The affidavit of an FBI special agent, and the Russian documents attached to it, offer a rare glimpse into the inner workings of a vast Russian network of disinformation.

Last week, the U.S. Department of Justice indicted two Russians — both employees of state broadcaster RT — accused of illegally funnelling $9.7 million into a Tennessee media company.

The unsealed indictment said the founders of the unidentified company — widely reported to be Tenet Media — knew their funding came from “the Russians.” Far-right influencers hired by the company, including Tim Pool, Benny Johnson and Dave Rubin, have said they were unwitting “victims” of the alleged scheme.

The indictment and its associated documents show a side of Russian influence operations people in the West rarely see, said Roman Osadchuk of the Atlantic Council’s Digital Forensic Research Lab in Washington.

Normally, he said, “we’re looking at something that surfaces, the open side of things, like what’s being published on social media. Here we definitely see something from the inside.

“So this was unique.”

The affidavit also reveals the growing sophistication of Russia’s disinformation methods, said Robert English, a Russia expert at the University of Southern California at Annenberg.

“It’s on the cusp of becoming, you know, a really disturbing, distorting actor in global politics,” he said.

While the indictment doesn’t name the Tennessee-based outlet, details in the court document match those of Tenet Media, a company founded by Canadian far-right commentator Lauren Chen and her husband Liam Donovan.

The affidavit supports the the U.S. Department of Justice’s request for the seizure of 32 internet domains and includes descriptions of Russian disinformation projects in both their original Russian and in English.

The Department of Justice alleges that the author of at least some of the descriptions is Ilya Gambashidze, founder of two companies — the Social Design Agency and Structura — that worked directly with Russian President Vladimir Putin’s office to create a series of influence campaigns. The Social Design Agency created the content, while Structura focused on dissemination.

Gambashidze’s writings, cited at length in the U.S. Department of Justice documents, reveal a keen understanding of political dynamics in the West, through the eyes of a man looking for pressure points to exploit.

They also show Gambashidze understood something that Russian propagandists have known since Communist times — that it’s a waste of time to try openly to promote Russia’s cause in the West.

When dealing with a U.S. audience, “there is no point in justifying Russia and no one to justify it to,” Gambashidze wrote in a project proposal called “Project Good Old USA,” which was among the supporting documents released by Washington.

A long history of spreading conspiracies

As a former KGB officer, Putin has always appreciated the value of working in the shadows.

“What amazed me most was how one man’s effort could achieve what whole armies could not,” he wrote in his autobiography.

If he’s comparing the lacklustre performance of the Russian Army in Ukraine to the success of Russia’s internet influencers, he could be forgiven for believing that today more than ever.

The KGB’s efforts to interfere in U.S. elections go as far back as 1968. It attempted to popularize the slogan “Reagan means War” in 1980, and in 1985 staged the successful disinformation campaign Operation Denver — the conspiracy theory that HIV was created in a CIA lab.

The FBI alleges that Putin charged one of his most trusted deputies, Sergei Vladilenovich Kiriyenko, with shepherding disinformation projects aimed at Germany, France, Mexico, Israel and the U.S. presidential election.

“What’s happened in Canada or the U.S. is already disturbing but not yet critical,” said English. “In Europe, and also everywhere from Qatar to Kazakhstan, Azerbaijan in particular, we have seen [the Russians] swing elections. We have seen them turn committee decisions in the European Parliament and other institutions of the European Union. No doubt it has been more effective there.

“And with AI and with ways of multiplying their impact through technology, the future is pretty grim. And that’s not even taking into account the use of deep fakes and fabricated evidence.”

Plans for a ‘guerrilla media campaign’

In his 2022 proposal for a “Guerilla Media Campaign in the U.S.,” cited in the Department of Justice documents, Gambashidze compares the two parties on the American political scene. The department redacted the names but there is no doubt which party is which.

Democrats, he writes, are “far-left globalists who advocate for perversion of traditional moral and religious values, while supporters of the [Republican Party] are normal people whose priority is to preserve traditions of the American way of life.”

In the same document, Gambashidze zeroes in on race.

Democrats, he writes, “are also people of color and supporters of ‘affirmative action’ and ‘reverse discrimination’, i.e. infringement on the rights of the white population of the United States, while [Republicans] are the victims of discrimination by people of color.”

Gambashidze identifies the cost of living as a key pressure point. Americans, he writes, are “suffering from rising prices, primarily for gasoline, historically high inflation and the actual impoverishment of white taxpayers, a significant part of the middle class. Under these circumstances, the recipients of public assistance, unemployed people of color and residents of large cities end up being privileged groups of the population.”

Those white Americans, he adds, “are afraid of losing the American way of life and the ‘American dream’. It is these sentiments that should be exploited.”

The first goal of the “guerilla media” program, Gambashidze writes, is “to secure victory of the Republican Party candidate” and the top themes to be used in that effort are inflation and “unaffordable prices for food and essential goods … risk of job loss for white Americans” and “privileges for people of color, perverts and the disabled.”

The campaign’s secondary goals, Gambashidze adds, are “to increase the percentage of Americans who believe that the US ‘has been doing way too much to support Ukraine’ to 51%” from 41%, to raise the number who believe the war should be ended soon even if it means Ukraine surrenders territory from 43% to 53%, and to drive [U.S. President Joe] Biden’s approval rating down to 29%.”

But Gambashidze also warns Russian propagandists to take care not to harp too much on Ukraine or Russia-specific matters that could attract attention: “The amount of the highly resonant content and hot topics should not exceed 20 percent of the total volume of all publications.”

Sleepers on the internet

Russia is famous for its use of “illegals” or long-term sleeper agents, a Cold War tradition that continues to this day.

That same tradecraft appears in the Department of Justice indictment and its associated documents. They describe a disinformation scheme — dubbed Operation Doppleganger by the DoJ — that allegedly used sleeper cells of influencers whose job was to quietly generate a following, without flagging themselves as overly political.

One of the documents released by Washington is Gambashidze’s original written proposal for Doppleganger. 

Producers of Doppleganger material would masquerade as regional news groups, he wrote in Russian. Their target audiences would include swing-state voters, voters in a small group of very red states, “U.S. citizens of Hispanic descent, American Jews, Community of American gamers, users of Reddit and image boards, such as 4chan (the ‘backbone’ of the right-wing trends in the US segment of the Internet).”

“The objective,” he continued, “is to create and for at least five months moderately promote news groups in swing states through Facebook, Reddit and X (Twitter) — a total of 18 communities, one community per media outlet in six states: Nevada, Georgia, Arizona, Pennsylvania, Michigan, and Wisconsin.

“While in a ‘sleeping’ state, communities attract an audience through targeted advertising, planting, and organic reaches. At the right moment, ‘upon gaining momentum’, these communities become an important instrument of influencing the public opinion in critically important states and portals used by the Russian side to distribute bogus stories disguised as newsworthy events.”

Those bogus stories — entirely fake webpages not searchable by Google that mimic websites for legitimate news organization like the Washington Post’s — gave Doppelganger its name.

The goal: spread anxiety and conflict

Doppleganger posts mimicking both U.S. and European media outlets have been appearing online since 2022.

While some of those fake pages have conveyed key Russian messages about Ukraine — such as a phoney Fox News story titled “Sad Outcome and Tragic Finale: Zelensky Loses in War and Diplomacy” — others just sought to generate anxiety and discontent.

Those anxiety-inducing fake posts include one titled “Young Americans Face a Poverty-Stricken Old Age,” about the supposed future collapse of medicare and social security.

It may not seem obvious what benefit Russia derives from scaring U.S. millennials about their retirement prospects, but Russia’s themes always connect back to its objectives.

Gambashidze’s written proposal suggests a fake reader comment that could be appended to a Doppleganger story to sound an isolationist note: “Our country should solve its own problems and let other countries solve their own problems.”

It also pitches a “text factory” that would churn out content linking support for Ukraine with domestic economic pressures for U.S.-based influencers to repeat. Gambashidze’s pitch offers one suggested message for the text factory: “Last night, the House of Representatives approved the allocation of 40 billion dollars to Ukraine, while American families have to do without baby food.”

The message there, said Osadchuk, is that “it’s not your war. Here is problem X,Y and Z and you should be focusing on them instead of helping other countries.”

Taking both sides of an issue

During the Cold War, the nations of the West also aimed propaganda messages at the Soviet Bloc. But there was an important distinction between those messages and Soviet propaganda, at least in theory: Western governments held that it was important that the messages be consistent, because it would undermine their credibility to be seen speaking out of both sides of their mouths.

The Russians don’t appear to care much about consistency. Because their goal is to spark conflict and polarize societies, they are often active on both sides of the most controversial issues.

In the DOJ affadavit, Gambashidze presents a plan for a social media campaign targeting Israeli and American Jews. The stated goal of the campaign, aimed at right-wing Israelis, “is to rip Israel out of the general Western anti-Russian agenda.”

“The right-wingers also want better relations with Russia,” Gambashidze writes, adding that “the current head of Israeli government is considered a ‘friend of Putin.'”

The document proposes to boost the Israeli right. “Influencing the public opinion of Israel will impact the public opinion of Jewish voters in the U.S. prior to the 2024 Presidential Elections,” Gambashidze writes.

But at the same time, Russia appears to support some of the loudest anti-Israel voices on social media, such as pro-Putin U.S. influencer Jackson Hinkle, who has spread false negative stories about Ukraine, appeared as a speaker at pro-Russia rallies and is sometimes retweeted by Russian official sources.

The same is true of left and right. While Russian disinformation in North America and Europe currently tends to push right-wing and white supremacist themes, in Africa it pushes anti-colonialist narratives that present the West as an arrogant white exploiter.

Russian disinformation appears equally happy promoting the far-left and the far-right, since the goal is to weaken the centre.

“The idea to make people disrespect, hate and basically not speak to each other from both of the wings,” said Osadchuk. “Basically, making society more polarized, unstable and thus not able to come to some conclusion that would be beneficial for both of the wings for the whole country.”

While Doppelganger is clearly aimed at energizing and radicalizing U.S. Republicans or those leaning Republican, he said, there may be other Russian disinformation programs that seek to push Democrats further to the left. “The whole scope is unknown,” he told CBC News.

English said that closing websites is not a long-term solution, since the same content will soon pop up elsewhere.

“We also just have to inculcate internet hygiene and critical reading and thinking skills. Because there’ll always be one more way to reproduce, to create some new kind of content to get around some technical technological block or some legal obstacle,” he said.

“As long as our people are basically dumb, are being more and more dumbed-down and take things at face value, only read what they like and wallow in all of these websites, Instagram, when their main source of news is Twitter … I don’t know that we’ll ever be able to get a handle on this until we have more intelligent media consumers again.”

Thirty-five years ago, a misguided AIDS activist developed a piece of malware that encrypted a computer’s filenames—and asked for US $189 to obtain the key that unlocked an afflicted system. This “AIDS Trojan” holds the dubious distinction of being the world’s first piece of ransomware. In the intervening decades the encryption behind ransomware has become more sophisticated and harder to crack, and the underlying criminal enterprise has only blossomed like a terrible weed. Among the most shady of online shady businesses, ransomware has now crossed the $1 billion mark in ransoms paid out last year. Equally unfortunately, the threat today is on the rise, too. And in the same way that the “as a service” business model has sprouted up with software-as-a-service (SaaS), the ransomware field has now spawned a ransomware-as-a-service (RaaS) industry.

Guillermo Christensen is a Washington, D.C.-based lawyer at the firm K&L Gates. He’s also a former CIA officer who was detailed to the FBI to help build the intelligence program for the Bureau. He’s an instructor at the FBI’s CISO Academy—and a founding member of the Association of U.S. Cyber Forces and the National Artificial Intelligence and Cybersecurity Information Sharing Organization. IEEE Spectrum spoke with Christensen about the rise of ransomware-as-a-service as a new breed of ransomware attacks and how they can be understood—and fought.

Guillermo Christensen on…:

Guillermo ChristensenK&L Gates

How has the ransomware situation changed in recent years? Was there an inflection point?

Christensen: I would say, [starting in] 2022, which the defining feature of is the Russian invasion of Eastern Ukraine. I see that as a kind of a dividing line in the current situation.

[Ransomware threat actors] have shifted their approach towards the core infrastructure of companies. And in particular, there are groups now that have had remarkable success encrypting the large-scale hypervisors, these systems that basically create fake computers, virtual machines that run on servers that can be enormous in scale. So by being able to attack those resources, the threat actors are able to do massive damage, sometimes taking down an entire company’s infrastructure in one attack. And some of these are due to the fact that this kind of infrastructure is hard to keep updated to patch for vulnerabilities and things like that.

Before 2022, many of these groups did not want to attack certain kinds of targets. For example, when the Colonial Pipeline company [was attacked], there was a lot of chatter afterwards that maybe that was a mistake because that attack got a lot of attention. The FBI put a lot of resources into going after [the perpetrators]. And there was a feeling among many of the ransomware groups, “Don’t do this. We have a great business here. Don’t mess it up by making it so much more likely that the U.S. government’s going to do something about this.”

How did you know the threat actors were saying these sorts of things?

Christensen: Because we work with a lot of threat intelligence experts. And a threat intelligence expert does a lot of things. But one of the things they do is they try to inhabit the same criminal forums as these groups—to get intelligence on what are they doing, what are they developing, and things like that. It’s a little bit like espionage. And it involves creating fake personas that you insert information, and you develop credibility. The other thing is that the Russian criminal groups are pretty boisterous. They have big egos. And so they also talk a lot. They talk on Reddit. They talk to journalists. So you get information from a variety of sources. Sometimes we’ve seen the groups, for example, actually have codes of ethics, if you will, about what they will or won’t do. If they inadvertently attack a hospital, when the hospital tells them, “Hey, you attacked the hospital, and you’re supposed to not do that,” in those cases, some of these groups have decrypted the hospital’s networks without charging a fee before.

“There was a feeling among many of the ransomware groups, ‘Don’t do this. We have a great business here.’”

But that, I think, has changed. And I think it changed in the course of the war in Ukraine. Because I think a lot of the Russian groups basically now understand we are effectively at war with each other. Certainly, the Russians believe the United States is at war with them. If you look at what’s going on in Ukraine, I would say we are. Nobody declares war on each other anymore. But our weapons are being used in fighting.

Back to top

And so how are people responding to ransomware attacks since the Ukraine invasion?

Christensen: So now, they’ve taken it to a much higher level, and they’re going after companies and banks. They’re going after large groups and taking down all of the infrastructure that runs everything from their enterprise systems, their ERP systems that they use for all their businesses, their emails, et cetera. And they’re also stealing their data and holding it hostage, in a sense.

They’ve gone back to, really, the ultimate pain point, which is, you can’t do what your business is supposed to do. One of the first questions we ask when we get involved in one of these situations—if we don’t know who the company is—is “What is effectively the burn rate on your business every day that you’re not able to use these systems?” And some of them take a bit of effort to understand how much it is. Usually, I’m not looking for a precise amount, just a general number. Is it a million dollars a day? Is it 5 million? Is it 10? Because whatever that amount is, that’s what you then start defining as an endpoint for what you might need to pay.

Back to top

What is ransomware-as-a-service? How has it evolved? And what are its implications?

Christensen: Basically, is it’s almost like the ransomware groups created a platform, very professionally. And if you know of a way to break into a company’s systems, you approach them and you say, “I have access to this system.” They also will have people who are good at navigating the network once they’re inside. Because once you’re inside, you want to be very careful not to tip off the company that something’s happened. They’ll steal the [company’s] data. Then there’ll be either the same group or someone else in that group who will create a bespoke or customized version of the encryption for that company, for that victim. And they deploy it.

Because you’re doing it at scale, the ransomware can be fairly sophisticated and updated and made better every time from the lessons they learn.

Then they have a negotiator who will negotiate the ransom. And they basically have an escrow system for the money. So when they get the ransom money, the money comes into one digital wallet—sometimes a couple, but usually one. And then it gets split up among those who participated in the event. And the people who run this platform, the ransomware-as-a-service, get the bulk of it because they did the work to set up the whole thing. But then everybody gets a cut from that.

And because you’re doing it at scale, the ransomware can be fairly sophisticated and updated and made better every time from the lessons they learn. So that’s what ransomware as a service is.

How do ransomware-as-a-service companies continue to do business?

Christensen: Effectively, they’re untouchable right now, because they’re mostly based in Russia. And they operate using infrastructure that is very hard to take down. It’s almost bulletproof. It’s not something you can go to a Google and say, “This website is criminal, take it down.” They operate in a different type of environment. That said, we have had success in taking down some of the infrastructure. So the FBI in particular working with international law enforcement has had some remarkable successes lately because they’ve been putting a lot of effort into this in taking down some of these groups. One in particular was called Hive.

They were very, very good, caused a lot of damage. And the FBI was able to infiltrate their system, get the decryption keys effectively, give those to a lot of victims. Over a period of almost six months, many, many companies that reported their attack to the FBI were able to get free decryption. A lot of companies didn’t, which is really, really foolish, and they paid. And that’s something that I often just am amazed that there are companies out there that don’t report to the FBI because there’s no downside to doing that. But there are a lot of lawyers who don’t want to report for their clients to the FBI, which I think is incredibly short-sighted.

But it takes months or years of effort. And the moment you do, these groups move somewhere else. You’re not putting them in jail very often. So basically, they just disappear and then come together somewhere else.

Back to top

What’s an example of a recent ransomware attack?

Christensen: One that I think is really interesting, which I was not involved with, is the attack on a company called CDK. This one got quite a bit of publicity. So details are quite well known. CDK is a company that provides the back office services for a lot of car dealers. And so if you were trying to buy a car in the last couple of months, or were trying to get your car serviced, you went to the dealer, and they were doing nothing on their computers. It was all on paper.

It appears the threat actor then came back in and attacked a second time, this time, harming broader systems, including backups.

And this has actually had quite an effect in the auto industry. Because once you interrupt that system, it cascades. And what they did in this particular case, the ransomware group went after the core system knowing that this company would then basically take down all these other businesses. So that it was a very serious problem. The company, from what we’ve been able to read, made some serious mistakes at the front end.

The first thing is rule number one, when you have a ransomware or any kind of a compromise of your system, you first have to make sure you’ve ejected the threat actor from your system. If they’re still inside, you’ve got a big problem. So what it appears is that they realized they [were being attacked] over a weekend, I think, and they realized, “Boy, if we don’t get these systems back up and running, a lot of our customers are going to be really, really upset with us.” So they decided to restore. And when they did that, they still had the threat actor in the system.

And it appears the threat actor then came back in and attacked a second time, this time, harming broader systems, including backups. So when they did that, they essentially took the company down completely, and it’s taken them at least a month plus to recover, costing hundreds of millions of dollars.

So what could we take as lessons learned from the CDK attack?

Christensen: There are a lot of things you can do to try to reduce the risk of ransomware. But the number one at this point is you’ve got to have a good plan, and the plan has got to be tested. If the day you get hit by ransomware is the first day that your leadership team talks about ransomware or who’s going to do what, you are already so behind the curve.

It’s the planning that is essential, not the plan.

And a lot of people think, “Well, a plan. Okay. So we have a plan. We’re going to follow this checklist.” But that’s not real. You don’t follow a plan. The point of the plan is to get your people ready to be able to deal with this. It’s the planning that is essential, not the plan. And that takes a lot of effort.

I think a lot of companies, frankly, don’t have the imagination at this point to see what could happen to them in this kind of attack. Which is a pity because, in a lot of ways, they’re gambling that other people are going to get hit before them. And from my perspective, that’s not a serious business strategy. Because the prevalence of this threat is very serious. And everybody’s more or less using the same system. So you really are just gambling that they’re not going to pick you out of another 10 companies.

Back to top

What are some of the new technologies and techniques that ransomware groups are using today to evade detection and to bypass security measures?

Christensen: So by and large, they mostly still use the same tried and true techniques. And that’s unfortunate because what that should tell you is that many of these companies have not improved their security based on what they should have learned. So some of the most common attack vectors, so the ways into these companies, is the fact that some part of the infrastructure is not protected by multi-factor authentication.

Companies often will say, “Well, we have multi-factor authentication on our emails, so we’re good, right?” What they forget is that they have a lot of other ways into the company’s network—mostly things like virtual private networks, remote tools, lots of things like that. And those are not protected by multi-factor authentication. And when they’re discovered, and it’s not difficult for a threat actor to find them. Because usually, if you look at, say, a listing of software that a company is using, and you can scan these things externally, you’ll see the version of a particular type of software. And you know that that software does not support multi-factor authentication perhaps, or it’s very easy to see that when you put in a password, it doesn’t prompt you for a multi-factor. Then you simply use brute force techniques, which are very effective, to guess the password, and you get in.

Everybody, practically speaking, uses the same passwords. They reuse the passwords. So it’s very common for these criminal groups that hacked, say, a large company on one level, they get all the passwords there. And then they figure out that that person is at another company, and they use that same password. Sometimes they’ll try variations. That works almost 100 percent of the time.

Back to top

Is there a technology that anti-ransomware advocates and ransomware fighters are waiting for today? Or is the game more about public awareness?

Christensen:Microsoft has been very effective at taking down large bot infrastructures, working with the Department of Justice. But this needs to be done with more independence, because if the government has to bless every one of these things, well, then nothing will happen. So we need to set up a program. We allow a certain group of companies to do this. They have rules of engagement. They have to disclose everything they do. And they make money for it.

I mean, they’re going to be taking a risk, so they need to make money off it. For example, be allowed to keep half the Bitcoin they grab from these groups or something like that.

But I think what I would like to see is that these threat actors don’t sleep comfortably at night, the same way that the people fighting defense right now don’t get to sleep comfortably at night. Otherwise, they’re sitting over there being able to do whatever they want, when they want, at their initiative. In a military mindset, that’s the worst thing. When your enemy has all the initiative and can plan without any fear of repercussion, you’re really in a bad place.

Back to top

From Your Site Articles

Related Articles Around the Web