At a glance.
- Election influence operations: China, Iran, and Russia.
- Iranian operators get a Twitter blue check for an impersonated account.
- Romanian operators cloak crime in politics.
- Belarus shuts down its Internet.
- US online propaganda of the deed.
- A motivation of Russian influence operations.
The adversaries' votes.
The US Office of the Director of National Intelligence on Friday released a statement on election interference. National Counterintelligence and Security Center (NCSC) Director William Evanina says that China, Russia, and Iran are all interested in various forms of interference. Briefly, China dislikes President Trump, whom it regards as unpredictable, and wants him out so that he can’t, in Beijing’s view, continue to damage Chinese interests. Iran also dislikes the incumbent and sees the prospect of his reelection as likely to mean increased pressure on the Islamic Republic, pressure that would be designed to bring about regime change in Tehran. Iran also has a more general interest in undermining US institutions, the statement says. Russia has been busy denigrating former Vice President Biden, whom Moscow sees as dangerously connected with Ukraine, and with the Obama Administration’s disapproval of Russia’s armed, slow-motion reengorgement of that country. He’s also seen as part of an anti-Russian establishment. Thus China and Iran trend blue, Russia red. (The returns from Pyongyang aren’t in yet.)
Cybersecurity and Infrastructure Security Agency (CISA) Director Christopher Krebs released the following statement today on the Office of the Director of National Intelligence’s update on election threats:
“One of the best tools our election officials and the American people have to help defend against election interference is transparency on the risks to elections. ODNI’s statement today demonstrates this commitment to providing transparency and continuing to raise awareness among the American public about the threats to our election systems. We’ve come a long way since 2016 and we appreciate the Intelligence Community efforts to continue to downgrade and share information as broadly as possible, and we encourage them to continue to do so.
“The threat information shared today is serious and troubling, but Americans should rest assured that we are working to ensure our elections remain secure. We have long said Russia and other nation-states are targeting our elections. We knew this to be true in 2016, we know it’s true today and we know they will continue to attempt to interfere. While motives may vary, one thing is consistent: They are attempting to interfere in our democratic process. That’s why we have spent the last several years preparing alongside our partners across all levels of government, campaigns, and tech companies to ensure the adversaries are not successful and American voters decide American elections.”
Blue-checked but bogus.
A verified but bogus Twitter account that had operated in the falsely appropriated name of Dr. Jaouad Mahjour, assistant director-general of the World Health Organization (WHO), has been traced to an Iranian threat actor. The account had followed an Iranian government line of disinformation, tweeting that the US Government (specifically the Trump Administration) had been pushing WHO to test vaccines on prisoners, immigrants, and Black Americans. The Daily Beast claims the operation looks like the work of Endless Mayfly, a Tehran-aligned actor known for impersonation operations. Endless Mayfly appears interested in exacerbating US racial fissures during the run-up to the election.
The interest here may be more financial than political.
According to the Washington Post, Facebook has disabled a Romanian network that was sending inauthentic messages expressing implausible support for President Trump. (One would have to be naive indeed to uncritically swallow a report that former President Obama and, a fortiori, former FLOTUS Michelle Obama, had thrown their wholehearted support to the reelection of President Trump.) The motivation is as likely to be financial fraud as it is influence.
Stop the press, seize the radio station, shut down the Internet.
And will no one rid me of this troublesome Telegram?
Shutting down the Internet is the twenty-first century’s analogue of the twentieth century’s seizure of the radio stations and the phone exchange, the nineteenth century’s occupation of the newspaper and telegraph offices. That’s what appears to be going on in Belarus, where Internet disruptions that began at the end of the country’s Presidential election continue.
Belarus has taken the official view that its Internet outage is the work of ill-intentioned foreign operators, but as Meduza says, domestic dissidents claim (and most observers are with them on this) that it's the work of Minsk itself. The opposition had predicted, as voting began, that the government would clamp down on the Internet, and that’s what appears to have happened. The country’s top-level domain, dot by, was also rendered largely inaccessible to people outside Belarus.
The Guardian sees the interdiction as a high-stakes gamble aimed at disrupting the ability of protesters to organize. Most such communication has moved to Telegram, which offers a degree of anonymity, is hosted where Minsk’s writ doesn’t run, and which has shown itself relatively resistant to being taken down.
Much of Belarus has been effectively incommunicado this week, with some telephone service also reporting disruption. The Internet blocking has been run through Beltelecom, the national telco, and the Belarusian National Traffic Exchange Centre.
One probably unintended consequence of the shutdown is that the remaining channels tend to be particularly susceptible to rumor, misdirection, and speculation. In many social channels, the clock is always striking thirteen, the Martians have landed, and the Man is out to get you. If President Lukashenka doesn’t like that result, he might usefully consult the Man in the mirror.
Back to Telegram for a moment. Radio Free Europe | Radio Liberty has an account of how Telegram became the principal remaining online conduit of communication in Belarus. Telegram founder Pavel Durov, a Russian now in exile, tweeted that "We enabled our anti-censorship tools in Belarus so that Telegram remained available for most users there. However, the connection is still very unstable as Internet is at times shut off completely in the country." The Warsaw-based NEXTA group of Telegram channels seems to have been most prominent in the penetration of Minsk's Internet lockdown.
Persistent engagement and signalling the adversary.
The US State Department is offering a reward for information concerning attempts to hack US elections. Reuters reports that text messages communicating the offer and a link to Rewards for Justice have been turning up in Iranian and Russian devices. Who sent the texts isn’t clear, but there’s speculation that the messaging was done on behalf of the US Government. US Cyber Command referred Reuters to the State Department, and State had nothing to say.
The US National Security Agency and Federal Bureau of Investigation this morning issued a joint alert concerning a hitherto undiscussed malware toolset operated by Russia's military intelligence service, GRU. The report describes Drovorub, malware deployed by APT28, which of course is Fancy Bear. Drovorub is a multifunctional "Linux malware toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a Command and Control (C2) server."
The report is detailed and interesting. "Drovorub," which means "woodcutter," is GRU's internal name. That NSA is willing to offer so much information is striking. The report's authors say, in an accompanying FAQ, “We’re sharing this information with our customers and the public to counter the capabilities of the GRU GTsSS, an organization which continues to threaten the United States and its allies. We continuously seek to counter their ability to exploit our Nation’s critical networks and systems.” But it also seems likely that this is an instance of what NSA's sister organization, US Cyber Command, would call "persistent engagement," which it's said for the last couple of years it intends to visit on adversaries like Russia. Effectively saying "I know what you did last summer" (or this summer) and then showing that you do in fact know, can be as menacing in cyberspace as it is in a horror movie.
Observations on the motivations of Russian influence operations.
What are the objectives of Russian disinformation? It's seemed for some time that in style and substance Russian influence operations are negative, not positive. That is, they're more interested in opportunistic disruption of the foreign adversary than they are in convincing people to accept some relatively stable set of beliefs. The Chinese and Iranian styles of disinformation, while sometimes content with disruption, in general have some positive (from their point of view) persuasive purpose, "death to Israel," for example, or "buy Huawei," or "we had nothing to do with that epidemic."
An essay in Foreign Affairs, despite the paradoxical title "There is No Russian Plot Against America," reaches a similar conclusion, suggested by its subtitle: "The Kremlin's Electoral Interference is All Madness and No Method." As the author argues, "The mainstream view in the U.S. media and government holds that the Kremlin is waging a long-haul campaign to undermine and destabilize American democracy. Putin wants to see the United States burn, and contentious elections offer a ready-made opportunity to fan the flames." And that view is misguided and mistaken. Russia's government sees itself as threatened and encircled. Its insecurities are exacerbated by a sense of disregard, by fears that the world doesn't take it entirely seriously as a great power.
Compare George Kennan's famous Long Telegram from 1946, which also concluded that Russian foreign policy was significantly driven by internal insecurities. Where it says "Soviet," substitute "Russian":
"At bottom of Kremlin's neurotic view of world affairs is traditional and instinctive Russian sense of insecurity. Originally, this was insecurity of a peaceful agricultural people trying to live on vast exposed plain in neighborhood of fierce nomadic peoples. To this was added, as Russia came into contact with economically advanced West, fear of more competent, more powerful, more highly organized societies in that area. But this latter type of insecurity was one which afflicted rather Russian rulers than Russian people; for Russian rulers have invariably sensed that their rule was relatively archaic in form fragile and artificial in its psychological foundation, unable to stand comparison or contact with political systems of Western countries. For this reason they have always feared foreign penetration, feared direct contact between Western world and their own, feared what would happen if Russians learned truth about world without or if foreigners learned truth about world within. And they have learned to seek security only in patient but deadly struggle for total destruction of rival power, never in compacts and compromises with it...
"In summary, we have here a political force committed fanatically to the belief that with US there can be no permanent modus vivendi that it is desirable and necessary that the internal harmony of our society be disrupted, our traditional way of life be destroyed, the international authority of our state be broken, if Soviet power is to be secure...
"All Soviet propaganda beyond Soviet security sphere is basically negative and destructive."