Russia’s Influence Campaign

According to a January 6, 2017, report published by the US Office of the Director of National Intelligence (DNI), “Moscow’s influence campaign followed a Russian messaging strategy that blends covert intelligence operations—such as cyber espionage—with overt efforts by Russian Government agencies, state-funded media, third-party intermediaries, and paid social media users or ‘trolls.’” On this page, additional public information and examples are provided to support this statement.

Covert Intelligence Operations

The DNI report focused on cyber activity within Russia’s broader covert intelligence operations designed to influence the 2016 election. The cyber activity involved both cyber espionage (hacking) and facilitating the public disclosure of the information stolen via cyber espionage.

Cyber Espionage

Russian intelligence services conducted broad, ‘dragnet’ cyber operations that breached the systems of a variety of entities associated with the 2016 US presidential election. Victims included US primary campaigns, think tanks, consultants, foundations, law firms, and influential lobbying groups. Source

In late 2016 the FBI and DHS together published a joint analysis report providing technical details about the tools and infrastructure used by Russian intelligence services (RIS) in hacking the various US entities. Source Link (PDF) This report stated the following:

This activity by RIS is part of an ongoing campaign of cyber-enabled operations directed at the U.S. government and its citizens. These cyber operations have included spearphishing campaigns targeting government organizations, critical infrastructure entities, think tanks, universities, political organizations, and corporations leading to the theft of information.

The U.S. Government confirms that two different RIS actors participated in the intrusion into a U.S. political party. The first actor group… entered into the party’s systems in summer 2015, while the second… entered in spring 2016.

In summer 2015, [the first group’s] spearphishing campaign directed emails containing a malicious link to over 1,000 recipients, including multiple U.S. Government victims…In the course of that campaign, [the first group] successfully compromised a U.S. political party.

In spring 2016, [the second group] compromised the same political party…The U.S. Government assesses that information was leaked to the press and publicly disclosed.

Additional analysis by private entities revealed that the two groups described in the joint analysis report were likely to be Russian intelligence agencies FSB (Federal Security Service, the “first actor group”) and GRU (military intelligence, the “second actor group”). The two groups did not appear to be working directly with one another. Source

By July 2015, the FSB had gained full access to all email and chat traffic within networks of the Democratic National Committee, and maintained access until at least June 2016. Around March 2016, the GRU began their cyber operations targeting the US election. This group targeted opposition files, gaining access to the computers of the entire research staff and stealing files, including voter information and the DNC’s opposition research on Donald Trump. Source

Russian intelligence additionally penetrated systems of multiple US state and local electoral boards. For example, in the summer and fall of 2016, hackers believed to be Russian military intelligence, GRU, were detected scanning voting systems for vulnerabilities and gaining access to election-related computer systems in 21 states. Source The hackers accessed systems linked to the US electoral system in at least 39 states (Source), although Obama Administration officials assumed they had probed all 50 states (Source). In Illinois, hackers gained access to the state’s voter database, tried to delete or alter voter data, and accessed software designed to be used by poll workers on election day; in at least one state, they accessed a campaign finance database. Source Voter data was found to have been manipulated by hackers in at least one county database, but these alterations were discovered and rectified at the time. Source

In one campaign revealed in a leaked, classified document from the NSA, the hackers sent spoofed emails purporting to be from Google to employees of VR Systems, a private contractor managing critical election systems. The email linked to a faux-Google website requesting Gmail login credentials. From these phishing emails, the hackers apparently obtained information on VR’s elections-related software and hardware solutions. Two months later, in October, the hackers set up an “operational” Gmail account and sent spear-phishing emails to 122 local government organizations and officials involved in the management of voter registration systems across the US. The emails included MS Word documents purporting to be documentation for VR Systems’ EViD voter database product line, but they were infected with PowerShell scripts allowing control over the user’s computer. Source

On January 9, 2017, a darknet blog maintained by a Ukrainian hacker going by the name “Profexer” went offline. It was eventually revealed that he had turned himself in to Ukrainian police, and became a witness for the FBI. Profexer had written a program used as a tool in the Russian hacking campaign in the US, including the penetration of the DNC. Source

After Russian national Peter Yuryevich Levashov, aka Petr/Pyotr Levashov, was arrested in Barcelona at the request of the US, a US federal grand jury indicted him on April 21, 2017, for multiple offenses relating to his alleged operation of the Kelihos botnet (wiki). Kelihos was a global network of tens of thousands of infected computers, which Levashov allegedly used to harvest login credentials, distribute bulk spam emails, and install ransomware and other malicious software. Source Russian state media RT reported that Levashov’s wife said that he had been suspected of being connected to the hacking attacks relating to the 2016 US elections. Source

As of September 22, 2017, both the US and Russia were working to have Levashov extradited from Spain to their own countries. Source

Levashov has said that he worked for Putin’s United Russia party for a decade, collecting information for them about opposition parties. Source

Public Disclosures of Stolen Data

Coupled with the cyber espionage to steal information, the Russian influence operation then publicly disclosed the information to influence the US election. The DNI report judged that Russian military intelligence, GRU, was responsible for the Guccifer 2.0 persona and the DCLeaks pages, and used them to publicly release data obtained through its cyber operations. Link (PDF)

In May 2015, during a Facebook “town hall” event, Facebook CEO Mark Zuckerberg was forced to respond to questions from Ukraine about Russian trolling of the site’s report button to silence the accounts of anti-Kremlin Ukrainian activists. The top 20 questions worldwide that Zuckerberg had received were about Russian trolling, and Ukrainian president Petro Poroshenko also requested Facebook’s help with the issue. Zuckerberg laughed off the complaints, downplayed any abuse of the report button, and stood by their “hate speech” policies. Source

Nevertheless, cybersecurity experts at Facebook began tracking a Russian hacking group believed to be linked to Russian military intelligence, GRU. In June 2016, based on their findings, Facebook notified the FBI that they suspected a Russian espionage operation was utilizing their social network. They reported that they had found evidence the hackers had created a series of Facebook accounts, including one called Guccifer 2.0, and a Facebook page called DCLeaks. The accounts were being used to echo propaganda about emails stolen from the DNC. Source

On June 15, 2016, the Guccifer 2.0 persona leaked documents stolen from the Democratic National Committee, including an opposition research file on Donald Trump. Source At least some of the leaked documents were altered before they were published. Source

On August 31, 2016, Guccifer 2.0 leaked further documents hacked from US House Minority Leader Nancy Pelosi’s personal computer. Source

On September 13, 2016, at a cybersecurity conference in London, UK, Guccifer 2.0 leaked a large file including additional internal documents stolen from the DNC. Source

After technical analysis, the US intelligence community (source1, source2) and a host of private intelligence firms (source1, source2, source3, source4, source5, source6 (pdf), source7) concluded that the documents leaked by Guccifer 2.0 were obtained by Russian intelligence.

At least some of the leaked documents were mischaracterized, altered, or completely fabricated before release. For example, the June 15 release of the opposition research file on Donald Trump was found to have been altered by labeling it “confidential” after it was stolen. Source

Additionally, on October 4, 2016, in a hoax, Guccifer 2.0 falsely purported to leak documents stolen from the Clinton Foundation. However, the release did not contain any Clinton Foundation documents, but rather only included documents already previously released that were stolen from the DNC; other publicly available documents; and other documents that were fabricated as propaganda (including a fake Clinton Foundation document titled, “Pay for Play,” showing false evidence of bribery). Source

Russian intelligence also used Wikileaks to release further stolen data it had acquired from the DNC and from senior Democratic officials. On June 12, 2016, Wikileaks founder Julian Assange publicly announced plans to publish stolen emails relating to Hillary Clinton. Source On July 22, 2016, Wikileaks published a collection of leaked DNC emails in the first of a series of such leaks. Source From July to October 2016, Wikileaks continued to serially publish leaked emails from the DNC, John Podesta, and others. Source

Attribution of Covert Actions to Russia

The DNI report mentioned above additionally indicated that US intelligence agencies agreed with “high confidence” that Russia was behind the cyber attacks in the US, and that Russian president Vladimir Putin directed the effort. US Intelligence said that Russia’s intentions with the email leaks were to help Trump. Link (PDF) Private companies Crowdstrike, Fidelis Cybersecurity, Mandiant, SecureWorks, and ThreatConnect agreed that Russia was behind the leak of DNC emails to Wikileaks. Sources: 1, 2, 3, 4, 5, 6.

Overt Efforts

In parallel with the covert hacking campaign, Russia also undertook overt actions to interfere with the 2016 US election. According to the DNI report (Link (PDF)), these overt actions were carried out by Russian government agencies, Russian state-funded media, certain third-party intermediaries, a host of paid social media users or ‘trolls,’ and so-called ‘bots.’ Examples of each are provided below, followed by a discussion of their use in the spread of disinformation, or “fake news.”

Russian Government Agencies

In February 2016, at a security conference in Moscow, Russian cyber official Andrey Krutskikh publicly admitted that Russia was working on information warfare against the United States, making the analogy to the Soviet Union developing their first nuclear bomb in 1949 and saying their hacking would “allow us to talk to the Americans as equals.” Source

In March 2016, the Kremlin instructed state-backed media outlets, including RT and Sputnik, to report positively about Donald Trump. Source

In May 2016, as Donald Trump was locking up the Republican presidential nomination, a U.S. intelligence intercept picked up Russians discussing ways to spread news damaging to Clinton. Source

In June 2016, the Russian Institute for Strategic Studies (RISS), a Russian government think-tank, published a strategy paper circulated among top Russian officials, recommending the Kremlin launch a propaganda campaign in support of Trump on social media (e.g., Twitter) and Russian state-backed global news outlets targeting US voters. The approach in this paper was a broadening of an effort the Putin administration had launched in March 2016, when the Kremlin instructed state-backed media outlets, including RT and Sputnik, to report positively about Trump. Source

In October 2016, RISS published a second strategy document warning that Hillary Clinton was likely to win the US general election, and therefore, Russia should end its pro-Trump propaganda. Instead, it recommended Russia intensify its messaging about voter fraud, to undermine the legitimacy of the US electoral system and to damage Clinton’s future presidency. Source

Russian State-Funded Media

Russian state-funded media includes domestic media, media targeted at international audiences (e.g., RT and Sputnik), and quasi-government “trolls.” According to the DNI Report Link (PDF), these state-funded media served as a platform for Kremlin messaging to audiences both inside Russia and internationally.

According to the DNI report, Russian state-funded media provided open support for Trump’s candidacy, and consistently negative coverage of Hillary Clinton. Further, they consistently attacked traditional US media for being part of a corrupt establishment and for “unfair” coverage of Trump, in part, because of his desire to work with Moscow.

For their domestic audience, Russian state-funded media openly proclaimed that, if Trump were president, Russia’s positions in Syria and Ukraine would advance. Once Trump achieved victory in the November election, they hailed Trump’s win as a vindication of Putin’s policies promoting global populist movements, as well as just another example of the collapse of Western liberalism. Similarly, Vladimir Putin’s October 2016 annual conference for Western academics promoted these same themes. Link (PDF)

The DNI Report indicated that Russian state-funded media had expressed broad, open support for Trump since at least March 2016, with increasingly positive advocacy for Trump as the US presidential campaign progressed. It’s unclear whether a survey of articles was conducted to reach these conclusions, but a brief skim of articles about Trump in Sputnik and RT over the relevant timeframe appears to support them. At times, coverage of Trump may have expressed surprise at his rhetoric or even made fun of him, but it generally appeared to attempt to cover his policies, actions, and polling without substantial criticism.

On the other hand, the DNI Report points to consistently negative coverage of Hillary Clinton by Russian state-funded media. For example, much of their coverage held a strong focus on her leaked emails. Former US ambassador to Russia, Michael McFaul, expressed surprise about the level of overt support that RT and Sputnik expressed for Trump’s candidacy, even using the #CrookedHillary hashtag promoted by Trump. Source

In their focus on Clinton’s emails, these state-funded media often falsely characterized the content of many of the leaks. In one example, on October 10, 2016, Sputnik, a Russian state-controlled news agency, published an article including a falsified version of a hacked email from Clinton adviser Sidney Blumenthal. The doctored email falsely showed Blumenthal was critical of Clinton’s handling of the Benghazi embassy incident. Only hours after the article appeared on Sputnik, at a campaign rally in Wilkes-Barre, PA, Donald Trump read quotes from the falsified version of the leaked email to “prove” that Clinton lied about Benghazi, resulting in chants of “lock her up.” Source1 Source2

Further coverage by Russian state-funded media consistently accused Clinton of corruption, poor physical and mental health, and ties to Islamic extremism, and claimed that Clinton’s election could lead to war between the US and Russia.

Beyond the content of their messaging, the state-funded media also conducted activity to support their aims at influencing the US election. For example, the DNI Report points to RT actively collaborating with Wikileaks and Julian Assange. While Wikileaks provided RT with exclusive access to leaks, RT provided sympathetic coverage to Assange, as well as a platform for him to denounce the US.

Third Party Intermediaries

Other entities not directly affiliated with the Russian state still took its direction and assistance to participate in the Russian influence campaign. While some such third-party intermediaries were knowingly helping the Russian influence campaign, others did so unknowingly, believing the disinformation. Those parties were often referred to as “useful idiots.” Source

For example, outside of Russia, many far-right news agencies and websites trafficking in conspiracy theories actively promoted Kremlin messaging during the campaign. Example Within the Trump campaign, Donald Trump (source1 source2 source3), Eric Trump (source), Michael Flynn (source1 source2), his son Michael Flynn Jr. (source), Kellyanne Conway (source), and then-campaign manager Corey Lewandowski (source) were documented sharing Kremlin disinformation and conspiracy theories over their own Twitter accounts.

A group called PropOrNot established an online resource calling out specific websites, blogs, and news agencies for being a source of, or a repeater of, Russian propaganda. Link

Further, as mentioned above, Wikileaks collaborated with Russian state-funded media to improve their messaging. For example, the DNI Report points to RT actively collaborating with Wikileaks and Julian Assange. While Wikileaks provided RT with exclusive access to leaks, RT provided sympathetic coverage to Assange, as well as a platform for him to denounce the US.

During Wikileaks founder Julian Assange’s private communications with Donald Trump Jr., Assange asked Trump Jr. to provide Wikileaks with Trump’s tax returns, to help Wikileaks appear more impartial and to combat what Assange felt was the public perception of Wikileaks as a “‘pro-Trump’ ‘pro-Russia’ source.” Source

Paid Social Media Users, Trolls, and Bots

Social media users paid by the Russian state to promote the Kremlin agenda, often called trolls, primarily acted to amplify stories or scandals coming from Russian state-funded media sources, and to amplify the role of Wikileaks in the election campaign. These trolls have been revealed to have used Facebook, Twitter, and Google to spread Kremlin propaganda, although this activity is also known to be commonplace throughout the Internet wherever public discussions and comments can be found, such as below news articles, on aggregators, and on image boards such as 4chan.

This link provides further detail about trolls, focusing on confirmed Russian state activity.

In addition to trolls, large numbers of so-called “bots,” or artificial intelligence programs that used fake social media accounts to gather, spread, and target pro-Trump stories at US voters, overwhelmed the Internet. Source1, Source2. Many of these bots were distributed to unknowing users’ computers via malicious software, or “malware.” This malware would install programs onto an unwitting party’s computer, allowing the computer to be commanded and controlled by the botnet’s operator. Russian national Peter Levashov, the creator of one of the most famous botnets, Kelihos, is under investigation for his part in Russian hacking efforts in relation to the 2016 US election. Source

Disinformation and ‘Fake News’

Throughout the US presidential campaign, and especially as the election approached, fraudulent stories pushing deliberate misinformation, particularly about Hillary Clinton and her presidential campaign, proliferated. These stories pushed claims that Clinton was hiding fatal health problems, that she had ordered multiple executions, that she participated in an underground satanic ring of pedophiles operating out of a Washington DC pizza restaurant, and many others. A criminal indictment of Clinton always seemed to be just around the corner. According to an analysis published by the University of Oxford, in the days before the election in the swing state of Michigan, fully half of all news stories shared on Twitter constituted such ‘fake news.’ Source

While some of these stories originated from Russian state-funded media such as RT, Sputnik, or paid trolls (source), others were created from other sources, many that appeared to be independent of the Russian government. Many individuals even began to generate and/or repeat pro-Trump and anti-Clinton fake news stories from home on their own websites, reaping profits via advertising as trolls and bots heavily promoted their stories, gaining them high traffic. Source

The European Union’s East StratCom Task Force established The Disinformation Review, an online resource providing examples of such “dezinformatsiya” with news and analysis. Link Another group, called PropOrNot, established an online resource providing information on identifying and distinguishing such propaganda used by Russian influence operations targeting US audiences, and even calling out specific websites, blogs, and news agencies for being a source of, or a repeater of, Russian propaganda. Link

Steele Dossier

Russia is conducting broad offensive cyber operations. Russia has had little success on primary targets, but has invested massive effort in secondary targets with greater success, including western private banks and the governments of some smaller states allied with the west, including Latvia.

Hundreds of agents, either consciously cooperating or unwittingly having their IT systems compromised, were part of the program. Many were given money or contractual favors in return; the Central Bank of Russia knowingly covered up those agents’ money laundering operations through the Russian financial system.

From March to September 2016, a company named XBT/Webzilla and its affiliates used botnets and porn traffic to transmit viruses, plant bugs, steal data, and conduct “altering operations” against US Democratic Party leadership. Aleksei Gubarov [sic] and Seva Kapsugovich, another hacking expert recruited under duress by the FSB, were heavily involved.

October 2016: The Kremlin had injected a stream of further hacked Clinton material into compliant western media outlets like Wikileaks. However, the Russians’ best material was already out there, and there were no real game-changers to come.

Sergei Ivanov indicated in confidence to a close colleague that Russian responsibility for the DNC hack and leaks to Wikileaks remained technically deniable, so Russia would not leak further material. Instead, they would spread rumors and disinformation about the content of what had already been leaked, and would make up new content.

Ivanov said Russia’s target audience for this disinformation would be American educated youth, believing they could be persuaded to support Donald Trump as a protest against the Washington establishment.

Russia’s goals included asking sympathetic US actors how Moscow could help them; gathering intelligence; and creating and disseminating compromising information (kompromat). Sympathetic actors they targeted included Lyndon LaRouche, Green Party presidential candidate Jill Stein, Trump foreign policy adviser Carter Page, and former DIA director Michael Flynn.

Comments/Corroboration of Steele Dossier

Regarding the allegation that “Russia would not leak further material. Instead, they would spread rumors and disinformation about the content of what had already been leaked, and would make up new content.”: Circumstantially Confirmed.

Note that the Steele memo at P.15 was dated in mid-August. The Guccifer 2.0 hoax of October 4 strongly supports this allegation. Also, the September 13 dump of everything else they had from the DNC didn’t cause substantial press because there wasn’t anything good left.

Also, the October 10, 2016, Sputnik article with the fake Clinton email shows not only that Russia was pushing false propaganda, but also that the Trump campaign was at the very least monitoring Russian sources for intelligence, or possibly was working with those Russian sources to generate and disseminate false propaganda.