Examining Russian Threats to the 2020 Election

Posted: 5th October 2020
By: CAITLIN MATTINGLY

We are joined this week by Roman Sannikov, director of cybercrime and underground intelligence at Recorded Future. The focus of our conversation is a report recently published by Recorded Future’s Insikt Group research team, titled “Russian-Related Threats to the 2020 US Presidential Election.”

In reviewing the report’s findings, we’ll explore the methods Russian actors have employed in their effort to disrupt and influence the 2020 U.S. presidential election, the context in which these efforts are best considered, and how as individuals, organizations, and nation-wide, we can best counter these efforts to help ensure a safe, smooth election process.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 178 of the Recorded Future podcast. I'm Dave Bittner from the CyberWire.

We are joined this week by Roman Sannikov, director of cybercrime and underground intelligence at Recorded Future. The focus of our conversation is a report recently published by Recorded Future’s Insikt research team, titled “Russian-Related Threats to the 2020 US Presidential Election.”

In reviewing the report’s findings, we’ll explore the methods Russian actors have employed in their effort to disrupt and influence the 2020 U.S. presidential election, the context within which these efforts are best considered, and how as individuals, organizations, and nationwide, we can best counter these efforts to help ensure a safe, smooth election process.

Roman Sannikov:

So I initially started out as an interpreter, Russian English, as you can probably tell by my last name. And I worked for many years as a contract linguist, primarily for the Federal Bureau of Investigations. So between about the beginning of 1993, till the beginning of 2014, my primary contract was with the FBI. And around the year 2000, I started working primarily on cybercriminal cases. That's when the first Russian hackers became a thing. And I worked with the FBI doing a lot of research on various underground sources and forums, and really working with them on these various investigations. With foreign law enforcement as well, including law enforcement representatives from Russia, Ukraine, Belarus, Kazakhstan, the Baltic countries, et cetera.

Then in 2014, I decided to go into the private sector and I spent about two and a half years working as the lead e-crime analyst at CrowdStrike. And then as the director of European Intelligence at Flashpoint also for about two and a half years, and now I've been with Recorded Future for about a year and a half heading up their cybercrime underground intelligence team. And what our team focuses on primarily is, as you can imagine, criminal activities but also pretty much everything that's not specifically linked to nation-state actors. So we also investigate extremist content, terrorists, domestic terrorists, hacktivists, all of that kind of activity on various underground and chat resources, forums, services, et cetera.

Dave Bittner:

Well, we're going to spend some time digging into the report that you and the Insikt Group published. It's titled “Russian-Related Threats to the 2020 US Presidential Election.” Before we do, though, I'd love to get insight from you with your background, your deep knowledge of everything having to do with Russia, Russian language and all those sorts of things, their techniques. Is there an overarching sort of insight that you think it's important for people to understand as they explore this topic? Or are there things that those of us in the West, I'm thinking particularly here in the U.S., are there things that we get wrong or things that we could do better by having a better understanding of?

Roman Sannikov:

I do. I think one of the things that is natural is for people to always look at something that's happening to them through their own lens, but all of these activities, including information operations, they're really motivated primarily by domestic considerations. So whether it's China, whether it's Iran, North Korea, or Russia, one of the leading drivers behind everything they do externally is really how will that affect domestic politics. And that's something that I think a lot of times we don't really think of.

For example, why some of the activities are motivated by the way it may be perceived by people locally. So some of the things that Russia does against the West or in the West really is not just to affect what happens in the West, but also to change the way the West is viewed domestically in Russia. So I guess jumping into what we've seen in some of our research is that it's very much influenced, again, by the domestic message and the domestic effects of these actions within Russia.

Dave Bittner:

Well, let's dig into the report here and we only start with some high level stuff here. I mean, what prompted the creation of the report?

Roman Sannikov:

Well, obviously the elections coming up are a very important election and important probably not only domestically in the United States, but around the world. I think we can probably all agree that the policy differences between the Trump administration and any potential Biden administration would be quite stark, both domestically in the United States and overseas. So I think there's a lot of interest in this particular election, probably even more so than any of the recent elections in the United States. So partly because of that.

And then also, because we've seen so much activity by Russia and other powers, again, like China, Iran over the course of the last several years, we felt that it was very important to really look at what is happening right now, compare it to what we've seen in the past, and maybe even, not necessarily predict, but to say these are some of the things that we should be on the lookout for in case there is active election meddling.

Dave Bittner:

Well, let's go through the report together. What are some of the key findings? What are some of the things that you think it's important to highlight?

Roman Sannikov:

Well, one of the things that we found, again, we took a look at not just Russia, but other countries as well. And one of the things that we think is particularly dangerous or particularly of interest about Russia is that while certainly China, Iran, North Korea, and potentially other countries as well outside of the big four so to speak are involved in information operations, maybe even disinformation campaigns, most of those are targeted primarily at topics or issues that relate specifically to them. So for example, China and Iran are working primarily to improve their own image abroad and to affect any issues and topics that are tied specifically to them.

Russia, on the other hand, I believe, or we believe is more dangerous because they are involved in various issues that don't necessarily even affect them in any way that they are really trying to create a level of instability in the West in the traditional liberal democracies, including the U.S. That is a step above what we're seeing with some of the other countries that are involved in influence operations. So that's one of the key findings that we've seen is that Russia, their information operations, their disinformation gets involved with various topics that they're not directly influenced by.

Dave Bittner:

So a couple of things that jumped out to me as I was reading through the research here, one of them was looking back on the types of things that you were tracking in 2016 and then in 2018, that you haven't really seen overt examples of those things so far as you and I record this heading into 2020?

Roman Sannikov:

Yes, it seems like they're being a lot more careful in any of the actual hacking or actual operations. Still, there certainly is a lot of disinformation, a lot of information operations that are being conducted. We're not seeing the same level of hack and release that we saw going into the 2016 or even some of the other elections overseas. For example, we're not seeing something that we saw with the Macron leaks, where some documents around the Macron campaign were leaked shortly before the French elections. So we're certainly not seeing that. That said, we still do have, I believe seven weeks approximately before the election. So there's certainly still room for an October surprise, but I think what we're probably seeing is a much more concerted effort by the intelligence community and by the campaigns here in the United States to prevent that activity.

Certainly we recently saw the report by Microsoft saying that there are attempts, but that largely those attempts have not been successful. So I think that this is probably at least partly a reflection of the fact that things have changed since 2016. I think that both public and private sector companies are a lot more aware of what the dangers are out there.

Dave Bittner:

Give us an overview and some insights into what the spectrum of things that you expect to see from a Russian disinformation campaign?

Roman Sannikov:

Sure. One of the interesting things about the disinformation campaigns that Russia has sponsored in the past is they're really agnostic. They're really meant not just to affect specific topics, but really to cause some chaos and to really create as much of a destabilizing force as possible in the West. So for example, we've seen Russian actors behind campaigns start competing marches. So you literally had Russian-backed actors who were sponsoring protests on both the left and the right at the same time, presumably in an effort to get a confrontation, to get some sort of conflict going. Again, this goes back to something that they can then really publicize in the media in Russia to make the West, that's always been this beacon of freedom and democracy, look much less appetising to the domestic audience, saying that is this really what you want your country to look like? Where you have individuals rioting in the streets and burning places and frequently really exaggerating what has happened.

For example, we've seen Russian-backed actors posting on social media pictures of law enforcement, actually Australian law enforcement that was injured several years ago during some operation, but posting it now as if this was something that was happening on the West coast of the United States and that these officers were severely injured by the rioters in Portland and Seattle. So again, really using disinformation to make the situation in the West seem even more chaotic.

But again, interestingly, I think there is some sensitivity now, even domestically in Russia. So they have to be a bit more careful. So for example, when the movement after the death of George Floyd happened in Minnesota, in various cities around the country, when you saw those demonstrations crop up, rise up. Initially, there was a lot of publicizing that again by Russian media, both overtly and covertly, both by official Russian media and by social media sources. However, what happened shortly thereafter is that these demonstrations and this topic was taken up by Russians not in a way that I think the Russian authorities had expected, not in a way of oh look at this chaos. This is not what we want. Instead, there was actually a hashtag movement called Russian Lives Matter where they were saying, "Look, the Americans are rising up against police abuses. We have a lot of police abuses, including people killed by the police in Russia. Why aren't we rising up the way they are?"

So in response to that, the narrative around the demonstration, the protest, the riots quickly changed among Russian media, both in the official media and the social media, where they weren't really glorifying the actions of the protestors. Now they were talking about this in a negative sense, that this was chaos, that this was an improper way to show your protest, et cetera. So really, again, it goes back to what I said initially, a lot of times we look at actions of foreign adversaries only through our lens. We don't necessarily look at what's motivating them on their end and what is the end result and the goal from their perspective.

Dave Bittner:

Yeah, that's a really fascinating insight. And I'm curious how much of their success comes from the structural vulnerabilities of our own system. The fact that we have a free press, the fact that we have a First Amendment that our social media platforms are so open. Are those things that we consider to be fundamental parts of our democracy in a way, do they play into their hands?

Roman Sannikov:

Absolutely. And I'm going to butcher this quote, but there was actually a Russian intelligence officer or Soviet intelligence officer going back to the Cold War days that said that "if the West hadn't invented a free press, we would have had to invent it for them to destroy them." So really that is one of the main throughout the Cold War and really unfortunately into the post-Cold War period and into the present period, our own freedoms are frequently used against us by our adversaries who have much more tightly controlled media and tightly controlled media environment in their countries. So it really is an asymmetrical warfare, so to speak, it's a way for them to go after the Western democracies in a way that is relatively inexpensive, that does not require a significant military buildup, but still does quite a bit of social and moral damage to those countries.

Dave Bittner:

Yeah. And it strikes me that we find ourselves with this ongoing since 2016, I suppose, this ongoing peculiar deference to the Russians from the executive branch of our nation, which I suppose it emboldens them to act without fearing real strong retribution from the U.S.

Roman Sannikov:

I tend to agree. I tend to think that we have really not ... You see, for example, how strongly we've gone after China and some Chinese threat actors. Certainly we've seen indictments and that's as it should be. We certainly should be going after anyone who's involved in either criminal or nation-state espionage activity. But really when it's come to Russia, if anything, I think the administration has undermined the intelligence community, really second guessing a lot of the findings coming out of the intelligence community, or even ignoring a lot of the findings coming out of the intelligence community. So there's really been very little repercussion to Russia for some of the offensive actions that they've taken against the U.S.

Dave Bittner:

As we head into the election. And as you mentioned, we're weeks away. What is your outlook? Are you optimistic that we have effective ways to counter the things that are going to be coming at us? Where do you suppose we stand?

Roman Sannikov:

So I am cautiously optimistic because I do feel that people are familiar enough with the threats to our election that hopefully they will not jump to any conclusion. In case the election day itself is a bit more chaotic than it normally would have been, obviously with COVID, there's going to be a lot of different factors, including mail-in ballots, et cetera, but I'm hoping that people are going to be a bit more understanding than they may otherwise be. Again, knowing that there are these threats through the elections.

One of the things that I think we particularly need to watch out for though, is we've seen in the past Russian state-connected actors use a combination of hack and release and also fake documents. So for example, we saw information at the end of last year that there was a phishing campaign against Burisma. And to this day, I don't believe we've seen any of the actual documents that may have been taken during that phishing campaign. So certainly it's something where Russian-backed actors could release information that may have been doctored, or may be fake to look like it's embarrassing to one of the candidates and make it look like it's legitimate, authentic, because it came supposedly from these hacked documents collected from Burisma. Again, that's just an example, but we've seen that before where they've used an actual hack or a purported hack as a way of giving legitimacy to documents that really are not legitimate, that are fake. So that's something that I think we should be really on the lookout for.

And then finally, just the idea that somehow these elections will not be legitimate, that there will be massive fraud is something that certainly has been encouraged by a lot of the Russian disinformation campaigns. And I think that's something that really the public has to be on the lookout for fake information around polling and fake polling sites and things like that. They have to be, not just the public, but certainly the various states and the election committees have to be very careful for any erroneous information that is being put out there by various sectors backed by nation states.

Dave Bittner:

Our thanks to Recorded Future's Roman Sannikov for joining us. The report from the Recorded Future Insikt Group is titled “Russian-Related Threats to the 2020 US Presidential Election.” You can find it on the Recorded Future website.

Don't forget to sign up for the Recorded Future Cyber Daily email, where every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you've enjoyed the show and that you'll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Caitlin Mattingly. The show is produced by the CyberWire, with Executive Editor Peter Kilpe, and I'm Dave Bittner.

Thanks for listening.
