Researchers: No Evidence That Russia Is Messing With Campaign 2018—Yet
By the first week of October 2016, Russia’s pawprints were all over the presidential race. Not this year, researchers say.
All eyes are peeled for foreign interference in November’s elections. But amid the Senate hearings on election security and indictments, the warning sirens and reports, experts in computer security and influence operations are quietly acknowledging an elephant in the room, or, more accurately, a bear that isn’t. With just 28 days to go before the midterm elections, they haven’t found any evidence yet of direct Russian interference in 2018’s races.
By the first week of October 2016, Russia’s paw-prints were all over the presidential race. Wikileaks had already dumped thousands of DNC emails stolen by Russia’s Main Intelligence Directorate, the GRU, and was on the verge of doing the same to Clinton campaign chair John Podesta. A persona created by Russian intelligence was giving press interviews and chatting with a member of Donald Trump’s inner circle. Provocateurs at Russia’s infamous troll factory in St. Petersburg had already organized pro-Trump and anti-Clinton rallies around the country, drawing hundreds of Americans into the streets to wave MAGA signs and dangle from Vladimir Putin’s invisible strings.
This year, crickets.
Russian social media trolls are, of course, still promulgating fake news and slapping frantically at America’s hot buttons—tweeting wildly in favor of Brett Kavanaugh’s confirmation, according to researchers, and pushing a counter-protest against last summer’s white supremacist Unite the Right 2 rally. The GRU is still hacking into computers in the U.S. and everywhere else. But so far, Russia-watchers say the trolls haven’t delved into the nitty gritty of 35 Senate campaigns and 435 House races. Nor has the GRU engineered the type of damaging email dumps that tent-posted the 2016 election circus.
“I think everyone is expecting the 2016 shock and awe,” said Robert Johnston, CEO of Adlumin. “They needed that level of action in 2016 to achieve their objective. They don’t need that today. Today is a much different America than 2016.” Now Russia need only “stoke the fire, provide oxygen every day, every quarter every month” whether it’s an election year or not.
Johnston led the forensic investigation into the DNC breach in 2016 while working at Crowdstrike. In an interview with The Daily Beast he said it’s a mistake to look for the same splashy techniques in the midterms, particularly when Russia has problems in its own neighborhood. “They’re always focused in the Caucasus, the Baltics, and Europe,” said Johnston. “Putin views the United States as something to be dealt with, but Europe as the threat. So they’re always going to be focused there.”
Johnston says that since 2016 the GRU’s hackers have mostly gone back to their roots, conducting spying operations, and primarily focusing on Russia’s side of the Atlantic. Other hacker-trackers agree. “They haven’t gone away, but they have returned to the type of low-key espionage attacks we observed prior to 2016,” said Dick O’Brien, a manager in the security response team at Symantec. O’Brien said Symantec has been tracking the hackers—which it calls APT28—in attacks against military and civilian government offices in Europe and South America. “The overall activity level has dropped somewhat from what we saw prior to 2016.”
Of course, nobody is sounding the all-clear on the midterm election. Russia has an arsenal of disruption capabilities—previously deployed against Ukraine—that the Kremlin could conceivably train on the U.S. in an attempt to sow havoc on election day. “The idea that they could stage municipal attacks to interfere with people getting to the polls in certain areas, messing with electricity, or traffic lights, or mass transit, those are all things that we think that they tried when attempting to influence recent European elections,” said attorney Christopher Ott, a former Justice Department prosecutor who worked on the DNC hack prior to Mueller’s appointment.
And in last year’s French election, the GRU put off its interference until the last minute, dumping its “Macron Leaks” tranche of stolen email in the final hours of the election. (Macron won anyway). Near the end of the 2016 campaign, when off-kilter polls suggested Russia’s efforts were failing, the GRU made tentative moves against voter registration records and local election offices. So far, no such efforts have publicly surfaced in the midterms. If the NSA or some other intelligence agency has indications of 2018 Russian election hacking, it hasn’t shared them.
The Daily Beast reached out to more than a dozen officials in Western governments who have worked on the issue of election interference in the past two years. While some cautioned against the idea that Russia is sitting out the 2018 midterms entirely, none of those officials could provide specific examples of Russian operations to interfere in this year's elections.
The Office of Director of National Intelligence, CIA, NSA, and FBI did not respond to requests for comment for this story. The Justice Department declined comment. Shortly after The Daily Beast's deadline, a representative for the Department of Homeland Security said the agency would "get back to [the Daily Beast] as soon as possible." Offices for congressional leadership overseeing intelligence issues didn't answer questions for this story either.
Theories abound as to why the Kremlin appears to be staying its hand so far. The potential gains for Russia are murkier in 2018, and Putin might prefer to keep his powder dry for European elections in 2019, or the 2020 U.S. presidential race. Russia is also fast becoming an international pariah after the GRU’s March nerve agent attack in London, which nearly killed an agency defector and his daughter, and did kill a 44-year-old mother of two who stumbled on the discarded chemical weapon following the assassination attempt. And, of course, the Kremlin has lost the advantage of surprise it held two years ago.
“The rewards of steering Congressional outcomes may be outweighed by the risk of further solidifying opposition to Russia,” said John Hultquist, threat intelligence manager at FireEye. “Information operations benefit from surprise and an unwary public. It’s important we talk about this threat, because awareness inoculates us. Hopefully, we are more aware, and that has entered the Russian calculus.”
But things are different in 2018. Today Russia’s most aggressive and brutal spies are photos on an FBI wanted poster.
The GRU may have been caught off guard by the intense spotlight that followed its surprise November 2016 triumph. Robert Mueller indicted 12 GRU officers by name last July, and detailed their alleged roles in the election interference hacking. Last week prosecutors in Pittsburg charged seven GRU officers, including three of Mueller’s defendants, for 2016 cyberattacks on the anti-doping agencies that busted Russian athletes juicing for the Winter Olympics.
The GRU’s attack on Sergei Skripal brought it even more exposure. The UK police released photos of the two alleged GRU hit men last month, leading to a bizarre TV appearance by the accused killers on Russian state-owned television. Journalists have since unmasked one of the men as a decorated GRU colonel and the other as a military medical doctor recruited into the agency. And last week Dutch officials laid out a case against additional GRU officers who tried to hack into the intergovernmental organization investigating the nerve agent attack.
That’s a lot of sunlight for an agency accustomed to the shadows, said Ott, a partner at Davis Wright Tremaine. “It wouldn’t surprise me if it’s causing them to rethink their tactics,” Ott said. “From an intelligence craft perspective, if people know what you’re doing, if it’s going to be in the history books, it is always a long term failure.”
So far the only verifiable Russian hacker activity implicating the midterms is the August 2017 targeted phishing attack against staffers for Missouri Democrat Claire McCaskill, one of a handful of Senate Democrats considered vulnerable in the midterms. McCaskill has said the hack, which was first reported by The Daily Beast, was unsuccessful. Neither McCaskill nor any other candidate has had their private emails dumped to the web, as invariably followed Russia’s 2016 election hacks.
In July, a Microsoft executive announced the company had discovered Russian hack attempts targeting three unnamed candidates for reelection (likely counting McCaskill). At the same time, company VP Tom Burt also acknowledged that the politicians may well have been targeted for intelligence purposes, not election defeat. “They’re all people who, because of their positions, might have been interesting targets from an espionage standpoint as well as an election disruption standpoint, and we don’t know the answer,” Burt said at the time. “I would say the consensus of the threat intelligence community right now is we’re not seeing the same level of activity by the Russian activity groups leading into the mid year elections that we could see looking back at the 2016 election.”
The same month, Director of National Intelligence Dan Coats famously warned that “the warning lights are blinking red again” inside U.S. intelligence agencies. Though the statement was widely read as referring to foreign election interference in 2018, the transcript of his speech at the Hudson Institute makes clear he was speaking of America’s vulnerability to a broad range of cyber attacks from the full array of rogue actors. “We are not yet seeing the kind of electoral interference in specific states and voter databases that we experienced in 2016,” Coats said.
According to a former senior U.S. cybersecurity official, the Kremlin enjoyed such runaway success in 2016—encouraging American political chaos and helping elect Donald Trump—that substantial interference in the midterm elections isn’t necessary. Instead, the Russians can focus on other targets, such as influencing the European parliamentary elections in the spring of 2019.
“They’re going to adjust their tradecraft and figure out other ways to weigh in without being so obviously Russian as to generate antibodies to their interference,” said Andrew Grotto, who oversaw cybersecurity issues for both Barack Obama and Donald Trump’s National Security Councils.
Grotto said that Russian hacking related to the congressional elections carried the risk of jeopardizing whatever they might be planning for Europe next spring. “That always has costs in terms of exposing their tradecraft,” Grotto told The Daily Beast.
The Internet Research Agency, Russia’s troll farm, was never a clandestine organization and isn’t as affected by exposure. But post-election crackdowns at Facebook and Twitter cost the IRA thousands of fake accounts, including a number of high-profile cover identities with large followings, and some personas that enjoyed retweet love by Trump’s family and advisors or were quoted in the press.
Today the troll factory is using a mix of surviving accounts and new ones to do what it’s always done, spread fake news and fan division on Twitter, said Ryan Fox, a former NSA official now serving as COO of the smear-fighting startup New Knowledge. It’s also sneaking back onto Facebook, which discovered and deleted a fresh batch of fraudulent IRA-linked profiles and group pages in July. So far, though, none of the accounts are doing anything special for the election. “Lately, it’s been Kavanaugh all day, all the time,” said Fox.
“My assessment of the situation is they’re having to reconstitute. I also would assume that because most of their accounts were taken down that they don’t have the same robustness available,” Fox said.The indicted Russian businessman who funded the IRA is now pouring resources into a new venture called USA Really, a Russian site dedicated to pushing anti-American propaganda. Unlike the IRA’s deceptive websites and Facebook groups, USA Really doesn’t disguise itself as a domestic U.S. entity, and it has real people on its masthead. In the short term, that makes it less effective at influencing Americans, but it also makes the site harder to target with a rational social media policy. Fox thinks that model is the future of Russia’s information operations. “They’re out in the open now,” said Fox. “You can’t just call them out as Russian bots. You have to get into a debate about who counts as a journalist.”
Fox agrees with Grotto there may be careful thinking behind Russia’s comparatively low-key approach in 2018.
“Strategically, are they content with the way things are? Does it play in their favor to do anything right now? That’s a valid question,” Fox said. “Keep up the momentum, keep poking away. But do they have to implement drastic measures like hacking the DNC and exposing thousands of emails? Probably not.”
It’s the simplest theory, and perhaps the most compelling. Putin examined the state of American discourse and politics in 2018, and decided that, for now at least, his work here is done.