The Perfect Weapon


by David E. Sanger


  It may be years, if ever, before there is any clear understanding of how large a role Putin himself played in developing and executing “active measures” for the Internet age. He is not known as a user of social media himself. But he had a KGB alumnus’s appreciation of its power.

  As start-ups go, the Internet Research Agency (called Glavset by the Russians) rose pretty fast. By sometime in 2013, it was getting its foothold in Saint Petersburg and began hiring. Soon it operated on a multimillion-dollar budget whose source is still murky. It quickly employed not only news writers but graphics editors and experts in “search-engine optimization” to ensure the greatest reach for its pro-Russian messages. And it took advantage of the fact that Facebook did little, at least at the time, to determine whether a member was really a person—or just a bot. The whole strategy depended on convincing other users that a fake persona was real. The IRA’s hackers were essentially playing the same role as those soldiers who had shed their uniforms in Ukraine.

  And the digital little green men took the propaganda battle to the enemy’s territory. The American campaign began in September 2014 with text messages like the one aimed at the residents of St. Mary Parish, Louisiana, warning of a toxic fume release from a chemical plant. It turned out that “Columbia Chemical,” the plant, reported to be in the throes of the accident, did not exist. But the fear was palpable. Then came the echo-chamber rumors that Ebola was running wild in parts of the United States, stoked by Russian trolls who set about amplifying the rumors on social media—spreading the hashtag #EbolaInAtlanta with fake news and video accounts of the incident.

  In its first headquarters, a blocky, four-story building in Saint Petersburg, at 55 Savushkina Street, the Agency’s dozens of twentysomethings learned to “troll” critics of Putin and journalists who delved too deeply into what the agency did. It didn’t take them long to perfect the art form. As Putin and his Chef had learned, it is easy to make a critic miserable in the Twitter age. And the Internet Research Agency performed the task well—growing to 80 employees with outsized influence online.

  In late 2014, the agency dug into its social media campaign to commence its disruption of the US elections. The group deployed hundreds of fake accounts on Facebook and thousands on Twitter to target populations already divided by issues like immigration, gun control, and minority rights. These were early, “beta” efforts—propaganda on the cheap. All it required was figuring out how best to game the algorithms that fed Facebook news feeds, or fueled retweets on Twitter.

  Then they moved on to advertising. Between June 2015 and August 2017, investigators later discovered, the agency and groups linked to it spent thousands of dollars on Facebook ads each month—at a fraction of the cost for an evening of television advertising on a local American television station. The reach was surprisingly broad. In that period, Putin’s trolls reached up to 126 million Facebook users, while on Twitter they made 288 million impressions—seemingly stark numbers given that there are about 200 million registered voters in the US and only 139 million voted in 2016. But it is unknowable if they had much impact.

  Putin’s trolls posed as Americans or fake American groups on social media and promoted clear messages. Their Facebook posts might feature a doctored picture of Clinton shaking hands with Osama bin Laden or a comic depicting Satan arm-wrestling Jesus. “If I Win Clinton Wins,” the Satan figure says. “Not if I can help it,” the Jesus figure responds. (Users were encouraged to “Like” the image to help Jesus triumph, which in turn generated the Internet buzz needed to increase the picture’s visibility based on Facebook’s algorithm.) The purpose of the hundreds of posts like these, suggests Ryan Lizza’s reporting in the New Yorker, was to “overwhelm social media with a flood of fake content, seeding doubt and paranoia, and destroying the possibility of using the Internet as a democratic space.”

  Yet social-media savvy could take the Russians only so far. In order to meddle in the United States they needed a better understanding of American electoral politics. The agency dispatched two of its experts—a data analyst and a high-ranking member of the troll farm, Aleksandra Krylova and Anna Bogacheva—to the United States, where they spent three weeks touring purple states: California, Colorado, Illinois, Louisiana, Michigan, Nevada, New Mexico, New York, and Texas—while another operative scoped out Atlanta. Along the way, they did rudimentary research and developed an understanding of swing states, a concept for which there was no parallel in Russian politics. The information that these agency researchers gathered during their weeks in the United States helped the Russians develop an election-meddling strategy based on the importance of purple states to the electoral map. That allowed the IRA to target specific populations within these states that might be vulnerable to influence by social media campaigns operated by trolls across the Atlantic.

  In mid-2015—having mastered the art of social-media meddling—the trolls tested out a new tactic: organizing a live event in the United States, according to an investigation by the Russian business magazine RBC. Using Facebook accounts based in Saint Petersburg, they posed as Americans and lured users to a free hot-dog event in New York. Of course, the trolls in Saint Petersburg didn’t provide the promised food to the New Yorkers whom they watched gather through a publicly accessible webcam in Times Square; rather, it was a successful experiment proving that, from their screens in Russia, they could orchestrate events in the physical world. This seemingly small feat would soon move far beyond hot dogs, and into the realm of inciting clashes among rival American groups at political rallies in the “purple states” that the Russians were learning about. The magazine reported: “From this day, almost a year and a half before the election of the US President, the ‘trolls’ began full-fledged work in American society.”

  The use of Facebook events would evolve quickly. The following year the trolls recruited an actress to attend a rally for Trump in West Palm Beach dressed as Hillary Clinton in a prison uniform. She was paraded in a cage that was built by other Americans. Those Americans apparently didn’t know that they were being paid by Russians in Saint Petersburg.

  * * *

  —

  The Internet Research Agency was not the only “proxy” force that was stepping up its game against the United States. So were the hackers working for Russia’s several, often competing, intelligence agencies. And before they ever broke into the DNC, the most sophisticated team, the one working for the SVR—a descendant of the old KGB—had been focused on two juicy, high-value targets: the State Department and the White House.

  The first strike was against the State Department’s unclassified email system. (Like most government agencies, State maintained both a “high side” classified network and a separate “low side” network to communicate with the outside world.) It was a classic operation where the Russians inserted malware that created a link to their own command-and-control server abroad. When State Department staffers clicked on the “phishing” emails that the Russians had created, some purporting to be from American universities, the hackers were in. They could then copy emails at their leisure, hoping they might pick up some gossip, maybe a little policy debate, maybe an affair they could use for blackmail material.

  With luck, they may have also found clues about how to get into the “high side” systems—the classified systems. By the time Kevin Mandia and his firm’s experts came to look at the system, “the Russians were all over it,” he recalled. They had gone after specific, high-ranking officials, including, of course, Toria Nuland. What Mandia saw in the State Department’s system was an attack that was far more brazen than anything the Russians had attempted before. “They were just a lot more stealthy,” he said.

  Rumors of some kind of intrusion into the State Department systems had swirled in Foggy Bottom for weeks. The first hint I caught of the severity of the Russian hack came during a trip to Vienna on the third week of November 2014. A group of us, traveling with Secretary of State John Kerry, had landed in the city for another round of negotiations with Iran over its nuclear program. As I emailed and called American officials, a seemingly innocuous email message popped up from the State Department. Forget trying to get ahold of members of the offices of public affairs, much less Kerry’s negotiating team, by email over the weekend, it warned reporters. The entire State Department system was coming down for “system maintenance.”

  Eyes rolled. To anyone who had heard the rumors of a Russian intrusion, this reeked of a cover story. The real issue was obviously not maintenance, though the creaky system that connected the nation’s diplomats together seemed at times little better than two paper cups and a string. This sounded more like standard operating procedure for damage control: to conduct a digital exorcism and flush out intruders, the first thing you had to do was bring the system down.

  That wasn’t going to be easy. By this point getting the Russians out of the State Department systems had already proved too difficult for the Department of Homeland Security. They had called for reinforcements from the NSA, on the theory that it takes a cyber thief to catch one.

  Rick Ledgett, the man who had handled the Snowden investigation, suddenly found himself overseeing the operation to oust the Russians from the State Department networks. And he was cautioning that it had to be done right. He knew from bitter experience that while it was tempting to rush the ouster of a cyber invader, that was usually how you made mistakes. (The Navy learned this the hard way, when Admiral Rogers was the head of Fleet Cyber and Iranian hackers got inside their networks. The hackers were thrown out before all the implants they had put in the system were discovered, and soon they came back.) So the NSA experts started by identifying where the Russians were in the system, and where they had placed implants and a command-and-control center. Only then could the system be brought down, the invaders disconnected, and a new system raised, phoenixlike and hopefully with better security, in its place.

  “These guys were really dug in,” Kevin Mandia later told me. “And they weren’t planning on leaving. Usually, you shine a light on the malware, and the guys at the other end scatter like roaches.

  “Not the Russians. They had a point to make.”

  With some effort, a State Department team, backed up by Mandiant, the FBI, and the NSA, eventually chased the Russians out of the system. But it turned out they had just moved on.

  No sooner had the battle at the State Department begun to wrap up than the Russians turned up a mile away—inside the White House servers. “The State Department was just winding up,” Ledgett said, “and the White House was ramping up.” Once again, the attackers hit the unclassified “low side,” not the “high side” systems that run on different computers.

  The exorcism process began all over again. As they had at the State Department, the Russians made clear that, having started their White House tour, they had no intention of leaving the premises. In the White House system, it turned out that the NSA and its partners had walked into something of a digital ambush. The Russians were mounting the attack from command-and-control servers they had placed around the world, to help hide their identities. Every time the NSA’s teams of hackers cut the links, they found that the White House computers began communicating with new servers. No one had seen anything quite like it—a state-sponsored group of hackers in a digital dogfight.

  To the NSA’s team, it looked a bit like a video game with real-life consequences. “They seemed to be having a good time living in the White House system,” one of the American officials noted, somewhat ruefully.

  Later, Ledgett described what managing that battle was like, without ever mentioning that the hackers were from Moscow. “We saw for the very first time,” he said, that “instead of disappearing, [the hackers] fought back. And so it was basically hand-to-hand combat in a network where we would take an action, they would then counter that.”

  The NSA, he said, would “remove their command-and-control channel to the malware, to the code that they were running,” and the Russians “would counter that by introducing a new command-and-control channel.”

  In retrospect, it was also a new moment on the tactical battlefield of cyberspace, he said, “a new level of interaction between a cyberattacker and a defender.”

  Ledgett alluded to the fact that the NSA had a secret weapon of its own: It was “able to see them teeing up new things to do. So if you’re the defender and you see what the adversary’s gonna do,” he added with some understatement, “then that’s a really useful capability.”

  He appeared to be referring to some quiet help from the Netherlands. The tiny nation’s intelligence agencies, according to an investigation by two Dutch news organizations, had penetrated a university building off Red Square in Moscow, from which the group of Russian hackers sometimes called “Cozy Bear” operated. But the Dutch hadn’t just gotten into the computer systems, they also got into the building’s security cameras. “Not only can the intelligence service now see what the Russians are doing,” the Dutch report said, “they can also see who is doing it.”

  The Dutch alerted their intelligence liaisons in The Hague, and soon a link was created so that American intelligence agencies could see who was going in and out in real time. Those pictures were then fed into facial-recognition software so that it was possible to identify who was operating the computers.

  Suddenly everyone—from the NSA to the FBI, and the White House Communications Agency—was caught in the usual dilemma that arises when defenders identify invaders in their networks. Do they watch them, track their activities, maybe feed them some false information? Do they move quickly to throw them out? And were the Russians really seeking information, or did they want to get caught so they could learn about American detection capabilities?

  And most important, at least to the Russians: Was Obama willing to escalate a confrontation, or dismiss it as another moment in the endless spy-versus-spy games that both sides played?

  * * *

  —

  In the end, the Americans won the cyber battle in the State and White House systems, though clearly, as events played out, they did not fully understand how it was part of an escalation of a very long war.

  The battle for control of the computer networks at the State Department and the White House raised two big questions. First, why did the Russians choose to take on the United States so directly? And second, why did the Obama administration try to keep the whole series of incidents secret, including the hacks on the Pentagon and Congress?

  The answer to the first question seems simple: The Russian hackers were strutting their stuff for the same reason Russian generals parade their tanks and missiles just across the border from Lithuania. It was the 2014 equivalent of what fighter pilots used to do in the Cold War, flying to the edge of Soviet-controlled airspace to see what would happen as the Russians scrambled their fleet.

  “They were making it clear they were here to stay, and had the stuff to go up against our best,” a senior intelligence official said to me. “There was lots they were doing that was still hidden—like the election hack—but they wanted us to know they had entered the big leagues.”

  But the bigger mystery was Obama himself. Once again he had chosen not to call the Russians out. At one Situation Room meeting, he told his intelligence officials that this was “just espionage.” And if the United States was sloppy enough to let it happen, then the answer was to up our game on defense rather than think about retaliation.

  When this computer game was over, the Russians had retreated—though tactically, and not for long. They had moved up the learning curve fast. It’s unclear whether one could say the same of the Obama administration.

  * * *

  —

  Remarkably, even with the hacks of the State Department and the White House in recent hindsight, in the waning days of 2015, no one told senior White House officials about the major, Russian-led intrusion into the DNC. Nor did the leadership of the DNC know: Special Agent Hawkins later told FBI officials that he was hesitant to email anyone inside the committee for fear of tipping off the Russians. In the first few months of phone-tag with Tamene, he never bothered to take a twenty-minute lunchtime walk from the Washington Field Office to the DNC headquarters, which had long ago moved from the Watergate to far blander quarters on Capitol Hill. “We are not talking about an office that is in the middle of the woods of Montana,” said Shawn Henry, the former head of the FBI’s cyber division, whose company was ultimately called in to help investigate. “We are talking about an office that is half a mile from the FBI office that is getting the notification.”

  It was a stunning lack of judgment all the way around—a failure to grasp the gravity of an old threat wrapped in a new technology. It was also the beginning of a series of fumbles across the board that undercut America’s ability to react at a crucial point in time when it could have made a difference.

  * * *

  —

  While the Americans dithered, the Russians feasted. The communications failures between the DNC and the FBI gave Putin’s hackers what they needed most: time. Exposed but not yet thwarted, they had the luxury of exploring every nook and cranny of the DNC’s main server, which was only slightly larger than a laptop computer. Once this was drained, they moved on to targets outside the DNC.

  Finally, by March 2016, six months after the initial calls, Tamene and his colleagues had met the FBI at least twice and now seemed convinced that Hawkins was, in fact, an FBI agent.
