The Russian military hackers who stole tens of thousands of sensitive Democratic Party documents in 2016 struggled to disseminate their bounty online — at least until anti-secrecy group WikiLeaks joined the effort, according to a report released Tuesday night.
The report, prepared by analyzing data Facebook provided to the Senate Intelligence Committee, found that the Russian military hackers sought to publicize the documents as early as June 14 that year through a post on Facebook that said, “Check restricted documents leaked from Hillary Clinton’s presidential campaign staff,” and provided a link to an online trove. But despite the potentially explosive contents, the post on the “DCLeaks” page generated just 11 “likes,” 17 shares and zero comments.
Direct messages to American journalists, made through a fictitious Twitter persona called Guccifer 2.0, generated a spate of news coverage soon after. But that was modest compared to the deluge that came five weeks later, on July 22, when WikiLeaks published the documents and tweeted a link to its 3.2 million followers.
The revelations from the stolen documents, many of which were embarrassing emails showing party officials appearing to favor Clinton over her rival for the presidential nomination, Sen. Bernie Sanders, soon spread widely enough to prompt the Democratic chairwoman to resign on the eve of the party’s national convention.
The hacking campaign’s outreach efforts, executed by the Russian military intelligence agency known as the GRU, underscore how marrying stolen documents with sophisticated social media outreach can generate outsize results. It also underscored the unwitting role American journalists played in a Russian intelligence operation to interfere in a U.S. election.
Tuesday’s report, called “Potemkin Pages & Personas: Assessing GRU Online Operations 2014-2019,” is the latest that disinformation researchers have produced using data provided to the Senate Intelligence Committee and gives the most complete account yet of the social media operations of the GRU. It was released by the Stanford Internet Observatory, with research manager Renee DiResta as the lead author. DiResta also has worked as part of the Technical Advisory Group for the Senate committee.
The report found that the GRU, in targeting the United States and other countries, set up phony think tanks and news organizations, created fake online personas and pushed racially divisive online messages through Facebook pages it created, including “Baltimore is Everywhere” and “Michael Brown Memorial.” Then-special counsel Robert Mueller III indicted 12 GRU officers last year for their alleged role in seeking to disrupt the U.S. election.
“One thing this report shows is that what happens on social media doesn’t stay isolated to social media,” said Sen. Mark Warner of Virginia, the top Democrat on the Intelligence Committee. “Platforms like Facebook can also serve as the launching pad for narratives that spread throughout the information ecosystem. These big platforms need to do a better job of making sure they don’t become tools for Russian manipulation of American voters, and responsible actors need to take serious stock of how they interact with, rely on and amplify the information found on those platforms.”
The committee’s chairman, Sen. Richard Burr, R-North Carolina, said: “This report helps us better understand how the GRU conducts its information warfare operations. It’s clear that the foreign influence threat is persistent and evolving, and we cannot flag in our collective effort to combat it.”
Many researchers who have studied Russia’s efforts to influence the 2016 presidential race have pointed to the publication of the Democratic Party documents as especially effective at disrupting the election, which Republican Donald Trump narrowly won. Such tactics — called “hack and leak” by researchers — are widely used, highly effective and difficult to combat when used in democratic nations that respect press freedoms.
Mueller’s final report, released publicly in April, detailed the relationship between the GRU, operating through the fictitious persona Guccifer 2.0, and WikiLeaks. The anti-secrecy group did not respond to requests for comment Tuesday.
WikiLeaks’ founder and longtime public face, Julian Assange, who is in British custody and has been charged by U.S. officials for alleged violations of the Espionage Act, long has denied that the group’s source for the Democratic Party documents was Russian military intelligence. (The indictments against Assange are not related to the Democratic Party documents; rather they concern a 2010 leak of U.S. government documents.)
The GRU operations mirrored, to some degree, the influence campaigns waged by the Internet Research Agency (IRA), the St. Petersburg-based operation that was created by an ally of Russian President Vladimir Putin but run more as a social media start-up, with civilian employees, than a formal government operation. While the GRU excelled at hacking, it was not nearly as good as the IRA at building an online following and spreading messages.
“We were stunned by what a failure it was,” DiResta said. “Maybe that’s why the IRA exists … Maybe there’s a recognition that this is a different form of propaganda.”
Facebook said it has removed a number of accounts related to Russian interference in the United States, Syria and Ukraine. “We welcome independent analysis like the one by the Stanford Internet Observatory that chronicles these campaigns that we investigated and removed in the past,” said Nathaniel Gleicher, Facebook’s head of cybersecurity policy.
In addition to the document dump by WikiLeaks ahead of the Democratic National Convention, WikiLeaks in October that year also published thousands of emails stolen from Clinton campaign chairman John Podesta, sparking several news stories and the spread of lurid and demonstrably false conspiracy theories based loosely on remarks in the emails.
The IRA used its Twitter accounts to help push information from those documents and the ones WikiLeaks published in July, according to previous research by Clemson University professors Darren Linvill and Patrick Warren. They found a dramatic surge of tweets — 18,000 over a single 24-hour period — from IRA accounts on Oct. 6, 2016, the day before WikiLeaks published the Podesta emails. The timing suggests some degree of coordination between the GRU and the IRA, perhaps intended to spur online conversation to prepare for the document dump.
Linvill, an associate professor of communication, said there may have been an explicit division of responsibility, with the GRU focused on hacking valuable targets while the IRA mounted a “guerrilla marketing campaign.”
“That takes sustained effort at persona-building,” he said. “That’s really effective, but it’s the kind of thing you are going to want grunts to do … It’s not really what the GRU is built for.”
The GRU was comparatively successful at what the Stanford report calls “narrative laundering,” meaning the spreading of disinformation through phony think tanks or news sites, or by using fictitious personas to post content mimicking actual news reports. One well-chronicled fake journalistic persona, sometimes going by “Alice Donovan,” wrote for a number of sites, including the Inside Syria Media Center, which was a GRU creation as well.
Like the IRA, the GRU also worked across tech platforms. The Inside Syria News Center, for example, operated on Facebook, Twitter and YouTube and had a channel on the encrypted communication service Telegram. Another phony persona, Sophia Mangal, who was listed as an editor for the Inside Syria Media Center, had accounts on Medium, Quora and Twitter.
Despite some successes in these areas, the GRU-created DCLeaks page posted only 22 times over a four-month period before Facebook closed the page. During that time, it had just 834 “engagements” — a metric counting likes, comments and other reactions from Facebook users — and did not deploy other promotion tools, such as advertisements.