New Report Details What Dirty Tricks Russian Cyber Hackers Use to Spread Lies and Mayhem

“Fakes in a forest of facts.”

Monika Skolimowska/Zuma

Fight disinformation: Sign up for the free Mother Jones Daily newsletter and follow the news that matters.


Citizen Lab, a Toronto-based human rights research group that focuses on cybersecurity and surveillance, issued a report Thursday offering a detailed look at what they call an “extensive Russia-linked phishing and disinformation campaign” that targeted journalists and others, many of whom could be seen as undermining Russian President Vladimir Putin, those close to him, or Russian geopolitical interests.

Entitled “Tainted Leaks,” the report traces the evolution of how stolen emails are altered and eventually used to disrupt political campaigns or dishonestly shape public opinion. In this case, the emails and other documents were stolen from the targets, modified in subtle but meaningful ways, published by pro-Russian hacktivists, and amplified by pro-Russian media in an attempt to discredit negative reporting about Putin and his inner circle. It showed how critical journalism was made to appear more subversive than it was by having locally based stories appear to be the work of a CIA operation looking to foment revolution. Aimed at Russia’s domestic population, the disinformation campaign appears designed to distract from any anger or distrust that reporting about Putin’s and his associates’ corruption may have created.

“Russia-linked cyber espionage campaigns, particularly those involving targeting around the 2016 US elections, and more recently the 2017 French election, have dominated the media in recent months,” the report’s authors write, noting that the most persistent victims of such campaigns are journalists, academics, activists, researchers, and others. “A healthy, fully-functioning, and vibrant civil society is the antithesis of non-democratic rule, and as a consequence, powerful elites threatened by their actions routinely direct the powerful spying apparatuses toward civil society to infiltrate, anticipate, and even neutralize their activities.”

Beginning with the successful breach of journalist David Satter’s email box in October 2016, researchers traced its consequences to an operation that targeted 218 unique targets in at least 39 countries. Satter had worked in Russia for years as a writer and journalist but was kicked out of the country in December 2013, likely as a response to his investigative reporting on powerful Russian figures and corruption for the Financial Times and other outlets. While analyzing the phishing email used to access Satter’s email, the Citizen Lab researchers discovered that the breach that snared Satter was potentially linked to a target list that included politicians and other government officials, journalists, academics, leaders of energy and mining companies, UN officials, and military personnel from more than a dozen countries, including the United States and NATO. In many cases, the targets of the campaign weren’t directly attacked, but by targeting people close to them, the perpetrators were able to discredit them nonetheless. Here is an outline of what they found:

Citizen Lab

Once Satter’s email account was accessed, the language of some of his emails was altered to change the context, so that it appeared his Radio Liberty reporting project was much bigger than it was. It also gave the impression that Russia-based journalists contributing to the project, who wrote stories critical of Putin and members of his circle, were funded by foreign money. For example, in some cases, the modifications to Satter’s emails made it appear as though Alexei Navalny, an opposition leader in Russia, was receiving foreign funding to carry on his activities.

The text in red represents text removed from the original document. The text in blue represents text that has been added. Citizen Lab

By studying the URLs used to lure Satter into providing his email login credentials, the researchers believe they’ve found similarities between the operation and that which was used to target Hillary Clinton’s campaign and the Democratic National Committee during the 2016 US presidential election. The group that targeted the Clinton campaign is believed by some researchers and the US government to be APT28, an organization some have tied to Russian intelligence operations. “This similarity suggests possible code re-use,” the researchers write. “The two operations may be using the same phishing ‘kit.'”

The net result of operations such as the one detailed by the Citizen Lab is that by modifying authentic documents and emails in subtle ways, doubt can be cast on entire organizations, campaigns, projects, or individuals themselves. In the context of Russian operations, this is known as “dezinformatsiya,” which is propagating forged documents among legitimate documents to taint and call into question the entire batch.

The researchers acknowledge they have no “smoking gun” evidence pointing to a “particular Russian government agency, despite the overlaps between our evidence and that presented by numerous industry and government reports concerning Russian-affiliated threat actors.” But the researchers note the Russian government is known to use proxy hacking groups to go after targets while maintaining plausible deniability, a practice that has been described by Mark Galeotti of the Institute of International Relations Prague as “guerilla geopolitics” based on its insurgent and asymmetric approach to achieving military and political goals.

“Tainted leaks are a growing and particularly troublesome addition to disinformation tactics, and in the current digital environment are likely to become more prevalent,” the researchers wrote. “Tainted leaks—fakes in a forest of facts—test the limits of how media, citizen journalism, and social media users handle fact checking, and the amplification of enticing, but questionable information.”

AN IMPORTANT UPDATE

We’re falling behind our online fundraising goals and we can’t sustain coming up short on donations month after month. Perhaps you’ve heard? It is impossibly hard in the news business right now, with layoffs intensifying and fancy new startups and funding going kaput.

The crisis facing journalism and democracy isn’t going away anytime soon. And neither is Mother Jones, our readers, or our unique way of doing in-depth reporting that exists to bring about change.

Which is exactly why, despite the challenges we face, we just took a big gulp and joined forces with the Center for Investigative Reporting, a team of ace journalists who create the amazing podcast and public radio show Reveal.

If you can part with even just a few bucks, please help us pick up the pace of donations. We simply can’t afford to keep falling behind on our fundraising targets month after month.

Editor-in-Chief Clara Jeffery said it well to our team recently, and that team 100 percent includes readers like you who make it all possible: “This is a year to prove that we can pull off this merger, grow our audiences and impact, attract more funding and keep growing. More broadly, it’s a year when the very future of both journalism and democracy is on the line. We have to go for every important story, every reader/listener/viewer, and leave it all on the field. I’m very proud of all the hard work that’s gotten us to this moment, and confident that we can meet it.”

Let’s do this. If you can right now, please support Mother Jones and investigative journalism with an urgently needed donation today.

payment methods

AN IMPORTANT UPDATE

We’re falling behind our online fundraising goals and we can’t sustain coming up short on donations month after month. Perhaps you’ve heard? It is impossibly hard in the news business right now, with layoffs intensifying and fancy new startups and funding going kaput.

The crisis facing journalism and democracy isn’t going away anytime soon. And neither is Mother Jones, our readers, or our unique way of doing in-depth reporting that exists to bring about change.

Which is exactly why, despite the challenges we face, we just took a big gulp and joined forces with the Center for Investigative Reporting, a team of ace journalists who create the amazing podcast and public radio show Reveal.

If you can part with even just a few bucks, please help us pick up the pace of donations. We simply can’t afford to keep falling behind on our fundraising targets month after month.

Editor-in-Chief Clara Jeffery said it well to our team recently, and that team 100 percent includes readers like you who make it all possible: “This is a year to prove that we can pull off this merger, grow our audiences and impact, attract more funding and keep growing. More broadly, it’s a year when the very future of both journalism and democracy is on the line. We have to go for every important story, every reader/listener/viewer, and leave it all on the field. I’m very proud of all the hard work that’s gotten us to this moment, and confident that we can meet it.”

Let’s do this. If you can right now, please support Mother Jones and investigative journalism with an urgently needed donation today.

payment methods

We Recommend

Latest

Sign up for our free newsletter

Subscribe to the Mother Jones Daily to have our top stories delivered directly to your inbox.

Get our award-winning magazine

Save big on a full year of investigations, ideas, and insights.

Subscribe

Support our journalism

Help Mother Jones' reporters dig deep with a tax-deductible donation.

Donate