How the Russian GRU Intelligence Service uses Digital Marketing techniques to steal passwords and spread propaganda online

This was an article I originally wrote for the OTH Journal, an online journal about international security. My topic specifically focused on how the Russian GRU (Russia’s military version of the CIA) used simple digital marketing techniques to influence American voters in the 2016 election and to steal sensitive data. I wish it were more complicated than it seems. Most of the news since the 2016 election has focused on stolen data or “hacking,” but what the news hasn’t told you is that the techniques used by the GRU were really just simple digital marketing and social engineering, techniques that are still being used to this day according to news reports.

No amount of software or hardware can account for the way these “hackers” tricked unsuspecting people into literally sending them their passwords through a fake password reset form. (Looking at you John Podesta.)

We’re only as secure as the dumbest person using the technology we have at our disposal–including email and even web browsing on social media websites. My aim would be to require more training for the tech ‘illiterate’ (Mostly baby boomers) so our overall security isn’t so reliant on the IT guy with the stakes as high as they are in international relations.


14-year-old Tim Toomey would never have believed you if you told him that his new hobby of tinkering with websites and wasting time in AOL chat rooms and email would help him understand (albeit later in life) the primary techniques behind ‘modern’ cyber warfare and online dissemination of propaganda. Typical college graduates nowadays have probably never had an AOL account and likely cannot tell you anything about the old software that makes email work. Your typical internet user’s only knowledge of email is what they see from their Gmail or Hotmail account. They think that hackers break into your online accounts by hammering obscure commands into a black and green terminal screen. That is almost never how it works, but once you start talking about the gritty details of cyber security, your typical internet user’s eyes glaze over. “BORING!”

To the uninitiated, digital security and hacking are a black box of magic only to be summoned by superintelligent mystical beings (hackers) as you see in movies. For that reason, the biggest threat to our nation’s security is not from terrorists or dictators in third world countries trying to develop nuclear weapons, but rather from the lack of even the most basic technical skills among our leaders in the private sector, the military, and government alike. The only way to counter this lack of technical skill is with continuing education and training for everyone—just like you experience if you are learning a new weapons system on a Predator drone. The times of ‘letting the IT department deal with it’ ended the day everyone had access to email accounts on their phones.

I realize what I have stated is a pretty damning indictment of the technical acumen for your average internet surfer, and especially that of baby boomers, but I have good reason to; the evidence is overwhelming. Baby boomers spread more disinformation online than any other age bracket. To be fair, I am not giving the younger generation much credit either, but just imagine how much worse it is for the older generation who are still getting used to this new world where everyone is connected instantaneously. My father was a computer science major at Notre Dame in the 70s, and to this day barely knows how to use email. Throw in what happened in the 2016 election to John Podesta, and the recent news about cyber attacks and dissemination of online propaganda from foreign actors, and you’ll notice a pattern.

The people behind these attacks were not geniuses. The majority of them probably do not even consider themselves “hackers.” They likely do not know how to code or program. Most of these attacks were unsophisticated and did not require vast resources or skill, and that should scare everyone involved in national security.

As of right now, my generation is still transitioning into positions of power in terms of being in charge of major decisions for the country and forming policy that helps secure our most sensitive data. The millennial and gen-x generations have little to no input towards our current policies. With little hope for establishing new policies, given the glacial pace of change in the public sector, this means that the single biggest threat to our country is the lack of understanding the baby boomers have regarding the importance of digital security. It persists because they simply do not care, do not have the time, or because security causes headaches and roadblocks to getting things done.

From what I have read in the news and heard (from lawmakers) on television in the past two years, it is clear that the general public still does not have much of a grasp on hacking or cyber warfare, much less how to securely communicate online. Those two things might not feel related, but as former US presidential candidate Hillary Clinton learned, those two things are very much related. The problem for the US in terms of defense is that cyber risk transcends the four traditional domains of conflict. No one really knows whose job it is to secure ‘the cyber’ domain, so it falls on a host of different three letter agencies and contractors that are guided by outdated policies that cannot keep up with the rest of the world. This process is not working so well, as many now know, based on the dominating headlines in the news cycle for the better part of the last two years.

Primarily, Russia was able to influence voters either not to show up on election day or, by pushing polarizing topics (such as race relations), to vote for Donald Trump or not to vote at all. The Russians accomplished this through selective leaking of documents, emails, and digital propaganda pushed out by “trolls” via Facebook, Twitter, and a variety of other ad outlets online. In short, fake fan pages run by these trolls paid for digital advertising filled with outright lies, using a few simple technologies that even Google and Facebook make use of (remarketing). If you have visited Amazon’s website to buy something, and subsequently visited Facebook, you may have noticed that same product following you around the internet; that is remarketing. Combine remarketing with some jarring political messages and a few zip codes’ worth of stolen voter data or internal polling data, and you can reach people on almost any website by only paying a few pennies on the dollar. This only covers the propaganda angle of the Russian operation, though. What is more interesting to the now 34-year-old me is the ‘hacked’ emails and leaked documents via Wikileaks.

The hacking techniques themselves were developed in the 1980s and are ripe for a sub-plot in a season of Netflix’s Stranger Things. The work involved in this particular story, and most ‘modern’ cyber warfare, is actually less technical than ever before simply due to the fact that more people are online. These same people are providing more data and storing more sensitive information more often with a limited technical understanding of the underlying technology we have become addicted to. Facebook, Twitter, WhatsApp, Instagram, text messages, and many other apps and protocols offer varying levels of privacy and secured accounts, but getting into one can be as easy as guessing a few security question answers that your victim has publicly provided. Most people use 2 to 3 passwords for just about everything. Other highlights of mainstream digital security related debacles include the Panama Papers leak. That only happened because the company storing this sensitive data forgot to update a WordPress plugin (the same software running the OTH Journal) on their site. The other highlight was when President Trump retweeted fake Russian trolls that were involved in the very propaganda that got him elected.

These cybersecurity issues keep me awake at night. As someone who knows a little bit about digital security and a little bit more about digital marketing, I am concerned that most of our elected officials and military leaders do not have an understanding of the basics of encryption and security. Understanding security requires training on how the technology works, and what to look for when you are clicking on links or downloading files from someone that emailed them to you. One of the first tricks I learned was how to spoof an email address. You might not know how easy it is to fake an email from Google or from a person you trust unless you have been trained; just like I do not know how to construct, reload and fire a sniper rifle without someone showing me each and every step of that process first.

By far, the scariest part about cyber warfare as it exists now is that it is insanely cheap in comparison to actual war. It does not take a supercomputer or even state-of-the-art high-speed encryption cracking software as you see in many Hollywood movies or TV shows like Mr. Robot. These simple, yet effective tactics give other countries the power to extract top-secret information, shut down power grids, and even sway elections that can impact the long-term health of our economy and national security. Will we do anything to prevent it? Can we? The dark truth is that today “hacking” can be done by anyone who is even moderately skilled at research.

To emphasize my point, take a look at any of the nearly 200 celebrities who had their iCloud accounts hacked over the past year. The former high school teacher who performed the hack was not some genius with a computer science degree and a supercomputer. He was just an average man who, according to the article, “accessed the iCloud, Yahoo!, Facebook and other email and internet accounts of more than 200 celebrities and non-celebrities by answering security questions he gleaned from the victims’ Facebook accounts.” This individual just knew how to use Facebook, and a password reset form, and that is the dark truth about digital security today that no one really wants to talk about. We are just happy we have virus scan, awesome search engines, and spam filters on our free email accounts. Am I right?

Celebrities are not the only people that are targeted with these techniques. A similar “hacking” technique, commonly known as phishing or spearphishing, was used by the Russian hackers who stole John Podesta’s emails from the Democratic National Committee during the 2016 election cycle.

Simply put, phishing is when someone sends you a message with a hyperlink, typically in an email or even a text message, that looks almost identical to a password reset email or security alert from your bank. It probably has the same fonts, logos, colors, and even the verbiage or brand voice that your bank might use. It might even have a similar email address like [email protected]. This can easily be faked, or spoofed, by whoever is sending the email. Throw in a couple of dollars for a domain and a cheap hosting account, and now you have a place you can put a fake “reset password” form.

If the bad actors performing the phishing campaign have done their research to garner real internal email addresses from an organization, as the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (the Russian GRU) did, then they likely have a couple million dollars behind them, like any well-funded military or government agency would. If that is the case, as it was for the Internet Research Agency, then you can bet that the imposing email you received will come from a fake domain. Clicking on the link in that email will lead you to a fake web page that reflects the same quality of deception in the branding, coding, and even a similar domain name in the web address bar of your browser. More importantly, if you are not on a trusted, secure network, there is almost no way to identify a false domain in the address bar, because a local router you are connected to could be routing you to a different server altogether and not, in fact, Apple.com (like you would see in the example image below).

[Image: OTH, multi-domain operations, emerging security environment]

If some unsuspecting victim, say Hillary Clinton’s Campaign Manager, John Podesta, clicks on the phishing email link, he would be taken to a website that looks nearly identical to the password reset form on Apple or Gmail. The only difference is that this is actually a website running on a server in eastern Europe, and the URL of the website is not yourbank.com. Instead, it is yourbank.ru, but you were not trained to look at that before absent-mindedly giving away your password. Now these 400lb dudes in New Jersey working for the Russian GRU have the ability to scrape and dump emails over to a third-party rogue actor (Wikileaks, perhaps?). This is exactly what happened in 2016 according to every three-letter intelligence agency we have.
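The checks a trained reader would make on an email like the one above (a spoofed or lookalike sender such as yourbank.ru standing in for yourbank.com, a display name that claims a brand the address does not belong to, links pointing at a lookalike host, and missing sender authentication) can be automated for triage. The script below is an added example, not code from the original article or from any of the organizations it mentions; the trusted domain list, the sample emails and the `triage` function are all constructed for illustration, and it uses only the Python standard library.

```python
"""Triage a suspicious email for the phishing tells described above.

Added example (not from the original article). TRUSTED_DOMAINS and both
sample messages are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical list of brand domains this mailbox legitimately hears from.
TRUSTED_DOMAINS = ["apple.com", "google.com", "yourbank.com"]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def is_lookalike(host: str, trusted: str) -> bool:
    """True when `host` imitates `trusted` without being it or a subdomain
    of it: same name under another TLD (yourbank.ru), the brand used as a
    subdomain of a foreign site (yourbank.com.example.net), or the brand
    embedded in a label (yourbank-secure.com)."""
    h, t = host.lower().strip("."), trusted.lower()
    if not h or h == t or h.endswith("." + t):
        return False
    brand = t.split(".")[0]
    return any(brand in label for label in h.split("."))


def message_body(msg) -> str:
    """Concatenate the decoded text/plain and text/html parts."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw_email: str) -> list:
    """Return a list of human-readable findings; an empty list means no
    phishing tells were found (which is not proof the mail is genuine)."""
    msg = message_from_string(raw_email)
    findings = []

    display_name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    # 1. Sender domain imitates a brand we trust (yourbank.ru vs yourbank.com).
    for t in TRUSTED_DOMAINS:
        if is_lookalike(from_domain, t):
            findings.append(f"sender domain {from_domain} imitates {t}")

    # 2. Display name names a brand, but the address is not under that brand.
    for t in TRUSTED_DOMAINS:
        brand = t.split(".")[0]
        own = from_domain == t or from_domain.endswith("." + t)
        if brand in display_name.lower() and not own:
            findings.append(f"display name '{display_name}' claims {brand} "
                            f"but address is @{from_domain}")

    # 3. Sender authentication as recorded by the receiving mail server.
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m is None:
            findings.append(f"{mech} missing")
        elif m.group(1).lower() != "pass":
            findings.append(f"{mech} {m.group(1).lower()}")

    # 4. Every link in the body whose host imitates a trusted brand.
    for url in dict.fromkeys(URL_RE.findall(message_body(msg))):
        host = urlparse(url).hostname or ""
        for t in TRUSTED_DOMAINS:
            if is_lookalike(host, t):
                findings.append(f"link {url} imitates {t}")
    return findings


# Constructed sample: the fake "reset your password" mail from the article.
PHISH = """\
From: "YourBank Security" <alerts@yourbank.ru>
To: victim@example.com
Subject: Password reset required
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=yourbank.ru; dkim=none
Content-Type: text/html; charset="utf-8"

<html><body><p>We noticed a new sign-in. Reset your password now:</p>
<a href="https://yourbank.ru/reset?u=1">https://yourbank.com/reset</a>
</body></html>
"""

# Constructed sample: a genuine notice from a subdomain of the real bank.
LEGIT = """\
From: "YourBank" <alerts@mail.yourbank.com>
To: victim@example.com
Subject: Your statement is ready
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mail.yourbank.com; dkim=pass header.d=yourbank.com
Content-Type: text/plain; charset="utf-8"

Log in at https://www.yourbank.com/ to view it.
"""

if __name__ == "__main__":
    for label, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, triage(sample) or ["no findings"])
```

Note that the anchor text in the phishing sample reads yourbank.com while the href actually points at yourbank.ru; the script judges links by where they go, not by what they say, which is exactly the distinction the victim in the article was never trained to make. The Authentication-Results check only reflects what the receiving server recorded, so it is evidence, not a verdict.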

If a 14-year-old kid like me could figure out how to edit the text of a web page I downloaded with my web browser and upload it to a cheap $8 domain name, you can be sure that foreign actors are going to take it quite a few steps further. Hence that password-reset form, which sends your information directly back to Russian intelligence agents.

More sophisticated developers could make a website look like the Wall Street Journal, where you need to log in or create an account to view the article, and you are well on your way to a phishing scam you could tweet instead of emailing. The Russian GRU promoted full WordPress-powered websites on Twitter and published stolen information they obtained from the Democratic National Committee hack, as well as information from computers that they compromised with malware.

Malware is really just a fancy word for what gets installed when someone opens an email attachment they should not have; it allows a hacker to gain access to any and all information stored on that computer’s hard drive. Hackers could then remotely take over your computer just like a GoTo Meeting or Join.Me session, except hackers do not have to turn on screen sharing. Instead, they install software that can log what the targeted individual types into their computer and take screenshots. The hackers could then leak or use the gathered information to further surveil targets from an office in Russia. They even offered some of the stolen documents to an unnamed US Congressman, as mentioned in the Justice Department indictment on page 6.

Since the DNC hack, and a few congressional hearings later, it is no longer as easy as it once was to digitally advertise on popular social networks with political messaging. Political ads are now much more restrictive. The AI that moderates ads on Facebook can identify political ads without human intervention at all, but that does not mean that the techniques used to influence Americans have not evolved along with the new set of rules governing the publishing of political ads on popular social networks. One of the methods used to influence the 2016 election is still completely within the terms of service on Facebook, Reddit, Twitter, and many other popular websites. As recently as November 1, 2018, a company was able to pose as Cambridge Analytica and still get their ads published. The same thing happened a few days earlier, except this time it was VICE who posed as Mitch McConnell and all 100 United States Senators. Their ads were approved, “All 100 sailed through the system” they added.

This very same method was employed by GRU officers years ago to influence voters, and it was cheaper than you would think. These now indicted co-conspirators did exactly what you and I would do if we wanted to join a social network; they simply created an account and started buying.

The only difference was that their accounts only looked like real people on Twitter and Facebook, and they were primarily used to garner a following before publishing propaganda and promoting the leaks of illegally obtained data from the DNC. They also utilized social networks, like Facebook, to create fake fan pages that gained a following no differently than your average Instagram celebrity does, by posting silly memes that people “like.” There are literally millions of bots active on Twitter and Reddit that gaslight with fake, precise messaging to influence you, just like I would as an advertiser to get people to buy products or concert tickets. They even ran influencer campaigns to amplify their messaging, just like I have advised past clients of mine to do: identify more prominent users in your brand’s wheelhouse and get them to promote your content, because they will probably agree with it. The GRU officers did the same thing with plenty of prominent political figures, celebrities, and even Jack Dorsey, head of Twitter, who amplified propaganda straight from the Kremlin. If the founder of Twitter cannot even recognize propaganda, then who can?

The first simple step towards a solution is to stop with the “just let the IT guy deal with it” attitude (read more on this in the Dangerous Assumptions section). I do not think our country is asking for Cisco certification by our senior leadership, but that might not be a bad idea. At the very least, training in digital security and in basic security measures like Virtual Private Networks, strong passwords, email encryption, and minimized use of plain-text email as a communication tool would go miles for our national security.

This should extend beyond just having an IT department or server stored in your own home. Leaders should be thoroughly trained and certified on the software that they are using, or else they should not be permitted to use it, just like the military would not entrust its personnel with weapons and expensive aircraft without the proper training and certifications. This includes even the simplest forms of digital communication.

Even if the Russians have gone eerily quiet, the same basic security measures listed above will still protect us from cyber warfare on behalf of other foreign adversaries.

We can get through this as a country, and it starts with taking ownership of our own personal digital security and making sure that those in charge of public policy and national security have the same tools as any tech-savvy millennial would have developed while growing up around modern technology that we use every day. As one of those millennials, I can vouch for the fact that the nation as a whole would benefit from knowing the basics of how technology works, so we can all be safer and better off in the future.