NOTE: Aside from the anecdote about the typo in the IT staffer’s email, and the final quote from DNI Dan Coats, everything in this article comes straight from the FBI indictments linked at the bottom of this page.
Russia hacked our elections. This is how they did it.
The FBI has released two criminal indictments describing the Russian hacking and influence operations during the 2016 election. The picture they paint is incredibly detailed and deeply disturbing.
In this article, I’ll describe exactly what the FBI discovered and explain why we still have reason to worry. Quotations are taken directly from the criminal indictments released by the FBI Special Counsel’s office.
The story begins in 2013, when a new initiative, the Internet Research Agency, rose out of Russian military intelligence, aimed at changing US public policy by influencing American elections. According to the indictments, this agency employed hundreds of people, working both day and night shifts, ranging from “creators of fictitious personas to the technical and administrative support.” Its budget totaled “millions of US dollars” a year.
In 2014, the Internet Research Agency began studying American social media trends, particularly “groups on US social media sites dedicated to US politics and social issues.” They examined things like “the group’s size, the frequency of content placed by the group, and the level of audience engagement with the content, such as the average number of comments or responses to a post.” Their goal was to understand the mechanics of social media success in order to make their future influence operations in the United States more effective.
Using what they learned, they “created hundreds of social media accounts and used them to develop certain fictitious US personas into ‘leader[s] of public opinion’ in the United States.”
Sometime in 2015, the Russians began buying ads on social media to enhance their online profiles and to reach a wider audience. Soon they were “spending thousands of US dollars every month” on ads.
By the 2016 election season, Russian-controlled social media groups had “grown to hundreds of thousands of online followers.” These groups addressed a wide range of issues in the United States, including: immigration; social issues like Black Lives Matter; religion, particularly relating to Muslim Americans; and certain geographic regions, with groups like “South United” and “Heart of Texas.”
They often impersonated real Americans or American organizations, such as the Russian-controlled Twitter account @TEN_GOP, which claimed in its profile to represent the Tennessee Republican Party. By November 2016, this Twitter account had attracted over 100,000 followers.
From the very beginning, Russian strategy was to pass themselves off as American, and they went to great lengths to accomplish this. They bought the personal information and credit card numbers of real Americans from identity thieves on the dark web, and used those credentials to create fake social media profiles and open bank accounts to pay for their online activities.
With this network of social media accounts, they staged rallies and protests in New York, North Carolina, Pennsylvania and, especially, Florida. These rallies were organized online, but the Russians often engaged real Americans to promote and participate in them. For example, in Florida, they “used false US personas to communicate with Trump Campaign staff involved in local community outreach.” At some rallies, they asked a “US person to build a cage on a flatbed truck and another US person to wear a costume portraying Clinton in a prison uniform.”
Staging rallies and spreading disinformation via social media was not all they were up to though. At the same time, they were trying to break into the email accounts of Clinton Campaign staffers, and to hack the computer networks of the Democratic Congressional Campaign Committee (DCCC) and the Democratic National Committee (DNC).
Starting in March 2016, according to the indictments, the Russians began sending “spearphishing” emails to employees at the DCCC, DNC, and the Clinton Campaign. These were emails mocked up to look like security notices from the recipient’s email provider, containing a link to a webpage that resembled an official password-change form. The page was actually controlled by Russian military intelligence, waiting to snatch the victim’s password as soon as they entered it.
One of their first targets was Clinton Campaign Chairman John Podesta. He received an email, apparently from Google, asking him to click a link and change his password. Suspicious, he forwarded the email to the campaign’s IT staff, and unfortunately received the reply: “This is a legitimate email. John needs to change his password immediately.” Dutifully, Podesta clicked the link and changed his password. The Russians were waiting. They promptly broke into his account and stole 50,000 emails. The IT staffer later claimed he had made a typo and instead meant to write, “This is not a legitimate email.” Never has a typo been more consequential.
In another case detailed in the indictments, the Russians created an email address nearly identical to a well-known Clinton campaign staffer. The address of this account deviated from the staffer’s real email address by only a single letter. Then, posing as that staffer, they sent spearphishing emails to more than 30 Clinton Campaign employees.
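Both tricks described above, a password-change link that leads somewhere other than the real provider, and a sender address one letter off from a real colleague's, are mechanical enough for a mail gateway to flag. The following is an added illustration, not code from the indictments or from any campaign; the staff roster, the trusted provider host and the sample messages are all constructed for the example.

```python
"""Flag the two spearphishing indicators described in the article.
Added example: hypothetical roster, hosts and messages, all constructed."""
from urllib.parse import urlparse

# Hypothetical roster of legitimate campaign addresses (constructed).
KNOWN_STAFF = {"jane.doe@example-campaign.org", "john.smith@example-campaign.org"}
# Hosts the real email provider would send a password-change link to (hypothetical).
TRUSTED_LINK_HOSTS = {"accounts.example-mail.com"}


def edit_distance(a, b):
    """Levenshtein distance between two strings (classic dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_sender(sender, max_edits=1):
    """Return the staff address `sender` imitates (within max_edits), else None.
    The indictment describes a one-letter deviation; raise max_edits to widen the net."""
    sender = sender.lower()
    if sender in KNOWN_STAFF:
        return None  # an exact match is the real colleague, not an impostor
    for real in KNOWN_STAFF:
        if edit_distance(sender, real) <= max_edits:
            return real
    return None


def untrusted_links(urls):
    """Links whose host is not the genuine provider (the fake password form)."""
    return [u for u in urls if urlparse(u).hostname not in TRUSTED_LINK_HOSTS]


def phishing_indicators(msg):
    """msg: {'from': sender address, 'links': list of URLs}. Returns findings."""
    findings = []
    imitated = lookalike_sender(msg["from"])
    if imitated:
        findings.append(f"sender {msg['from']} is one edit from staffer {imitated}")
    for url in untrusted_links(msg["links"]):
        findings.append(f"link points to untrusted host {urlparse(url).hostname}")
    return findings


# Constructed sample messages: a genuine notice and a lookalike spearphish.
SAMPLES = [
    {"from": "jane.doe@example-campaign.org", "links": ["https://accounts.example-mail.com/reset"]},
    {"from": "jane.dae@example-campaign.org", "links": ["http://evil-example.test/change-password"]},
]
```

Running `phishing_indicators` over each entry in `SAMPLES` yields no findings for the first and two findings for the second, one per trick.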
The Russians also used this technique to hack into the computer network of the DCCC. After gaining entry, they “installed and managed different types of malware to explore the DCCC network and steal data.” Once the malware had been installed, the Russians were able to take screenshots and capture every keystroke on the infected machines.
One of those hacked computers was used by a DCCC employee who also had access to the DNC computer network. When that user logged into the DNC network, the Russians stole their username and password and proceeded to invade the DNC network as well, installing Russian-developed malware on more than thirty DNC computers.
And the Russians stole more than emails. They took “gigabytes of data from DNC computers,” including opposition research, analytic data used for campaign strategy, and personal information on Democratic donors, among other things.
Then in June 2016, the hackers “constructed the online persona DCLeaks to release and publicize stolen election-related documents.” This persona included the website DCLeaks.com, along with a companion Twitter account and a Facebook page, where they claimed to be a group of “American hacktivists.”
However, a month earlier, the DNC and DCCC had finally become aware of the intrusions into their networks and hired a cybersecurity firm to investigate and prevent additional attacks. Shortly after the launch of the DCLeaks website, this firm finished its investigation and published its findings, identifying Russia as the source of the attacks.
In response to this allegation, and to further sow disinformation about the attacks, the Russians created a new online persona, Guccifer 2.0, who claimed to be a “lone Romanian hacker” and solely responsible for the cyber-attacks.
Under the guise of Guccifer 2.0, the Russians gave media interviews, provided a US Congressional candidate with “stolen documents related to the candidate’s opponent,” transferred “gigabytes of data stolen from the DCCC to a then-registered state lobbyist and online source of political news,” and coordinated with the website WikiLeaks.org in order to time the release of stolen documents to coincide with critical points in the 2016 election.
For example, shortly after the emergence of the Guccifer 2.0 persona, WikiLeaks, a website responsible for previous disclosures of government data like the secret NSA surveillance files of 2013, contacted Guccifer 2.0 by email, saying, “if you have anything hillary related we want it in the next tweo [sic] days prefable [sic] because the DNC [Democratic National Convention] is approaching and she will solidify bernie supporters behind her after.” Guccifer 2.0 replied, “ok … i see.” Then WikiLeaks explained further, “we think trump has only a 25% chance of winning against hillary … so conflict between bernie and hillary is interesting.”
On July 22, three days before the start of the Democratic National Convention, WikiLeaks released “20,000 emails and other documents stolen from the DNC network.” In the months following, they would release thousands more. Each of these timed releases was supported and promoted by the Russians’ extensive social media network.
The Russians didn’t only target the Clinton Campaign and Democratic committees. They also tried to “hack into protected computers of persons and entities charged with the administration of the 2016 US elections in order to access those computers and steal voter data and other information.”
In some cases, they succeeded. In July 2016, they hacked the website of a state board of elections and “stole information related to approximately 500,000 voters, including names, addresses, partial social security numbers, dates of birth, and driver’s license numbers.” Then in August, the Russian hackers broke into the computers of “a US vendor that supplied software used to verify voter registration information for the 2016 US elections.”
During our 2016 election, Russian military intelligence launched an extensive and multi-pronged influence campaign on the American people. It was an operation three years in the making, and its purpose was “to sow discord in the US political system.” By any measure, it was a great success.
In closing, I’ll leave you with the words of Dan Coats, Director of National Intelligence, from a speech at the Hudson Institute only a few weeks ago: “In the months prior to September 2001 … the system was blinking red. And here we are nearly two decades later, and I’m here to say the warning lights are blinking red again. Today, the digital infrastructure that serves this country is literally under attack.”
Let’s not ignore those blinking red lights a second time. Our democracy depends on our diligence.
Eric W. Austin writes about technology and community issues. He can be reached by email at firstname.lastname@example.org.
To read the FBI indictments referenced in this article, click the links below to download them: