presidential candidate Jill Stein, and Clinton’s Democratic Party rival Bernie Sanders. Source Their Sanders support would continue even after he had conceded Clinton’s win in the primary and dropped out of the race. Source

Other Propaganda

Another theme of Internet Research Agency propaganda appeared to target right-wing audiences to portray groups that the right-wing audience was likely to oppose, such as Muslims and the Black Lives Matter movement, as extremist, violent, or threatening. Source One such advertisement revealed to have originated from the Kremlin featured photographs of a black woman pulling the trigger of a rifle. Congressional investigators characterized ads of this type as being designed to encourage militancy of oppressed groups, and at the same time, to stoke fears within white communities. Source

For example, “United Muslims of America” was an Internet Research Agency impostor account that impersonated an actual organization. The Facebook page ostensibly promoted Muslim causes, but in most cases, appeared to promote right-wing stereotypes of Muslims and pro-Kremlin causes. Some examples of memes posted by the Internet Research Agency under the guise of United Muslims of America: Source

Link: United Muslims of America Memes

See also: #Nov4ItBegins
