The detailed report I was reading, which pre-dated the additional information from Winner, included specific information on the coordinated efforts of Russian state intelligence services, hacking under those familiar names APT28 and APT29 – both of whom I had already extensively linked to the ongoing, Russian hybrid operation. The Joint Analysis Report246 (JAR) was the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). The document provided technical details regarding the tools and infrastructure used by the Russian civilian and military intelligence Services, which they refer to as RIS, to compromise and exploit networks and endpoints associated with the US election, as well as a range of US Government, political, and private sector entities. The USIC was referring to the malicious cyber activity by the Russians under the name GRIZZLY STEPPE. Previous reports of this kind had not attributed malicious cyber activity to specific countries or threat actors, however, the JAR made clear: “Public attribution of these activities to RIS is supported by technical indicators from the US Intelligence Community, DHS, FBI, the private sector, and other entities. This activity by RIS is part of an ongoing campaign of cyber-enabled operations directed at the US government and its citizens.” Confirming my previous, independent findings, the JAR also stated: “Cyber operations have included spear-phishing campaigns targeting government organisations, critical infrastructure entities, think tanks, universities, political organisations, and corporations leading to the theft of information.”
“In foreign countries, RIS actors conducted damaging and/or disruptive cyber-attacks, including attacks on critical infrastructure networks. In some cases, RIS actors masqueraded as third parties, hiding behind false online personas designed to cause the victim to misattribute the source of the attack,” the report added.
I was astonished, reading this, to see that two different – but, by then, very familiar – Russian actor groups were confirmed to have participated in the intrusion into the systems of a US political party – the DNC. The first group, APT29, entered into the party’s systems in summer 2015, while the second, APT28, entered in spring 2016. Both the GRU and FSB had already been linked by my own investigation to terrorist narratives in the EU and the ongoing hybrid conflict which was targeting democracies across the West, but this was official validation. According to the report, “APT29 has been observed crafting targeted spear-phishing campaigns leveraging web links to a malicious dropper; once executed, the code delivers Remote Access Tools (RATs) and evades detection using a range of techniques,” while “APT28 is known for leveraging domains that closely mimic those of targeted organisations and tricking potential victims into entering legitimate credentials.” This latter was the same method used to target Macron’s En Marche!
APT28’s actors, the JAR stated: “Relied heavily on shortened URLs in their spear-phishing email campaigns. Once APT28 and APT29 have access to victims, both groups exfiltrate and analyze information to gain intelligence value. These groups use this information to craft highly targeted spear-phishing campaigns.”
“These actors set up operational infrastructure to obfuscate their source infrastructure, host domains and malware for targeting organisations, establish command and control nodes, and harvest credentials and other valuable information from their targets,” the report continued, which explained a great deal more about how the Wannacry attack managed to create such a mess and muddied waters as regards the location of a “patient zero.” My own trip down the rabbit hole independently verified most, if not all of this, even before reading the JAR – both in the broader context of the world cyberattack, and in the subsequent, unfounded allegations of North Korea being responsible – but I added crucial detail.
In summer 2015, the JAR recaps an APT29 spear-phishing campaign which directed emails containing a malicious link to over one thousand recipients, including multiple US Government victims. They used legitimate domains, including some associated with US organisations and educational institutions, to host malware and send spear-phishing emails. This was the same tactic used with the NATO email and which was caught out in Romania two years later. In the course of the 2015 campaign, however, the report states the group successfully compromised the DNC and at least one targeted individual activated links to malware hosted on “operational infrastructure of opened attachments containing malware.” Again, this functioned in a similar way to the Trump-Syria document in the 2017 campaign. The report was unambiguous as to how the spear-phishing operation was used once a person had launched the infected attachment, saying: “APT29 delivered malware to the political party’s systems, established persistence, escalated privileges, enumerated active directory accounts, and exfiltrated email from several accounts through encrypted connections back through operational infrastructure.” To my surprise, known disinformation actors – associated amongst other things with the spurious 'pizzagate' narrative – began proactively attempting to convince the American public the DNC information was passed legitimately to Wikileaks. This remains untrue, despite being reported on Fox and the Russia-serving right-wing conspiracy theory about the alternative source of the leak will never be repeated by me – due to the distress it has caused a family concerned and out of respect for their requests for it to stop being mentioned. However, the disinformation – designed to cover for known Russian activity – tightened the direct link between the so-called alt-right and the broader state-sponsored hybrid conflict, which I already believed incorporated Wikileaks working as a deniable asset on behalf of Russia.
The JAR continued documenting the Russian operation, stating it continued in Spring 2016, when APT28 compromised the same political party, again via targeted spear-phishing. This time, the malicious email tricked recipients into changing their passwords through a fake webmail domain hosted on APT28 operational infrastructure – and, again, this was deployed against Macron in France. Using the harvested credentials, APT28 was subsequently able to gain access and steal content, likely leading to “the exfiltration of information from multiple senior party members.” The USIC report assesses that the information was leaked to the press and publicly disclosed.
The Russian Intelligence Service groups continued to be actively deployed across Europe, in the UK, and in the US, and the activities the report covered carried on in the US right up until the days before Trump’s election – something which was again mirrored in the French campaign.
The JAR was incredible to read: an inarguable statement of Russian responsibility – though I’m still glad I took the long way around to arrive at the same destination. The report was not, however, the only document which exposed the scale of Russia’s hybrid operations and how each element had been interacting. Disinformation and its spread was just as important as the more covert cyber-espionage.
I first came across Trend Microsystems when initially looking into hacking – along with the shift in the dynamic of terrorism across Europe – and it was through them I had found out about Russia masquerading as the Islamic State in earlier cyberattacks on France. After I finished reading the NSIC’s JAR, Trend released an incredibly detailed research paper247 on Fake News and disinformation, which exposed how it can be spread by deniable assets, acting through a cash-driven, underground network of privateers. Properly, in my opinion, the cyber security firm opened their June 2017 report by highlighting the true significance of what could have otherwise become a throwaway term.
“Fake news became increasingly common during the past year,” they said. “While this concept has many synonyms—disinformation campaigns, cyber propaganda, cognitive hacking, and information warfare—it’s just one facet of the bigger problem: the manipulation of public opinion to affect the real world.”
“Until society agrees to the norms—whether through government regulation or societal self-regulation—various parties will abuse it to serve their agendas. This results in false information reaching the public—deliberately or by accident. Either way, it results in wh
at we know as fake news today,” the authors added, echoing my conversation with Nils Karlsson back at the Malmö Stadhuset.
My own investigations established a clear lack of suitable regulation and ineffective counter-measures, both of which combined to create the environment in which two Western democracies were successfully subverted by Russia. The Trend report made no bones in explaining exactly how useful disinformation is too, specifying how it works within the same sphere of influence as the big data and psychometric tactics utilised by companies like Cambridge Analytica. By “manipulating the balance of how a particular topic is reported (whether that concerns politics, foreign affairs, or something more commercial),” the report said, adding: “The views on that topic can be changed. This can be done either with inaccurate facts or with accurate ones twisted to favor a particular view or side.”
According to the analysts at Trend Micro, social media posts also have to attract the target readers of their operation. “To do this,” Trend said, “the fake news posts are crafted to appeal to its readers’ psychological desires—confirming biases, the hierarchy of needs, etc.” In addition, the report set out that some services use crowdsourcing mechanisms to manipulate real users into doing the bidding of fake news promoters. “For example, offer users free likes in exchange for a number of likes produced by the participating user,” the report pointed out. “It would be nearly impossible for social media networks to distinguish such manipulated activity from actual or natural user actions.”
In their detailed analysis, analysts set out the key benefits to using the underground market, saying it begins with cost. “Legitimate advertising is more expensive compared to the costs of fake news (which is important to smaller, less-funded actors),” they wrote, observing that viral spread through users also gains more traction than adverts. Having explored the existence of the St Petersburg Troll Army, the Kremlin-linked operation which works with bots and humans to spread disinformation and steer public opinion, I found Trend's report complemented what I had already found but expanded upon the costs in detail.
“The pricing models are generally simple: a fixed amount of money results in a fixed amount of actions and manipulations performed on a social media site (likes, favorites, etc.). Some of these services guarantee the quality of these actions as well (i.e., they will use humans instead of bots, etc.),” the report said.
Going beyond social media likes, shares, and comments, however, the Trend research also delves into darker territory. One Russian company, Jet-s, can purportedly manipulate petitions on platforms like change.org – “Its prices vary: RUB 60,000 ($1,065) will turn into 10,000 votes or petition signatures, while RUB 150,000 ($2,664) will give customers 25,000. A vying service, Slavavtope, offers more platforms,” the report stated. This clearly would have the ability to drive more significant change than push messaging alone, as these petitions are often used to influence governmental behaviour.
Another Russian site, Weberaser, focuses on taking down and removing undesirable (and ironically, fake) content or information from the internet, or removing top results from search engines. Its services, depending on the complexity of the task and available time, start from three-thousand Rubles (about fifty dollars) if the customer can read Russian or use a machine translator. By the time I was reading this, Cambridge Analytica's parent company, SCL, had recently changed its website, deleting all references to SCL Elections and were upping their public denials of any involvement with Leave.EU. Though the web-archive meant snapshots of their sites were saved for reference, services such as Weberaser remain clearly a useful, if not dangerous, tool.
The services available in these underground markets Trend were discussing extended beyond spreading fake news alone and one factor driving the dark economy appeared to be the same reason deniable assets have always been relied upon in espionage and other state activities: anonymity. Using this underground network it is, Trend highlighted, much easier to hide the true origin of any campaign and protect not only those involved but keep obscured what they are trying to do.
Fake news, Trend identified, is a “means to an objective, not an objective in and of itself,” adding: “The parties who commissioned the promotion of fake news sites do so with an objective in mind.” I was beyond holding on to any doubt the desire of the people utilising these campaigns and, additionally, the underground network of extra services, had simply been to influence and undermine Western democracies, thus affecting their international policy and military relationships. While the primary motives so far had been political, my own investigations led me to conclude the geopolitical control also led to the control of the money, to the benefit of those responsible. That’s a pretty solid objective and is likely to be the ultimate and lasting one. Trend’s report largely confirms this view, setting out a stark warning for the future: “Even if political fake news is the most commonly used today, the tools and techniques that enable them are becoming more available. It is inevitable that other motivations—such as profit—will come to the forefront in later years.”
Something as innocuous sounding as alternative facts has played a crucial role in all of this – despite being something which initially defied common sense – and Trend’s report goes a long way to succinctly explaining the easy psychology of this, saying: “In today’s digital era, the attention span of a typical reader is very short. Fake news creators use this to manipulate the public. There’s no need for an article to be sensible, complete, or factual; a sensational headline will achieve the objectives just as well.”
This made for an excellent, capsule explanation of the alt-right and the broader disinformation which had been combined with the micro-targeting of voters to full, gruesome effect. Taking everything into account – from my own discoveries, Komarnyckyj’s view, the JAR, and Trend’s report – there was little doubt left in what had taken place. Problematically, as I had accidentally proven, the truth of all of it simply cannot be explained in less than one hundred thousand words, completely contrary to the successful technique Russia had designed and deployed. So, my own responses to the Alternative War – from the articles to the seventy-page statement, to this book – are as much of an experiment as Tallinn once was for Capstone. A weapons test.
Nineteen:
I suppose, in many ways, I was starting to wrap up loose ends up when I eventually sat down to read “Assessing Russian Activities and Intentions in Recent US Elections,” the public version of that highly classified assessment which was provided to President Barack Obama in December 2016 — and to additional recipients approved by him at the time. The report was based on information and intelligence available to the CIA up until the 29th of December 2016 and, though I was aware of it, I had avoided reading it, intentionally holding it away at arm's length to avoid any taint on what I had been doing. I’ll admit, at the end of it all, I was relieved to see it confirmed my own findings.
While the conclusions in the public version of the report were all reflected in the classified assessment, the declassified copy did not (and could not, for obvious reasons) include the full supporting information, specific intelligence, source details and methods used to put it together. This was a protection measure primarily aimed at protecting people who had provided evidence to the authorities and the CIA followed the rules in a way President Trump had not. The report opened by outlining the difficulties faced by the intelligence agencies in the current geopolitical climate – in effect, in the face of a complex hybrid threat from Russia – saying: “The mission of the Intelligence Community is to seek to reduce the uncertainty surrounding foreign activities, capabilities, or leaders’ intentions. This objective is difficult to achieve when seeking to understand complex issues on which foreign actors go to extraordinary lengths to hide or obfuscate their activities.”
“The nature of cyberspace makes attribution of cyber operations difficult but not impossible. Every kind of cyber operation—malicious or not—leaves a trail,” it added.
Intelligen
ce tradecraft has developed over the years into a standard model which combines analysis, probability, and logical reasoning. This is the same standard which was applied throughout my own investigation and includes those assessments of confidence which the NCSC also applied to their North Korea conclusion reported by the BBC. The document also included an analytical assessment drafted and coordinated between The Central Intelligence Agency (CIA), The Federal Bureau of Investigation (FBI), and The National Security Agency (NSA), which drew on intelligence information collected and disseminated by those three agencies. The assessment focused on activities aimed at the 2016 US presidential election, drew on their combined understanding of previous Russian influence operations, and it covered the “motivation and scope of Moscow’s intentions regarding US elections and Moscow’s use of cyber tools and media campaigns to influence US public opinion.” The joint analysis was, however, clear the agencies “did not make an assessment of the impact that Russian activities had on the outcome of the 2016 election,” saying “the US Intelligence Community is charged with monitoring and assessing the intentions, capabilities, and actions of foreign actors; it does not analyze US political processes or US public opinion.”
Alternative War: Unabridged Page 29