Russians Who Hit DNC Are Using Fake News to Hack U.S.

Some of the Russian hackers blamed for infiltrating the DNC are using bogus news to get inside the networks of the unsuspecting.

Photo Illustration by Lyne Lucien/The Daily Beast

Fake news is more dangerous than you’d think. Deliberately falsified news reports aren’t just being used as propaganda to sway the gullible. Some of the Russian hackers blamed for infiltrating the Democratic National Committee are weaponizing fake news—inserting malware into bogus articles to get inside the networks of the unsuspecting.

For nearly a decade, various hacker groups accused of working for the Russian government have used fake news in cyberespionage campaigns targeting U.S. government, law enforcement, and military officials—not to mention think tanks, defense contractors, and universities. That’s according to more than a dozen reports and warnings issued by the Department of Homeland Security, the FBI, and other federal agencies over the last three years and reviewed by The Daily Beast. Private industry security firms, conducting their own research, have reached similar conclusions.

“Cyber-adversaries from Russia, China, and numerous other nations have been using real and fake news as social engineering lures (headlines, attachments, and links) for years, because news/fake news is an effective topic to coerce targets to open the lure and self-victimize,” James Scott, a senior fellow at the Institute for Critical Infrastructure Technology, told The Daily Beast in an email.

“News or Fake News are both effective lures because the targets feel compelled to open the email or link in order to be informed [or] to be vindicated.”

Most recently, hours after Donald Trump became president-elect, a post-election campaign was launched against political supporters from both sides of the aisle. The hackers, believed to be tied to the Russian government, used fake news sent from Gmail addresses and what appeared to be hacked email accounts at Harvard’s Faculty of Arts and Sciences, according to security firm Veloxity. Two of the emails claimed to be forwarded from the Clinton Foundation; others contained malicious links to efax or PDF attachments of news articles on topics including:

• “Elections Outcome Could Be revised [Facts of Elections Fraud]”• “The ‘Shocking’ Truth About Election Rigging”• “Why American Elections Are Flawed”• “Clinton Foundation FYI #1”

That same group—sometimes referred to as “the Dukes,” “APT29,” and “CozyBear”—is believed to be affiliated with Russia’s premiere intelligence service, the FSB. Both the U.S. government and private security analysts say that “CozyBear” was one of two that penetrated the DNC in the run-up to the 2016 election. Their hacks have used fake news in targeted cyberespionage campaigns since at least 2008, according to a report on their activity by F-Secure, a second cybersecurity firm.

“Usually, the contents of the decoys appear to be taken from public sources, either by copying publicly accessible material such as a news report or by simply repurposing a legitimate file that has been openly distributed,” the F-Secure report notes.

In recent months, “fake news” has gone from a largely ignored phenomenon to a central subject in media and political circles. The term was initially used to label deliberately falsified news reports spread by hucksters and propagandists in order to make a buck or bend a mind. But in recent weeks, as Facebook, Google, and other top technology firms have moved to curtail fake news’ rise, the term has been co-opted by partisans to simply refer to any article they disagree with. That’s a dangerous development, because some of these bogus reports can be truly malicious.

The weaponized fake news reports deploy malware that can infiltrate the target’s entire network or company. Eventually, everything in the system can be stolen, manipulated, or deleted.

Sometimes, hackers use links to entirely made-up news stories on sites that sound like they are legitimate but perhaps obscure blogs or foreign news agencies. (“The Dukes” have used domains like,,,, according to the F-Secure report.)

Other tactics in these so-called spearphishing campaigns—hackers’ attempts to specifically target their victims with seemingly-trustworthy materials—involve links that look exactly like well-known international media outlets, but are really parts of a hacker’s domain. A third tactic involves attaching a real authentic news article from a well-known media outlet to an email—and loading that attachment with malware.

Get The Beast In Your Inbox!

Daily Digest

Start and finish your day with the top stories from The Daily Beast.

Cheat Sheet

A speedy, smart summary of all the news you need to know (and nothing you don't).

By clicking “Subscribe,” you agree to have read the Terms of Use and Privacy Policy
Thank You!
You are now subscribed to the Daily Digest and Cheat Sheet. We will not share your email with anyone for any reason.

For example, a 2009 campaign against Poland, the Czech Republic, and a U.S. foreign policy think tank used a decoy document that appears to have been copied from a BBC news article, according to the F-Secure report, which includes a screenshot of the document.

Other campaigns directed victims to a site purporting to be a Turkish news organization covering jihadi news. Another site controlled by the Russian hackers claimed to be a Chechen news organization.

In 2014—as the Russian government began to broaden its online espionage efforts—a different Russian hacker crew, known in cybersecurity circles as Sandworm, targeted attendees of a global security conference focused on the then developing Ukraine crisis. The “GlobeSec” gathering was attended by senior U.S. officials including Victoria Nuland, assistant secretary of State for European and Asian Affairs, who railed against Russia and pledged the support of the United States to Ukraine and its upcoming national elections. (Those same elections held in Ukraine were held shortly after the May 2014 conference and were hacked by Russia in efforts to fix election results, according U.S. officials.)

Former DHS Secretary Michael Chertoff, top Defense Department officials, U.S. House of Representatives Foreign Affairs Committee staffers, senior executives from Microsoft, Raytheon, and Lockheed, and dozens of U.S. foreign policy thinks tanks were all there, too—and were all targeted by Sandworm.

“Many of the decoy documents used to deploy the malware were spoofed news coverage of political or economic situations in Europe,” according to a briefing document compiled by the Institute for Critical Infrastructure Technology for the White House and Congress in November 2015.

Around the same time, the Department of Homeland Security’s National Cybersecurity and Communications Integration Center issued a warning to federal employees about a malware campaign using “current events themed emails with malicious links.”

Two DHS sources said this warning, dated Oct. 15, 2015 was believed to be associated with Russian Federation nation state attackers.

The emails, according to the DHS report, contained the following email subject lines:

· “Russia upgrades military despite economy”· “Barack Obama says ISIS will be defeated by ideas, not guns”· “How Russia vs. West Tensions Could Trigger World War 3”· “News: For-profit college operator accused of fraud Pentagon’s latest strategy document”· “News:Inspectors in Syria Find Traces of Banned Military Chemicals”· “Russians troops captured in Ukraine on their way to capital”

This wasn’t the only fake-news related warning issued by DHS. At least a dozen more warnings or notes on malicious links appearing to be news articles (real or fake) were disseminated inside federal agencies in the last three years.

Nor is Russia the only country blamed for using fake news to hack their targets.

In July 2014, for instance, the FBI’s Unclassified National Security Threat Awareness Monthly Bulletin circulated a report from iSight to federal law enforcement agencies about a newly discovered Iranian campaign dubbed NEWSCASTER. It employed fake social media accounts purporting to be journalists and a fictitious journalism website,, which plagiarized news content from other legitimate media outlets to eventually gain login credentials from federal employees working on highly sensitive defense programs and critical infrastructure.

A few months earlier, on January 29, 2014, the FBI warned agency employees about potential fake news spearphishing attacks related to the upcoming winter Olympics in Sochi in an Official Use Only Situational Intelligence Report.

“Events which gain significant public interest and media coverage are often used as lures for spam or spearphishing campaigns. Malicious actors may also create fake Web sites and domains that appear to be official Olympic news or coverage that can be used to deliver malware to an end user upon visiting the site (also known as drive-by downloads or watering holes),” the report says.

“NBCUniversal offers exclusive coverage of the games for viewers via NBC, NBCSN, MSNBC, USA Network, and corresponding Twitter, Facebook and Instagram accounts. Viewers should be wary of any other source claiming to provide live coverage. As always, it is best to visit trusted resources directly rather than clicking on e-mailed links or opening attachments.”