CHAPTER 8
Internet Research Agency & Russian Cyber Weapons
Russia may not have been the first nation to weaponize information. They were not even the first to turn modern social media into a propaganda platform, recruiting sergeant, and fear projection tool—that would be the Islamic State terrorist group. While ISIS was using the precedents for weaponizing social media that exploded during the 2011 Arab Spring, Russian intelligence was watching and fusing their techniques with their near century-old political and propaganda warfare legacy from the KGB. The Russian goal was to quickly harness the power of personal access that social media gives and craft metanarratives and distribute in such a way that the enemy population can be turned against their own government. Opinion polls, news coverage, and street talk can be shifted by changing the perception of the populace. Social media not only weaponizes opinion, it gives the attacker the ability to act as puppeteer for an entire foreign nation. Two Russian information warfare officers wrote a treatise describing the combat effects of weaponized news and social media:
“The mass media today can stir up chaos and confusion in government and military management of any country and instill ideas of violence, treachery, and immorality, and demoralize the public. Put through this treatment, the armed forces personnel and public of any country will not be ready for active defense.”1
Additionally, the Russians make no distinction between using these activities in wartime and “peace.” The Russian Federation will deploy information warfare and propaganda persistently in a constant effort to keep adversaries off balance. When it comes to information warfare, such distinctions of peacetime and wartime fade away.
One key distinction that should be drawn is the difference between strategic tasks aimed at people and those aimed at technology. Deploying tasks against people involves psychological operations meant to affect the mindset of citizens, politicians, and military forces. Whereas tasks aimed at technological assets are meant to undermine the structures used to collect, process, or share information, including networks, computers, or the data itself.
The United States and Europe will be engaged in a psychological engagement until the fringes of their society turn to Moscow. The attack will be persistent, intense, and subversive. It’s a Metanarrative Cold War: Democracy or Autocracy?
Techniques of cyber operation resemble non-cyber techniques in many ways. For instance, sabotage will now be aimed at digital infrastructures. Example, sending tons of data at a server is known as a Denial of Service (DOS) attack, or when sent from multiple sources, it’s known as a Distributed Denial of Service (DDoS) attack. Much like jamming radio or radar signals in the past, DDoS attacks blind the opponent. While they can be carried out by non-state hackers for many reasons, in the hands of a nation-state, a DDoS attack can immobilize a nation. Similar sabotage techniques were used in combination with other tactics like in December 2015 when Russian hackers deployed BlackEnergy 3 and Killdisk, two malware tools, to take down power plants in Ukraine. The first took control of the systems and allowed the hackers to essentially flip the breakers while the second, Killdisk, wiped the code of the computers’ operating systems. The plant had to go on full manual control and rebuild all the computers. This attack showed that Russia could take control of Ukraine’s biggest power plants and flip them off like a light switch.
Subversion Station: The Internet Research Agency
A “troll” is a person who maliciously engages in a conversation with the intention of disruption. Internet trolls have been a part of internet culture since near the beginning of public access. Like the obnoxious dirty little gnomes that live under the bridge in the Brothers Grimm fairy tales, they interrupt your existence and threaten to eat you. The life of human trolls is to be overbearing, intrusive, and mean-spirited. They are also designed to stop you from performing normal activities on the web. The use of trolls in modern active measures resembles the use of human agent provocateurs during the pre-Bolshevik era to incite riots that legitimized action against revolutionaries.
The headquarters of the global troll activity under control of Vladimir Putin was the Russian Federation Internet Research Agency (RF-IRA), originally located on 55 Savushkina Street in St. Petersburg. The RF-IRA headquarters was the largest of what may have been the start of many of the paid troll factories operating in Russia to provoke and inflame discussions in the US.2 The network was under the special activities umbrella of Putin loyalist Yevgeniy Prigozhin, the director of Black and Grey area civilian operations who worked directly for the Kremlin.
Mikhail Burchik was alleged to be the head of RF-IRA. Previously, he owned information technology companies. He was supervised by Putin loyalists, including Prigozhin, and Oleg Vasilyev.3 The “American Department” 
of what was code named the “Translator Project” at the Savushkina location reportedly started with 80 to 90 permanent employees. It would expand to several hundred including subcontractors. The group produced thousands of fake news and propaganda items per week. By 2015 they could generate 20 to 30 million views on items per week. However, their products are tied to bots that can resend their obnoxious messages by the millions per hour.
The Mueller special counsel indictment as well as Russian and other journalists have discovered the salaries and structure of the Internet Research Agency. The lowest level content creators: $1,000 per month, Community Administrators: $1,538 per month. Department Heads make $2,051 per month. Purchases of SIM cards, proxy servers, IP addresses, and other IT support is $3,481 per month, likely per work station, and social media advertising is $5,000 per month.4 The Mueller investigation found that as much as $1,200,000 was spent on their operations per month.
Alex Stamos, Chief Security Officer of Facebook, told Congress that the RF-IRA spent more than $100,000 on Facebook political ads between June 2015 and May 2017.5 This amounted to approximately 3,000 ads from 470 fake accounts and pages. A quarter of these ads were “geographically targeted” with an uptick in 2016 over 2015.6 Stamos stated that the “behavior displayed” was intended to “amplify divisive messages.” In addition to these numbers, Stamos said that accounts with “very weak signals of a connection” or “not associated with any known organized effort” amounted to $50,000 spent on approximately 2,200 ads, including ads purchased from US IP addresses.7
These advertisements, tweets, and Facebook posts were seen by as many as 150,000,000 Americans during the 2016 election. The Oxford Internet Institute studied the election and found that on Twitter and Facebook people shared almost as many fake news stories as they did real ones.8 By 2018, Twitter would be forced to notify 677,000 users that they were exposed to Russian propaganda during the campaign, but not what kind specifically.
In February 2018, the United States District Court for the District of Columbia filed an indictment in the United States versus the Internet Research Agency, Concorde Management and Consulting, LLC, and Concorde Catering. The indictment alleges that the internet research organization is a Russian organization engaged in operations to interfere with elections in political processes. According to the indictment, beginning in late 2013, the organization hired staff and planned to manipulate the US Presidential election by creating false personas of American citizens. They would set up social media websites, group Facebook pages, and Twitter feeds to attract US audiences. They name 13 Russians who are the key managers of the organization starting with Yevgeniy Prigozhin.
The Mueller indictment wasn’t the first to identify the activities in these troll factories. One former employee of the RF-IRA named Lyudmila Savchuk attempted to expose the troll factory despite the risk of retaliation. She and others claim that the Russian government protects the organization. She sued the RF-IRA in Russia over worker conditions and pay, working with a lawyer named Ivan Pavlov from an NGO called Team29. Team29 represented Savchuk and another employee Olga Maltseva in her case against the RF-IRA.
The heat from the FBI on the RF-IRA for the activities during the American, French, and German elections forced it to rebrand itself as “TEKA” and move to a new location on Beloostrovskaya Street in St. Petersburg.9
Cambridge Analytica—Re-Engineering the American Psyche?
Russian hybrid warfare and its ability to develop propaganda to craft beliefs and change minds was the heart of their perception management campaign against Europe and the United States. Though their operations were conceptualized in the Soviet era and engineered during the first Putin years, they were operationalized as a response to the “Color Revolutions” in Ukraine, the Baltics, and central Asia. The Russian perspective was being lost and the only way to stop it was to craft a new view of Moscow through information warfare.
To apply this against hardened political structures such as those in the United States and Europe would take a new system of mind warfare. The most difficult political analysis was how to steer an undecided bloc of voters into believing what a candidate offers in the most efficient manner. In America, the king was television advertising. Billions were spent on 30-second advertisements. It was tried and true, but this was the second decade of the 21st century. Social media was even more influential. A political analyst who understood the modern social systems would be savvy enough to understand the distribution system depended on word of mouth. That was the entire basis of social sharing networks on Facebook and Twitter. The Muslim world showed the exponential power of social media during the Arab Spring of 2011. Egyptian protesters created rallies and sit-ins—agitation and political action seen across the world using applications such as Facebook, WhatsApp, and Viber. They streamed live video of the marches, which were picked up by international news media from Al Jazeera to CNN. When the Egyptian government shut off television broadcasts to halt the throngs, the street protesters transmitted videos and live streams of their protests. These protests and public outrage at the government forced the army to intervene and remove the Mubarak family. This would play out again in Libya, Syria, and Tunisia. Why could it not be co-opted and turned back into a propaganda warfare tool?
To work in the West would take a more sophisticated type of social engineering. In 2013, a British company called Strategic Communications Laboratories formed Cambridge Analytica in order to win contracts with the Republican Party leading up to the US elections. Cambridge also was said to have helped in the Brexit Leave EU campaign. The company was partially funded by the extremely conservative Mercer family and their super PACs. On the board of advisors were Steve Bannon and Jared Kushner.
After the election of Donald Trump and the suspicions that he was assisted by the Kremlin, Cambridge Analytica would quickly come under investigation by the American Special Counsel Robert Mueller. Konstantin Rykov, Putin’s head of propaganda and author of the infamous Rykov confession (where he asserts Trump worked with Russia to win the election as early as 2013), stated that Trump had been working with Cambridge to create 5,000 “psychotypes” to influence the voters. Rykov said that “British scientists from Cambridge Analytica offered to make out of 5 thousand existing human psychotypes [psychological profile]—the ‘perfect image’ of Trump’s possible supporter. Then… put that image back on all the [psychological profiles] and thus find the universal key to anyone and everyone.”10
Cambridge Analytica would also say the same thing. They could predict personality types and the political leanings of an individual based on data factors called OCEAN—Openness, Conscientiousness, Extroversion, Agreeableness, and Neuroticism. With this data they could then target specific types of individuals with the proper advertising.11 Alexander Polonsky of Bloom Consulting told the New York Times that, “It goes beyond sharing information.… It’s sharing the thinking and the feeling behind this information, and that’s extremely powerful.”
At the exact same time that Cambridge Analytica was forming, Putin’s two loyalists, Rykov and Yevgeny Prigozhin, were forming the Russian Internet Research Agency (RF-IRA) to distribute Russian propaganda warfare content to the United States and Europe. Is it a coincidence that both CA and RF-IRA each started their efforts in 2013 to impact the US elections simultaneously and independently? Accidents of destiny such as this raises eyebrows. They validate Nance’s Law: Coincidence takes a lot of planning. A historic intersection of these two entities was just too incredible to be believed.
In 2017, it would be discovered that the CEO of Cambridge, Alexander Nix, secretly reached out to Julian Assange at WikiLeaks by email to try to acquire the 33,000 emails that Clinton had deleted from her server and which WikiLeaks allegedly had in their possession. Assange turned Nix down, claiming he would sort through them himself. It was because Assange did not have the actual emails. In fact, no one did, as that was a piece of Russian fake news they had gotten Fox News’s Judge Napolitano to put on air in early 2016. Their existence took on a life of its own when Trump publicly asked Russia to release them.
Assange did not have the actual Clinton emails Nix wanted. In fact, no one did, as that was a piece of Russian fake news they had managed to inject into Fox News early in 2016. On May 9, 2016, Fox News’s legal analyst Judge Andrew Napolitano claimed that Putin and his top advisors had 20,000 of Hillary Clinton’s deleted emails and were having an internal debate about whether to release them to the West. Napolitano said, “There’s a debate going on in the Kremlin between the Foreign Ministry and the Intelligence Services about whether they should release the 20,000 of Mrs. Clinton’s emails that they have hacked into…”12 The source of that story was an obscure website called whatdoesitmean.com and an even more enigmatic conspiracy theory writer using the pseudonym “Sorcha Faal.”13 David Corn at Mother Jones also found the same story planted at a conspiracy news dump called the European Union Times. Both sources and the story are likely highly refined inventions of the RF-IRA and had the exact effect they desired. Moscow was not a hero in the conservative anti-Hillary world and they had the goods Republicans needed. The supposed existence of the 20,000 emails took on a life of its own when Trump publicly asked Russia to release them. However, Nix’s request was a sign that Cambridge was not just a data analytics company—they were a part of the Trump campaign’s political warfare and dirty tricks group.14 The question that has yet to be answered is whether Cambridge Analytica is the “bridge of spies” between the Trump campaign and Russian intelligence’s information warfare groups. The Mueller investigation is trying to determine if Cambridge knowingly provided the RF-IRA or Trump team with that extra bit of data targeting the 77,000 voters of Pennsylvania, Michigan, and Wisconsin that gave Trump his victory. The data flow was so precise there is no way Russia could know which specific voters in those states would be open to their propaganda. Only Americans on the ground could know with that level of specificity. If Cambridge or its staff passed the specific individual voter data collected for the Trump team on to Moscow so that the RF-IRA could target its messages to a specific bloc of voters, they may be exposed to much, much more than embarrassment, as both England and the United States laws would consider working for the Kremlin an act of espionage.
The Internet Research Agency and other troll farms weren’t the only Russian intelligence subcontractors in the 2016 election. Media investigations found that there were young, English-speaking men in Macedonia generating nonstop pro-Trump fake news stories for purely economic reasons. They would then feed these stories to Facebook pages and collect revenue via Google AdSense. They also created pro-Trump websites with domain names like DonaldTrumpNews.com, WorldPolititcus.com, and USADailyPolitics, which were then filled with fake news from numerous sources in the Russian information sphere. In a town with very little economic potential for young men, $5,000 per month is a lot of money.15 They did not have to maintain a news staff as their content was appropriated from other fake news sites from the United States. They found that posting pro-Trump materials were the most profitable but had no vested interest in his success during the election of 2016. However, they profited Donald Trump and Vladimir Putin to no end.
The motivation for creating fake news ranges from an intentional desire to mislead people for political reasons to a raw desire for money from the ad revenue generated by ad clicks. In web speak, “click bait” refers to content that is manufactured purely to get viewers to click the “read more” link. The content may be partially true and misleading or completely made up.
Ad-based revenue can generate thousands of dollars for site owners who create or aggregate fake or misleading partisan news. Using ad services like Google AdSense, for instance, content creators can monetize these manufactured stories. Then, to drive traffic to these sites, creators can purchase ads on Facebook to draw viewers of all political leanings to the content. Fake news ads can generate lots of views on Facebook. For $33, a single ad can reach up to 60,000 Facebook users per day.16
Approximately, 12% of the tweets posted from these accounts also attempted to mask the origin of the account by using VPN (Virtual Private Network) access. VPN allows users to access content indirectly to appear to be coming in from another location. For example, a death threat against the author used a VPN to access American servers. Once on the internet, it appeared to be in Denver, Colorado. VPN isn’t a guaranteed method to disguise the user’s origin as counter hackers discovered the death threats actually originated at the RF-IRA in St. Petersburg, Russia.
In terms of social media, a “bot” refers to the use of software that posts, reposts, and interacts like sentient human users. It’s a takeoff from robot, but since they tend to act autonomously the “ro” for remote was removed from the term. In propaganda warfare, bots are automated software weapons designed to disperse propaganda. They are the particles in a mist of influence warfare. Bots are the vehicles of manipulating perceptions. They are the cockroaches of computational propaganda. By using bot deployment technology to influence target audiences, they became the force multiplier for modern active measures. Had Stalin or Hitler had bot dispersal systems, they would currently be ruling the world.
RF-IRA Gets Indicted
On February 16, 2018, Special Counsel Robert Mueller filed an indictment at the US District Court for the District of Columbia titled The United States versus the Internet Research Agency [RF-IRA], Concorde Management and Consulting, LLC, and Concorde Catering. The indictment alleged that the “research” organization was in fact a “Russian organization engaged in operations to interfere with elections in political processes.” According to the indictment, beginning in late 2013, the organization was formed, hired staff, and planned and received orders to manipulate the US Presidential election through the largest Russian intelligence active measure ever conducted against the United States—a broad-based information warfare campaign to change the minds of American citizens. The RF-IRA conducted their operations by setting up tens of thousands of social media websites, Facebook groups and pages, and Twitter feeds designed to look like American citizens posting information to attract conservative American audiences. Additionally, they used “marionetting,” where they manipulated real people by pretending to be US citizens, and organized protests with civic groups who were convinced that they were communicating with legitimate people, not Russian agents.
Surprisingly, the Mueller indictment wasn’t the first to identify the activities in these troll factories. One former employee of the RF-IRA named Lyudmila Savchuk attempted to expose the troll factory despite the risk of retaliation. She and others claim that the Russian government protects the organization. She sued the RF-IRA over worker conditions and pay. Working with a lawyer named Ivan Pavlov from an NGO called Team29, they represented Savchuk and another employee, Olga Maltseva, in her case against the RF-IRA.
The heat from the Mueller investigation and the FBI on RF-IRA for the activities during the American, French, and German elections proved too much. By 2017, they had been forced to shut down, change their name to “TEKA,” and move to a new location on Beloostrovskaya Street in St. Petersburg. Then they resumed operations once Trump was in office—they attacked Robert Mueller, the FBI, and any critic of Donald Trump or Vladimir Putin.17
The Internet Research Agency and other troll farms weren’t the only Russian intelligence subcontractors in the 2016 election. Media investigations found that there were young, English-speaking men in Macedonia generating nonstop pro-Trump fake news stories for purely economic reasons. It’s likely they may have not known they were subcontracted by the RF-IRA as the products were virtually identical to Russia bots. The Macedonian bot farm also fed stories to Facebook pages and collected revenue via Google AdSense. They also created pro-Trump websites with domain names like DonaldTrumpNews.co, WorldPolititcus.com, and USADailyPolitics, which were then filled with fake news from numerous sources in the Russian information sphere. In a town with very little economic potential for young men, $5,000 per month is a lot of money.18 They did not have to maintain a news staff as their content was appropriated from other fake news sites around the United States. They found that posting pro-Trump materials were the most profitable but had no vested interest in his success during the election of 2016. However, they profited Donald Trump and Vladimir Putin to no end.
The motivation for creating fake news ranges from a desire to mislead people for political reasons to a need to gain money from the ad revenue generated by ad clicks. In web speak, “click bait” refers to content that is manufactured purely to get viewers to click the “read more” link. The content may be partially true and misleading or completely made up. Ad-based revenue can generate thousands of dollars for site owners who create or aggregate misleading partisan news. Using ad services like Google AdSense, for instance, content creators can monetize these manufactured stories. Then, to drive traffic to these sites, creators can purchase ads on Facebook to draw viewers of all political leanings to the content. Fake news ads can generate lots of views on Facebook. For $33, a single ad can reach up to 60,000 Facebook users per day.19
So how did the RF-IRA manage to fool Americans into thinking they were chatting with other real-but-fake Americans? They masked their true location. Approximately, 12% of the tweets posted from RF-IRA accounts attempted to mask the origin by using a VPN (Virtual Private Network) access. VPN allows users to access content indirectly, and, if done correctly, it appears to originate from another location. For example, death threats against myself used a VPN to access American servers and appeared to originate on a twitter account in Denver, Colorado. VPN isn’t a guaranteed method to disguise the user’s origin as counter hackers discovered my death threats actually originated at the RF-IRA in St. Petersburg, Russia.
Propaganda products, fake news articles, and crazy Russian death threats are not mass broadcasted tens of thousands of times a day by a real human being. The human element drafts the product but uses a self-replicating, self-transmitting piece of computer software called a “bot.” A bot refers to the use of software that posts, reposts, and interacts like sentient human users. It’s a takeoff from the word robot. In propaganda warfare bots are automated software weapons designed to disperse propaganda and fill blank spaces with their own message like the particles in a mist of influence warfare. They are the cockroaches of computational propaganda as they can invade any crevice no matter how seemingly secure, and cannot appear to be eliminated entirely. By using bot-deploying technology to influence target audiences, the RF-IRA became a globally unique information force in modern active measures. Had Stalin or Hitler had bot dispersal systems, they would currently be ruling the world.
Creating accounts that appear to share topical or partisan affinity mixed with hashtag promotion allowed bots to drive public opinion. People tend to enjoy spreading messages they agree with, no matter how obscure the source or crazy the claim. Human curiosity and gullibility are the dispersal agents of the bot. Russia became aware of this and turned it into an idea-changing weapon. Russians did not just attempt to rig elections in the United States, France, and Germany, but also influence operations like the policy debates of Brexit, immigration, or the Russia probe in the United States. The first place they experimented was on the Russian people. Recall that Yevgeny Prigozhin himself created the Kharkiv News Agency and used bots to flood fake news, and horrible comments using fake individuals to push the Kremlin’s view.
Another tool in the Russian arsenal was the use of fake news fire hydrants called botnets. A botnet is comprised of a string of connected computers and devices that run automated software (bots) for a particular task. When used by a nation-state, it can act as a virtual army that transcends the attackers’ point of origin. Imagine every fire hydrant in a city exploding and flooding the streets, the botnet would be the water main system feeding those hydrants. Botnets might be used to conduct Distributed Denial of Service (DDoS) attacks where your internet access is clogged by flooding data; brute force login attacks where massive computer power tries billions of attempts to log in to server or website administration logins or to spread malware, ad clicking fraud, and email spam. Botnets were first deployed in the early 2000s and continued to expand in complexity and capabilities over the years.
Every bot had a job and in many ways they mimic roles previously carried out by human beings in the espionage world. Those people were named Agents of Influence, Agents Provocateurs, and Chaos Agents. Today bots fill these roles. Bots operate in botnets, which could include millions of messages of every type that are usually focused on one propaganda objective.
In the weeks leading up to the 2016 election, Russian-linked bots retweeted 47,846 @HillaryClinton tweets while tweets from @realDonaldTrump were retweeted 469,537 times. Similarly, @HillaryClinton tweets received 119,730 likes from Russian-linked bots compared to 517,408 likes of @realDonaldTrump tweets by Russian-linked bots.
Twitter also examined content being shared from known and alleged Russian cutouts including from WikiLeaks, Guccifer 2.0, and DCLeaks. They noted @WikiLeaks posts were retweeted 196,836 times, @Guccifer_2 tweets were retweeted 24,000 times, and @DCLeaks_tweets were retweeted 6,774 times by Russian-linked bots.
A unique bot seen in the 2016 election could be called the Agitation Bot. In human terms it would be an agent provocateur where it would pose as a local resident and exhort followers to show up at a protest or real life street action. Of course, a bot can be used to organize the place and time of an event such as a protest. We use them all the time on our mobile phone schedulers. The trick is to make real people think it is a real person scheduling the event. Once people show up in real life, even without a bot organizer, they generally will spontaneously continue the protest activity. The Internet Research Agency created 129 Facebook events between 2015 and 2017.20 Facebook reported to the Senate Intelligence Committee that the posted events were viewed by over 300,000 users, and that around 62,500 planned to attend the events and 25,800 were interested in attending the event. All these Americans were being manipulated like marionettes by puppeteers in St. Petersburg, Russia.
For example, Russian accounts used Facebook to promote Pro-Trump rallies like the “Florida Goes Trump” rally on August 20, 2016. The rally was promoted on the Facebook page created by username “march for Trump.” The page called “Being Patriotic” promoted this event along with a “Down with Hillary!” event in New York at the Hillary Clinton campaign headquarters.21
Another example: the trolls posted opposing events for May 21, 2016, in Houston, Texas, around the opening of an Islamic Center library. Both sides, including “Stop Islamization of Texas” protesters and “Save Islamic Knowledge,” were actually Russian entities trying to create mayhem. Some comments related to the event issued threats of violence aimed at Muslim Americans.
In January 2017, a more unusual case of Russian intelligence “marionetting” of an unwitting innocent citizen using a hybrid mix of bots, human, and web propaganda, involved a martial arts teacher named Omawale Adewale. He was asked if he wanted to facilitate training self-defense classes to African Americans. Under the banner of “Black Fist Self Defense Project,” he conducted over a dozen trainings between January and May 2017 and was paid $320 via PayPal and Google Wallet for the sessions.22 However, Adewale never met the people who were soliciting him to conduct the classes. Instead, the events were part of a campaign developed by Russian intelligence and the Internet Research Agency.
Adewale was first contacted by a person who identified himself as “Taylor.” Taylor asked him to collect information on the participants. In other examples, the name “Jackob Johnson” has been used. The group used a website, “blackfist.pro,” to promote the trainings and even arranged interviews with podcasts like “No Holds Barred” with a host named Eddie Goldman.23 The podcast discussions with Adewale were conducted by phone. Text of the interview was posted to the blog, Sherdog.com.
“We all understand that since the election of Donald Trump there have been a lot of, I’ll say, hate crimes against minorities. And so, we thought that it’s a good idea where as Black people we could be able to defend ourselves. The main idea is not even the defense. It’s just being able to be in a position to defend ourselves. And also we understand that self-defense is something that if you know, it boosts your own [self-esteem]. To accomplish this, this year they have begun holding a series of seminars and self-defense classes around the U.S. At this time, these classes have been held in New York and Florida, with more locations soon to be announced. The trainers include Omowale Adewale, a kickboxer, boxer, and MMA fighter based in New York.… In addition, we open with a commentary on the importance of using the combat sports to fight the rise of reaction we see today, and of following the time-tested slogan on ‘an injury to one is an injury to all.’”
This was an active measure to create the impression that African Americans were preparing to focus their aggression through mixed martial arts–type street fighting. Had this succeeded, the propaganda would have been spread across RT, Sputnik, and Fox News to terrify white Americans who support Donald Trump.
When it comes to using bots, hashtags are relatively easy to program since they can be adopted, updated, and repeated. This made hashtags, symbolized by the #, a perfect companion to information warfare campaigns which were aimed to draw attention to themselves. The Internet Research Agency drove several propaganda campaigns in Europe well before the US election. They used hashtags #Frexit (French Exit the EU), #Grexit (Greek Exit the EU), #Brexitvote, #PrayForLondon, #BanIslam, and #Brexit. In the United States, they drove hashtags #CALEXIT (Northern California separatists), #TEXIT (Texas Republic separatists), #WhiteGenocide, and #BlackLivesMatter.24
In the 1960s, Service A (the disinformation service of the KGB) sought to sow racial division around Dr. Martin Luther King Jr. King was the target of active measures organized under KGB officer Yuri Modin. The KGB campaign to inflame racial tensions included sending fake pamphlets to black activist organizations meant to instigate tension with the Jewish Defense League. But decades later, it would be RF-IRA–driven trolls seeking to exacerbate tensions around the Black Lives Matter campaign. This time it would be a competing set of Twitter accounts joining the fight to instigate division between #BlackLivesMatter, #BlueLivesMatter, and #AllLivesMatter hashtags. A University of Washington examination of the accounts associated with the Internet Research Agency found that 29 of them were feeding the hashtag war on all sides.
In the lead-up to the 2016 election, the hashtag #DNCLeak was used. In the two months before the election, 26,500 users created 154,800 tweets with the hashtag #DNCLeak. This included 3% that were Russian-linked accounts. Clinton campaign chairman John Podesta’s emails had been stolen after a successful spear-phishing attack by COZY BEAR. He was tricked when he clicked on a link that pretended to be a Google security alert. In the weeks before the election, WikiLeaks published 118 tweets with the hashtag #PodestaEmails.25 Twitter said nearly 5% of the tweets with this hashtag were generated from Russia-linked accounts for a return of 20% of the impressions for the first week of posting.26 Twitter estimated 64,000 users created 484,000 tweets with variations of this hashtag in the two months before the election.
Twitter later testified that it sought to reduce the exposure of these hashtags and limited their distribution. It drew an immediate outcry from not only right-wing and conspiracy theory sites in America, but also from Russia Today and the Sputnik website. Both groups called this “censoring.”
In early January 2018, there was an effort by Chairman of the House Permanent Select Committee on Intelligence, Representative Devin Nunes and other Republicans to discredit the investigation into Trump’s relationship with Russia. A memo drafted by Nunes accused the FBI of abusing the FISA (Foreign Intelligence Surveillance Act) process to target Donald Trump and his campaign staff. Soon after rumors of this report surfaced the Russian originated hashtag #ReleaseTheMemo appeared on January 18, 2018. It was quickly shared over 3,000 times in a two-day period following the announcement of the memo’s existence.27 Other Deep State hashtags were launched to accompany this effort including #fisagate, #obamadeepstate, #wethepeopledemandjustice, #thememorevealsthecoup, and #obamaslegacyisobamagate.28 In addition, #SchumerShutdown was launched in a failed attempt to rival another hashtag, #TrumpShutdown, after the administration allowed the government to shut down for two days. On many accounts, it was added to posts with #ReleaseTheMemo. So pervasive was the belief that Russia was pushing the hashtags, many real conservatives started posting #IamNotaRussianBot. It was amusing until RF-IRA posts used it as well.
In early 2018, Twitter updated its methods of detecting bots and Russian associated accounts after the election in response to demands to deal with the abuse of their platform. This included examining what qualifies as “Russian-linked” or “RF-IRA–linked.” Criteria for this included determining where the account user was located, use of Russian email addresses, if the account was created from a Russian IP address, or if the account had been accessed from a Russian IP address. In some cases, use of Cyrillic in usernames or display names was considered or if Cyrillic was used in the sign-up interface.
Hoaxes: 48 Hours in the Life of an Assassination Bot
Bots may be automated software spreading propaganda everywhere, but they can also be “retasked” by their human handlers to intervene and focus a hateful message against very specific people and try to bring about violence at the hands of their puppets. In late July 2017, Moscow decided that they had enough of my and Joy Anne Reid’s free use of television. In late July 2017, I was attending Politicon, the convention for politics in Pasadena, California. Two days before the scheduled panel on “From Russia with Trump,” an account on Twitter began to issue death threats against both Joy Reid and me. The “person” promised an armed confrontation at the convention. But upon very close inspection it was determined this was a Russian bot programmed to pretend to act like an American citizen.
The account was named “Mario__Savio” (double underscores). It was found on Twitter encouraging people to confront me and others at the Pasadena Convention Center. When it was investigated, it appeared to be a legitimate account, but on closer inspection it was found that the Russian bot had “typo-squatted” and mimicked a real account right down to stealing the profile and photo. Typo-squatting is when an online name appears almost identical to another but distinguished by a hard to see typographic error. In this instance, the Russian programmer added an additional underscore mark (_) to the legitimate account Mario_Savio (single underscore).
A review of the bot’s history found that it had been operating as an Agent of Influence bot using a series of attacks and attempts to pump up followers. For almost 90 days, it posted negative comments on twitter about four TV personalities: Bill Maher, Joy Ann Reid, Rachel Maddow, and Michael Moore. A shift came when it started to attack Republican Senator John McCain who had criticized Donald Trump for his response to Russian aggression. In response to McCain, the account repeatedly attempted to associate the senator with conspiracy theories about his funding ISIS and the war in Syria. Further back, the account focused on Ukraine, Syria, and other topics that are typical of Russian geopolitical discussion. Forty-eight hours before the Politicon conference, the bot was re-tasked to Agent Provocateur mode. It started notifying a Southern California pro-Trump forum of my presence at Politicon and requested followers to come there. Twenty-four hours before the panel, it was re-tasked again and went into Chaos Agent mode. The bot started issuing death threats against Joy Reid and myself. It started posting threatening posters of me with a sniper’s cross hair on it with the text WANTED! For inciting #ISIS to “suicide bomb” a #Trump Hotel @FBI @SecretService. It also posted images of Joy Reid with Nazi paraphernalia and the word “Goebbels.” This was likely an allusion to the “Baby Goebbels” joke I had made on Real Time with Bill Maher about White House speechwriter Stephen Miller. The bot stated, “I need all the publicity I can get before I come after Malcolm Nance. I’ll be there after @JoyAnnReid at her gig #Politicon #Fakenews.” Cybersecurity experts determined it was a bot not physically located in Denver, Colorado, as its Twitter profile showed, but that it was a VPN used for entry into the US internet. The bot’s true location was then tracked back to St. Petersburg, Russia, likely the Internet Research Agency.
Though Twitter was alerted to this account on July 29, 2017, it took weeks for the same false username to be suspended and only after it had made dozens of additional threatening posts calling for direct confrontation with myself and others.
Another American fake news story pushed by Russia was the notorious hoax called #PizzaGate. After the release of emails attributed to former New York representative Anthony Weiner, a conspiracy theory emerged claiming that a pizza parlor, Comet Ping Pong, in Washington, DC, was secretly a front for a human trafficking and pedophilia ring. The story claimed that the New York Police Department found evidence of a massive human trafficking racket based on inside sources in the department. The story was then picked up by Sean Adl-Tabatabai, who posted it to his fake news site, YourNewsWire.com, with the additional claim that he had confirmed the claims through an “FBI Insider.” Adl-Tabatabai is the former webmaster for conspiracy theorist David Icke.
After the post was created, the 4chan message board picked up the story and began to feed on it. 4chan was one of the most popular genesis points for the alt-right subcultures and known for viral campaign generation. Driven by posts by anonymous users, 4chan is the web equivalent of the Wild West with very lax oversight and a culture of feeding-frenzied behavior around fake news and rumor mongering.
Conspiracy theorist Alex Jones’ InfoWars and others carried the stories further across the web, each with its own click bait–driven agenda. The spreading of the story didn’t stop in the US, but was picked up by sites around the world, often with each adding its own spin, variation, or new material to the claims. In just days, the first claimant of the story had reposted a link to “truepundit.com,” who had echoed the original claims as a source of validating it. “My source was right!” claimed the twitter account under the name “@DavidGoldbergNY.”
The story wasn’t true, of course, but that didn’t stop self-appointed internet sleuths from continuing after the release of emails via WikiLeaks supposedly belonging to John Podesta, Hillary Clinton’s campaign advisor. Various people began to pick apart the Podesta emails looking for code words they claimed would substantiate the PizzaGate theory, especially code words related to food. “I’m dreaming about your hotdog stand in Hawaii…,” wrote Mike Cernovich, alt-right leader and prolific fake news promoter. Under the hashtag #PodestaEmails28, users were combing through the WikiLeaks releases and picking out words like, “pizza,” “cheese,” “pasta,” “ice cream,” and “walnut” as code for little girls and boys or male prostitutes.
Ultimately, the story came to a crescendo when Edgar Maddison Welsh of North Carolina traveled to Washington, DC, and opened fire on the restaurant with an AR-15 on December 4, 2016. Welsh was convinced that real crimes were being committed and decided to take matters into his own hands. He was charged in December 2016, entered a plea agreement on transportation of firearms and assault with a deadly weapon on March 24, 2017, and was sentenced to a fine and four years in prison.
Additionally, a Shreveport, Louisiana, man, Yusif Lee Jones, called in a threat to shoot up another restaurant just 3 days after the Walsh shooting. Jones called the Besta Pizza restaurant in Washington, DC, claiming he was going to “shoot everyone in the place” to “save the kids.” Jones was arrested and pled guilty to issuing criminal threats against the restaurant on January 12, 2017.29 Though the story had been debunked in plenty of outlets, the restaurant faced an onslaught of continued harassment. The owners and others are still repeatedly threatened via social media.
The story wasn’t limited to fake news sites. Donald Trump’s campaign team member and soon to be National Security Advisor, Michael Flynn, shared the story via his Twitter channel as did his son, Michael Flynn Jr., who added, “until #PizzaGate proven to be false, it’ll remain a story.”30
#PizzaGate may have been the most popularized fake news story of the campaign season but not the most terrifying in terms of the number of people who were affected. In St. Mary Parish, Louisiana, residents were targeted with the fake news headline, “Toxic fume hazard warning in this area until 1:30 PM,” which prompted calls to the local Homeland Security office on September 11, 2014. Though there were hundreds of Twitter accounts discussing the “powerful explosion” under the hashtag #ColumbianChemicals,31 in fact, there was no emergency.
Despite the tweets and posts, the event was a hoax. Ultimately, Columbian Chemicals sent out a news release that there was no explosion and the reports were false. Despite it being a hoax, the non-event even had a Wikipedia page and a YouTube video purported to be an ISIS claim of responsibility with women in full burqa waving guns. On March 10, 2015, another similar hashtag, #PhosphorousDisaster was launched. It claimed that a large spill of phosphorous was dumped into American Falls (along with hashtag #AmericanFalls) in Idaho.
On October 4, 2014, a hashtag hit Twitter thanks to the Internet Research Agency. This time it was #MaterialEvidence. A Facebook event was inviting people to an art exhibit on West 21st Street in New York City with photos of Syria and Ukraine. When reporters from Gawker sought the funding source of the exhibit, they were told the gallery source was from a “silent guy” who “came back with a bag of cash and dropped it for them with no explanation.”32 The show ran from September to October 2014, and advertisement for the show was ubiquitously posted around the city on buses and subway posters. After emails were hacked by Anonymous International and leaked to the web, it was shown that among the financiers of this campaign was the Internet Research Agency of St. Petersburg.33
These are just a small sample of the efforts being conducted by the Internet Research Agency not only in the United States but around the world. A review of the digital infrastructure behind these hashtag campaigns linked the Twitter accounts to a mass posting tool called “Masss Post” tied to a domain in Russia (Add1.ru). New York Times reporter Adrien Chen asked Mikhail Burchik, alleged leader of the RF-IRA troll farm, if he registered the domain and Burchik denied it. Leaked emails stolen by the hacker activist group Anonymous tied Burchik back to the organization. Julian Hans of the German newspaper, Süddeutsche Zeitung, claims Burchik affirmed ownership of the leaked emails before denying it to Chen.
Frustrated with accusations that InfoWars was a Russian hashtag generator, Alex Jones posted a photo of his Russian business visa and tweeted mockingly, “Looking forward to Putin giving me the new hashtags to use against Hillary and the dems…”34 Little did he know he was revealing something not far from the truth. Jones had been a highly reliable source of fake news for the Russian propaganda warfare structure and his conspiracy theories were hashtagged like crazy by the RF-IRA. His nutty commentary is widely admired by some of Russia’s leading politicians, and thanks to his own tweet he revealed he had been issued a long-term business visa to keep his special brand of conspiracy mongering alive.
What Does the Fox Say?
Buzzfeed’s Sheera Frenkel discovered that Russia Defense Minister Sergey Shoigu reported to the Duma that Russia was engaged in a propaganda war. Shoigu said that Russia’s “[Cyber Army] are expected to be a far more effective tool than all we used before for counter-propaganda purposes.”35 The ability to use the worldwide web to execute many different avenues of attack would also explain why Russia chose WikiLeaks. They needed credibility on the world stage. Russian military strategists Col. Chekinov and Lt. General Bogdanov describe the efficiency of using non-attributable agencies such as non-governmental organizations to mask the work of intelligence operations in information war. They said:
“It is preferable to have a foreign nonprofit, nongovernmental organization (NGO) that could best contribute to the attainment of the goal of a hybrid operation. It can be established beyond the Russian Federation under the rules of a foreign country [and] can draw its members from residents.”36
Sergei P. Rastorguev, a Russian military hybrid warfare analyst, wrote an apocryphal story to illustrate the objectives of the coming cyber warfare with America and Europe in Philosophy of Information Warfare:
“Once there was a fox that wanted to eat a turtle, but whenever he tried to, it withdrew into its shell. He bit it and he shook it, but he wasn’t getting anywhere. One day he had an idea: he made the turtle an offer to buy its shell. But the turtle was clever and knew it would be eaten without this protection, so it refused. Time passed, until one day there appeared a television hanging in a tree, displaying images of flocks of happy, naked turtles—flying! The turtle was amazed. Oh! They can fly! But wouldn’t it be dangerous to give up your shell? Hark, the voice on television was announcing that the fox had become a vegetarian. ‘If I could only take off my shell, my life would be so much easier,’ thought the turtle. ‘If the turtle would only give up its shell, it would be so much easier to eat,’ thought the fox—and paid for more broadcasts advertising flying turtles. One morning, when the sky seemed bigger and brighter than usual, the turtle removed its shell. What it fatally failed to [be understood is] that the aim of information warfare is to induce an adversary to let down its guard.”37
With all systems in place, Russian assets of the FSB, SVR, GRU, the Military Intelligence Directorate, and Russia’s NSA, the Special Communications Information Service, were poised to strike a direct attack at the target they’ve been trying to hit for over 70 years—American democracy.