American Snoper

The truth will not set you free

thaddeus t. grugq
10 min readMar 24, 2017


How modern conflicts play out in the informatics sphere, what I mean when I talk about cyber war, is happening in France. After France there will be Germany, then the Scandinavian countries have their elections. There is no chance that Putin attempting to shape the world to best suit Russian interests will abate. Currently, the strongest area that he can contend in is the informatics sphere, the cyber realm, where human perception of reality is shaped.

Attention not Deception

Russians believed that creating a narrative that democracy was corrupt in implementation and releasing curated proof of this was persuasive. In fact, it was simply the tempo of releases keeping the Democrats (or Republicans) from ever getting any of their own messaging out. This was a successful attack because of attention budget consumption, not a narrative.

Speculation! Russia is used to a population that knows not to believe the newspapers, to read between the lines, to accept the official line in public and not question it. They very likely believe that the Americans read and accept the false narrative because it was presented, with evidence, and then the objectives of the operation were met. That is, they presented a narrative and backed it up and the op worked, the lesson they’d learn from that is that they can create narratives that people will accept. I don’t believe this is true. I believe they are thus vulnerable in that they don’t know why their operation worked.

Another way: the Russians crafted a narrative that they then “supported” with a curated set of “evidence” stolen from various people and institutions. They presented this narrative and supporting proof, pushed it hard using a number of channels (leaks, bots, propaganda outlets, etc.) and surprisingly, it worked. For them, the take away is simple: craft a narrative (in this case: corrupt democracy) and provide supporting “evidence.”

This is not why their attacks were effective (part of what helped is the extremely partisan Breitbart dominated “conservative reality distortion field.”) The main effect that the Russian hacks had, via the Wikileaks cut-out releasing portions of Podesta’s emails in a steady drip, was that they crowded out all other news stories. This total domination of the news cycle sucked the oxygen out of the room for the candidates own messaging. If the Russians want to repeat their success in France, they don’t need to go to the trouble of crafting a narrative and presenting it, they simply need to release the inbox of a TV5 reporter every other day.

Stop Kicks and Counter Attacks

There are a very few cases where the Russian influence operation was weak or stopped. This was when the WashPo exposed them, which came as a surprise and left them scrambling to react – hence Guccifer 2.0. Unfortunately for the American media, they were not capable of pressing their advantage (only VICE continued to hammer G2.)

The Russians, when they choose the time and place for action, are formidable. But when they are forced to cyber before they’re ready, then things fall apart. They cobbled together Guccifer 2 very rapidly from various parts. A cyber Frankenstein: the name of a Romanian hacker who’d just claimed to have hacked HRC’s email server; unsanitised documents already selected for DCLeaks; poorly coordinated emails and website construction. After the poor metadata hygiene was pointed out, they sanitised all future documents.

Proper planning prevents piss poor performance.

They learned that they can’t operate a real time deception (the interviews were terminated for a FAQ after they got tripped up with the Romanian language questions.) This “just wing it” approach has very seldom worked for intelligence operations. Experienced case officers know that good results come from good plans, not thinking on your feet.

Recommendation: move against them before they start ops. They have shown great agility and responsiveness, but they make mistakes then they have to wing it. Force them to wing it as much as possible.

Cyber Defoliate

The recalcitrant nature of the US IC to produce damning evidence against the Russian meddling is understandable. Burning sources and methods is extremely expensive. The problem here is that:

The fog of cyberwar is the war

Uncertainty and lack of transparency are strategic advantages that the opposition (the Russians) have used to maximum effect. This ranges from their denials of the Little Green Men in Crimea, to the denials of war in Ukraine, to the denials of hacking political targets and attempting to influence the political campaign:

[Putin]…denied allegations of Russian interference in the election, but said “maybe we helped a bit with WikiLeaks.” — Source

Troll armies work

People, human beings, only have so much energy to invest into something. Arguing with strangers on the internet is just the sort of energy sapping activity that is exhausting. A tarpit of never ending pain, frustration and boredom. This is one of the reasons that troll armies work, they exhaust people who are genuinely engaged in a topic.

The trolls enjoy what they are doing far more than the victims. This is a basic rules for radicals tactic. Indeed, most of the rules for radicals apply very well to cyber electioneering.

Recommendation: create troll counter armies. Attack the identified trolls to keep them away. A skirmish line of troops protecting civilians. Much of this could be automated with bots as well.

Recommendation: they don’t react well to evidence that implicates them. There is a reasonable chance that putting strong dossiers out early will make them less aggressive, less effective, and reduce their freedom of movement.

Learning the wrong thing

A number of erroneous “Lessons Learned” have been drawn from the cyber conflict around the US election. There were a number of issues at play.

  1. Systems compromise: usually abbreviated as “the DNC hack” it actually involved a large number of penetrations. Some were typical passive monitoring espionage (accepted norms of behaviour), there was a lot of additional hacking of think tanks, strategy centres, sympathetic voter roll databases, individuals at the centre core, and peripheral people that had useful information or access.
  2. Leaks: this includes several waves of leaked mail spools by Wikileaks, and a number of other communications channels including sympathetic news agencies (such as The Intercept, Breitbart, and Info Wars.) The main lesson the Russians learned here was that using their own platform (DCLeaks) was a failure because it didn’t have sufficient page views to consume attention, they needed established channels with credibility and large audiences.
  3. State propaganda: Russia Today and other controlled media was used to provide an alternative news source that was completely under Russian editorial control. This allowed for significant releasing of information to shape and support the narrative.
  4. Shadow Brokers: the Russians used very expensive signals to throw the US intelligence community into disarray when they should have been working to counter Russia ops more aggressively. This was very well done and involved weeks of preparation work before being released at the strategically appropriate time.
  5. Defeat in Detail: Facebook and other “filter bubble” systems have allowed the voting electorate to become splintered into smaller spheres of like minded “echo chambers.” The opposition was able to craft a specific message for each echo chamber and control the information within each target. This is extremely powerful.

Garbage In, Garbage Out

The lessons that journalists, Services, and many in the public are drawing from the Russian influence operations against the US, as well as the rash of independent freelance influence operations (see: Macedonian teenagers, random dude out for a quick buck, etc.), are mostly just wrong.

The biggest take away that Europe, for example, seems to have developed is a firm belief that “setting the record straight” or providing a central authority of “true facts” will allow them to defeat disinformation. This is wishful thinking at its worst. There are a number of reasons that this will not work, but I’ll limit myself to a few of them:

1. Fact Checking Doesn’t Work

There was no lack of fact checking during the US election, but it had little impact. People simply didn’t care, “I know too much about a good story to let the truth get in the way,” and “never underestimate the ability of people to rationalize anything.”

2. Ammunition, Not Information

People read news for ammunition, not information. It seems unlikely that those committed to voting one side or the other are much concerned with verifying the validity of a story. They want something to be outraged by (high valence), or they want something to reinforce their pre-existing world view.

3. Disinformation Doesn’t Require Falsehood

Creating a narrative doesn’t require lying. As a classic example, say that the UK Air Force reports that their guided munitions have a 74% accuracy the papers could run either “Over a Quarter of Bombs Miss” or “Almost Three Quarters of Bombs Hit Target.” Both variants are true, but present the same fact from different angles. Examples of how using distorted versions of facts to achieve aims are extremely prevalent. Media outlets are more than happy to present facets of a story that align with their interests. The opposition will happily supply these media outlets with data for favourable stories.

Direct Channel To The Opposition

Historically, the KGB loved telephones (and other systems) that they knew where monitored by their opposition. They believed, in many cases correctly, that the opposition would believe whatever intelligence they collected from the surveillance was reliable, AAA rating. The KGB thought of these surveilled systems as a direct channel to the opposition where they could control was revealed and when it was revealed. The typical KGB technique during this time (everyone good still does it) was to place only fragmentary hints about a narrative, and allow the opposition to reach the conclusion themselves. People believe conclusions they have drawn themselves better than those told to them, so the KGB was basically enlisting the oppositions analysts to become champions of the disinformation.

I suspect that the current FSB views certain channels of communication in the same way. My speculation is that they are treating Wikileaks as a “tapped phone.” They know that they can feed data into Wikileaks and it will be published in a reasonable time (they probably have very good models of how long it takes from “leak” to publication.) They can basically reveal the information they want the opposition to know about, via a cut out, that leads to a response, a reaction, by the Western Services.

Take their horse out the race

In France there are two very clear outcomes that work well for Russia: either Fillon gets elected, or Marine Le Pen. The early polls showed that the likely second round of voting would be a run off between MLP and Fillon. A win-win for Russia.

Instead, because Fillon had betrayed Sarkozy, or someone else similarly powerful within his party, he was knifed in the back. His petty embezzling was exposed and his poll numbers collapsed. Somehow, he has managed to stay in the race. Then there was a crucial rally for him. If he fails to draw a large crowd, he’ll probably have to drop out. The rally was rained out. Somehow, despite all this, Fillon is not done.

So what?

This is extremely interesting because it was not an anti Russian meddling counter attack, but rather internal French politics as usual. The result though, has been wonderful. Fillon was significantly more palatable than MLP so with him floundering, that makes for an interesting opening. It also takes one Russian horse out of the race, limiting their options and reducing their “win states.”

Now, the most recent development, both Fillon and MLP are under investigation. Misuse of public funds. MLP is essentially broke, she has only Russian money available to her. If she takes it, that’s going to look bad. If she doesn’t take it, she won’t have sufficient funds. Combined with the investigation, this may lead to both MLP and Fillon being forced out of the race due to circumstances.

Recommendation: take the Russian horse out of the race. Remove their incentives to interfere. Although they will likely still make some moves, even just as spoilers, they are robbed of the opportunity for victory. They have no winning outcome.

Speculation: Russia will target the investigations and attempt to damage the people or institutions involved, such as the judges or prosecutors. They’ll also figure out a way to get MLP some much needed cash.

For now?

Right now, who knows what will happen in the weeks before the election. There is a lot that can happen still.

The most likely action is that Putin will continue to attack Macron. Probably not using a coordinated barrage like the beginning of February which saw Wikileaks, Russia Today and a few other outlets attempt to push a narrative (“Macron is a Rothschild banker,” which apparently has strong negative connotations for French voters.)

If I had to guess, I believe that curated “leaks” of Macron staff emails and Telegram conversations are going to be used to make him look bad. This is very likely to happen, I think, regardless of whether Fillon or MLP are still viable candidates.

Macron has been playing this poorly with regards to the Russians. Earlier this month he complained about “thousands of cyber attacks per day from Russia” which is, quite frankly, horse shit. Wasting credibility on such a meaningless event is only going to hurt him in the long run when he’ll need to counter the real attacks.

What is to be done?

What Macron needs to do is to make sure that his staff are locked down as securely as possible (GMail, 2FA, etc etc), and move his inner circle to a non attributable compartmented comms system. For example, using Threema on dedicated iPhones with Reservoir Dogs style code names for principals. Migrate regularly to new equipment, names, etc. This will make the job of penetrating the external layer harder and it will make the job of the analysts dealing with exfil from the inner circle (assuming they can get it) much harder. It contains and restricts the damage of a penetration and exposure, and it raises attacker costs in term of resources, some of which don’t scale (eg time).

The French DGSE, CERT and other elements need to respond immediately to “leaks” by revealing their origin in Russia. The affected candidates need to demonstrate immediately whether the documents leaked have been tampered or altered. This will help to reduce the credibility of additional future leaks. Immediately attack the lies, mistakes, and fabrications for what they are. The Americans made the mistake of sitting back and hoping for the best. It seems to me that the Russian way of cyberwar is not very capable of responding to counter attacks, so rather than attempt to preserve secrecy or dignity (both of which are lost anyway), use the opportunity to expose the active manipulation of the Russian intelligence services. This will help to reduce the credibility of future leaks.

Fund more content like this.