In the Thick of It

A blog on the U.S.-Russia relationship
2018 midterm election interference

Russia and the 2018 Midterms: Laying Out the Publicly Available Evidence

November 07, 2018
Mari Dugas and Natasha Yefimova-Trilling

This week’s midterms offer a good opportunity for a status update on the latest evidence of Russian meddling in U.S. elections.

Over the past six months, there has been no shortage of alarming warnings. In August, five of the country’s top national security officials spoke to reporters at the White House about the threat posed by Moscow and efforts to combat it. “Russia attempted to interfere with the last election and continues to engage in malign influence operations to this day,” FBI director Christopher Wray said then. Dan Coats, the director of national intelligence, added that “the Russians are looking for every opportunity, regardless of party, regardless of whether or not it applies to the election, to continue their pervasive efforts to undermine our fundamental values.” Homeland Security Secretary Kirstjen Nielsen said that “our democracy itself is in the crosshairs.”

At the same time, the officials noted that Russian interference efforts seem far less intense than during the 2016 presidential race. “It is not the kind of robust campaign that we assessed in the 2016 election,” Coats said of alleged Russian efforts to meddle in the midterms. “We know that, through decades, Russia has tried to use its propaganda and methods to sow discord in America. However, they stepped up their game big-time in 2016. We have not seen that kind of robust effort from them so far.” Wray likewise said that, “in the context of 2018, we are not yet seeing the same kind of efforts to specifically target election infrastructure—voter registration databases, in particular.” In July, Nielsen delivered a similar message, as reported by CNN, saying there are "no indications that Russia is targeting the 2018 U.S. midterms at a scale or scope to match their activities in 2016."

Senior Russian officials have denied accusations of election interference, calling them “baseless.” Concord Management and Consulting, a Russian company indicted in February for allegedly funding a “troll farm” that meddled in the 2016 election, pleaded not guilty in May and has tried to fight the charges in a U.S. court since then, arguing that Special Counsel Robert Mueller was unlawfully appointed and lacks the legal authority to push the case forward.

Some U.S. commentators have been skeptical about “the supposed Russian threat to the midterms,” with an analysis in The Nation arguing recently that “given what we actually know about Russian disinformation [so far], its most significant impact appears to be as fodder for ongoing efforts intent on convincing Americans that unsophisticated social-media trolling could somehow divide and weaken their society.

Nonetheless, U.S. officials, political operatives and tech executives have made a concerted effort to remain vigilant about meddling efforts. The Washington Post reported this month that “DHS has created round-the-clock communications channels with election officials in all 50 states, run national tabletop exercises with state and local officials to game out how to respond to possible crises and, at the states’ request, is monitoring election system network traffic for cyberthreats. Social media companies and political organizations have also strengthened their defenses.” In May, according to the New York Times, “eight of the tech industry’s most influential companies … met with United States intelligence officials … to discuss preparations for this year’s midterm elections.” A number of think-tanks have been contributing expertise as well. Harvard’s Belfer Center has been training state election officials through its Defending Digital Democracy initiative, for instance, while the Atlantic Council has tried to track Russian disinformation efforts through two projects, the Disinfo Portal and DFR Lab.

For some security analysts, the seeming lull in Russian activity is cold comfort. “The Russians are too smart to run the same play a second time,” Dmitri Alperovich, a founder of the cybersecurity firm CrowdStrike, told the New York Times. “If they were going to do anything in today’s environment, they certainly wouldn’t want to act until the very last moment.” As two examples of last-minute efforts that could be used “to convince voters that their ballots might not be counted, or [not be] counted correctly,” the paper mentioned an “attack on county or state voter-registration systems, just to knock them off-line, [which] would create an uproar from voters who might show up at the polls and find they could not vote,” and a “strike at power grids, turning out the lights at polling places, or just disrupting transportation systems [that] could suppress turnout and lead to charges of manipulation.” (Unnamed intelligence officials and technology company executives reportedly told the Times in July that they have seen “surprisingly far more effort [by Russian hackers] directed at implanting malware in the electrical grid” than interfering with elections.)

Moreover, as with the 2016 polls, new specifics about attempts at interference are likely to become public well after the voting is over and done—and Russia’s role is unclear thus far. In August, the Times cited unnamed officials as saying that “vital Kremlin informants have largely gone silent, leaving the C.I.A. and other spy agencies in the dark about precisely what Mr. Putin’s intentions are for November’s midterm elections.” The Times also reported that last weekend “cybersecurity firms and some election officials reported seeing an increase in cyberattacks on websites and infrastructure surrounding the vote,” but “it is unclear where the attacks are coming from; … the sources appear to be a mix, everything from other countries to lone hackers looking to make a name for themselves, investigators say.” Cloudflare’s chief executive, Matthew Prince, told the paper that “the incursions were not an effort to disrupt the vote, but merely to bolster rumors of election fraud and interference. ‘They are going after anything that can undermine the process itself,’ he said. ‘Their aim is to put the outcome in doubt.’” This, the paper noted, could give losing candidates and their supporters a chance to claim elections were rigged. Earlier, too, the Times had reported that disinformation campaigns used to influence public opinion “are increasingly a domestic phenomenon fomented by Americans on the left and the right.”

On Nov. 5, the Boston Globe reported that government documents reviewed by the newspaper show that “federal agencies have logged more than 160 reports of suspected meddling in U.S. elections since Aug. 1” and the “pace of suspicious activity has picked up in recent weeks—up to 10 incidents each day,” with officials “on high alert.” The previously unreported incidents, mostly documented in DHS election-threat reports reviewed by the Globe, range from “injections of malicious computer code to a massive number of bogus requests for voter registration forms.” The reports “make no conclusions about who is behind the attacks,” but “describe most of the recent incidents as ‘foreign-based.’” A DHS cybersecurity official, speaking anonymously, told the paper: “‘We’re seeing the same thing [as in 2016]; the only difference is now we aren’t saying Russia… It’s nuanced. We haven’t attributed the attacks to anyone yet.’”

Earlier this year, Russia Matters tried to lay out the publicly available evidence related to Russia’s interference in the 2016 presidential election. (That was published before July’s indictment of 12 Russian military intelligence officers, charged with “large-scale cyber operations to interfere with the 2016 U.S. presidential elections.”) Here we have tried to do the same thing for evidence related to the 2018 midterms, divided into two categories: the cyber domain and the information domain. Like our earlier attempt, this is not an investigation, merely a stock-taking of evidence about meddling in the U.S. midterm elections. In compiling this evidence we have limited ourselves to using information that is publicly available at the time of writing, such as media reports and public statements or documents from government officials and company representatives. The list is not exhaustive and we welcome suggestions for ways to improve it (please use the comments section below).

CYBER DOMAIN

In July 2018, Sen. Claire McCaskill, a Missouri Democrat battling to keep her seat in the November midterms, confirmed a Daily Beast report that Russian hackers had attempted to infiltrate her official Senate computer network. “Russia continues to engage in cyber warfare against our democracy,” McCaskill said in a statement, adding that “this attack was not successful.” On July 26, the Daily Beast had identified McCaskill as one of the three unnamed midterm candidates targeted in phishing attacks described earlier that month by Microsoft; the software giant had attributed the hacking attempts to the same group referred to as Fancy Bear and APT 28, which, in turn, is widely believed to overlap with the group of Russian military intelligence officers indicted in July (see details below). According to the Daily Beast, the methods deployed in the hack attempt resembled phishing scams used successfully against Democratic candidate Hillary Clinton’s campaign chairman in 2016. McCaskill later told NPR that the attack had been detected by Microsoft. In August 2018, researchers at RiskIQ, an internet-security company, described some of the technical proof they had found that a phishing page used in the McCaskill hack was created from Russian IP space. 

On July 19, 2018, a week before the above-mentioned Daily Beast report, Mircosoft’s corporate vice president for customer security and trust, Tom Burt, told the Aspen Security Forum in Colorado that earlier in the year Microsoft had detected the creation of a Russia-linked fake Microsoft domain that was being used for phishing attacks against staff members of three candidates in the 2018 midterm elections.1 Burt could not name the candidates under privacy rules, but said they “might have been interesting targets from an espionage standpoint as well as an election-disruption standpoint.” (McCaskill, whom press reports have called “a vocal Russia critic,” serves on Senate committees focusing on armed services, homeland security and finance.) Burt said the domain was one of dozens taken down by Microsoft since August, after the company won a court battle to take over fake Microsoft domains being registered by an “activity group” that Microsoft internally calls Strontium; he added that the group is the same as one that other IT security experts have called Fancy Bear and APT28 and is “very much the subject” of the July 2018 indictment against Russian military intelligence agents. Burt noted that Microsoft could not know whether the hackers answered to Russian officials, but that the indictment “cites very convincing evidence that indeed that organization is directed by officials in Russia’s GRU [the former acronym of Russia’s military intelligence service] and … we know that their [the hackers’] conduct is consistent with that.” Burt added that, in the case of the midterm candidates, Microsoft and the government were able to “avoid anybody being infected by that particular attack.” He also said the fake domains had been set up both for phishing attacks and for other purposes, such as “command and control.” On Aug. 20, Microsoft announced that it had taken down six more internet domains “created by a group widely associated with the Russian government and known as Strontium, or alternatively Fancy Bear or APT28,” bringing the total to “84 fake websites associated with this group” in two years. Three of the six domains appeared to mimic Senate domains and two more seemed to mimic accounts associated with two Washington-based NGOs—the International Republican Institute, a democracy-promoting organization with six senators on its board, and the Hudson Institute, a conservative think-tank; the sixth domain appeared to mimic Microsoft’s popular Office 365 service.

Based on its review of DHS election-threat reports, the Boston Globe wrote that, on Oct. 23, “a senior official in charge of a state’s election process had a personal social media account hacked and reregistered to a Russian e-mail provider, a [DHS] report shows. The report does not list the state or include other identifying details.”

In late August, also according to the Boston Globe, “Vermont officials found that hackers—believed to be from Russia—were scanning their voter registration databases and looking for vulnerability, according to [Jim] Condos, Vermont’s secretary of state. The state immediately notified the Department of Homeland Security, which opened an investigation.” The Nov. 5 Globe story did not mention the outcome of the investigation.

In August 2018, according to multiple press reports, Florida Sen. Bill Nelson warned that Russia had breached election systems in Florida and may purge voters from the rolls. In a letter quoted by the Wall Street Journal, the FBI and DHS reportedly said they had “‘not seen new or ongoing compromises of state or local election infrastructure in Florida,’” although “‘Russian government actors have previously demonstrated both the intent and capability to conduct malicious cyber operations.’” A spokeswoman for Florida’s Department of State told the Tampa Bay Times that her agency “has received zero information from Senator Nelson or his staff that support his claims," and two fact-checking efforts, at Politifact and The Washington Post, challenged the claim as well, pointing out that the senator had provided no evidence. NBC, meanwhile, cited three unnamed people “familiar with the intelligence” as saying that “there is a classified basis for Nelson's assertion,” rooted in information he’d gotten from leaders of the Senate Intelligence Committee. Speaking with the Tampa Bay Times, Nelson had said: "We were requested by the chairman and vice chairman of the Intelligence Committee to let the supervisors of election in Florida know that the Russians are in their records.” Before making those comments, as quoted in the same article, Nelson had also said: “They have already penetrated certain counties in the state and they now have free rein to move about."

INFORMATION DOMAIN

On Sept. 28, the FBI filed a criminal complaint against a Russian citizen, Elena Khusyaynova, charging her with conspiracy to defraud the United States in her role as chief accountant of “Project Lakhta,” a Russian effort whose “stated goal in the United States was to spread distrust towards candidates for political office and the political system in general.” (One of the many Russian entities through which Project Lakhta allegedly operated was the St. Petersburg-based Internet Research Agency, or IRA, charged in February 2018, along with two other Russian companies and 13 Russian nationals, with crimes committed “while seeking to interfere with U.S. elections and political processes.”) According to the September complaint, made public on Oct. 19, the conspiracy described therein sought to influence “U.S. elections, including the upcoming 2018 midterm elections” and “to conduct what it called internally ‘information warfare against the United States of America’ through fictitious U.S. personas on social media platforms and other Internet-based media.” The fake accounts, according to the complaint, were “designed to attract U.S. audiences and to address divisive U.S. political and social issues or advocate for the election or electoral defeat of particular candidates,” both Republican and Democratic. The midterms are mentioned a dozen times in the 38-page complaint: once in the description of the conspiracy; twice as a topic to be covered in the thousands of tweets sent from the fake accounts; and the other times in reference to seven concrete tweets, which range from neutral exhortations to take part in voting to messages in support of specific candidates or parties. The complaint states that Project Lakhta’s operations targeted populations in Russia, the U.S., the European Union and Ukraine; its “proposed operating budget” between about January 2016 and June 2018 was over $35 million, with $10 million of that allotted for January-June 2018. In that latter period, Khusyaynova allegedly “compiled and submitted” expenditures of $60,000 for advertisements on Facebook and $6,000 for ads on Instagram; over $18,000 was budgeted for “bloggers” and “developing accounts” on Twitter. According to the Associated Press, Khusyaynova “mocked the accusations” on an internet news site reportedly linked to businessman Evgeny Prigozhin, one of the Russians named in the February indictment: “I was surprised and shocked, but then my heart filled with pride,” AP quotes Khusyaynova as saying. “It turns out that a simple Russian woman could help citizens of a superpower elect their president.”

In June, the Wall Street Journal reported that “Russian trolls [had] found ways to remain active on Twitter well into 2018,” posting “politically divisive messages” as recently as May 2018. The findings were based on the newspaper’s own analysis of freshly released “investigative documents and Twitter data,” including a “new tranche of about 1,100 account names released … by Democrats on the House Intelligence Committee.” The newspaper noted that “people connected to the IRA have previously denied ties to election interference efforts.” On Oct. 17, Twitter released an enormous dataset (more than 10 million tweets) including “all the accounts and related content associated with potential information operations” that the company had found since 2016. The data dump, Twitter officials said on the company’s blog, included “3,841 accounts affiliated with the IRA [Internet Research Agency], originating in Russia.” The stated goal of making the data available was to encourage “open research and investigation of these behaviors” by researchers and academics worldwide.

Shortly before the midterms, on the evening of Nov. 4, U.S. law enforcement contacted Facebook about “online activity that they recently discovered and which they believe may be linked to foreign entities,” according to the company’s head of cybersecurity policy, Nathaniel Gleicher. The company “immediately” blocked around 30 Facebook accounts and 85 Instagram accounts that may be engaged in coordinated inauthentic behavior” and was investigating them in more detail, Gleicher wrote on the company’s website on Nov. 5. He added that “[a]lmost all the Facebook Pages associated with these accounts appear to be in the French or Russian languages, while the Instagram accounts seem to have mostly been in English—some were focused on celebrities, others [on] political debate.”

In August, Facebook announced that it had “removed Pages, groups and accounts that can be linked to sources the U.S. government has previously identified as Russian military intelligence… While these are some of the same bad actors we removed for cybersecurity attacks before the 2016 U.S. election,” the company said on its website, “this more recent activity focused on politics in Syria and Ukraine. … To date, we have not found activity by these accounts targeting the U.S.” About a month earlier, Facebook had announced that it had removed “eight Pages and 17 profiles on Facebook, as well as seven Instagram accounts, that violate our ban on coordinated inauthentic behavior”; the pages had been created between March 2017 and May 2018. Facebook said at the time that it did not know who was behind the accounts, but had “found evidence of some connections between these accounts and IRA accounts we disabled last year.” For example, the accounts used some similar techniques and one of the disabled pages, “Resisters,” had hosted a Facebook event that had been shared by an IRA account disabled in 2017; moreover, the Resisters page “previously had an IRA account as one of its admins for only seven minutes.” Facebook also described some differences between the two sets of accounts—most notably that “whoever set up these [newly disabled] accounts went to much greater lengths to obscure their true identities than the Russian-based Internet Research Agency (IRA) has in the past.” Facebook noted, for instance, that it had not found any Russian IP addresses in use with the freshly disabled accounts. Alex Stamos, Facebook’s chief security officer, wrote at the time that the “set of actors we see now might be the IRA with improved capabilities, or it could be a separate group. This is one of the fundamental limitations of attribution: Offensive organizations improve their techniques once they have been uncovered, and it is wishful thinking to believe that we will always be able to identify persistent actors with high confidence.”

1The New York Times reported that Burt later said “employees from only two legislative offices” had been targeted.

Mari Dugas is project coordinator for the Cyber Security Project and the Defending Digital Democracy initiative at Harvard's Belfer Center for Science and International Affairs; Natasha Yefimova-Trilling is editor of Russia Matters. 

Illustration by pjedrzejczyk shared in the public domain.