war on the rocks

Can Fancy Bear Be Stopped? The Clear and Present Danger of Russian Info Ops

September 29, 2016

Former Secretary of State Colin Powell was curt to his former aide. Republican presidential candidate Donald Trump “is a national disgrace and an international pariah,” he wrote. In the leaked email, Powell, whose public persona is dignified and deeply appealing to both political parties, comes across as frustrated and upset by the 2016 presidential election. “I would rather not have to vote for her,” he wrote elsewhere, referring to Democratic nominee Hillary Clinton, describing her as having “a long track record, unbridled ambition, greedy, not transformational.”

It was the sort of juicy gossip political reporters just cannot ignore, and they predictably ran stories detailing who got burned and who got shade from the famously dignified and respectful Powell. Yet this email leak was the latest vanguard of what has become a sustained campaign of cyber operations by the Russian government, seemingly geared to manipulate the election. By aggressively hacking into email accounts and then selectively leaking documents meant to embarrass Hillary Clinton and the Democratic Party, Moscow is combining two different strains of security threats in a way no one is sure how to counter. Combining a traditional form of cyber operation (the actual email hacks) with targeted releases to affect a political outcome (information warfare), the Russian government has innovated a type of cyberwarfare that is catching both the media and policymakers off guard.

The Powell emails have been linked to a hacking group called Fancy Bear, which has been behind some of this year’s biggest cyber operations against the United States. It is the same group that hacked into the Democratic National Committee and released emails in an effort to embarrass Hillary Clinton and hurt her campaign for the presidency. They hacked into the World Anti-Doping Agency in an effort to embarrass Venus and Serena Williams over exemptions they claimed for taking prohibited drugs during the Olympics. They leaked emails by former Supreme Allied Commander-Europe, Gen. Philip Breedlove, to undermine U.S. policies in Europe. And now they’ve been linked to the Powell email leaks as well.

As cybersecurity firm ThreatConnect has documented meticulously, Fancy Bear is at the heart of a network of websites backed by the Russian state, most likely a military intelligence unit, and is engaged in a sustained information operations campaign. One of those related websites, called DC Leaks, which has also been linked to Russian intelligence, recently released Michelle Obama’s passport alongside sensitive travel information for the White House. This is happening in an election year.

To put it as bluntly as possible: Russian intelligence is breaking into senior officials’ computers in an effort to manipulate a U.S. presidential election.

Yet the response from the White House has been muted. One reason might be that the U.S. government is still unsure how to respond. I reached out to a half-dozen current and former officials responsible for both public diplomacy and cybersecurity. None of them expressed confidence in which agency should take the lead in responding to a massive effort to leak private correspondence heavily weighted toward one party in an election. There’s never been an attack on the process of an American election like this, and given its openly partisan nature (the leaks seem to primarily target Democrats), many officials are reluctant to be seen engaging in partisan activity by pushing back too hard against the Kremlin. Complicating matters is the casual attitude Donald Trump has taken toward the leaks, at one point flat-out asking Russia to do more hacking against Democrats (one of Trump’s foreign policy advisers just came under investigation for his alleged backdoor negotiations with Russian officials).

But it goes deeper than that too: This isn’t the sort of “cyberwar” we were promised. When scholars and pundits talk about this set of threats, they are thinking of things like Stuxnet: sophisticated programs meant to destroy or disrupt infrastructure. From former White House officials to journalists, even to academics trying to debunk the worst of the fear mongering, the overwhelming focus is on tangible targets: the power grid, banking institutions, military installations, even voting machines. The idea of targeting one party and selectively leaking embarrassing emails just wasn’t on anyone’s radar. In hindsight, maybe it should have been.

•      •      •

For the last eight years, Russia has been expanding its information operations capabilities and deploying them against the United States and Europe. The 2008 invasion of the Republic of Georgia was, in many ways, the prototype that got it all started: Russia engaged in as much cyber and information warfare as it did conventional war with tanks and bombs. Some of this was the conventional cyberwarfare that garners so much attention: distributed denial of service (DDoS) attacks against Georgian websites, for example. But the Kremlin also made a concerted effort to create a friendly narrative about its invasion, to a degree that hadn’t been seen since the Cold War. The Russian government not only deployed its propaganda outlets to spin the conflict (one Western reporter working for them resigned in protest), but it directly approached journalists in the United States to buy positive coverage. Georgia fought back with its own efforts to spin the war, and mostly cemented its version of events in the West.

Less than 18 months later, the Kremlin released its updated military doctrine, which cemented “the intensification of the role of information warfare” in Russian foreign policy. One feature of modern military conflict, it said, is:

[T]he prior implementation of measures of information warfare in order to achieve political objectives without the utilization of military force and, subsequently, in the interest of shaping a favourable response from the world community to the utilization of military force.

A key task for modernizing the Russian military to be more effective in modern conflict, the doctrine concluded, is “to develop forces and resources for information warfare.”

This use of information warfare as a primary tool of warfare was put into play during the Euromaidan crisis in Ukraine, and later during the ongoing conflict in the Donbass region of Eastern Ukraine. Russia’s information operations about Ukraine have been so sophisticated and so extensive that it has become its own genre of research.

Yet Russia’s propaganda about Ukraine did not guarantee it a strategic victory. Broadly, the global consensus is that Russia was wrong to invade Ukraine, that its annexation of Crimea was flagrantly illegal, and that its attempt to conceal its role in the destruction of a civilian airliner with hundreds of innocents onboard was appalling. Meanwhile, Russia effectively achieved a stalemate in Ukraine and pivoted to Syria (where it is also working for a stalemate). The Russian government successfully distracted global attention from Ukraine and propped up a friendly government in Damascus. But this “success” came with grave costs: Sanctions have pushed millions of ordinary Russians into poverty. The Kremlin’s renewed alliance with Damascus has poisoned its relationship with other Gulf powers. Ukraine has transformed from a state within Russia’s orbit to one mostly hostile to Russian interests. Russia may not have “won” in Ukraine or Syria, but both Ukraine and Syria have suffered greatly as a result of Russia’s attempts to muddle the global response.

Russia’s big innovation in information warfare isn’t to create traditional propaganda: Very few Westerners read Sputnik as their primary source of news (according to HypeStat, it has 7 percent of the website traffic the New York Times does). As Edward Lucas explains, their intent isn’t to provide an alternative set of facts but to attack the very idea of facts. You don’t have to believe their version of events, but you will question whether there is a version of events.

The most corrosive force for this muddling of reality has been RT, the English-language propaganda channel formerly known as Russia Today. RT’s trick is a clever one: it rarely will directly praise or promote the Russian government; rather, its role is to sow confusion and doubt. In stark contrast to U.S. government-funded outlets like Voice of America or Radio Free Europe/Radio Liberty, RT does not have editorial independence from the Kremlin (the head of RT, Margarita Simonyan, reportedly meets with political operatives at the Kremlin to discuss the network’s coverage). Moreover, the United States does not block RT from broadcasting here, while the Russian government has interfered with both VOA’s broadcasting and routinely harasses RFE/RL’s correspondents.

RT, and its video broadcasting service Ruptly, target the United States and the Western international order writ large. This year, it has focused on the Democratic Party: Russian President Vladimir Putin nurses a nasty grudge against Hillary Clinton for her accurate assessment of the fraud in Russia’s 2012 elections, which resulted in massive protests in Moscow. The service is very good at what it does: it hired Larry King to give softball interviews with political figures critical of the United States (most recently Donald Trump). As of 2015, RT had a budget of $400 million (Fox News, in contrast, has an annual revenue of approximately $2.3 billion). RT has the most-watched news channel on YouTube (there is confusion as to whether those are real viewers or bots artificially inflating viewership, but there is no way to determine the exact source of views on a YouTube video). Casey Michel, a researcher at Columbia University in New York, describes the channel:

RT has perfected a method in which it injects anodyne, actual reportage into its lineup. In breaking news, for instance, RT remains a reliable source. The outlet’s perfected an amalgamation of the real and the fictional, the news alongside Newspeak, leaving viewers off-kilter along the way.

By flooding the zone with budget conspiracy theories about CIA agents fighting for fascist militias in eastern Ukraine, or how flight MH-17 was really shot down by the Jews, RT is more than just a lavishly funded propaganda channel. They effectively exploit weaknesses in Western journalism itself. By manipulating the instinctive push for equivalence in Western journalism, Russia is able to insert a factually wrong narrative and have it considered alongside an actual version of events as simply a competing perspective instead of being accurately described as a lie. Thus, when agents working for the Russian government release hacked emails under the guise of gossip journalism, it fits their false narrative: “Everyone is corrupt, everyone is a liar, but we’ll tell you the truths they want to hide.” Hook it up to an appealing, click-baity headline and thousands of otherwise innocent people spread it across social media, and it becomes its own self-reinforcing conventional wisdom.

•      •      •

Russia has been learning how social media helps spread stories for years. Adrian Chen followed one early effort Russia undertook on this front in 2014. He researched a Russian “troll farm,” where employees of the Russian government flooded social media feeds with dummy content. One type of behavior he noticed was hoaxing, whereby Russian troll accounts would try to fabricate some sort of emergency and then study how local media picked up on the story and covered it.

This campaign of releasing emails, however, represents something new. While the media efforts by Russian propagandists have been difficult to counter, they have existed in a realm that is at least understandable: RT, Sputnik, et al. are state propaganda, which means they can be evaluated as sources. Even if a story they publish is provably wrong, you can’t ignore what Foreign Minister Sergei Lavrov says about Russian troops in Crimea. The hacks are different: It’s not always clear at first where they come from, so it’s harder to evaluate their reliability (there is a reason the released emails are only those with insults and negativity, for example: people speaking positively of each other does not fit Russia’s narrative). And because they are, in fact, true (Colin Powell really sent those emails), they can’t simply be denounced as a lie. It is the most effective form of propaganda, because there’s nothing to denounce as a lie.

In hindsight, the hoaxing Chen covered seems like an experiment to see exactly how to goad the U.S. media into covering an event. They seem to have learned their lessons: despite the overwhelming sense within the U.S. intelligence community that the hacked emails from presidential candidates, generals, and secretaries of state are coming more or less directly from Russian intelligence, there is reluctance to cover that angle very closely: The veneer of unguarded honesty is irresistible to click-hungry reporters.

Journalists love gossip, and the leaked emails have given them a lot of it. But journalists aren’t always beholden to dumps of private documents. Wikileaks was widely criticized for publishing the personal information of donors to the Democratic National Party and Turkey’s ruling AKP party. When Sony’s emails were hacked and posted online, many journalists chose not to publish them, citing both privacy concerns and the possible source of the emails in North Korea. And when hackers exploited a flaw in iCloud security and dumped thousands of nude photos of celebrities online, most journalists collectively ignored the tranche of revealing images entirely, choosing instead to focus on how unethical it was to hack in the first place.

Yet the cries of “public interest” usually accompany the publication of stolen emails. This is wrong. From a normative perspective, publishing stolen emails, even if they come from current or former senior officials, is a fundamental attack on a free society. An open society simply cannot function if people cannot communicate privately. Colin Powell has been out of government for almost a decade; Philip Breedlove was retired when his correspondence was published. The idea that serving in government (or worse: your husband’s service in government) means you can never have private communication ever again is incredibly toxic. It is tantamount to censorship by denying them any space at all to talk to friends, colleagues, and family away from the public.

Moreover, these leaks don’t actually serve any public interest: they aren’t exposing corruption or illegal conduct. They are just gossip: who secretly hates whom, can-you-believe-this-brainstorm, stuff like that. But journalism thrives on gossip, especially if it’s gossip about an election. No one in the media seems to care that a hostile intelligence agency is feeding them gossipy news stories: They are too happy to have coverage of another scandal about the candidates. Russia just may have found an Achilles heel.

Yet no one seems to know how to respond to Russia employing the tools of cyberwarfare to further their information war. From a policy perspective, it is far from clear how to defend citizens and private organizations against a sophisticated attack on their private correspondence that will be used for a propaganda campaign during an election. The White House’s 2015 release of its Cybersecurity Strategy and Implementation Plan does not cover this sort of incident: it is focused more on traditional threats like national security leaks, infrastructure attacks, and identity theft. The National Cyber Incident Response Plan offers few clues, either. The FBI can do a forensic investigation of the affected email systems to identify and even prosecute specific hackers, but there is no sense of how to counter these leaks from an information operations perspective.

This has exposed a frightening vulnerability in our society. The worst gossip-chasing tendencies in the media and the lackadaisical security of many legacy email systems have created a perfect storm. From the government’s perspective, it isn’t clear how to characterize these attacks (Are they cyber? Propaganda? Something new?), so it isn’t clear which agency should be in charge of coordinating a response – or even if a response is possible. While both NATO and the European Union have opened their own offices to counter Russian disinformation, U.S. law tightly restricts how the government can disseminate information domestically. The revelation that the government of Russia is trying to influence a U.S. election by attacking candidates and disrupting media coverage should be a big deal, but it hasn’t yet sparked much urgency in the general public. This is not mere red baiting; a hostile government attempting to manipulate a presidential election is a crisis-level event.

For now, this leaves policymakers in a bind. There is ample evidence that Russia has targeted its information warfare to be both extremely effective and extremely difficult to defeat. What Russia is doing through these email leaks is not misinformation in the traditional sense – they are real emails – so simply denouncing them as propaganda would not make sense.

In the long run, there are other ways to defend against these and similar attacks. One way Fancy Bear has compromised email accounts is through “spearphishing,” whereby an email recipient is persuaded to open an attachment or click on a link that infects the system with malicious code. Training senior officials to be smarter about how they handle their email accounts, including how to respond to unexpected attachments and links from their friends, would have prevented a lot of these attacks from succeeding.

In the immediate term, however, there are a few ways the U.S. can respond. The Treasury Department can expand the list of sanctioned individuals within Russia to include those ordering and carrying out these hacks. Both intelligence officials and cybersecurity researchers think Fancy Bear is a unit of the GRU, Russia’s military intelligence agency. While Igor Sergun, the former head of GRU, was sanctioned over the invasion of Ukraine, he died earlier this year. The new GRU chief, Igor Korobov, should be added to the sanctions list as well. The sanctions could be applied to lower-level officials too, should they be identified.

Further, the White House should be more up-front about the nature of these hacks: publicly naming and shaming both the government of Russia and the specific Russian operatives who are engaged in this attack. This is far outside the realm of normal politics, where interests can be balanced and egos soothed. The enormity of Russia interfering with a presidential election requires a strong, public response.

Joshua Foust is a former intelligence analyst and a national security fellow at the Foreign Policy Research Institute. His website is joshuafoust.com.