Hybrid Threats: Russian Interference in the 2016 US Election

What are now called “hybrid threats” are not new. Nations, and sometimes non-national groups, long have employed a variety of means short of war, simultaneously, to influence others.

by Gregory F. Treverton and Alicia R. Chen

NOTE: The views expressed here are those of the authors and do not necessarily represent or reflect the views of SMA, Inc.

What is new is the virtual realm—cyber attacks to ferret out, then strategically release, discrediting information, and social media, to lower the entry cost for massive propaganda campaigns. Both were on vivid display in the Russian intervention in the 2016 US presidential election, which also suggested some limits and possible counters.

Bottom Lines

  • During the 2016 US presidential election, Russia sought to undermine the public’s faith in the US democratic process and to damage Secretary Clinton’s candidacy and potential presidency.
  • The influence campaign was three-fold, featuring leaks of information Russia had stolen through cyber espionage, overt Russian propaganda, and hacks into election infrastructure, all of which were distinct but done simultaneously and complementarily.
  • The Russians conducted cyber espionage operations on major political organizations and people—especially the Democratic National Committee (DNC), which included many of candidate Clinton’s emails, and John Podesta, her campaign manager—with leaks timed strategically to influence the popular discourse and to attack the US democratic process.
  • The spread of misinformation during the 2016 US election was one of the most effective campaigns of Russian propaganda to influence US voters. By using botnets and trolls on social media sites, as well as its own news websites such as RT and Sputnik, the Kremlin successfully propagated Russian ideas and preferences to mainstream media and the general public.
  • The cyber hacking of infrastructure associated with the election, such as voting systems and voter databases, provided the Russians with the techniques, materials, and familiarity with the US election system that can be applied to future Russian influence campaigns—in the US and perhaps elsewhere. It remains unclear whether the hacking had any actual effect on the election outcome. The initial judgment by US intelligence was “no,” but elections are the responsibility of US states, which jealously guard their prerogatives, so detailed forensic assessments seem not yet to have been done.[1]


The end of the Cold War was perhaps not the “end of history,” but it did leave the United States and the US-led liberal democratic order as the dominant system of governance.[2] Confronted with a collapsed empire and a collapsing economy in the 1990s, Russia was forced to retreat from the global stage and from the great power status it once held. With the growth of numerous regional and transregional multilateral organizations, including but not limited to the expansion of NATO and the European Union into Central and Eastern Europe, many people believed that the foundations of the postwar order would continue to thrive well into the future.

However, Russian President Vladimir Putin determined to change that and to challenge the future of liberalism and democracy. Since the early days of his presidency, he has been working steadily towards rebuilding Russian power and influence, seeking to curb Western sway that had spread to Russia’s borders while in turn expanding Russia’s own sphere of influence. The aggressive Russian actions that the world has witnessed in the 21st century—including those in Ukraine, Georgia, and Syria, as well as the interference in the political processes of foreign nations—can all be viewed as part of that plan. In doing so, Putin has used and will continue to use all the tools at his disposal, both conventional and unconventional, to leverage, coerce, and spread ideologies and political preferences beneficial to Russian national interest onto neighboring countries and beyond.

For perspective, it is worth noting that the first target of Russia’s information efforts is probably the Russian people. For instance, one of the touchstones of Russian propaganda is spreading fear of global calamity, like nuclear war. That is also a fear beamed at Russians.[3] Discrediting western democracy makes Putin’s authoritarianism more appealing. His approval ratings have remained above 80 percent since the occupation of Crimea, despite increasing public concerns over the economy and corruption.[4]

Although not the first example of such attempts and surely not the last, Russia’s intervention in the 2016 US Presidential election is a stark instance of an influence campaign aimed at undermining the Western liberal democratic order. Russia has long used a blend of covert and overt tactics to advance its goals, but the scope and directness of its actions towards the United States in 2016 was unprecedented. Starting at least as early as the summer of 2015, Russia launched three distinct but simultaneous campaigns in the United States. This case study explores all three campaigns in detail, and thus serves as a useful vehicle for understanding Russia’s hybrid threat against the political processes of foreign nations.

The Scope and Nature of Russia’s Meddling

A partially declassified US Intelligence Community Assessment (ICA) in early 2017 concluded that, in addition to its longstanding desire to undermine the US-led order, the Kremlin launched an influence campaign with three specific goals: “to undermine public faith in the US democratic process, denigrate Secretary Clinton, and harm her electability and potential presidency.”[5] The Kremlin also displayed a clear preference towards candidate Trump and so helped to increase his election chances.[6] The ICA also noted that President Putin’s dislike for Secretary Clinton was likely to have stemmed from his holding her responsible for the mass protests against him in 2011 and 2012.[7]

While the full extent and detail of Russia’s meddling is still under investigation, including by special counsel and former FBI director Robert Mueller, the nature of the influence campaign can be understood as three-fold: it featured leaks of information Russia stole through cyber espionage, overt Russian propaganda, and hacks into election infrastructure, all three of which were distinct but were done at the same time and complemented each other. A substantial portion of the Russian effort focused on the first two of these operations, both of which are forms of strategic information operations—that is, the weaponizing of information for strategic objectives—a strategy the Kremlin has shown itself prone to use. The third, on the other hand, was a purely covert cyber operation that has not yet been shown to have had as much effect on the US electoral process as the other two. However, this is not to say that the Kremlin’s capability of hacking into the US election infrastructure is inconsequential. Rather, it is likely an investment for future Russian interference and serves as a harbinger that Russia will utilize this access more extensively in the next election cycle—and perhaps in elections elsewhere.

During this operation, Russia adapted to the events as they were unfolding and changed its approach based on its own understanding of the prospective results of the election. As a result, determining Russian objectives with precision is tricky, for however strategic the planning of the operations, they were bound to evolve over time with the evolving approach. Surely, the aims of discrediting American democracy and tarnishing candidate Clinton were visible from the start. By the end, the pro-Trump bias was also clear. Whether that was present from the start or developed over time as the Russians hacked more anti-Clinton material is hard to know. It is ultimately moot, for to tarnish Clinton was to embellish Trump, even if the Russians thought they were tarnishing a future President Clinton, not electing a President Trump.

In any case, it is clear that the Kremlin’s actions were not simply disruptive but also had specific political goals and objectives. The hackers and bots involved in the operations also enjoyed the full support of the Russian government, contrary to Putin’s suggestion of the opposite.[8] These characteristics, along with the multifaceted nature of the operation, embody the nature of Russia’s hybrid threat.

Cyber Espionage and Leaks

The cyber operations conducted against targets associated with the US election consisted of two distinct but related parts—hacks and leaks. In 2015 and 2016, the Democratic National Committee (DNC), the Democratic Congressional Campaign Committee (DCCC), and the Hillary Clinton campaign were all targeted by Kremlin-sponsored cyber espionage operations. The two hacker groups involved, CozyBear and FancyBear, have conducted similar operations in Europe and North America and employed the same modus operandi (MO) they have previously used against other foreign agencies and states.[9] The documents and information stolen from these networks were then shared via a persona (Guccifer 2.0) and a website (DCLeaks.com) created by the Russian government, and later via Wikileaks and mainstream media outlets. The remainder of this section explores these two components separately and provides specific details on both operations.

The DNC, DCCC, and Clinton Hacks

Russian intelligence gained access to the DNC network from June 2015 until at least June 2016. CozyBear and FancyBear, the two hacker groups that conducted these operations, are both tied to the Russian government but to intelligence agencies that are at least competitors—the FSB or SVR (the federal security service, successor to the KGB’s foreign operations directorate), and the GRU (main intelligence directorate, military intelligence), respectively.[10] When FancyBear gained access to the DNC network in 2016, it stole the DNC’s opposition files on Candidate Trump, which ultimately prompted the DNC to hire cyber security firm Crowdstrike to investigate the breach. Crowdstrike was then able to identify both CozyBear and FancyBear in the DNC network and both were subsequently ejected.

CozyBear. CozyBear, also known as APT 29, Office Monkeys, CozyCar, and CozyDuke, was the first of the two groups to gain access to the DNC network in June 2015. It infiltrated networks through phishing emails, which typically include web links to or attachments of a malicious dropper that installs a malware implant. In the case of the DNC, CozyBear used an implant called SeaDaddy, which is a highly configurable and encrypted exfiltration malware that is almost identical to previous programs linked to the FSB.[11] SeaDaddy allows hackers to exfiltrate data from compromised networks and to monitor the communication channels within them. The implant, packaged as an .exe, can run on any Windows computer, and once implanted maintains backdoor access to allow task automation and configuration.[12]

FancyBear. FancyBear, also called APT 28 and Sofacy, successfully hacked into the DNC network in April 2016, and was removed soon after it stole opposition files on Candidate Trump. In addition to phishing emails like CozyBear, FancyBear is also known for registering domains that mimic legitimate sites to obtain user information as well as to enhance the deceptiveness of its phishing emails. Its primary implant, X-Agent, is malware that allows for remote commands, file transmissions, and keylogging, a feature that records every keystroke made on a compromised computer, allowing easy access to passwords. X‑Agent is also configured to be capable of running on both computer and mobile platforms.[13] In addition to the DNC network itself, FancyBear also targeted a DNC IT contractor called MIS Department. In late March 2016, FancyBear hackers used a misspelled domain, misdepatrment[.]com, to mimic MIS Department. This bogus domain was then linked to an IP address that is known to belong to APT 28.[14]

The hacks into the DCCC were also likely the work of FancyBear. They consisted of the use of a bogus site, ActBlues, which resembles a DCCC donation site called ActBlue, thus consistent with FancyBear’s MO. The email used to register the ActBlues domain, fisterboks@email[.]com, has been used to register sites that have previously been tied to FancyBear. Its registered domains are also tied to the email of the registrant of misdepatrment[.]com, the bogus site used in the DNC hack.[15] The timing of the DCCC hacks also sheds light on the Kremlin’s involvement: the registration date of the ActBlues domain coincides with the first public report of CozyBear and FancyBear’s involvement in the DNC hacks, suggesting that FancyBear’s interest in the DCCC likely stemmed from an interest in maintaining access to the Democratic Party’s systems.
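Both look-alike names above (misdepatrment[.]com for MIS Department, ActBlues for ActBlue) are the kind a defender can catch by screening newly seen domains against the organisation’s own. The script below is an added illustration, not tooling from the case study or from Crowdstrike: it scores a domain’s registrable label against each defended domain using edit distance with transpositions (so a swapped letter pair costs one edit) and a brand-plus-affix check. The defended list and the observed feed are constructed, apart from the two imitation names the text cites.

```python
"""Look-alike domain screening for a defended organisation.

Added illustration, not tooling from the case study. The defended-domain
list and most observed domains are constructed; the two imitation names the
text cites (misdepatrment[.]com and ActBlues) are kept as given there.
"""
from typing import List, Optional, Tuple


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus
    adjacent transposition, so the swapped 'rt' in 'depatrment' costs 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def registrable_label(domain: str) -> str:
    """Second-level label of a domain, accepting the defanged '[.]' form
    used in threat reports (misdepatrment[.]com -> misdepatrment)."""
    parts = domain.lower().strip().replace("[.]", ".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(observed: str, legit: str) -> Optional[str]:
    """Why `observed` looks like `legit`, or None if it does not."""
    o, l = registrable_label(observed), registrable_label(legit)
    if o == l:
        return None                      # the genuine domain itself
    if o.startswith(l) or o.endswith(l):
        return "brand-plus-affix"        # actblues vs actblue
    if osa_distance(o, l) <= 1:
        return "near-typo"               # misdepatrment vs misdepartment
    if len(l) >= 6 and l in o:
        return "brand-embedded"          # e.g. my-actblue-pay; short brands skipped
    return None


def screen(observed: List[str], legit_domains: List[str]) -> List[Tuple[str, str, str]]:
    """Return (observed, imitated, reason) for every observed domain that
    imitates one of the defended domains."""
    hits = []
    for obs in observed:
        for legit in legit_domains:
            reason = classify(obs, legit)
            if reason:
                hits.append((obs.replace("[.]", "."), legit, reason))
    return hits


# Constructed feed: what a daily new-registration or mail-log review might surface.
DEFENDED = ["misdepartment.com", "actblue.com"]           # assumed legitimate names
OBSERVED = ["misdepatrment[.]com", "actblues.com", "actblue-login.net",
            "actblue.com", "weather.example"]

if __name__ == "__main__":
    for obs, legit, why in screen(OBSERVED, DEFENDED):
        print(f"{obs:22} imitates {legit:20} ({why})")
```

The affix check runs before the edit-distance check so that a single appended letter (ActBlues) is reported as a brand-plus-affix rather than a typo; in practice the observed list would come from a certificate-transparency or new-registration feed, and every hit is a candidate for a mail-gateway block and a phishing awareness note, not proof of an attack.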

Hillary Clinton’s campaign chair, John Podesta, was also targeted by Russian hackers in 2016. On 19 March, Podesta received an email, purporting to be a warning from Google, claiming that someone had attempted to sign in to his Gmail account and that he should change his password immediately.[16] One of Podesta’s aides unintentionally advanced the Russian operation when he forwarded the email to IT with a typo, writing that the email was “legitimate” rather than “illegitimate.” Once the password was changed by clicking the “change password” link, the Russian hackers gained full access to Podesta’s private Gmail account. Podesta’s emails, and with them many of the Clinton campaign’s, were later published by Wikileaks in early October.

In addition to Russia’s cyber capabilities, these three operations also suggest some laxness on the part of US institutions. In September 2015, an FBI official called the DNC to warn that at least one of its computers had been hacked by “the Dukes,” or Cozy Bear. Unfortunately, because the FBI agent did not go to the DNC in person, he was only able to reach a part-time tech contractor. The FBI also never mentioned any suspicion of Russian involvement related to these warnings. While the contractor did conduct a scan of the DNC’s computer systems, which revealed no traces of intrusion, he himself admits that he did not look very hard, as he had no idea whether the caller had been a real FBI agent or not. More importantly, as a nonprofit group, the DNC lacked the funds for the most advanced cybersecurity tools. When DNC personnel requested more help from the FBI to track down the hacks, the FBI allegedly failed to provide more information. It was not until March 2016, when the DNC noticed that certain documents had been extracted from its network, that it realized the seriousness of the FBI’s warning.[17] The DNC then engaged Crowdstrike.

Leaks and Strategies

On 15 June 2016, a day after the DNC and Crowdstrike publicly confirmed the Kremlin’s hack of the DNC network, an anonymous persona called Guccifer 2.0 emerged online and claimed sole credit for the cyber attack. Guccifer then began to publish some stolen documents, including but not limited to the DNC’s opposition research on Trump that had been exfiltrated by FancyBear. On July 22, days before the Democratic National Convention, Wikileaks published about 20,000 DNC emails as part of its “new Hillary Leaks series,” which Guccifer claimed to have provided.[18] Following these leaks, Wikileaks founder Julian Assange stated during an interview with ‘Democracy Now!’ that Wikileaks releases are always strategically timed to get a “big political impact.”[19] Guccifer 2.0 continued to publish data from the DCCC and from Podesta’s private email account in the weeks leading up to the election, both on its own website and via Wikileaks. DCLeaks.com, another outlet linked to Guccifer 2.0 and FancyBear,[20] also released leaked information obtained in Russian operations. Figure 1 outlines the cycle of hacks and leaks.

What is most notable about the Russian leaks is their strategic timing. As the nature of hybrid threats suggests, and as Assange himself admitted, releases of “secret” documents are never random but always timed to achieve specific political objectives, and in the US case, to influence popular discourse and shift the media and public’s attention when needed. To drive this point home, notice that Wikileaks released the stolen DNC emails three days before the start of the Democratic National Convention. This enabled the emails to dominate mainstream news as the convention took place, with extensive reports of the contents of these emails and with suggestions that more damaging ones were to come. As a result, top DNC officials faced increasing calls to resign, and the contents of the emails—focused mainly on the DNC’s apparent favoring of Secretary Clinton over Bernie Sanders—called into question the legitimacy of Secretary Clinton’s candidacy. These emails also provided Candidate Trump with ample ammunition to attack both Clinton and the “rigged” US electoral system.

Figure 1: Russian Hacks and Leaks


The release of Podesta’s private emails was also strategically timed to divert the media’s attention from the news of the day. On 7 October at 3:30 pm, the Obama administration issued a formal statement blaming the Kremlin for interfering in the US election. That afternoon at 4:00 pm, the Washington Post published the “Access Hollywood” tapes in which Candidate Trump can be heard making lewd statements about women.[21] Half an hour later at 4:30 pm, Wikileaks began to publish emails stolen from Podesta’s email server that tied Clinton to major banks, an already contentious issue that had been used against Clinton and her campaign throughout the election.[22] While the “Access Hollywood” tapes still dominated the news, Podesta’s emails also received abundant reporting. This episode sheds light on the Kremlin’s clear preference for candidate Trump and its assistance in helping to increase Trump’s electoral chances.

Russian Propaganda

Russian media outlets, especially those targeting global audiences, played an important role in Russia’s influence campaign by serving as an outlet for Kremlin messaging during the 2016 US presidential election. Russian leaders were hardly shy about their emphasis on information operations. During an interview with RT in 2013, Putin stated that he wanted to “break the Anglo-Saxon monopoly on the global information streams.”[23] Or his press secretary, Dmitri Peskov, in talking with the New York Times, cited Kim Kardashian, a popular American celebrity with 55 million Twitter followers, as an example of the reach in mobilizing people. “This will be a signal that will be accepted by millions and millions of people. And she’s got no intelligence, no interior ministry, no defense ministry, no KGB. The new reality creates a perfect opportunity for mass disturbances,” he said, “or for initiating mass support or mass disapproval.”[24]

Botnets, paid human trolls, and Russian news websites such as RT and Sputnik all assisted in propagating Russian ideas and preferences to English-speaking viewers. The Kremlin depended on mainstream media outlets as well as social media to maximize the effect and reach of its operations: many Russian-sourced stories first reported in RT or Sputnik were reiterated and amplified on Twitter or Facebook via botnets and trolls, causing algorithms to trend misleading or false reports that might then be picked up by mainstream news coverage. Russian state media generally covered candidate Trump in a positive light, in contrast to Secretary Clinton, who always received negative coverage. In the weeks leading up to Election Day, there were also increasing reports of potential irregularities or faults with election systems. Additionally, the Kremlin’s propaganda campaign increased the spread of “fake news” that either distorted actual facts or spread misleading stories about Secretary Clinton and the US electoral process. Fake news originating from Russian sources consistently trended on various social media outlets throughout the election cycle.

In early August 2016, for instance, Twitter began to trend news regarding a Turkish protest surrounding the US airbase in Incirlik. RT and Sputnik first tweeted reports that thousands of police had gathered at the site. These stories were then promulgated by a group of users who were panicking over the alleged nuclear weapons stored at the base and questioning why mainstream media did not cover the story. These Russian botnets and trolls, however, prompted a storm of panic over a story that was factually untrue. While a peaceful protest did take place in Turkey, the protest was substantially smaller in scale compared to the reports of RT, Sputnik, and Twitter, and the Incirlik base was not surrounded, contrary to these same accounts.[25]

Reports denigrating Secretary Clinton’s health also spread in a similar fashion. While rumors surrounding this issue had circulated regularly throughout the election cycle, in late August, Wikileaks tweeted “Clinton looked at drug after suffering from ‘decision fatigue’” accompanied by a screenshot of an already released Hillary Clinton email.[26] This was then cited by pro-Russia outlet ThePoliticalInsider.com as evidence for its unsubstantiated claim that Clinton had Parkinson’s Disease.[27] The story, which was then reiterated by other fake news outlets and their social media channels, ended up gathering 90,000 Facebook engagements and over 8 million views.[28] Mainstream media sources also picked up on the story, including Fox News.[29] While The Daily Beast countered the story the following day, the article received significantly less attention, with only 1,700 Facebook engagements and 30,000 views. The Kremlin’s ability to disseminate factually false news and garner significant engagement over legitimate sources is evidence of the Kremlin’s robust propaganda network.

An investigation by the New York Times and cybersecurity firm FireEye revealed that the Kremlin’s Twitter operations rely on an automated Twitter army, or bots, that publishes identical messages simultaneously or just seconds apart.[30] Another interesting characteristic is that these tweets are posted in alphabetical order of the usernames of these fake accounts. On Election Day for example, FireEye identified more than 1,700 tweets with the hashtag #WarAgainstDemocrats in the following fashion:

@edanur01 #WarAgainstDemocrats 17:54
@efekinoks #WarAgainstDemocrats 17:54
@elyashayk #WarAgainstDemocrats 17:54
@emrecanbalc #WarAgainstDemocrats 17:55
@emrullahtac #WarAgainstDemocrats 17:55
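The two signatures just described, identical text posted seconds apart and usernames arriving in alphabetical order, are simple to check for in a feed of posts. The script below is an added illustration and is not FireEye’s or the Times’s method: it groups consecutive identical posts by time gap and reports whether each group’s usernames are alphabetically ordered; it also flags any account that exceeds a posting rate of more than one post a minute over a day, a signal that comes up again in the French comparison later in this case study. The five usernames and their minute marks are those listed above; the seconds, the organic accounts, and the “autobot42” account are constructed.

```python
"""Detecting coordinated bot posting from a feed of (time, user, text) records.

Added illustration, not FireEye's or the Times's method. The five usernames
and the 17:54/17:55 minute marks come from the case study; the exact seconds,
the organic accounts and the 'autobot42' account are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Post = Tuple[str, str, str]  # (timestamp "YYYY-MM-DD HH:MM:SS", username, text)

SAMPLE_POSTS: List[Post] = [
    ("2016-11-08 17:54:50", "edanur01",    "#WarAgainstDemocrats"),
    ("2016-11-08 17:54:52", "efekinoks",   "#WarAgainstDemocrats"),
    ("2016-11-08 17:54:55", "elyashayk",   "#WarAgainstDemocrats"),
    ("2016-11-08 17:55:01", "emrecanbalc", "#WarAgainstDemocrats"),
    ("2016-11-08 17:55:03", "emrullahtac", "#WarAgainstDemocrats"),
    ("2016-11-08 17:55:40", "jane_voter",  "Polls close at 8, go vote!"),
    ("2016-11-08 18:10:00", "pat_smith",   "#WarAgainstDemocrats"),  # lone use of the tag
    ("2016-11-08 18:30:00", "zz_news",     "Turnout looks high in the county."),
]
# One constructed account posting every 30 s for 12.5 h: 1,500 posts in a day.
_T0 = datetime(2016, 11, 8, 0, 0, 0)
SAMPLE_POSTS += [((_T0 + timedelta(seconds=30 * i)).strftime("%Y-%m-%d %H:%M:%S"),
                  "autobot42", f"Rigged! #{i}") for i in range(1500)]


def _parsed(posts: List[Post]):
    """Posts as (datetime, user, text), oldest first."""
    return sorted((datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), u, x) for t, u, x in posts)


def _summary(run) -> Dict:
    users = [u for _, u, _ in run]
    return {"text": run[0][2], "users": users,
            "span_s": (run[-1][0] - run[0][0]).total_seconds(),
            "alphabetical": users == sorted(users)}


def find_bursts(posts: List[Post], max_gap_s: int = 10, min_size: int = 3) -> List[Dict]:
    """Runs of consecutive posts with identical text, each within max_gap_s of
    the previous one. Each run of at least min_size is reported with its
    time span and whether the usernames arrived in alphabetical order."""
    bursts, run = [], []
    for rec in _parsed(posts):
        if run and rec[2] == run[-1][2] and (rec[0] - run[-1][0]).total_seconds() <= max_gap_s:
            run.append(rec)
        else:
            if len(run) >= min_size:
                bursts.append(_summary(run))
            run = [rec]
    if len(run) >= min_size:
        bursts.append(_summary(run))
    return bursts


def hyperactive_accounts(posts: List[Post], window_h: int = 24, max_posts: int = 1440) -> List[str]:
    """Accounts exceeding max_posts inside any sliding window of window_h hours;
    the default threshold is more than one post a minute for a whole day."""
    by_user = defaultdict(list)
    for t, u, _ in _parsed(posts):
        by_user[u].append(t)
    window, flagged = timedelta(hours=window_h), []
    for user, times in by_user.items():
        i = 0                                   # left edge of the sliding window
        for j, t in enumerate(times):
            while t - times[i] > window:
                i += 1
            if j - i + 1 > max_posts:
                flagged.append(user)
                break
    return sorted(flagged)


if __name__ == "__main__":
    for b in find_bursts(SAMPLE_POSTS):
        print(f"{len(b['users'])} identical posts in {b['span_s']:.0f}s, "
              f"alphabetical={b['alphabetical']}: {b['users']}")
    print("hyperactive:", hyperactive_accounts(SAMPLE_POSTS))
```

Neither signal is proof on its own: a news hashtag can produce genuine bursts of identical text, and alphabetical ordering is the stronger tell because it reflects how a script iterates over its account list rather than how people behave. The thresholds are starting points to be tuned against a platform’s normal traffic.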

Facebook also hosted various Russian-sponsored fake accounts that spread anti-Clinton propaganda and promoted leaks. As with Twitter bots, these fake Facebook accounts can be identified fairly easily. Often, their Facebook posts were never personal but consisted only of pro-Russia, anti-Clinton news or articles. On their profiles, these users often had filled out their “introduction” overview, which gives information regarding where they grew up, where they went to school, or what their job is. However, as the Times investigation reported, their high schools or colleges would have no record of them ever attending the school. In September 2017, Facebook officials stated that the company had shut down several hundred fake accounts that they linked to a Kremlin company. This same company also bought $100,000 of ad space during and after the election cycle.

Both Twitter and Facebook have strengthened efforts to crack down on the number of fake accounts found on their platforms. Now, Facebook takes down about a million accounts a day. However, most of their efforts are reactive rather than proactive. Given the number of users—328 million on Twitter and nearly 2 billion on Facebook—it is difficult to keep track of every account, and so accounts are taken down mostly after the fact. According to statistics later released by the companies, Russian agents disseminated inflammatory posts that reached 126 million Facebook users, published 131,000 messages on Twitter, and uploaded over a thousand videos on YouTube.[31]

The Russian bots and trolls on Twitter and similar social media sites that have contributed to the Kremlin’s propaganda campaign have been found to have operated behind a common strategy. The users target audiences vulnerable to their influence on both the political right and left, including the alt-right as well as the victims or critics of globalization, immigration, terrorism, and economic recession. The biographies of these accounts often include words such as “America,” “military,” or “Christian,” and stories they shared were accompanied by hashtags or phrases that would appeal to these audiences. In the Incirlik case, the fake news story was shared with #NATO, #benghazi, and #trumppence16 to attract Trump supporters.[32]

Hacks into Election Infrastructure

The third element of Russia’s interference campaign into the 2016 US Presidential election involved the covert cyber hacking of infrastructure directly associated with the election. While the extent and consequences of these hacks are not as significant as the leaked documents and the spread of fake news from the other two operations, their precise effect is not yet clear. However, the techniques, information, and familiarity that the Kremlin gained as a result of their efforts are notable in making the US electoral system more vulnerable to future Russian influence campaigns.

The first evidence of these hacks came in May 2016, when Arizona’s voter registration system was taken offline for a couple of days following an FBI warning of a cyber threat. Investigations revealed that hackers had tried but failed to infiltrate the system. A month later, in June 2016, the Illinois Board of Elections was successfully hacked. The hackers gained access to Illinois’ voter database and had access to around 90,000 records, including the names, dates of birth, genders, driver’s licenses, and partial social security numbers of registered voters. Although it was concluded that no data had been manipulated, investigations also revealed that the hackers had tried but failed to alter some information in the database.[33]

A leaked NSA document dated 5 May 2017 revealed that the GRU targeted at least one voting system manufacturer through spear-phishing emails.[34] Although the document does not name the company in question, there are mentions of products made by and emails related to VR Systems, a voting services and equipment retailer. This successful intrusion allowed access to the credentials of local electoral officials, which were then used to launch another spear-phishing campaign on these officials. Beyond VR Systems, hackers targeted at least two other similar election services providers.[35] A US Senate intelligence hearing on the matter in June 2017 also revealed that a total of 21 states’ election-related systems had been targeted, including Arizona and Illinois.

While a number of systems were successfully hacked, there is still no evidence to suggest that election day vote tallying was affected. In January, intelligence officials concluded that the actual vote count was not influenced by Russian hackers, and they have maintained this conclusion since. However, government officials said that this conclusion does not address whether the hacks of election systems could have prevented voters from casting ballots.[36]

The significance of Russia’s hacking of U.S. election infrastructure, more so than the tangible effects on the outcomes of the 2016 election, lies in the knowledge and experience Russia gained. As Samuel Liles, Acting Director of the Department of Homeland Security (DHS) Cyber Analysis Division testified during the Senate intelligence hearing, “the majority of activity we observed was indicative of simple scanning for vulnerability.”[37] Russia’s cyber operations aimed at the US electoral infrastructure likely generated materials and knowledge that will be applied for similar influence campaigns in the future, rendering the US electoral system more vulnerable to Russian influence than ever.

Comparing Interventions: The French 2017 Elections

There is less information available on this case, largely because it was much smaller and briefer, and has not been the subject of a formal French investigation. The main points:

  • The Russians hacked and released 9 GB of emails stolen from Macron’s campaign less than 48 hours before the run-off election in May 2017.
  • As with the DNC, the timing was strategic, not giving Macron time to respond since French law forbids candidates from speaking publicly for two days ahead of election.
  • However, at the 11th hour, the campaign issued a statement saying it had been hacked and that many of the documents that were dumped on the American 4Chan site, and reposted by Wikileaks, were fakes. Mainstream media in France carried the statement but said little about the leaks.
  • The hacking was likely the work of FancyBear, which was also behind the DNC and DCCC hacks and, previously, TV5 Monde (which is why France had already taken major steps to protect against hacking).
  • Earlier in the year, Macron’s campaign said it had been the target of hacking attempts, but all of these attempts failed. The campaign, however, did not closely monitor look-alike sites, like misdepatrment in the US case.
  • The propaganda campaign was similar to that in the US election; indeed, it employed some of the same bot accounts.

The leaks appeared in a collection of links to torrent files posted on the anonymous publishing site PasteBin.[38] The leaks were attributed to Fancy Bear and to Russia by several sources.[39] The phishing domain was similar to a cloud storage site that Macron’s campaign used. Trend Micro, a Tokyo-based cybersecurity firm, did monitor look-alike websites, which is how it found the phishing domain. Still another firm detected four Macron-related fake domains. In the end, the Russians weren’t very good at hiding their tracks. By mid-March, Trend Micro was watching the same Russian intelligence unit behind some of the DNC hacks start building the tools to hack Macron’s campaign. They set up web domains mimicking those of his En Marche! party, and began dispatching emails with malicious links and fake login pages designed to bait campaign staffers into divulging their usernames and passwords, or to click on a link that would give the Russians a way into the campaign’s network.[40]

The Macron statement said: “The files which are circulating were obtained a few weeks ago thanks to the hacking of the professional and personal email accounts of several members of the campaign,” but also warned that among the authentic documents in the leak were “numerous false documents intended to sow doubt and disinformation.”

Interestingly, and surely partly because of the earlier DNC hacks, the Macron campaign was attentive to possible hacks from December, the first round of the election. Moreover, the campaign responded to phishing attempts with disinformation of its own. As Mounir Mahjoubi, the head of Macron’s digital team, explained: “We went on a counteroffensive…We couldn’t guarantee 100 percent protection” from the attacks, “so we asked: what can we do?” The campaign opted for a classic “cyber-blurring” strategy, well known to banks and corporations, creating false email accounts and filling them with phony documents, the way a bank teller keeps fake bills in the cash drawer in case of a robbery.[41] “You can flood these [phishing] addresses with multiple passwords and log-ins, true ones, false ones, so the people behind them use up a lot of time trying to figure them out,” Mahjoubi said.[42]
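The defender’s half of the cyber-blurring idea above is that every decoy fed to a phishing page is also a tripwire: if each lure receives its own distinct fake login, any later attempt to use that login tells the campaign which lure captured it and from where. The code below is an added illustration of that tripwire logic, not the Macron team’s tooling. It runs inside the login handler, where the submitted secret is available, and never stores decoy passwords in clear. The lure domain names, usernames, and login attempts are constructed.

```python
"""Decoy ('cyber-blurring') credentials as tripwires.

Added illustration of the idea the Macron team describes, not their tooling.
A distinct decoy credential is seeded per phishing lure; a later login attempt
with a decoy username, or a decoy password tried against any account, raises
an alert naming the lure. Domain names, usernames and attempts are constructed.
"""
import hashlib
import secrets
from typing import Dict, List, Optional

Registry = Dict[str, Dict[str, str]]  # decoy username -> {"pw_hash": ..., "lure": ...}


def _pw_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def seed_decoy(registry: Registry, lure_domain: str, username: str,
               password: Optional[str] = None) -> str:
    """Register one decoy credential for one phishing domain. The password is
    returned once, in clear, for submission to the lure; only its hash is kept."""
    password = password or secrets.token_urlsafe(12)
    registry[username] = {"pw_hash": _pw_hash(password), "lure": lure_domain}
    return password


def inspect_login_attempt(registry: Registry, user: str, password: str, src: str) -> Optional[dict]:
    """Hook for the login path, before normal authentication. Returns an alert
    if the attempt touches a decoy, else None. Real credentials never match."""
    if user in registry:
        return {"kind": "decoy-account-login", "user": user,
                "lure": registry[user]["lure"], "src": src}
    by_hash = {v["pw_hash"]: v["lure"] for v in registry.values()}
    lure = by_hash.get(_pw_hash(password))
    if lure:  # decoy password reused against some other account
        return {"kind": "decoy-password-reuse", "user": user, "lure": lure, "src": src}
    return None


def build_demo() -> List[dict]:
    """Seed two decoys (one per constructed lure) and replay constructed attempts."""
    registry: Registry = {}
    # Hypothetical lure domains and decoy accounts; fixed passwords only so the
    # demo is reproducible. In use, let seed_decoy() generate them.
    pw_a = seed_decoy(registry, "en-marche-login.example",
                      "decoy-0417@campaign.example", "fixed-for-demo-a")
    pw_b = seed_decoy(registry, "cloud-drive-sso.example",
                      "decoy-2290@campaign.example", "fixed-for-demo-b")
    attempts = [  # constructed login attempts seen by the campaign's mail service
        ("alice@campaign.example", "correct-horse-battery", "10.0.0.5"),
        ("decoy-0417@campaign.example", pw_a, "203.0.113.9"),
        ("bob@campaign.example", pw_b, "198.51.100.4"),
        ("bob@campaign.example", "bobs-real-password", "10.0.0.7"),
    ]
    alerts = []
    for user, password, src in attempts:
        alert = inspect_login_attempt(registry, user, password, src)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in build_demo():
        print(f"{a['kind']:22} user={a['user']:30} lure={a['lure']:26} src={a['src']}")
```

Each decoy should be unique to one lure and never reused, so that a hit attributes unambiguously; the alert’s source address and the lure name then go straight to the incident record, and the decoy account itself should have no real access to anything.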

The propaganda campaign was very similar to that mounted against the US election.[43] The goal was to spread fake news and rumors, such as that US agents were meddling in France’s finances, that Macron was gay, or that his campaign was funded by Saudi Arabia. The same botnets that had been active for Trump turned, after the US election, to Europe—to the Netherlands, Germany, and especially France. On Twitter, five percent of users accounted for a full 40 percent of the tweets related to the French election. One account tweeted a whopping 1,668 times in 24 hours, faster than one per minute. And it was hardly alone. For several of these accounts, the tweets were coming through in bursts too fast for an individual to keep up with them, suggesting automation rather than a highly active human.[44] For its part, Facebook removed over 30,000 fake accounts around the French election.[45]

4chan’s online image board, which had also played a role in the US case, was mentioned frequently in Le Pen-related tweets as the source of memes. In the US case, the memes had been anti-Clinton and pro-Trump.[46] In France, they propagated a claim that Macron used an offshore bank account in the Bahamas to evade French taxes. Following up on this story, there was evidence that Reddit users were purposefully repeating identical phrases about this conspiracy theory to “Google bomb” it, that is, to feed false, verbatim content into the sites Google mines for its search algorithm, in the hope of influencing the phrases Google uses to autocomplete searches beginning with “Macron”.

Marine Le Pen referred to it in the televised debate, accusing Macron of using a tax haven; as a result, #Bahamas was a trending hashtag on Twitter during the debate.

Lessons for the Future

  • The Russians are coming. The US case makes plain that the Russians have both the will and the capacity to intervene in other nations’ elections. That plain lesson is the most important. Since the Cold War, Moscow has attempted to disrupt the democratic process in Western countries. What is different in this case, in addition to the new cyber tools, is the explicit purpose not merely of disruption and sowing mistrust but also of seeking to tilt the election in favor of a particular candidate.
  • Thus, pay close attention to early warning. In this case, the FBI, apparently, warned the DNC in the fall of 2015 of potential hacks into its information systems. It did not, however, make clear that it suspected these were Russian-government-sponsored operations. Nor did it do so in the ensuing months, and the DNC did not become alarmed until March 2016 and did not engage CrowdStrike until May. By contrast, and no doubt partly because of the US case, the Macron campaign in France was attentive to hacking and cyber security at least from December 2016, well before the first round of voting in April 2017.
  • Early warning and attribution are tricky but not impossible. The hacks and leaks in this case were fairly quickly and firmly attributed to Russia’s hand, and the FBI already suspected Russia when it reached out to the DNC in the fall of 2015. Suggestively, a group of outside analysts had been tracking the online dimensions of the jihadis and the Syrian civil war when they came upon interesting anomalies, as early as 2014. When experts criticized the Assad regime online, they were immediately attacked by armies of trolls on Facebook and Twitter. Unrolling the network of the trolls revealed they were a new version of “honeypots,” presenting themselves as attractive young women eager to discuss issues with Americans, especially those involved in national security. The analysts made the connection to Russia but found it impossible, that early, to get anyone in the American government to listen, given the crises competing for attention.[47] At least countries with elections coming up, like Germany and Sweden, will know where to look and not be distracted. Indeed, one upside of the US attack is that everyone is more careful now and more focused on Russian hackers. There is a lot more information out there.
  • Tighten links across the public-private divide. This is a great challenge of the cyber realm in any case. It is easier with regard to elections to the extent that elections plainly are a public good and a government responsibility. But, as with Mrs. Clinton’s emails and also Mr. Macron’s, private citizens and their private correspondence will be targets. On the government’s side, the need is to stretch discretion and be as clear about warnings as possible. The FBI needed to tell the DNC in the autumn of 2015 that it suspected the Russians. In the event, though, the FBI officer was apparently not confident enough in his case (and perhaps in his interlocutor) to communicate that suspicion. The Bureau would not have needed to say why it suspected the Russians, though given the activities of private companies, like CrowdStrike, in cyberspace, to say why would seem to have posed little risk to “sources and methods.”

The role of private companies is a complicating but also promising facet of cyber. The companies do upset the traditional government process: when a hack occurred, intelligence agencies would seek to attribute it, then pass that information in secret to policy agencies, which would decide what to do: name and shame, go after individuals, retaliate, and so on. Now, however, private companies will be doing attribution on their own and will reveal their conclusions when they choose. Governments will have less discretion in deciding whether or when to attribute. The companies will not only be useful partners; their public attributions will also make it easier for governments to protect their own sources and methods.

  • Likewise, pay close attention to the infrastructure of elections. The decentralization of election machinery in the United States was probably an operational advantage (if a forensic liability), for it complicated the attackers’ challenge. To the extent that European election infrastructure is more centralized, it is a more tempting target. That may be offset, however, if the election system does not exaggerate, as the American one does, the importance of a few critical districts or areas of the country. In any case, the danger of being hacked increases the more voting is virtual (and the fewer ways there are to check results after the fact, in the way that paper ballots do).
  • In the end, though, the Russians aren’t ten feet tall. The Russian hacking probably wasn’t decisive in the US election (by comparison, say, to FBI Director Comey’s eleventh-hour intervention). Russian cyber attacks on France’s TV5Monde succeeded in taking it down but raised the question of what the point was. Similarly, Russian efforts to discredit François Hollande probably had less effect than Paris Match’s. Speed and forthrightness in responding are critical. The Incirlik fake news story faded quickly once news outlets began publishing pictures of the actual protests. Similarly, in early 2017, when Russia floated allegations of rapes in the Baltics by NATO soldiers, Germans to boot, Lithuania was ready: its parliament immediately dismissed the story as spurious. And the Macron campaign’s “counter-offensive” at least demonstrates that those attacked have options.[48]

[1] Nicole Perlroth, Michael Wines, and Matthew Rosenberg, “Little Effort to Investigate in States Targeted by Election Hacking,” New York Times, 1 September 2017, nytimes.com/2017/09/01/us/politics/russia-election-hacking.html

[2] From Francis Fukuyama’s famous book of that title: The End of History and the Last Man. New York: Perennial, 2002

[3] See, for instance, a BBC report, twitter.com/BBCSteveR/status/793332773130014720

[4] See Gallup World Poll 2016, 28 March 2017, available at gallup.com/poll/207491/economic-problems-corruption-fail-dent-putin-image.aspx

[5] US Intelligence Community Assessment (ICA), an unclassified version of which was made public in January 2017, available at dni.gov/files/documents/ICA_2017_01.pdf

[6] Ibid.

[7] Ibid.

[8] Russian President Vladimir Putin said during a press conference on 1 June 2017 that independent Russian hackers may have launched cyber attacks on foreign nations, but that the Russian state was uninvolved and that the hackers acted on their own patriotism. See Andrew Higgins, “Maybe Private Russian Hackers Meddled in Election, Putin Says,” New York Times, 1 June 2017, nytimes.com/2017/06/01/world/europe/vladimir-putin-donald-trump-hacking.html

[9] CozyBear was responsible for the 2015 hacks into the US White House, State Department, and Joint Chiefs of Staff networks. It has also targeted organizations in Western Europe, Central and East Asia, and Central and South America. FancyBear, on the other hand, is known to target military- and defense-related units in America, Europe, and Asia. FancyBear was also the group behind the German Bundestag and France’s TV5 Monde hacks in 2015. See Dmitri Alperovitch, “Bears in the Midst: Intrusion into the Democratic National Committee,” Crowdstrike, 15 June 2016, crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/

[10] Crowdstrike, the cyber security firm that the DNC hired to investigate its breach, observed CozyBear and FancyBear infiltrating the same networks and stealing similar data. It found that the two groups worked simultaneously, likely without knowledge of the other’s involvement. See Dmitri Alperovitch, “Bears in the Midst: Intrusion into the Democratic National Committee,” 15 June 2016, crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee. For more information on the adversarial nature of Russia’s intelligence services, see Mark Galeotti, Putin’s Hydra: Inside Russia’s Intelligence Services, London: European Council on Foreign Relations (ECFR), 2016, ecfr.eu/page/-/ECFR_169_-_PUTINS_HYDRA_INSIDE_THE_RUSSIAN_INTELLIGENCE_SERVICES_1513.pdf

[11] Massimo Calabresi and Pratheek Rebala, “Here’s The Evidence Russia Hacked The Democratic National Committee,” Time, 13 December 2016, time.com/4600177/election-hack-russia-hillary-clinton-donald-trump

[12] For more information on the SeaDaddy implant and its code, see Dmitri Alperovitch, “Bears in the Midst: Intrusion into the Democratic National Committee,” Crowdstrike, 15 June 2016, crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/

[13] For more on FancyBear and X-Agent, see Dmitri Alperovitch, “Bears in the Midst: Intrusion into the Democratic National Committee,” Crowdstrike, 15 June 2016, crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/

[14] For more on the digital fingerprints tying misdepartrment[.]com to FancyBear, see “Rebooting Watergate: Tapping into the Democratic National Committee,” ThreatConnect, 17 June 2016, threatconnect.com/blog/tapping-into-democratic-national-committee/

[15] For a full analysis of links between the DCCC hacks and FancyBear, see “FANCY BEAR Has an (IT) Itch that They Can’t Scratch,” ThreatConnect, 29 July 2016, threatconnect.com/blog/fancy-bear-it-itch-they-cant-scratch/

[16] Identical emails were also sent to DNC officials. See Eric Lipton, David E. Sanger, and Scott Shane, “The Perfect Weapon: How Russian Cyberpower Invaded the U.S.,” New York Times, 13 December 2016, nytimes.com/2016/12/13/us/politics/russia-hack-election-dnc.html

[17] Nicole Perlroth, Michael Wines and Matthew Rosenberg, “Little Effort to Investigate in States Targeted by Election Hacking,” New York Times, 1 September 2017, nytimes.com/2017/09/01/us/politics/russia-election-hacking.html; Mark Hosenball, John Walcott and Joseph Menn, “The FBI reportedly waited months to tell Democrats that Russians may have played a role in the DNC hack,” Business Insider, 3 August 2016, businessinsider.com/fbi-waited-months-to-tell-dnc-of-suspected-russian-role-in-hack-2016-8

[18] Guccifer 2.0, Twitter Post, 22 July 2016, 9:44 am, twitter.com/guccifer_2/status/756530278982684672

[19] “EXCLUSIVE: WikiLeaks’ Julian Assange on Releasing DNC Emails That Ousted Debbie Wasserman Schultz,”Democracy Now!, 25 July 2016, democracynow.org/2016/7/25/exclusive_wikileaks_julian_assange_on_releasing

[20] “Does a BEAR Leak in the Woods?,” ThreatConnect, 12 August 2016, threatconnect.com/blog/does-a-bear-leak-in-the-woods/

[21] For a transcript of Trump’s remarks, taped in 2005, see nytimes.com/2016/10/08/us/donald-trump-tape-transcript.html

[22] Both Sanders and Trump accused Clinton of cozying up to Wall Street during the election cycle. These emails provided further evidence that Clinton had made paid appearances before big banks. The leaks of Podesta’s emails also took place days before the second presidential debate, although candidate Trump mentioned Clinton’s ties to Wall Street only once.

[23] Source: rt.com/news/putin-rt-interview-full-577/

[24] Source: nytimes.com/2017/09/13/magazine/rt-sputnik-and-russias-new-theory-of-war.html

[25] For more on the specifics of how the Incirlik story spread, see Clint Watts and Andrew Weisburd, “How Russia Dominates Your Twitter Feed to Promote Lies (And, Trump, Too),” The Daily Beast, August 6, 2016, thedailybeast.com/how-russia-dominates-your-twitter-feed-to-promote-lies-and-trump-too.

[26] Wikileaks, Twitter Post, 23 August 2016, 5:04 am, twitter.com/wikileaks/status/768056314761191424

[27] Thomas, “WikiLeaks Just Dropped Bombshell About Hillary’s Health… The Truth, REVEALED!,” The Political Insider, 23 August 2016, thepoliticalinsider.com/wikileaks-just-dropped-bombshell-hillarys-health-truth-revealed/

[28] Anonymous research group PropOrNot, which targets pro-Russian propaganda news sources, issued a report analyzing Russia’s propaganda campaign against the US during the 2016 election. For more on the Parkinson’s case as well as similar others, see PropOrNot, Black Friday Report: On Russian Propaganda Network Mapping, 2016, drive.google.com/file/d/0Byj_1ybuSGp_NmYtRF95VTJTeUk/view

[29] “Julian Assange Discusses Hillary Health Rumors from Latest Email Release,” Fox News, 26 August 2016, insider.foxnews.com/2016/08/26/julian-assange-discusses-hillary-clinton-health-rumors-latest-email-release

[30] Scott Shane, “The Fake Americans Russia Created to Influence the Election,” New York Times, 7 September 2017, nytimes.com/2017/09/07/us/politics/russia-facebook-twitter-election.html

[31] As reported by the New York Times, based on company reports to Congress. Mike Isaac and Daisuke Wakabayashi, “Broad Reach of Campaign by Russians Is Disclosed,” p. B1, 31 October 2017

[32] Clint Watts and Andrew Weisburd, “How Russia wins an election,” Politico, 13 December 2016, politico.eu/article/how-russia-wins-an-election/

[33] Investigators found that the hackers attempted to delete or alter some voter data in the Illinois database. This was the first and only report of such attempts. See Michael Riley and Jordan Robertson, “Russian Cyber Hacks on US Electoral System Far Wider than Previously Known,” Bloomberg, 13 June 2017, bloomberg.com/news/articles/2017-06-13/russian-breach-of-39-states-threatens-future-u-s-elections

[34] The leaked NSA document is available at assets.documentcloud.org/documents/3766950/NSA-Report-on-Russia-Spearphishing.pdf

[35] Nicole Perlroth, Michael Wines and Matthew Rosenberg, “Little Effort to Investigate in States Targeted by Election Hacking,” New York Times, 1 September 2017, nytimes.com/2017/09/01/us/politics/russia-election-hacking.html

[36] Ibid.

[37] “Russian Interference in US Elections,” C-SPAN, Washington, DC: C-SPAN, 21 June 2017, c-span.org/video/?430128-1/senate-intel-panel-told-21-states-targeted-russia-2016-election

[38] wired.com/2017/05/macron-email-hack-french-election/

[39] telegraph.co.uk/news/2017/05/06/russian-hackers-blame-emmanuel-macrons-leaked-emails-could/, citing Vitali Kremez, director of research with New York-based cyber intelligence firm Flashpoint. See also documents.trendmicro.com/assets/wp/wp-two-years-of-pawn-storm.pdf

[40] nytimes.com/2017/05/09/world/europe/hackers-came-but-the-french-were-prepared.html

[41] See nytimes.com/2017/05/09/world/europe/hackers-came-but-the-french-were-prepared.html

[42] As quoted in thedailybeast.com/fighting-back-against-putins-hackers

[43] thinkprogress.org/russian-bots-where-are-they-now-e2674c19017b

[44] slate.com/blogs/the_slatest/2017/05/06/american_alt_right_and_twitter_bots_are_key_to_spreading_french_election.html

[45] facebook.com/notes/facebook-security/improvements-in-protecting-the-integrity-of-activity-on-facebook/10154323366590766

[46] medium.com/data-for-democracy/democracy-hacked-a46c04d9e6d1

[47] See Andrew Weisburd and Clint Watts, “Trolling for Trump: How Russia is Trying to Destroy Our Democracy,” November 2016, available at warontherocks.com/2016/11/trolling-for-trump-how-russia-is-trying-to-destroy-our-democracy.

[48] See dw.com/en/nato-russia-targeted-german-army-with-fake-news-campaign/a-37591978

Published on October 31, 2017 by Dick Eassom, CF APMP Fellow