Russian Cyber Operations: Insights from The Mueller Report
By Terry L. Thompson
Much of the public attention on the Mueller Report has focused on questions regarding collusion and obstruction of justice. While these are important issues, the Mueller team also documented eye-opening information about the cyber tactics, techniques, and procedures used by the Russians in a coordinated effort to sow discord in American public opinion and affect the 2016 elections. Manipulating social media and hacking and then distributing internal emails from the Democratic National Committee and Democratic Congressional Campaign Committee, highly skilled and well-organized Russian civilian and military cyber experts preyed on unsuspecting Americans in unprecedented information operations conducted against the United States. Volume I of the Mueller Report documents Russian activities in detail rarely seen in an unclassified government document, leaving no doubt about Russian intentions to interfere in U.S. politics and society. Even though some sentences have been redacted to prevent harm to ongoing investigations or legal proceedings or to protect individual privacy, the published report provides significant insights into Russian cyber operations against the United States from 2014 to 2016, operations which echoed Soviet propaganda and disinformation techniques used during the Cold War. (1)
Social Media Operations
Volume I, Section II documents the “Russian ‘active measures’ social media campaign” conducted by the Internet Research Agency (IRA) beginning in 2014. “Active measures” are defined in the report as “operations conducted by Russian security services aimed at influencing the course of international affairs.” The reference for this definition is missing from the “Notes” section, but it is very close to the definition provided in a 1984 book by Richard Schultz and Roy Godson about Soviet active measures and disinformation operations. That definition provides more context and is worth quoting in full:
Soviet leaders use the term ‘active measures’ (aktivnyye meropriatiya) to describe an array of overt and covert techniques for influencing events and behavior in, and the actions of, foreign countries. Prior to the 1960s, the term dezinformatsiya was used in some Soviet circles to describe these instruments. Active measures may entail influencing the policies of another government, undermining confidence in its leaders and institutions, disrupting relations between other nations, and discrediting and weakening governmental and non-governmental opponents. This frequently involves attempts to deceive the target (foreign governmental and non-governmental elites or mass audiences), and to distort the target’s perceptions of reality. (2)
While Schultz and Godson describe Soviet influence operations and propaganda efforts to divide the West and disrupt NATO in the 1960s to the 1980s, it’s clear from the Mueller Report that the Russians used the same playbook to develop their information operations against the U.S. election. The playbook has been updated since Vladimir Putin began his third term as Russian president in 2012 when he became aware of the use of social media to influence public opinion.
Information operations became central to Russia’s military doctrine in 2013 when Chief of the Russian General Staff Valery Gerasimov described the importance of “information conflict” as a key means of modern warfare. In what has frequently been termed the “Gerasimov Doctrine,” the general noted that manipulating the adversary’s information space and political system can be an effective way to overcome an enemy, especially one with stronger military forces. And in 2014, a “troll army” was unleashed against VKontakte (Russian for “In Contact”), a Russian-language social media platform, to distort public opinion in Ukraine in the aftermath of Russia’s annexation of Crimea. (3)
Putin’s updated version of “dezinformatsiya” was deployed effectively in countries of the former Soviet Union and in Europe, where Russian active measures have been used to influence elections, prop up governments favored by Russia, threaten energy security, and in general to influence political and social outcomes favorable to Russia. (4)
The Mueller Report documents numerous tactics, techniques, and procedures used in the IRA’s social media campaign that clearly echo the strategy and approach of those earlier operations. The IRA’s activities included:
- Operating social media accounts and group pages using the names of fictitious U.S. persons
- Sending IRA operatives to the United States to gather information and photographs for use in IRA social media campaigns
- Using false identities to communicate with U.S. persons to gain support for and coordinate the staging of political rallies
The numbers involved are staggering. “Multiple IRA-controlled Facebook groups and Instagram accounts had hundreds of thousands of U.S. participants. IRA-controlled Twitter accounts separately had tens of thousands of followers, including U.S. political figures who retweeted IRA-created content.” Facebook identified 470 accounts controlled by the IRA and estimated that IRA content reached more than 125,000 Americans through 80,000 posts. Twitter identified more than 3,800 IRA-controlled accounts that may have reached 1.4 million Americans. (Mueller Report, pp. 52-53)
Like Soviet-era influence operations, the IRA’s activities were highly organized and well-funded. They also are apparently a subset of a “larger set of interlocking operations known as ‘Project Lakhta’.” Further explanations of this intriguing reference are redacted from the report. However, in October 2018, the Department of Justice indicted Elena Alekseevna Khusyaynova, who served as the “chief accountant of ‘Project Lakhta.’” This project is further described in the indictment as:
…A Russian umbrella effort funded by Russian oligarch Yevgeniy Viktorovich Prigozhin and two companies he controls, Concord Management and Consulting LLC, and Concord Catering. Project Lakhta includes multiple components, some involving domestic audiences within the Russian Federation and others targeting foreign audiences in the United States, members of the European Union, and Ukraine, among others. (5)
As early as 2014, IRA efforts were growing so rapidly that a reorganization was needed. Operations on social media platforms and related support services were consolidated into the “Translator (Perevodchik) Department,” and the department went right to work. In June 2014, Anna Bogacheva and Aleksandra Krylova were deployed to the U.S. on visas acquired under false pretenses. Their real mission was to mingle in American society and become fully engaged in social media to develop an on-the-ground sense of the issues that Americans were passionate about. The IRA would use this information to craft social media posts targeting diverse groups of Americans. (Mueller Report, p. 55)
Other IRA employees specialized in specific social media platforms. They initially targeted Facebook, YouTube, and Twitter, and later added Tumblr and Instagram. These specialists first created accounts by impersonating American citizens. Within a year, they created social groups that falsely claimed to be associated with U.S. political and social organizations. The IRA also created accounts that looked like real accounts, such as “@TEN_GOP” on Twitter, which pretended to be affiliated with the Tennessee Republican Party. Other fictitious social media groups created by the IRA focused on immigration, Black Lives Matter, and the Tea Party. (Mueller Report, p. 56)
The IRA’s social media campaign began to focus on the presidential campaign early in 2016. “By February 2016, internal IRA documents referred to support for the Trump Campaign and opposition to candidate Clinton.” And “IRA employees also acknowledged that their work focused on influencing the U.S. presidential election.” (Mueller Report, p. 56) This was evident from their activities.
The IRA bought over 3,500 advertisements from Facebook for about $100,000 to promote their newsfeeds and to expand their reach. They used some of these advertisements to promote IRA-established groups on divisive social issues and to generate participation in public events and rallies initiated by the IRA. In mid-2016, IRA advertisements focused on supporting the Trump campaign with Facebook groups like “Being Patriotic,” “Stop All Invaders,” and “Secured Borders.” These advertisements reached tens of millions of U.S. citizens.
As they did on Facebook, IRA operators on Twitter created false personae that issued original tweets with messages targeted at specific individuals or groups. They also retweeted content that echoed IRA themes. For example, “@jenn_abrams” was said to be a Trump supporter from Virginia with over 70,000 followers. “@Pamela_Moore13” said she was a Trump supporter in Texas; she also claimed 70,000 followers. The large numbers suggested that many of the “followers” were actually botnets, networks of malware-infected computers that automatically “liked” or retweeted IRA posts. Amplifying the effect, many prominent Americans unwittingly also retweeted these posts. (Mueller Report, pp. 58-59)
A final tactic used by the IRA was to use the direct messaging features in Facebook, Twitter, and Instagram. Direct messages were used to contact and recruit Americans for activities ranging from moderating groups on social media to organizing political rallies. Initially directed to people who “liked” and shared IRA posts or tweets, the recruitment efforts later expanded to target people across the political spectrum and, eventually, to specific individuals working on the Trump campaign. In some cases, IRA specialists pretended to be interested in helping the Trump campaign organize campaign rallies. (Mueller Report, pp. 60-62)
Even though many Americans were used by the IRA to enable its social media campaign, the Mueller “investigation did not identify any evidence that any U.S. persons knowingly or intentionally coordinated with the IRA’s interference operation.” (Mueller Report, p. 53) In some ways, this is a more troubling conclusion than one that would have identified U.S. collaborators. But the fact remains that the Russians applied various tactics, techniques, and procedures to social networks very effectively, taking advantage of American naivete and a general tendency to trust people. Their social media campaign was augmented by hacking operations conducted against two Democratic Party organizations and key individuals, and these operations are documented in Volume I, Section III of the Mueller Report.
Taking advantage of vulnerabilities in the way many Americans respond to emails from apparently reliable sources, the Russians gained access to sensitive documents from the Democratic National Committee (DNC) and Democratic Congressional Campaign Committee (DCCC). They used spearphishing techniques against people in those organizations to steal credentials and gain trusted access to the network and used that access to implant collection and dissemination tools to steal thousands of emails related to campaign strategy, specific plans, and other sensitive information.
Unlike the social media campaign that relied heavily on unwitting Americans to distribute their messages, the Russians created specific distribution channels to disseminate the emails they stole. They also bypassed the IRA, presumably because that organization was fully engaged with social media. To steal and disseminate sensitive campaign emails and documents, Russian leaders called on the military intelligence department of the General Staff of the Russian Military, commonly known as the GRU. The Mueller Report details the organizational structure of GRU units engaged in the hacking efforts and, despite many redactions, provides significant insights into the methods used to infiltrate the email systems supporting the DNC and DCCC and use stolen material to further their goal of influencing the election.
Military unit 26165 “is a GRU cyber unit dedicated to targeting military, political, governmental, and non-governmental organizations outside of Russia, including in the United States.” This unit had specialized departments dealing with malware development and spearphishing operations and other hacking-related activities. The unit also had a bitcoin mining operation that provided funds for buying computer infrastructure used to facilitate their hacking operations. Military unit 74455 is another GRU organization that developed dissemination channels for the distribution of hacked material stolen by unit 26165. This unit also “hacked computers belonging to state boards of elections, secretaries of state, and U.S. companies that supplied software and other technology related to the administration of U.S. elections.” (6)
Hacking the DNC and DCCC as well as individuals associated with the Clinton campaign was the responsibility of Unit 26165. Starting as early as March 2016, this unit began cyber reconnaissance of websites associated with organizations like “democrats.org” and “hillaryclinton.org.” Such exploratory efforts are standard procedure for any organized hacking attack. Before a successful hack can be conducted, the target environment must be understood and mapped. Cyber reconnaissance led to spearphishing attempts against members of the Clinton campaign including the well-known effort against campaign chairman John Podesta. Successful spearphishing against several campaign staffers gave the GRU access to “numerous email accounts” and resulted in the theft of “tens of thousands of emails” from the campaign. (Mueller Report, pp. 63-64)
The Russian hackers were very efficient, and they moved quickly. By mid-April, they had compromised the DCCC network via a spearphishing attack and then moved laterally via a VPN (virtual private network) connection to the DNC network. These steps – gaining a foothold and then expanding privileges – are also common in an organized hacking attack. The report does not specify how the Russians accessed the VPN, but they either broke the encryption that protected the VPN or, more likely, obtained the credentials they needed to access the private network from the employee they spearphished. In any event, a short time later, GRU hackers had gained control of about 29 DCCC computers and more than 30 DNC computers. (Mueller Report, p. 64)
Mueller’s team documented in significant detail the specific hacking tools used by the Russians. These tools included customized malware called “X-Agent.” X-Agent allowed the hackers to “log keystrokes, take screenshots, and gather other information” such as file directories. “X-Tunnel” was a tool that created an encrypted communications link between the compromised DNC and DCCC computers and the data repositories established by the GRU to hold stolen material. Mimikatz was used for harvesting email and network credentials, and “rar.exe” was used to compress files before they were exfiltrated to the GRU’s infrastructure. To control their operations, the GRU established a group of servers to communicate with the malware that was implanted in the DNC and DCCC computers. These servers in turn communicated with a second group of GRU computers named the “AMS Panel.” The AMS Panel was housed in a facility in Arizona, indicating the extensive operational infrastructure established by the Russians for their covert operations. (Mueller Report, p. 65)
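The staging-then-exfiltration pattern described above (rar.exe compressing files on a compromised host, then an encrypted channel carrying the archive to GRU infrastructure) is one a defender can look for in endpoint telemetry. The following is an added example, not code from the Mueller Report or the article, and not a reconstruction of any DNC or DCCC system: it runs a simple heuristic over constructed process and network events, flagging a host where an archiver ran and, within a short window, a large outbound transfer went to a non-internal destination. Host names, IP addresses, log lines, the internal-network prefixes, the 30-minute window and the 50 MiB threshold are all constructed assumptions to be tuned for a real environment.

```python
"""Staging-then-exfiltration heuristic over constructed endpoint telemetry.

Added example, not code from the Mueller Report or from the article. It
models the pattern the report describes on a compromised DCCC/DNC host:
an archiver (rar.exe) compresses files, then an outbound channel carries the
archive to attacker-controlled infrastructure. Host names, IP addresses and
log lines are constructed; the internal-network list, time window and size
threshold are assumptions a defender would tune to their own environment.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta
from typing import Iterable

# Constructed sample telemetry: "<ISO time> <host> <event> key=value ..."
SAMPLE_LOG = r"""
2016-04-22T01:12:03 dccc-ws07 process_start image=C:\Windows\Temp\rar.exe cmdline="rar.exe a -hp -m5 C:\Windows\Temp\out.rar C:\Users\jdoe\Documents"
2016-04-22T01:13:41 dccc-ws07 file_write path=C:\Windows\Temp\out.rar bytes=734003200
2016-04-22T01:20:17 dccc-ws07 net_connect dst=203.0.113.45 dport=443 bytes_out=741000000
2016-04-22T02:05:09 dnc-ws12 process_start image="C:\Program Files\WinRAR\rar.exe" cmdline="rar.exe a backup.rar C:\Projects"
2016-04-22T09:10:00 dnc-ws12 net_connect dst=10.0.5.20 dport=445 bytes_out=120000000
2016-04-22T10:00:00 dnc-ws03 net_connect dst=198.51.100.7 dport=443 bytes_out=2048
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Archiver images worth correlating; rar.exe is the one the report names.
ARCHIVER_RE = re.compile(r"(?:^|\\)(?:rar|winrar|7z|7za)\.exe$", re.IGNORECASE)
INTERNAL_PREFIXES = ("10.", "192.168.", "172.16.")   # assumption: internal ranges
WINDOW = timedelta(minutes=30)                        # assumption: staging-to-upload window
MIN_BYTES_OUT = 50 * 1024 * 1024                      # assumption: 50 MiB is "large"


def parse_line(line: str) -> tuple[datetime, str, str, dict[str, str]]:
    """Split one telemetry line into (timestamp, host, event, fields)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts, host, event, rest = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return datetime.fromisoformat(ts), host, event, fields


def detect_staging_exfil(lines: Iterable[str]) -> list[dict]:
    """Flag hosts where an archiver ran and, within WINDOW, a large outbound
    transfer went to a destination outside the internal prefixes."""
    staged: dict[str, list[tuple[datetime, str]]] = {}
    alerts: list[dict] = []
    for line in lines:
        if not line.strip():
            continue
        ts, host, event, f = parse_line(line)
        if event == "process_start" and ARCHIVER_RE.search(f.get("image", "")):
            staged.setdefault(host, []).append((ts, f["image"]))
        elif event == "net_connect":
            dst = f.get("dst", "")
            bytes_out = int(f.get("bytes_out", "0"))
            if dst.startswith(INTERNAL_PREFIXES) or bytes_out < MIN_BYTES_OUT:
                continue
            for staged_at, image in staged.get(host, []):
                if timedelta(0) <= ts - staged_at <= WINDOW:
                    alerts.append({
                        "host": host, "archiver": image,
                        "staged_at": staged_at.isoformat(),
                        "dst": dst, "bytes_out": bytes_out,
                        "connected_at": ts.isoformat(),
                    })
                    break
    return alerts


if __name__ == "__main__":
    for a in detect_staging_exfil(SAMPLE_LOG.splitlines()):
        print(f"ALERT {a['host']}: {a['archiver']} at {a['staged_at']} "
              f"then {a['bytes_out']} bytes to {a['dst']} at {a['connected_at']}")
```

On the constructed data only dccc-ws07 is flagged: dnc-ws12 ran the archiver but its large transfer went to an internal address hours later, and dnc-ws03 sent only a few kilobytes. The correlation is deliberately coarse; in practice it is a triage signal to pair with the encrypted-tunnel indicator the report describes (X-Tunnel), not a standalone verdict.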
The size, scope, and sophistication of the GRU’s hacking infrastructure and tactics, techniques and procedures used to steal information from the DNC and DCCC indicate the well-organized and well-funded effort undertaken by the Russians. The Mueller team doesn’t comment or editorialize about the facts it reports but does point out that within a short period the Russians exfiltrated over 70 gigabytes of information from a single DCCC server and “thousands of emails and attachments” from the DNC. (Mueller Report, p. 65)
Dissemination of Hacked Material
The release of DNC and DCCC material through WikiLeaks and DCLeaks.com is widely known through previous media reporting. The Mueller Report expands on the general information by documenting the mechanics of how this was done. GRU unit 26165 registered the domain DCLeaks.com in April 2016 and created a website at this address. The GRU began posting stolen documents on this site two months later and opened a Facebook page, “DCLeaks,” to promote release of new material. The GRU also created a Twitter account, “@dcleaks,” and an email account, “firstname.lastname@example.org,” that was used to give U.S. persons and reporters tips about forthcoming material. They also provided reporters with passwords to a restricted area of the DCLeaks website, a site that remained active until April 2017. (Mueller Report, pp. 66-67)
When the DNC announced that its network had been breached in June 2016 and publicly attributed the breach to Russian intelligence services, the GRU quickly started a WordPress blog with the persona “Guccifer 2.0” and used this blog to divert attention from Russia. Guccifer 2.0 alleged that the DNC was hacked by a Romanian, and the GRU then began using the Guccifer 2.0 persona to post additional DNC and DCCC documents. These posts, many of which focused on campaign strategy and sensitive issues as well as campaign themes considered important in Florida and Pennsylvania, continued until October 2016. Guccifer 2.0 also sent stolen documents with potentially damaging material about the Clinton campaign and local campaigns directly to news organizations, a candidate for Congress, and a member of the Trump campaign. Guccifer 2.0 also sent passwords to some reporters allowing them to access restricted areas of the DCLeaks website, indicating a close connection between the GRU’s website and the Guccifer 2.0 persona. (Mueller Report, p. 69)
In March 2016, in a parallel effort initially unrelated to the Russian operation, WikiLeaks and its founder Julian Assange began developing an anti-Clinton database of over 30,000 items it obtained through a Freedom of Information Act request. The Russians became aware of this activity and contacted WikiLeaks to suggest collaboration. A direct message on Twitter from “@dcleaks” to “@WikiLeaks” on June 14 contained the following offer:
“You announced your organization was preparing to publish more Hillary’s emails. We are ready to support you. We have some sensitive information too, in particular, her financial documents. Let’s do it together. What do you think about publishing our info at the same moment?” (Mueller Report, pp. 69-70)
One month later, on July 14, 2016, the GRU used the email account of Guccifer 2.0 to send WikiLeaks a message with subject line “big archive” and an encrypted attachment with the name “wk dnc link1.txt.gpg.” They followed up with an encrypted file on Twitter that contained instructions about opening the file. Two days later, WikiLeaks confirmed it had received “the 1GB or so archive” and would publish the information “this week.” WikiLeaks subsequently published over 20,000 emails and other documents on July 22, three days before the opening of the Democratic National Convention. (Mueller Report, pp. 70-71)
WikiLeaks and the GRU-backed persona Guccifer 2.0 communicated regularly in the weeks leading up to the election. While much of their correspondence was encrypted, the Office of the Special Counsel extracted useful information from the metadata of the encrypted messages. They determined that documents published by WikiLeaks in September were likely staged for transfer to WikiLeaks by the GRU using similar techniques that were used in the July transfer of DNC material. Though some of the details have been redacted from the report and the possibility of a physical transfer of the stolen data cannot be ruled out, the association of the dates of emails and direct messages almost certainly indicates that the GRU used electronic means to transfer stolen DNC and DCCC material to WikiLeaks in an ongoing collaboration that lasted several months. By early November 2016, WikiLeaks had released more than 50,000 documents stolen from John Podesta’s personal email accounts. The date-time groups on these emails indicate that the thefts began two days after Podesta responded to a GRU spearphishing email in March. (Mueller Report, pp. 71-72)
The Mueller Report documents WikiLeaks’ efforts to deny that Russia was the source of the DNC material. Assange stated that the source was an “inside job.” He falsely implicated former DNC staffer Seth Rich as the source of the leaks after Rich was tragically murdered in a robbery attempt on a Washington street in July 2016. The report also documents successful efforts by the GRU to penetrate email accounts of Democratic candidates and sympathizers. They specifically targeted the Clinton campaign, and while many details have been redacted, the report states that “the GRU stole approximately 300 gigabytes of data from the DNC cloud-based account.” (Mueller Report, p. 73)
The GRU also expanded their target list to include state boards of elections and technology firms that provided electronic voting machines and related technology to state and local governments. They used SQL injection, a well-known hacking technique, to access voter registration lists in Illinois and possibly other states. They also sent spearphishing emails to Florida election officials and probably gained illicit access to at least one Florida county government. These activities were out-of-scope for the Mueller team, however. The report mentions that the FBI, DHS, and state governments investigated these incidents. (Mueller Report, p. 74)
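SQL injection, the technique the report says was used against voter registration lists, works only when an application builds a query by pasting untrusted input into SQL text. The following added example (not code from the Mueller Report or the article, and not a reconstruction of any state's voter system) places a vulnerable lookup next to its parameterized fix over an in-memory SQLite table of constructed rows, and shows the point defenders most often need to make to developers: a legitimate surname such as O'Brien contains the very quote character an attacker abuses, so quote-stripping is not the fix; binding the value as a parameter is.

```python
"""SQL injection: a vulnerable lookup beside its parameterized fix.

Added example, not code from the Mueller Report or the article, and not a
reconstruction of any voter-registration system. The table, rows and the
three probe inputs are constructed for illustration.
"""
from __future__ import annotations

import sqlite3

# Constructed sample data: three registered voters.
SAMPLE_VOTERS = [
    ("Doe", "Cook", "1970-01-01"),
    ("Roe", "Lake", "1985-06-15"),
    ("O'Brien", "Cook", "1992-11-30"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE voters (id INTEGER PRIMARY KEY, last_name TEXT, county TEXT, dob TEXT)"
    )
    conn.executemany(
        "INSERT INTO voters (last_name, county, dob) VALUES (?, ?, ?)", SAMPLE_VOTERS
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, last_name: str) -> list[tuple]:
    """Builds the query by string formatting: the caller's input becomes part
    of the SQL grammar, so a quote in the input rewrites the WHERE clause."""
    sql = f"SELECT last_name, county FROM voters WHERE last_name = '{last_name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, last_name: str) -> list[tuple]:
    """Sends the SQL and the value separately; the driver binds the value as
    data, so it is never parsed as SQL regardless of its contents."""
    return conn.execute(
        "SELECT last_name, county FROM voters WHERE last_name = ?", (last_name,)
    ).fetchall()


def compare(last_name: str) -> dict:
    """Run both lookups on the same input and report row counts, recording a
    database error from the vulnerable form instead of raising it."""
    conn = build_db()
    try:
        vulnerable = len(lookup_vulnerable(conn, last_name))
    except sqlite3.OperationalError as exc:  # malformed SQL caused by a stray quote
        vulnerable = f"error: {exc}"
    safe = len(lookup_safe(conn, last_name))
    conn.close()
    return {"input": last_name, "vulnerable_rows": vulnerable, "safe_rows": safe}


if __name__ == "__main__":
    # A normal name, a legitimate name containing a quote, and the textbook
    # tautology that turns the vulnerable WHERE clause into "match every row".
    for name in ("Doe", "O'Brien", "' OR '1'='1"):
        print(compare(name))
```

The three probes tell the whole story: the vulnerable form returns one row for Doe, throws a syntax error on O'Brien, and returns the entire table for the tautology, while the parameterized form returns exactly the matching rows (one, one, and none) in every case. Code review for string-built SQL, plus database accounts limited to the rows and columns an application genuinely needs, are the corresponding controls.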
The Mueller Report provides a case study in Russian cyber operations directed at influencing American public opinion in the campaign leading to the 2016 presidential election. The combination of disinformation using social media and publishing stolen documents obtained by hacking into political organizations is a 21st Century update to Russian active measures that have existed since the early years of the Soviet Union. The Mueller Report catalogs Russia’s sophisticated cyber operations that were well-organized, coordinated, planned in detail, well-funded, and timed to achieve the maximum impact on the election campaign.
While the ultimate effect on the outcome of the election can never be known for certain, Mueller’s team has documented the extensive efforts by the Russians who applied their best tradecraft in an attempt, by their own admission, to influence the election. Special Counsel Robert Mueller and his team have done a tremendous service in documenting the extensive and sophisticated Russian efforts in 2016 and have provided many specifics that can be used to develop effective cyber defenses. Time will tell whether we have learned enough from the report to protect ourselves against similar activities in future elections.
1 The source document for this paper is The Mueller Report: The Final Report of the Special Counsel into Donald Trump, Russia, and Collusion, with an Introduction by Alan Dershowitz (New York: Skyhorse Publishing, 2019). All page numbers refer to this version of the report.
2 Richard H. Schultz and Roy Godson, Dezinformatsia (Washington: Pergamon-Brassey’s, 1984).
3 Andrei Soldatov and Irina Borogan, The Red Web: The Kremlin’s War on the Internet (New York: Public Affairs, 2015), pp. 279-285.
4 Alina Polyakova, “The Kremlin’s Toolkit of Influence in Europe,” in Alina Polyakova, et al., The Kremlin’s Trojan Horses: Russian Influence in France, Germany, and the United Kingdom (Washington: Atlantic Council, 2016).
5 U.S. Department of Justice, October 19, 2018. https://www.justice.gov/opa/pr/russian-national-charged-interfering-us-political-system. “Lakhta” is the name of an historical district of St. Petersburg near Lake Lakhta. There is also a “Lakhta Center,” the tallest building in Russia, under construction near St. Petersburg. See https://en.wikipedia.org/wiki/Lakhta_Center
6 Mueller Report, p. 63. Russian hacking efforts during the U.S. presidential campaign are also well-documented in the Intelligence Community Assessment, “Assessing Russian Activities and Intentions in Recent U.S. Elections” published in January 2017. See https://www.dni.gov/files/documents/ICA_2017_01.pdf.
Dr. Terry Thompson is a lecturer in cybersecurity at the Johns Hopkins University and University of Maryland, Baltimore County. He is a regular contributor to the NCMF blog, as well as the NCMF's Cybersecurity & Cryptology Today web page.