A mountain of evidence points in one direction: Russia sought to sway the 2016 US election

Brad Heath | USA TODAY

WASHINGTON – For two years, cybersecurity researchers, spies and federal prosecutors have laid out a stunningly thorough chain of evidence to support one simple conclusion: The Russian government sought to sway the 2016 presidential election.

Federal agents have traced data and currency trails across continents, revealed inside knowledge of Russian spies’ computer network, and quoted the private emails of employees at a Russian internet firm working to influence voters. Cybersecurity researchers analyzed malware and followed clues buried in the details of stolen emails.

Those disclosures have left an unusually detailed public view of Russians' wide-ranging campaign to persuade and divide voters in the months before the presidential election. While the government sometimes shares its conclusions about national security threats, rarely does it take the risk of revealing so much of its evidence to the world.

“It’s unprecedented, both the activity that’s outlined and the fact that we’re privy to so much information,” said John Carlin, a former chief of the Justice Department’s National Security Division.

And it remains widely disbelieved.

As recently as July, about a quarter of voters said they thought there was “no Russian interference in the 2016 election,” according to an NPR/Marist poll.

President Donald Trump has long equivocated on the question. Last month, standing beside Vladimir Putin, he said the Russian president had been "extremely strong and powerful" in his denial of election interference and cast doubt on the work of U.S. intelligence agencies. Days later, Trump clarified his remarks and said he believed the government's conclusions, but then suggested after that on Twitter that the notion of Russian interference "is all a big hoax."

So President Obama knew about Russia before the Election. Why didn’t he do something about it? Why didn’t he tell our campaign? Because it is all a big hoax, that’s why, and he thought Crooked Hillary was going to win!!! — Donald J. Trump (@realDonaldTrump) July 22, 2018

Meanwhile, warning signs are pouring in that Russians might similarly target this year's midterm elections. Facebook said in July it had detected a sophisticated and secretive political influence operation. And Sen. Claire McCaskill, D-Missouri, said Russian hackers had unsuccessfully targeted her campaign's computers. Director of National Intelligence Dan Coats warned Thursday that spy agencies "continue to see a pervasive messaging campaign by Russia to try to weaken and divide the United States."

The most detailed disclosures about Russia's intervention in 2016 were a product of Mueller’s investigation. His office has so far brought criminal charges against 12 Russian intelligence officers and 13 other Russian nationals (plus three private businesses) over what he alleged were illegal attempts to involve themselves in the presidential election.

The Justice Department has used similar indictments in the past to respond to cyber attacks from foreign military forces; it also has brought cases against Chinese and Iranian officers. The charges offer a way for the government to say publicly that it knows what happened and who did it, and to alert the world that it is watching. Each indictment comes at a cost — any information the government reveals in court also risks compromising the tools officials used to gather it. But officials said the trade-off is sometimes worth it because it can help lessen new threats.

“One of the things we ought to be doing, ought to be trying as a country, is to develop some real antibodies to the virus that the Russians have tried to introduce into the body politic,” said David Kris, a former National Security Division chief and a founder of Culper Partners. “That’s especially well met with public disclosure.”

For all that is known, officials say there is more that remains secret. Officials won't say what that evidence is, because it remains classified, but they've given hints about the surveillance tools that informed their conclusions.

Adm. Mike Rogers, then the director of the National Security Agency, told lawmakers last year the laws authorizing the government to eavesdrop on foreign targets had been “instrumental” to its ability to gather intelligence on Russian actors targeting the election.

“In the intelligence world, it’s as incontrovertible as it can get,” said Rep. Adam Schiff, D-Calif., the top Democrat on the House intelligence committee.

That central conclusion — that Russia sought to interfere in the 2016 election — has become a rare point of agreement among political factions in Washington who seem to agree on little else. The FBI, CIA and National Security Agency concluded in a rare public assessment in early 2017 that Putin “ordered an influence campaign in 2016 aimed at the US presidential election,” and that he did so in part to help elect Trump.

Republicans and Democrats on the Senate intelligence committee unanimously backed that conclusion this year. Their Republican House counterparts also backed the conclusion that Russia conducted a “malign influence campaign” before the election, though it disputed Moscow’s motives.

Here are the threads that led to that conclusion:

THE FIRST DATA TRAILS

The Democratic National Committee revealed in June 2016 that hackers had compromised their computers and gained access to internal emails and the opposition research they had amassed on Trump. CrowdStrike, the company the DNC hired to investigate the intrusion, quickly said it had traced the intrusion to Russian government hackers.

Hackers similarly breached the Democratic Congressional Campaign Committee and Hillary Clinton’s presidential campaign.

Cybersecurity researchers quickly saw clues pointing to Moscow, particularly when the stolen files began appearing online.

For one thing, data embedded in the files showed that they had been edited by someone whose computer had Russian language settings. The malicious software that had been implanted on the DNC’s servers bore striking similarity to programs used in previous attacks that other governments had said were carried out by the Russians. Malware often forces infected computers to communicate with machines elsewhere on the internet, to receive commands and steal information. Researchers found the malware on the DNC network was communicating with the same computers as malware that had been used against the German parliament.

Researchers at SecureWorks studied emails stolen from Clinton’s campaign manager John Podesta and found another clue. Among the emails eventually published by the anti-secrecy group WikiLeaks was the original message that was thought to have tricked Podesta into revealing his password, a technique called "spearphishing" that's widely used by criminals to trick people into revealing bank or email passwords. Researchers followed the link in that email to the link-shortening service Bitly and found that whoever had created the link in Podesta’s email had created thousands of links to target other email accounts, including those of many people working for the Clinton campaign.

By itself, none of that is conclusive, said Matt Tait, a cybersecurity fellow at the University of Texas at Austin and former information specialist for the United Kingdom’s signals intelligence agency. But taken together, “you end up with a huge body of evidence,” he said.

RUSSIAN HACKERS INDICTED

Prosecutors working for Mueller offered more details on the hacking in July, when a grand jury indicted 12 Russian intelligence officers for breaking into Democratic political organizations to steal troves of internal records that they then made public.

The 29-page indictment hinted at the depth of the information the government assembled about the hacking campaign.

Prosecutors named 12 officers in Russia’s military intelligence service, known as the GRU. They detailed where the officers worked, who was in charge, and which ones sat at the keyboard as particular parts of the hacking operation were carried out. They alleged that one officer, Ivan Yermakov, assigned to one of the service's hacking units, started probing the DNC’s networks in March 2016. They said a different officer in the same unit, Aleksey Lukashev, composed the “spearphishing” emails that obtained Podesta’s password.

Prosecutors also hinted at still broader knowledge. They described the computer network through which hackers moved documents stolen from the DNC and DCCC. They detailed the dates on which hackers activated specific parts of their malware, which recorded users’ keystrokes and took digital pictures of what was on their screens. And they logged the search terms on a Russian computer server used by a separate Russian intelligence group in charge of leaking the stolen emails.

“That is incredibly detailed. They’ve given a lot away,” said Mary Carney, a former Justice Department lawyer. Prosecutors aren’t required to share that level of detail to bring a criminal case, “but the point is telling the story,” she said.

Mueller’s office did not say how the government gathered that information. Tait said some of it — particularly details about some of the searches the officers carried out — was so specific that it likely required real-time surveillance of the Russians' computer networks.

A spokesman for Mueller’s office declined to comment.

“The level of specificity was pretty remarkable,” said Sen. Mark Warner, D-Va., the top Democrat on the Senate intelligence committee. “There is an important education function, honestly. Not to relitigate 2016 but just to point out the fact that we’re still vulnerable.”

THE SOCIAL CAMPAIGN

Prosecutors offered a similarly detailed assessment in February of Russian nationals and businesses, some with ties to the Kremlin, that orchestrated a social media operation that appeared in millions of Americans’ Facebook and Twitter feeds as the 2016 campaign entered its final months.

A grand jury charged that 13 Russian nationals and three businesses sought to “interfere with the U.S. political and electoral processes.” The indictment included the names of low-level employees who worked for one of the companies, the St. Petersburg-based Internet Research Agency, who churned out social media posts preying on Americans' political divisions. Officials saw little need to guess at their motives; they quoted internal communications in which the company said its goal was to “spread distrust toward the candidates and the political system.”

Prosecutors tracked the PayPal accounts the company used to purchase social media ads, sometimes using the stolen identities of real Americans. (A California man separately pleaded guilty to trafficking in the stolen names.) They detailed visits by Internet Research Agency workers to the United States, and contacts with “unwitting members, volunteers and supporters of the Trump campaign.”

They identified the specific Facebook ads the company had placed. (Democrats on the House intelligence committee released an archive of all 3,500 this year, revealing an effort largely focused on dividing Americans along racial lines.) And they knew how the company tracked its posts to see which messages were hitting their mark.

More: We read every one of the 3,517 Facebook ads bought by Russians. Here's what we found

Prosecutors also revealed the government had been reading more than a year's worth of the Russians’ internal messages and private emails. In one, sent in February 2016, managers at the Internet Research Agency admonished their workers to “use any opportunity to criticize Hillary and the rest (except Sanders and Trump – we support them).”

A year and a half later – long after U.S. intelligence agencies and cybersecurity researchers mapped the trail back to Russia – the company seemed aware that the Americans knew what it was doing. “We had a slight crisis here at work,” one of the workers, Irina Kaverzina, said in an email to a relative in September 2017, “the FBI busted our activity (not a joke)."

Federal agents obtained a copy of the email.