Messing with the Enemy


by Clint Watts


  While individual campaigns like Operation Infektion achieved immeasurable results and a mix of intended and unintended consequences, the Soviet Union’s active measures never materialized as a sufficient asymmetric counter for U.S. might and NATO’s growth. Soviet propaganda outlets took many years or even decades to grow their audiences. Distributing messages and dollars to propel a Communist media insurgency in America required repetitive synchronization and significant resources in both manpower and production. Moreover, influencing populations in Western areas required layers of agents undertaking physical actions at the behest of the Kremlin. Exposure of Soviet operatives conducting active measures in the United States persistently jeopardized Kremlin foreign policy. Finally, American nationalism during the Cold War sustained a population averse to anything Soviet, resistant to Communist messaging and deeply suspicious of foreign influence. Stand-alone initiatives like Operation Infektion achieved remarkable tactical success, but strategically, active measures required too much time and money. They also required less resistance to cement themselves among targeted Western populations and to generate grassroots support. Active measures could and would work; the timing just wasn’t right—until the advent of the internet.

  * * *

  Almost a year before Russia invaded Crimea in 2014, the chief of the general staff of the Russian Federation, General Valery Gerasimov, authored an article laying out his vision of future warfare based on his interpretation of recent Arab Spring protests across North Africa and the Middle East. Gerasimov noted:

  The very rules of war have changed. The role of non-military means of achieving political and strategic goals has grown, and, in many cases, they have exceeded the power of force of weapons in their effectiveness. . . . In North Africa, we witnessed the use of technologies for influencing state structures and the population with the help of information networks. It is necessary to perfect activities in the information space.4

  Gerasimov asserted that Russia would be moving away from traditional ideas of conventional war, where battlefields defined the beginnings and ends of conflicts. Instead warfare would be conducted perpetually, on many fronts, with military action, particularly that of special operations forces, blended with political, economic, and, most important, information campaigns.

  Only a few months after Gerasimov hinted at his military’s future intentions, RIA Novosti News Agency disclosed the Russian Defense Ministry’s formation of a separate branch of military forces aimed at combating cyber threats. The department evaluated candidates it wanted to work with, and Putin specifically noted that “so-called ‘information attacks’ are already being applied to solve problems of a military and political nature.”5 Active measures, something old, would be new again, this time using the advantages of the internet, cyberspace, and social media to accomplish what they could never do during the analog era of information warfare: dismantle democracies worldwide.

  And we were watching—the “Jewish Asshole” Weisburd, the “Loud Shaytan” Berger, and I, “Big Watty Kafir.” Similar to how Soviet intelligence had exploited race issues during the Cold War to divide American audiences, Russian influence efforts showcased violence and chaos all across the United States in the summer of 2015 as protests against police brutality broke out. Black Lives Matter demonstrations would be promoted and simultaneously scorned by the troll army, increasing distrust among the populace, law enforcement, and the government. Allegations of government misconduct might be seeded to agitate antigovernment groups. Government standoffs at the Bundy ranch, in Oregon, Jade Helm 15, and abortion protests all were showcased to fuel contempt among competing American factions. Traditional lines of active measures attack were all there on social media: political, social, financial, and calamitous. We considered writing up our analysis of the active measures renaissance, but we kept arriving at the same question: Why? In the fall of 2015, we didn’t think Americans would understand Russia’s active measures. Even if they did understand what was happening, I didn’t think they would care.

  The same could be said for the U.S. government. In the early summer of 2014, I provided a snapshot of the Russian social media campaign with regard to Syria as I closed a briefing on the Islamic State’s rise.

  “Have you all seen what the Russians are doing on social media?” I inquired.

  The analysts were curious, but they were focused on counterterrorism and ISIS’s aggressive rise. Throughout the next year, I discussed Russian cyber influence whenever I had the chance during counterterrorism panels or government sessions, but the Islamic State’s wave of violence suffocated any other impending threat. During a domestic extremism conference, another panelist studying antigovernment militias and white supremacists noted that she’d seen Russian influence pick up significantly in their online forums. At another security conference, a Russia national security expert remarked about how they were personally targeted by cyber attacks. And then there were rumors circling of hacks, big ones, many of them hitting American targets.

  Russia’s dedicated hacking campaign in the fall of 2015 proved to be like no other in history. Unlike the hacking tirades of criminals, Russia didn’t pursue indiscriminate breaches for financial gain. It sought information from a select group—politicians, government officials, journalists, media personalities, and foreign policy experts—numbering in the thousands, according to government and media estimates.

  Cyberattacks from Russia weren’t new. The Kremlin had perpetrated cyberattacks as part of its military campaigns prior to invading Georgia in 2008, when it defaced and disabled Georgian government websites as part of a psychological warfare campaign. In 2014, a pro-Russian group called CyberBerkut surfaced alongside Kremlin hackers and penetrated Ukraine’s Central Election Commission, altering the nationwide presidential vote in favor of Russia’s preferred candidate, Dmytro Yarosh. Luckily, the Ukrainian government caught the manipulation before the results were aired. Despite this setback, the pace of Russian cyberattacks only quickened. Throughout 2015 and 2016, Ukrainian businesses and government agencies suffered endless cyber assaults. The most ominous Russian attack, known as BlackEnergy, struck the power grids of the Ivano-Frankivsk region of Ukraine, disabling electricity during one of the country’s coldest periods, December 2015. These attacks, though, sought to damage infrastructure and undermine Eastern European countries through humiliation and confusion. The Russia-connected breaches surfacing in America, though, sought something different.

  Putin’s widespread hacks on America pursued privileged information about his country’s Western adversaries. The stolen information the Russians wanted wasn’t intellectual property, trade secrets, military plans, or bank account numbers, but rather compromising data on people, digital kompromat for discrediting reputations, sowing conspiracies, seeding false narratives, and ending careers. Hackers were gathering fuel for an active measures campaign like no other, an all-out operation to win the U.S. election.

  Starting in the late summer of 2015 and extending through the fall, Russia undertook the largest, most sophisticated, most targeted hacking campaign in world history, breaking into the email accounts of thousands of American citizens and institutions. Analysts posit that the cyber offensive was perpetrated by two of Russia’s intelligence agencies: the Main Intelligence Directorate, known by the acronym GRU, and the Federal Security Service, known by the acronym FSB, predominantly an internal intelligence arm but particularly sophisticated in cyber operations.

  In cybersecurity speak, the GRU and the FSB operated as Advanced Persistent Threats (APTs), a reference to their dedicated targeting and wide array of cyber-hacking techniques. APTs, unlike common cybercriminals or hacker collectives, have sufficient resourcing to stay on their targets until they penetrate the systems they desire to access. APTs use a range of techniques, from the simple to the complex, employing all forms of social engineering and specifically tailored malware known as “zero days.”

  The Russian APTs were known in the cybersecurity world as APT28 (code name: Fancy Bear) and APT29 (Cozy Bear). Cozy and Fancy Bear represented competing Russian hacker groups seeking access and compromising information from democratically elected officials adversarial to Russia, media personalities (particularly reporters who interfaced with anonymous sources), military leaders, and academic researchers and policy think tanks studying Russia. In sum, anyone and everyone opposing Russia was targeted, in hopes that their private communications, if revealed, would undermine the credibility of a Russian adversary and/or sow divisions and mistrust between the targeted individual and those they maligned in private.

  Common lore might suggest that Russia’s hackers operate a complex system of hacking techniques and malicious code designed specifically to infiltrate American systems. But that’s not really the case. Russia’s hackers often use the most basic of techniques, relying on the underlying principles of social engineering to dupe unwitting computer users into coughing up log-in credentials to their email accounts, social media handles, and websites.

  “Spearphishing” remains the most useful and most common mechanism for gaining access to users’ accounts. Every internet user has encountered spam tempting them to click on a link for an amazing deal at a favorite store or claim a prize they’ve won. But Russian spearphishing focused more squarely on injecting fear of a breach to actually achieve a breach. Many of Russia’s targets received what appeared to be legitimate warnings to reset their email passwords. These spearphishing emails trick unsuspecting users into clicking on a link that redirects them to what’s known as a “watering hole” website—a site that appears to be a well-known legitimate portal but is actually a fake page requesting a username and password. Common watering hole attacks mirror the home log-in pages of banks, email providers, social media platforms, and student portals. The user unwittingly enters his or her username and password on the watering hole, and instantly hackers gain the target’s log-in criteria. Hackers then use that username and password to access the true email of the target and download their private communications.
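  The mechanism the paragraph above describes, a “reset your password” lure whose link lands on a look-alike log-in page, is exactly the pattern a mail gateway can screen for before a user ever sees the button. The following is an added example, not text or code from the book or its author: a small Python check that reads an account-security email and flags the three tells of the scheme, a sender domain that is not the brand’s own, a link whose registered domain is not the brand’s (no matter how many brand-like labels are stacked in front of it), and anchor text that displays one site while the href goes to another. The brand allowlist, the two sample emails and every domain in them are constructed for the example; the hostnames are placeholders, not real infrastructure.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist for this example: registered domains that legitimately
# send account-security mail for each brand. A real gateway maintains its own.
LEGIT_DOMAINS = {
    "google": {"google.com", "googlemail.com"},
    "microsoft": {"microsoft.com", "live.com", "outlook.com"},
}


class _LinkParser(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a hostname. Adequate for .com-style TLDs; a production
    filter would consult the Public Suffix List to handle suffixes like co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(text):
    """Hostname if the anchor text is itself a URL or bare domain, else None."""
    if not re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", text, re.I):
        return None
    return urlparse(text if "://" in text else "http://" + text).hostname


def analyze_reset_email(raw):
    """Return findings explaining why an account-security mail looks like a
    credential-harvesting lure; an empty list means nothing was flagged."""
    msg = message_from_string(raw)
    header_text = (msg.get("From", "") + " " + msg.get("Subject", "")).lower()
    brand = next((b for b in LEGIT_DOMAINS if b in header_text), None)
    if brand is None:
        return []  # not impersonating a brand in the allowlist; out of scope
    allowed = LEGIT_DOMAINS[brand]
    findings = []

    # 1. The sender address should belong to the brand the mail claims to be.
    sender_addr = parseaddr(msg.get("From", ""))[1]
    sender_dom = registered_domain(sender_addr.split("@")[-1])
    if sender_dom not in allowed:
        findings.append(f"sender domain {sender_dom} is not a {brand} domain")

    parser = _LinkParser()
    parser.feed(msg.get_payload())
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        # 2. Punycode or non-ASCII hostnames are a classic look-alike trick.
        if "xn--" in href_host or not href_host.isascii():
            findings.append(f"internationalised hostname in link: {href_host}")
        # 3. The reset link must land on the brand's own registered domain,
        #    whatever brand-like labels are prepended to the real one.
        if registered_domain(href_host) not in allowed:
            findings.append(f"link host {href_host} is outside {brand} domains")
        # 4. Anchor text that shows one site while the href goes to another.
        shown = host_of(text)
        if shown and registered_domain(shown) != registered_domain(href_host):
            findings.append(f"link text shows {shown} but points to {href_host}")
    return findings


# Constructed sample: the lure pattern from the text, with placeholder domains.
PHISHING_SAMPLE = """From: "Google Accounts" <no-reply@accounts-google.example.net>
Subject: Someone has your password
Content-Type: text/html; charset=utf-8

<html><body><p>Someone just used your password to try to sign in.</p>
<p><a href="http://accounts.google.com.example-reset.net/ServiceLogin">https://accounts.google.com/ServiceLogin</a></p>
</body></html>
"""

# Constructed sample of a notice whose links stay on the brand's own domain.
LEGITIMATE_SAMPLE = """From: "Google" <no-reply@accounts.google.com>
Subject: Security alert
Content-Type: text/html; charset=utf-8

<html><body><p><a href="https://myaccount.google.com/security">Review activity</a></p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGITIMATE_SAMPLE)):
        print(name, analyze_reset_email(sample))
```

Run as a script, the constructed lure produces three findings (foreign sender domain, foreign link domain, and display text that disagrees with the href) and the legitimate notice produces none. The registered-domain comparison is the important design choice: an attacker controls every label to the left of the domain they actually registered, so matching on a prefix such as `accounts.google.com` would pass the very link the text warns about.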

  The Kremlin election hacking wave began in the fall of 2015. We all remember the most critical and ultimately damaging hack—when the Democratic National Committee was breached. In September 2015, a D.C.-based FBI agent notified the DNC’s tech support contractor Yared Tamene via voicemail regarding a potential intrusion at the DNC. But Tamene didn’t react to the notifications of Special Agent Adrian Hawkins, who in recent years had been tracking a Russian cyber-espionage group called “the Dukes.” Both Fancy Bear and Cozy Bear breached the DNC in separate attacks, roaming the party’s computers for seven months, stealing emails, communications, and records—a treasure trove of information ripe for kompromat. Separately, hackers penetrated the Democratic Congressional Campaign Committee sometime around March or April 2016. Hackers also hit the Republican National Committee (RNC), but the GOP got lucky, compared with its political rivals. That intrusion was smaller and struck an old RNC server no longer in use, rendering virtually no compromising materials. Some sources suggested that the old server had previously been used by Senators Lindsey Graham and John McCain—two well-known adversaries of Russia.6

  By the start of 2016, Russia had gone from spearphishing of political parties to “whalephishing” of key political operatives and government officials. Whereas spearphishing targets swaths of accounts, seeking many entry points and access to unknown data, whalephishing targets prominent individuals inside organizations or governments whose private communications likely provide a wealth of insight and troves of secrets to propel conspiracies. John Podesta, campaign manager to Hillary Clinton, proved to be the biggest whale hacked in 2016.

  Podesta received an email that appeared to be from Google, alerting him of an improper attempt to log in to his Gmail account. The message, designed by social engineers to inject fear of compromise into the target’s mind, redirected the user to change his password by clicking a button in the email. Charles Delavan, a Clinton campaign aide notified about the warning and tasked with checking the message’s legitimacy, claims he made a typo in his response.

  “This is a legitimate email,” Delavan messaged to one of Mr. Podesta’s aides. Later Delavan would say he’d meant to type “illegitimate” and that his typo implied the opposite of what he intended.7 The link in the whalephishing email was clicked, and very soon about sixty thousand emails had been taken from Podesta.8 Retired flag officers in the military, both current and former, encountered the same scheme. Former secretary of state and chairman of the Joint Chiefs of Staff Colin Powell lost control of his account, as did a former commander of NATO, General Philip Breedlove. Washington, D.C.’s academic think tanks that had programs focusing on Russia, if they didn’t detect it on their own, received warnings from the government or from cybersecurity companies like CrowdStrike.9 Post-election reports revealed that Russia had issued expertly crafted Twitter messages to more than ten thousand U.S. Department of Defense users. The malware enabled Moscow-based hackers to take control of the victim’s phone or computer. The Kremlin left no target untouched.10

  Meanwhile, the troll army’s interest in the U.S. presidential election gained steam toward the end of 2015. One article in particular caught my eye.

  “Is Donald Trump a Man to Mend US Relations with Russia?” Sputnik asked on August 24, 2015.11 Trump’s campaign, at the time, seemed more celebrity stunt than deliberate effort to lead the nation, but the post was curious, given that Russian disdain for both parties and their leaders had historically been a constant.

  From then on, the social media war in America surrounding the election proved unprecedented, and the Russians were there and laying the groundwork for their information nuclear strike. Russian state-sponsored media, the English-speaking type, was quite clear: Putin did not want Hillary Clinton to become president. Aggressive anti-Clinton rhetoric from state-sponsored outlets, amplified by their social media trolls, framed Clinton as a globalist, pushing democratic agendas against Russia—an aggressor who could possibly bring about war between the two countries. The trolls’ anti-Clinton drumbeat increased each month toward the end of 2015 and going into 2016. The Kremlin spotted a new, more likable alternative among the Democrats, Bernie Sanders, whose challenge to Clinton was growing each day and whose message rang with socialist themes. Meanwhile, Trump’s brash barbs against his opponents were working unexpectedly well. Kicking off 2016, the troll army began promoting candidate Donald Trump with increasing intensity, so much so their computational propaganda began to distort organic support for Trump, making his social media appeal appear larger than it truly was.

  Russian leaders, much like their boastful American counterparts, have egos and often can’t help themselves when they want to brag. That appears to be the case with Andrey Krutskikh. Speaking at Infoforum 2016, in Moscow, he hinted at the Kremlin’s plans. The Russians were implementing new strategies for the “information arena,” he said, echoing General Gerasimov’s doctrine from a couple of years earlier. Krutskikh compared deployment of Moscow’s new influence weapons to that of a nuclear bomb that would allow the Russians “to talk to the Americans as equals.”12

  Curiously, on March 16, 2016, during the height of the primary season, WikiLeaks launched a new database that provided users with a search function for moving through and identifying topics among more than fifty thousand pages of emails from Clinton’s private server. The State Department had previously released some of the data, but WikiLeaks took the added step of creating a rapid system for accessing these emails around key words. The archive provided a novel feature for Clinton’s opponents seeking to gather dirt on the Democratic candidate and greatly assisted journalists looking for juicy campaign stories. All the while, those attending Trump rallies screamed about 33,000 missing emails and called for her to be “locked up” for disclosing classified information—referring to the emails deleted from the private server of Hillary Clinton that were unaccounted for in the FBI investigation. But on July 5, FBI director James Comey concluded his investigation into Secretary Clinton’s emails and recommended no formal charges. The chants would continue, and the searchable database of WikiLeaks would take on a new life.

  The fuel for Russia’s new cyber active measures appeared on July 22, 2016. The twenty thousand emails and more than eight thousand attachments stolen from the DNC surfaced on WikiLeaks. The compromising information covered internal communications from January 2015 to May 2016 and was made available to the public just three days prior to the Democratic National Convention. Media coverage of the convention became distracted by conflict and conspiracies. The emails pointed to DNC suppression of the Bernie Sanders campaign, creating a third theme that Russian troll networks reinforced: that the Democratic Party was corrupt and Bernie Sanders got a raw deal, never having a chance to defeat Hillary Clinton. Revelation of DNC chairwoman Debbie Wasserman Schultz’s private remarks showing her favoring Clinton over Sanders led to her resignation, and the mainstream media ran wild with the leaked information. The Russian leaks tarnishing Clinton worked, and they were just beginning.

  Five days after WikiLeaks’ dump of DNC emails, Donald J. Trump took to the stage at a press conference in Doral, Florida, and announced, “Russia, if you’re listening, I hope you’re able to find the thirty thousand emails that are missing . . . I think you will probably be rewarded mightily by our press.”13

  I watched the clip several times, and a sick feeling settled in my stomach. I’d watched the Russian system push for Trump and tear down Clinton, but up to that point, I hadn’t believed the Trump campaign might be working with the Russians to win the presidency. I’d given briefs on the Russian active measures system in many government briefings, academic conferences, and think tank sessions for more than a year. But nothing seemed to register. Americans just weren’t interested; all national security discussions focused narrowly on the Islamic State’s recent wave of terrorist attacks in Europe. I did what most Americans do when frustrated by politics: I suffered a Facebook meltdown, noting my disbelief that a U.S. presidential candidate would call on a foreign country, one already pushing for his victory, to target and discredit a former first lady, U.S. senator, and secretary of state.
