This story is part of , CNET’s coverage of the run-up to voting in November.
With less than a month before Election Day, cybersecurity officials and social networks are on the lookout for a disinformation tactic that throws politics into chaos at the last minute: hack-and-leak operations.
The tactic was used four years ago on Oct. 7, 2016, when Russian hackers released stolen emails from Democratic nominee Hillary Clinton’s campaign chair, John Podesta, and amplified it on WikiLeaks.
The Russian hackers had stolen thousands of Podesta’s emails in a phishing attack conducted six months earlier. But they waited until October to dump the contents, leading to conspiracy theories that were behind the .
US officials have warned about a flurry of Facebook continues to take down networks linked to political interference by foreign countries. No significant hack-and-leak operations that could affect the 2020 US presidential election have been reported. Still, there’s plenty of time for a late October surprise., while
Hackers from Russia, China and other countries are constantly trying to break into political campaigns. They have an explicit goal: meddling in the US presidential election.
Campaigns and election officials have ramped up security measures to prevent hacks. Social networks have policies against disinformation campaigns and falsehoods and believe they’re better prepared today than they were four years ago.
Nathaniel Gleicher, Facebook’s cybersecurity policy chief, says the social network can now better recognize the signs of a disinformation campaign. It’s been active cutting them out before they can grow an audience. In September, for example, Facebook took down fake accounts tied to Russia’s Internet Research Agency, the organization that tried to meddle in the 2016 election.
“We have not seen the networks we removed in September engage in hack-and-leaks, but they are linked to actors who engaged in hack-and-leak operations in the past, and we know law enforcement agencies have been vocal publicly about being ready,” Gleicher said at a press briefing on Thursday. “We anticipate that operations like what we saw last month could attempt to pivot at any time.”
Social networks also have a better understanding of how these leaked posts go viral. It often starts with a vulnerability that tech platforms can’t control: newsrooms.
Plugging the leak
Hackers can steal sensitive documents, but they won’t have much political influence if there’s no way to spread the information. To do that, hackers rely on social media and tricking journalists into giving the hacked material enough oxygen to catch fire.
It’s unlikely the American public would trust stolen emails published by Russian hackers. But the hackers can launder the material if they pose as a news outlet or influence reporters to cover the documents.
In June 2016, Russian operatives launched “DCLeaks,” an online persona that posed as American hacktivists who had obtained documents from the Democratic National Committee and wanted to “tell the truth” about decision-making in the U.S.
The DCLeaks website received more than 1 million page views before it was shut down in March 2017, according to the Senate committee’s investigation.
The outreach to journalists took place on Twitter and Facebook under a DCLeaks account falsely registered under a US IP address.
Russian operatives also created a fake “Guccifer 2.0” persona, named after a Romanian hacker who stole documents information from the Bush family. This fake persona released thousands of documents obtained by Russian hackers and relied heavily on Twitter to contact journalists and the Trump campaign to do this.
Journalists were eager to publish the material and didn’t question the source, according to the Senate committee’s investigation.
In one exchange on Twitter between a Florida politics blogger and Guccifer 2.0, the reporter wrote: “Holy fuck man I don’t think you realize what you gave me. I’m still going through that stuff and I find buried deep the turnout model for the Democrats’ entire presidential campaign. This is probably worth millions of dollars. I’m going to post it tomorrow.”
Four years later, tricking American journalists to post disinformation through social media is still a popular tactic for Russian operatives.
Facebook’s September takedown showed the Russians are shaking up the script. The affected accounts posed as news editors who tricked freelance reporters into writing news articles for a propaganda site about US politics.
A Forbes report found that these reporters were recruited through Twitter messages, similar to the way DCLeaks and Guccifer 2.0 worked.
Without a legitimate news source to process the hacked material, leaks often fizzle out, researchers found. The 2017 hack-and-leak campaign against the French presidential election happened right before polls opened, but the material never spread after the electoral commission ordered media not to publish its content.
Newsrooms like The Washington Post have established policies against covering hacked material.
“When you look at the spread of operations, there are different factors that make or break the viral success of these leaks,” said Camille Francois, chief innovation officer of the network analysis company Graphika. “The ability for the media to amplify really makes a campaign. If you are able to hit the right notes at the right time, you can have a successful dissemination very quickly.”
She noted that in campaigns where disinformation actors tried to spread the leaks on social networks alone, they often quickly fizzled out before gaining traction.
Another reason why hack-and-leak campaigns have been harder to prevent this election cycle is that campaigns have gotten better at preventing cyberattacks in the first place. Initiatives like Google’s Advanced Protection program and Microsoft’s Defending Democracy program are securing accounts for politicians, while Twitter and Facebook also ramped up security measures for prominent figures.
There haven’t been any successful breaches against campaigns, and intelligence officials said they haven’t seen any successful attacks against election infrastructure, but the extra security measures haven’t stopped hackers from trying.
The attempted hacks never stopped. The Russian hacking group behind the DNC leaks in 2016 have targeted staff tied to Democratic nominee Joe Biden’s campaign, while hackers from China and Iran are also attempting to breach their networks.
The nine types of Facebook ads that Russian trolls paid for
Even when there aren’t successful hacks, disinformation campaigns have forged documents in faked leaks. In 2019, trade talks between the US and the UK “leaked” right before the general election.
Researchers found that a Russian disinformation group forged thousands of documents when hackers couldn’t steal any legitimate information. It helped that the forgeries were so low quality that most people could tell they were fake before sharing it on social media.
“You see different actors competing against the same targets, but they are equipped differently, and not everybody has the abilities to go and grab the hacked material,” Francois said.
‘A whole-of-society effort’
Even with the increased security measures and experience with hacked materials from newsrooms, election security officials and tech companies are still vigilant about hack-and-leak operations.
Gleicher said Facebook frequently works with law enforcement agencies to investigate disinformation campaigns. A source familiar with the partnership said that law enforcement agencies often monitor for cyberattacks and warn Facebook about potential material that could be used as part of a hack-and-leak campaign.
“The information that we get from law enforcement are based on assets that these actors may be using that are not on our platforms but are on others,” Gleicher said. “We have a pretty long history of getting information from law enforcement agencies that we can use to launch our own investigations.”
It’s meant finding and shutting down disinformation campaigns when they only have a couple of hundred followers instead of when they have hundreds of thousands, as the Russians did in 2016.
Russia’s hack-and-leak campaign in October 2016 gave rise to the QAnon conspiracy group that Facebook recently banned. There haven’t been any significant campaigns since, but everyone needs to play their cards perfectly to keep it that way, experts say.
“It has to be a whole-of-society effort,” Francois said. “You see Facebook revisiting the infrastructure that was used in 2016 and making sure there’s no accounts that are still surviving. Google is doing great work protecting people’s emails. That actually really matters in this hack-and-leak scenario.”