The Special Counsel’s report into Russian interference in the 2016 U.S. presidential election is out. TechCrunch is exploring hacking, disinformation, surveillance and more.
Russian operatives successfully targeted and hacked “at least one” Florida county government in the run up to the 2016 U.S. presidential election, according to new findings by the Special Counsel Robert Mueller.
The report, published Thursday by the Justice Department, said the county was targeted by the Russian intelligence service, known as the GRU. The hackers sent spearphishing emails to more than 120 email accounts used by county officials responsible for administering the election, the report said.
According to the findings:
In August 2016, GRU officers targeted employees of [REDACTED], a voting technology company that developed software used by numerous U.S. counties to manage voter rolls, and installed malware on the company network… the spearphishing emails contained an attached Word document coded with malicious software (commonly referred to as a Trojan) that permitted the GRU to access the infected computer.
The findings are a significant development from previous reporting that said Florida’s election systems were merely targets of the Russian operatives.
Sen. Bill Nelson (D-FL) was derided after he claimed just days before his eventual re-election that hackers had gained access to the state’s election systems. According to NBC News, some of Nelson’s assertions were based off classified information that was not yet public.
Nelson’s remarks came almost a year after The Intercept published a classified document — later discovered to have been sent by since-jailed NSA whistleblower Reality Winner — showing that intelligence pointed to a concerted effort by the GRU to target election infrastructure. The NSA said the hackers sent to state government officials emails impersonating voting technology company VR Systems.
The Orlando Sentinel confirmed Thursday following the release of Mueller’s report’s that Volusia County was sent infected emails containing malware, suggesting Volusia County — north of Orlando — may have been the target.
Mueller’s report confirmed that the FBI investigated the incident.
The office of Florida’s secretary of state said that Florida’s voter registration system “was and remains secure,” and “official results or vote tallies were not changed.”
Two years later, following the 2018 midterm elections, the Justice Department and Homeland Security said there was “no evidence” of vote hacking or tampering.
A single paragraph in the Mueller report out Thursday offers an interesting look into how the Special Counsel’s investigation came head-to-head with associates of President Trump who used encrypted and ephemeral messaging to hide their activities.
From the report:
Further, the Office learned that some of the individuals we interviewed or whose conduct we investigated-including some associated with the Trump Campaign — deleted relevant communications or communicated during the relevant period using applications that feature encryption or that do not provide for long-term retention of data or communications records. In such cases, the Office was not able to corroborate witness statements through comparison to contemporaneous communications or fully question witnesses about statements that appeared inconsistent with other known facts.
The report didn’t spell out specifics of whom or why, but clearly Mueller wasn’t happy. He was talking about encrypted messaging apps that also delete conversation histories over a period of time. Apps like Signal and WhatsApp are popular for this exact reason — you can communicate securely and wipe any trace after the fact.
Clearly, some of Trump’s associates knew better.
But where prosecutors who have faced similar setbacks with individuals using encrypted messaging apps to hide their tracks have often attacked tech companies for building the secure apps, Mueller did not. He just stated a fact and left it at that.
For years, police and law enforcement have lobbied against encryption because they say it hinders investigations. More and more, apps are using end-to-end encryption — where the data is scrambled from one device to another — so that even the tech companies can’t read their users’ messages. But just as criminals use encrypted messaging for bad, ordinary people use encrypted messaging to keep their conversations private.
According to the report, it wasn’t just those on the campaign trail. The hackers associated with the Russian government and WikiLeaks, both of which were in contact following the breaches on Hillary Clinton’s campaign and the Democratic National Committee, took efforts to “hide their communications.”
Not all of Trump’s associates have fared so well over the years.
Michael Cohen, Trump’s former personal attorney, learned the hard way that encrypted messaging apps are all good and well — unless someone has your phone. Federal agents seized Cohen’s BlackBerry, allowing prosecutors to recover streams of WhatsApp and Telegram chats with Trump’s former campaign chief Paul Manafort.
Manafort, the only person jailed as part of the Mueller investigation, also tripped up after his “opsec fail” after prosecutors obtained a warrant to access his backed-up messages stored in iCloud.
On Thursday, Attorney General William Barr released the long-anticipated Mueller report. With it comes a useful overview of how Russia leveraged U.S.-based social media platforms to achieve its political ends.
While we’ve yet to find too much in the heavily redacted text that we didn’t already know, Mueller does recap efforts undertaken by Russia’s mysterious Internet Research Agency or “IRA” to influence the outcome of the 2016 presidential election. The IRA attained infamy prior to the 2016 election after it was profiled in depth by the New York Times in 2015. (That piece is still well worth a read.)
Considering the success the shadowy group managed to achieve in infiltrating U.S. political discourse — and the degree to which those efforts have reshaped how we talk about the world’s biggest tech platforms — the events that led us here are worth revisiting.
IRA activity begins in 2014
In Spring of 2014, the special counsel reports that the IRA started to “consolidate U.S. operations within a single general department” with the internal nickname the “translator.” The report indicates that this is the time the group began to “ramp up” its operations in the U.S. with its sights on the 2016 presidential election.
At this time, the IRA was already running operations across various social media platforms, including Facebook, Twitter and YouTube. Later it would expand its operations to Instagram and Tumblr as well.
Stated anti-Clinton agenda
As the report details, in the early stages of its U.S.-focused political operations, the IRA mostly impersonated U.S. citizens but into 2015 it shifted its strategy to create larger pages and groups that pretended to represent U.S.-based interests and causes, including “anti-immigration groups, Tea Party activists, Black Lives Matter [activists]” among others.
The IRA offered internal guidance to its specialists to “use any opportunity to criticize Hillary [Clinton] and the rest (except Sanders and Trump – we support them” in early 2016.
While much of the IRA activity that we’ve reported on directly sowed political discord on divisive domestic issues, the group also had a clearly stated agenda to aid the Trump campaign. When the mission strayed, one IRA operative was criticized for a “lower number of posts dedicated to criticizing Hillary Clinton” and called the goal of intensify criticism of Clinton “imperative.”
That message continued to ramp up on Facebook into late 2016, even as the group also continued its efforts in issued-based activist groups that, as we’ve learned, sometimes inspired or intersected with real life events. The IRA bought a total of 3,500 ads on Facebook for $100,000 — a little less than $30 per ad. Some of the most successful IRA groups had hundreds of thousands of followers. As we know, Facebook shut down many of these operations in August 2017.
IRA operations on Twitter
The IRA used Twitter as well, though its strategy there produced some notably different results. The group’s biggest wins came when it managed to successfully interact with many members of the Trump campaign, as was the case with @TEN_GOP which posed as the “Unofficial Twitter of Tennessee Republicans.” That account earned mentions from a number of people linked to the Trump campaign, including Donald Trump Jr., Brad Parscale and Kellyanne Conway.
As the report describes, and has been previously reported, that account managed to get the attention of Trump himself:
“On September 19, 2017, President Trump’s personal account @realDonaldTrump responded to a tweet from the IRA-controlled account @ l0_gop (the backup account of @TEN_ GOP, which had already been deactivated by Twitter). The tweet read: “We love you, Mr. President!”
The special counsel also notes that “Separately, the IRA operated a network of automated Twitter accounts (commonly referred to as a bot network) that enabled the IRA to amplify existing content on Twitter.”
Real life events
The IRA leveraged both Twitter and Facebook to organize real life events, including three events in New York in 2016 and a series of pro-Trump rallies across both Florida and Pennsylvania in the months leading up the election. The IRA activity includes one event in Miami that the then-candidate Trump’s campaign promoted on his Facebook page.
While we’ve been following revelations around the IRA’s activity for years now, Mueller’s report offers a useful birds-eye overview of how the group’s operations wrought havoc on social networks, achieving mass influence at very little cost. The entire operation exemplified the greatest weaknesses of our social networks — weaknesses that up until companies like Facebook and Twitter began to reckon with their role in facilitating Russian election interference, were widely regarded as their greatest strengths.
Facebook? Sure. Instagram? Yup, that too. YouTube? Twitter? Oh my, yes. Even Tumblr makes an appearance (LOL. Tumblr).
Apparently the Russians used the platform (alongside Facebook and the rest) to facilitate their real-life trolling campaigns.
The Russian influence operations included things like recruiting individuals to walk around New York City “dressed up as Santa Claus with a Trump mask” (the relevant section is on page 32 of the Mueller report). Craigslist may have also been used in other schemes — like hiring a self-defense instructor to offer classes sponsored by a Russian operative working under the persona “Black Fist” to teach African-Americans how to protect themselves in encounters with law enforcement.
The fact that Russians affiliated with the Internet Research Agency were using Craigslist in addition to all of the other tech tools at their disposal is interesting and comes from a footnote in the Mueller report.
We don’t know the full extent of contacts between Russian operatives and Craigslist and have reached out to them for comment.
The Mueller report contains new information about how the Russian government hacked documents and emails from Hillary Clinton’s presidential campaign and the Democratic National Committee.
At one point, the Russians used servers located in the U.S. to carry out the massive data exfiltration effort, the report confirms.
Much of the information was previously learned from the indictment of Viktor Borisovich Netyksho, the Russian officer in charge of Unit 26165. Netyksho is believed to be still at large in Russia.
But new details in the 488-page redacted report released by the Justice Department on Thursday offered new insight into how the GRU operatives hacked.
The operatives working for the Russian intelligence directorate, the GRU, sent dozens of targeted spearphishing emails in just five days to the work and personal accounts of Clinton Campaign employees and volunteers, as a way to break into the campaign’s computer systems.
The GRU hackers also gained access to the email account of John Podesta, Clinton’s campaign chairman, of which its contents were later published.
Using credentials they stole along the way, the hackers broke into the networks of the Democratic Congressional Campaign Committee days later. By stealing the login details of a system administrator who had “unrestricted access” to the network, the hackers broke into 29 computers in the ensuing weeks, and more than 30 computers on the DNC.
The operatives, known collectively as “Fancy Bear,” comprised several units tasked with specific operations. Mueller formally blamed Unit 26165, a division of the GRU specializing in targeting government and political organizations, for taking on the “primary responsibility for hacking the DCCC and DNC, as well as email accounts of individuals affiliated with the Clinton Campaign,” said the Mueller report.
The hackers used Mimikatz, a hacking tool used once an intruder is already in a target network, to collect credentials, and two other kinds of malware: X-Agent for taking screenshots and logging keystrokes, and X-Tunnel used to exfiltrate massive amounts of data from the network to servers controlled by the GRU. Mueller’s report found that Unit 26165 used several “middle servers” to act as a buffer between the hacked networks and the GRU’s main operations. Those servers, Mueller said, were hosted in Arizona — likely as a way to obfuscate where the attackers were located but also to avoid suspicion or detection.
In all, some 70 gigabytes of data were exfiltrated from Clinton’s campaign servers and some 300 gigabytes of data were obtained from the DNC’s network.
Meanwhile, another GRU hacking unit, Unit 74455, which helped disseminate and publish hacked and stolen documents, pushed the stolen data out through two fictitious personas. DCLeaks was a website that hosted the hacked material, while Guccifer 2.0 was a hacker-like figure who had a social presence and would engage with reporters.
Under pressure from the U.S. government, the two GRU-backed personas were shut down by the social media companies. Later, tens of thousands of hacked files were funneled to and distributed by WikiLeaks.
Mueller’s report also found a cause-and-effect between Trump’s remarks in July 2016 and subsequent cyberattacks.
“I hope you’re able to find the 30,000 emails that are missing,” said then-candidate Trump at a press conference, referring to emails Clinton stored on a personal email server while she headed the State Department. Mueller’s report said “within approximately five hours” of those remarks, GRU officers began targeting for the first time Clinton’s personal office.
More than a dozen staffers were targeted by Unit 26165, including a senior aide. “It is unclear how the GRU was able to identify these email accounts, which were not public,” said Mueller.
Mueller said the Trump campaign made efforts to “find the deleted Clinton emails.” Trump is said to have privately asked would-be national security advisor Michael Flynn, since convicted following inquiries by the Special Counsel’s office, to reach out to associates to obtain the emails. One of those associates was Peter Smith, who died by suicide in May 2017, who claimed to be in contact with Russian hackers — claims which Mueller said were not true.
Does that implicate the Trump campaign in an illegal act? Likely not.
“Under applicable law, publication of these types of materials would not be criminal unless the publisher also participated in the underlying hacking conspiracy,” according to Elie Honig, a CNN legal analyst. “The special counsel’s report did not find that any person associated with the Trump campaign illegally participated in the dissemination of the materials.”
The Mueller report has been published. It was posted at 11am ET, a month after Special Counsel Robert Mueller submitted his findings to the Justice Department examining Russian interference in the 2016 U.S. presidential election.
Per remarks by U.S. attorney general William Barr speaking this morning, there are three major components to the report:
- How the Russian troll farm, the so-called Internet Research Agency, used social media and disinformation to sow uncertainty and doubt among American voters;
- The involvement of the Russian government’s intelligence unit, the GRU, in hacking into computers belonging to the Democratic National Committee and the Hillary Clinton campaign to steal documents and emails;
- And the investigation of the Trump campaign’s links and connections over possible collusion with the Russian government during the 2016 presidential election,
If there weren’t enough obstacles already standing between Congress and the results of the special counsel’s multiyear investigation, lawmakers are expecting to need an optical drive to read the document.
A Justice Department official told the Associated Press that a CD containing the Mueller report would be delivered to Congress tomorrow between 11 and noon Eastern. At some point after the CDs are delivered, the report is expected to be made available to the public on the special counsel’s website.
Any Congressional offices running Macs will likely have to huddle up with colleagues who still have a CD-capable drive. Optical drives disappeared from Apple computers years ago. With people increasingly reliant on cloud storage over physical storage, they’re no longer as popular on Windows machines either.
Tomorrow’s version of the report is expected to come with a fair amount of detail redacted throughout, though a portion of Congress may receive a more complete version at a later date. The report’s release on Thursday will be preceded by a press conference hosted by Attorney General William Barr and Deputy Attorney General Rod Rosenstein. If you ask us, there’s little reason to tune into that event rather than waiting for substantive reporting on the actual contents of the report once it’s out in the wild. Better yet, hunker down and read some of the 400 pages yourself while you wait for thoughtful analyses to materialize.
Remember: No matter what sound bites start flying tomorrow morning, digesting a dense document like this takes time. Don’t trust anyone who claims to have synthesized the whole thing right off the bat. After all, America has waited this long for the Mueller report to materialize — letting the dust settle won’t do any harm.
After nearly two years of investigation and months of delays — not to mention partisan bickering the whole time, Special Counsel Robert Mueller’s report on the president’s campaign and Russian interference in the 2016 election is out today.
We’re not a politics news site but we’re still looking into it — tech has figured more prominently than ever in the last few years and understanding its role in what could be a major political event is crucial for the industry and government both.
The report and discussion thereof is bound to be highly politically charged from the get-go and the repercussions from what is disclosed therein are sure to reach many in and out of office. But there are also interesting threads to pull as far as events and conspiracies that could only exist online or using modern technology and services, and for these the perspective of technology, not politics, reporting may be best suited to add context and interpretation.
What do we expect to find in the report that is of particular interest to the tech world?
The topic that is most relevant and least explored already is the nature of Russia’s most direct involvement in the 2016 election, namely the hack of the Democratic National Committee email server, attributed to Russia’s GRU intelligence unit, and funneling of this information to WikiLeaks and the Trump campaign. The recent arrest of Julian Assange may prove relevant here.
The report will illuminate many things relating to these events, not necessarily technical details — although they may have been furnished by any number of parties — but plans, dates, people involved, and networks through which the hack and resulting data were communicated. Why was this added to Mueller’s pile in the first place? What about Assange? Who knew about the hack and when, and what does that imply?
Another topic, which seems more well trodden but about which we can never seem to know enough, is the origin and extent of Russian “troll farm” activity through the so-called Internet Research Agency. We’ve seen a great deal of their work as part of the ongoing barbecue of Facebook’s leadership, and to a lesser extent other social media platforms, but there’s much we don’t know as well.
Was there coordination with some U.S. entities? How was the content created, and the topics chosen? Was there a stated outcome, such as dividing the electorate or damaging Clinton’s reputation? Was this contiguous with earlier operations? How, if at all, did it change once Trump was named the Republican candidate, and was this related to other communications with his campaign?
The last of our topics of most likely interest is that of the technological methods employed by Mueller in his investigation. Previous investigations of this scale into the activities of sitting presidents and their campaigns have occurred in completely different eras, when things like emails, metadata, and encrypted messaging weren’t, as they are today, commonplace.
How did Mueller pursue and collect privileged communications on, for example, private email servers and hosted web services? What services and networks were contacted, and how did they respond? How were the U.S.’ surveillance tools employed? What about location service from tech giants or telecoms? Was other garden-variety metadata — the type we are often told is harmless and which is often unregulated — used in the investigation to any effect?
We will be poring over the report with these thoughts and ideas in mind but also with an eye to any other interesting tech-related item that may appear. Perhaps that private server used “admin/password” as their login. Perhaps GRU agents were communicating using a cryptographic method known to be unsafe. Perhaps the vice-president uses a Palm Pre?
We’ll leave the politics to cable news and D.C. insiders, but tech is key to this report and we aim to explain why and how.