Russian Interference: The Evidence
How we know Russian operators tried to throw the 2016 U.S. election
Russian government channels seized on the report by Special Counsel Robert Mueller to claim that there was no interference by Russian operators in the 2016 U.S. presidential elections, after a heavily redacted version of the report was released on April 18, 2019.
The claims of a large-scale Russian operation to interfere in the U.S. elections have cast a shadow over United States-Russia relations and dogged the first two years of Donald Trump’s presidency. Kremlin officials have repeatedly denied any Russian interference in the U.S. election, claiming that Russia “has never interfered in electoral processes in any country.”
On April 18, the Russian Embassy in the United States published a 121-page document rejecting the accusations of interference, writing “there was no ‘interference’ in the first place.”
Open-source information, however, confirms that Russian operators did attempt to interfere in the U.S. election. This post summarizes the Russian claims and the evidence to the contrary.
In the wake of the Mueller report’s release, Kremlin officials and outlets such as RT made three main claims about the report:
- There was no interference;
- The interference was too small-scale to have an impact; and
- Mueller did not present evidence of interference.
The Russian Embassy’s document, illustrated above, made the first point. Both the Embassy and RT made the second point.
Both also made the third point, as this screenshot of RT’s headline demonstrates.
The claim that the interference had no impact raised a legitimate question about the Russian campaign’s effect, but it did so in a way that implied the interference never happened at all. These are two separate questions: using the question of impact to suggest that there was no attempt at interference was deceptive.
The first and third points were factually false. Mueller’s report did present evidence of interference, although a substantial number of individual points were redacted. Far more broadly, however, the open-source evidence confirms that Russian operators attempted to interfere in the elections.
RT and Mueller’s Evidence
RT’s topline was that Mueller’s report “offers no actual evidence” of Russian attempts at interference. RT’s anonymous author wrote:
“Any time it looks like the report might be bringing up proof, it ends up being redacted, ostensibly to protect sources and methods, and out of concern it might cause ‘harm to an ongoing matter.’”
Much of the report was, indeed, redacted under the label “harm to ongoing matter” — in other words, on the grounds that revealing the details could jeopardize an ongoing case.
Yet some of Mueller’s evidence did escape redaction. This evidence can be cross-referenced with open-source materials to confirm its authenticity.
For example, on page 25 of the report, Mueller provided the verbatim texts of three Facebook advertisements paid for by the Russian “troll farm,” the Internet Research Agency, which ran the main Russian online interference campaign targeting the 2016 election. The first two ads were attacks on candidate Hillary Clinton; the third endorsed then-candidate Donald Trump.
All three texts match ads that Facebook itself attributed to the Russian troll operation. Facebook shared these ads with the House Intelligence Committee; the Committee published the ads.
The quotes provided in Mueller’s report match the texts of three ads identified by the committee as numbers 2402 of March 2016, 1868 of April 2016, and 1908 of April 2016.
Mueller’s report also claimed that the troll operation on Twitter “provoked reactions from users and the media. Multiple IRA-posted tweets gained popularity.” As evidence, it cited a tweet by an account called @jenn_abrams that posted, “To those people, who hate the Confederate flag. Did you know that the flag and the war wasn’t about slavery, it was all about money.”
Twitter confirmed that @jenn_abrams was run by the Russian operation in a list of troll factory assets that the platform published in 2018. The actual tweet was preserved on the Wayback Machine internet archive. By the time it was saved on May 10, 2017, it had 461 retweets, 992 likes, and over 3,700 replies, some of which gained tens of thousands of additional reactions.
RT’s claim that the redacted version of Mueller’s report “offers no actual evidence” was false, given the abundance of evidence contained within the report. This is such a fundamental failure of accuracy and editorial rigor that it was likely a deliberate attempt at deception.
Twitter and Facebook
The most comprehensive proof of the Russian operation online comes from the social platforms. Beginning in September 2017, Facebook and Twitter began announcing that they had taken down inauthentic accounts “likely operated out of Russia.”
In November of that year, Facebook’s General Counsel Colin Stretch told the Senate Intelligence Committee that accounts “associated with the IRA” made over 80,000 posts in 2015–2016, with a potential reach of 126 million people.
In May 2018, House Democrats published some 3,000 Facebook ads paid for by the Russian operation and attributed to them by the platform.
As Facebook pointed out in a later takedown of suspected Russian troll accounts in July 2018, the platform has access to a range of data unavailable to open-source researchers, such as the IP addresses used to register accounts and the accounts that manage different pages.
“For example, while IP addresses are easy to spoof, the IRA accounts we disabled last year sometimes used Russian IP addresses.” — Facebook statement, July 31, 2018.
The platforms have not publicly disclosed how they attributed these accounts to the Russian operation. Three details are worth noting, however. First, in May 2017, Twitter user @AltCyberCommand attempted to reset the password of the @TEN_GOP account and, in doing so, demonstrated that it was registered to a phone number beginning with country code 007, which is the country code for Russia.
Second, Stretch confirmed that some of the politically themed Facebook ads had been paid for in Russian rubles, despite purporting to come from American accounts.
Third, Mueller’s indictment of Russian hackers in July 2018 indicated that they used a Facebook account, “Alice Donovan,” to manage a page called “DCLeaks” and that they used the same computer to run two separate Twitter accounts. (The DFRLab analyzed the indictment here.)
These details indicate the range of data points that the platforms used as the basis of their attribution. When Kremlin officials stated that there was “no interference” in the U.S. election, therefore, they denied the existence of millions of social-media posts attributed to the Internet Research Agency by the platforms themselves.
Confirmation of some of the platforms’ attributions came from genuine Russian journalists. In October 2017, Russian outlet RBC published a list of known Russian troll accounts from a source inside the troll factory.
The report came shortly after Facebook and Twitter had suspended the accounts but before their names were made public; thus, RBC’s source was not one of the social networks but someone inside the operation.
Reports that the Internet Research Agency was founded and funded by oligarch Yevgeniy Prigozhin — indicted by Mueller in February 2018 — also came from Russian journalists. As early as March 2015, Russian reporter Andrei Soshnikov wrote in St. Petersburg outlet Moy Rayon (Мой район, “My district”) that the troll operation was apparently funded by Prigozhin’s company Concord Asset Management, based on company records.
These Russian reports, based on sources inside the country and made well before the social platforms published their findings, corroborate the evidence provided by Facebook and Twitter that an operation in Russia, apparently funded by Prigozhin’s holding company, ran social-media accounts posing as Americans that posted on political and election-related topics.
Russian officials’ frequent claim that the accusations of interference amount to “Russophobia” fails to take genuine Russian reporters’ evidence into account.
Mueller’s report and July indictment also described how Russian hackers associated with military intelligence targeted Democratic servers and the Clinton campaign. The leaks these hacking attacks generated had a significant impact on the Trump and Clinton campaigns, giving the former more ammunition and putting the latter on the defensive.
The various hacking attacks have been attributed to Russian actors by multiple sources, both public and private.
In October 2016, the Department of Homeland Security and the Office of the Director of National Intelligence issued a joint statement that the U.S. intelligence community was “confident” that the Russian government had directed the hacking and leaking operations. The three-paragraph statement did not provide any forensic detail.
Much more detail was provided by cybersecurity firms CrowdStrike and ThreatConnect. The former was hired by the Democratic National Committee (DNC) to investigate the hacking of its servers. In a post in June 2016, CrowdStrike detailed its findings, including the exact methods used to intrude into the DNC systems and the commands used to deploy the malware.
CrowdStrike’s findings were summarized in a Wired article in March 2017:
“We realised that these actors were very well known to us,” Alperovitch says. This is because of a handful of small but significant tells: data exfiltrated to an IP address associated with the hackers; a misspelled URL; and time zones related to Moscow. “They were called FANCY BEAR and COZY BEAR, and we could attribute them to the Russian government.”
In parallel, ThreatConnect analyzed email traffic from the “Guccifer 2.0” personality that claimed to be behind the DNC leaks, concluding that it was “a Russian creation to maximize the impact of strategic leaks” and connecting it to another leaking operation, “DCLeaks.”
Separately, in January 2018, Dutch news outlets NieuwsUur and de Volkskrant reported that Dutch intelligence had not only alerted the United States to the Russian hackers but had hacked them back. The report claimed that the information “ended up on the desk of Robert Mueller.”
Mueller’s indictment of the accused hackers in July 2018 provided a wealth of detail but without revealing the source. These details included the email address allegedly used in the hacking of Clinton campaign manager John Podesta, the technical queries that the accused sent, the type of malware they used, and the exact phrases that they searched for online — phrases subsequently used in the leaks.
The “john365gh” email address was named in a separate court filing in May 2018, where it was attributed to an internal Bitly investigation into how the spearphishing links had been created. Other details do not appear to have been posted online before Mueller’s indictment. The indictment did not name its sources, but these are likely to have included both technical platforms (such as Bitly, Facebook, and Twitter) and intelligence sources.
Kremlin outlets and officials were quick to claim that there was no evidence of Russian interference in the U.S. election, but the evidence was not on their side.
The social-media platforms, Russian journalists, and open-source researchers provided a range of evidence of the attempt at interference, including the phone numbers of individual accounts, the currency of ad transactions, IP addresses, and computer identities.
Security agencies and cybersecurity companies alike attributed the hacking operations to Russian government hackers, based on a range of technical indicators, including email and IP addresses.
Overall, therefore, there is a substantial body of evidence to show that Russian operators attempted to interfere in the U.S. election.
Ben Nimmo is Senior Fellow for Information Defense at the Atlantic Council’s Digital Forensic Research Lab (DFRLab)
This article was updated on April 29, 2019, at 1700 UTC, to correct a number of hyperlinks.