FireEye is disregarding what Hamilton 68 shows. Russian trolls are stoking the fire surrounding the Kavanaugh confirmation hearings on both Twitter and Facebook.
True, we have not seen hack and leak attacks – yet. It is now October; an “October Surprise” would not have arrived yet. I’m not saying it will, however.
Influence operations by Russia’s Internet Research Agency are becoming more sophisticated, but so far there have not been any hack-and-leak operations or attacks on election infrastructure of the kind seen in 2016, according to FireEye.
Russia’s original strategic goals for its information operations during the 2016 US presidential election were to “sow discord and undermine confidence in institutions and democracy”, according to Lee Foster, manager of information operations analysis at FireEye Intelligence.
“They may be taking a step back this time,” he told journalists at the FireEye Cyber Defense Summit in Washington DC on Wednesday, referring to America’s upcoming 2018 midterm elections taking place in early November.
“The divisions are already there. Russia is in a happy place right now, given what the national political situation looks like in the US.”
One of the worst things that could happen for Russia is to engage in a very direct attempt to influence the election that is immediately attributed to it, Foster said. That would completely negate the entire narrative it’s been pushing, which is that it wasn’t involved in 2016.
Two years ago, Foster said there were three prongs to Russia’s influence activities:
- Hack-and-leak operations, which included work by personas such as Guccifer 2.0, which claimed to have hacked the Democratic National Committee (DNC) and leaked its emails; the website DCLeaks that published leaked emails from a number of political figures, and which is believed to be a front for cyber espionage group Fancy Bear; and Anonymous Poland, which also conducted information operations in connection with Ukraine;
- Attacks on election infrastructure, such as voter registration databases; and
- Disinformation, social media manipulation, and what is casually termed “trolling”.
Things are different in 2018.
“We haven’t seen hack-and-leak operations happen yet. That doesn’t mean they won’t occur. It’s possible they will. As time progresses, the likely impact of those is going to be reduced, because there does need [to be] time for the dissemination, and for current narratives to build up around them. But there is still time,” Foster said.
There have been reports that some US politicians have been targeted by intrusion operations, but Foster downplayed their importance.
“I just want to lay out from the outset that that is not unusual. That has always existed in the espionage space, and that’s why here I don’t say we’ve seen, potentially, hack-and-leak operations, because we haven’t seen any leaks stem from these yet,” he said.
“We haven’t seen any election infrastructure targeting so far. We have seen a continuation and evolution of the disinformation, the social media manipulation, and trolling side of things.”
Russia’s Internet Research Agency (IRA), a business based in St Petersburg, is the primary so-called “troll factory”. It has been conducting information operations since late 2013. According to FireEye Intelligence analyst Cosimo Mortola, those operations are becoming increasingly sophisticated and harder to track.
“When we were looking at their activity in 2014 and 2015, their campaigns on Twitter were very easy to identify,” Mortola said.
It would push a disinformation campaign on a specific day or two, and the rest of the time the content would be “apolitical filler, so spam-like content”, making it easy to identify the campaign.
“Contrast that with today, where there’s a lot more interweaving of the disinformation campaigns. They’re more constant.”
IRA has moved from creating its own hashtags to attaching disinformation to existing hashtags. By mingling in with “real people”, it’s harder to figure out which accounts are actually IRA. It’s also retweeting a lot more legitimate users, which helps reduce the amount of stilted English that might give it away as fake.
IRA also appears to have improved its operational security.
“Between 2014 and 2016, there were seven whistleblowers that spoke with the press, who said they were former IRA employees … since 2016, we’ve only seen two former IRA employees speak to the press,” Mortola said.
“That may be indicative that the IRA’s keeping a tighter lid, or that IRA employees are more afraid to come out.”
FireEye has identified an influence campaign on YouTube, posting comments that are “in line with Russian state interests”.
“We know with high confidence that the IRA is currently active on YouTube in Russian. They’re targeting Russian domestic audiences, potentially Ukrainian audiences, but Russian-speaking audiences. We’ve been tracking this for several months,” Mortola said.
FireEye is now seeing the same sort of activity in English, with comments posted on Western news stories from outlets such as the BBC, Fox News, and Al Jazeera English. FireEye assesses with “low confidence” that the IRA is also behind this activity.
According to Mortola, the accounts are pro-Brexit, aiming to create a divided Europe. They criticise heads of state in Europe and immigration policies, spread anti-Muslim sentiment, and attack specific government activities such as the British education system.
The move to operations on YouTube in English is significant, because YouTube is the second most visited website after Google, with Facebook in third place.
FireEye has also seen the artificial boosting on Reddit of stories from inauthentic news site USA Really, among others. Similar activity has been seen on far-right “free speech” site Gab.
In the lead-up to the French elections in 2017, there was also the artificial boosting of links to leaked material on 4chan and 8chan.
Disclosure: Stilgherrian traveled to Washington DC as a guest of FireEye.