170525_russia_flags_gty_1160.jpg
Getty

INVESTIGATION

How Russia Targets the U.S. Military

With hacks, pro-Putin trolls and fake news, the Kremlin is ratcheting up its efforts to turn American servicemembers and veterans into a fifth column.

In the fall of 2013, Veterans Today, a fringe American news site that also offers former service members help finding jobs and paying medical bills, struck up a new partnership. It began posting content from New Eastern Outlook, a geopolitical journal published by the government-chartered Russian Academy of Sciences, and running headlines like “Ukraine’s Ku Klux Klan – NATO’s New Ally.” As the United States confronted Russian ally Bashar al-Assad for using chemical weapons against Syrian children this spring, the site trumpeted, “Proof: Turkey Did 2013 Sarin Attack and Did This One Too” and “Exclusive: Trump Apologized to Russia for Syria Attack.”

In recent years, intelligence experts say, Russia has dramatically increased its “active measures” — a form of political warfare that includes disinformation, propaganda and compromising leaders with bribes and blackmail — against the United States. Thus far, congressional committees, law enforcement investigations and press scrutiny have focused on Kremlin leader Vladimir Putin’s successful efforts to disrupt the American political process. But a review of the available evidence and the accounts of Kremlin-watchers make clear that the Russian government is using the same playbook against other pillars of American society, foremost among them the military. Experts warn that effort, which has received far less attention, has the potential to hobble the ability of the armed forces to clearly assess Putin’s intentions and effectively counter future Russian aggression.

In addition to propaganda designed to influence service members and veterans, Russian state actors are friending service members on Facebook while posing as attractive young women to gather intelligence and targeting the Twitter accounts of Defense Department employees with highly customized “phishing” attacks. The same Russian military hacking group that breached the Democratic National Committee, “Fancy Bear,” was also responsible for publicly posting stolen Army data online while posing as supporters of the Islamic State in 2015, according to the findings of one cybersecurity firm. And the hacking group’s most common target for phishing attacks in the West has been military personnel, with service members’ spouses making up another prominent target demographic, according to another cybersecurity firm.

While the military and its contractors have long been the targets of cyberattacks from hostile foreign powers, the Russian campaign is noteworthy for its heightened intensity, especially since the imposition of Western economic sanctions following the 2014 annexation of Crimea, and for the novel tactics it is employing online. All of it amounts to a new kind of low-intensity or “hybrid” warfare that Western governments are still struggling to effectively counter.

“We are focused on the azalea bushes at the edge of a redwood forest,” said retired Gen. Philip Breedlove, who stepped down last June after three years as supreme allied commander of NATO, where he witnessed a surge in Russian active measures against Baltic states and in efforts to spread negative disinformation about the alliance’s soldiers stationed in Europe.

The active measures campaign has followed Breedlove home and into retirement. In July, emails hacked from his Gmail account werepublished on the Russian front site DC Leaks, and Breedlove said he was recently targeted with a series of more than a dozen sophisticated phishing emails purporting to come from his bank. Breedlove declined to name his bank but said it is used by the majority of his fellow officers, leading him to conclude the motives of the phishing attack were political rather than financial. “What Russia is doing across the gamut from our internal audiences to military audiences and others,” he said, “is quite astronomical.”

***

In the 20th century, intelligence agencies looking to build ties with foreign soldiers might have gone through the trouble of sending agents out to watering holes near military bases, waiting for servicemen to show up and gaining their trust one drink at a time.

Now, social media makes it cheap and easy to target soldiers and veterans in their virtual hangouts for intelligence-gathering and influence campaigns.

John Bambenek, a threat intelligence manager at Fidelis Cybersecurity, whose work has included investigating the DNC breach, said that Russia is one of several foreign powers using social media lures to gather intelligence on the U.S. military. “Some are quite unsophisticated (attractive woman sending friend requests), some get more complicated,” he wrote in an email. “Spies understand that a great deal can be discerned about what militaries are up to based on the unclassified behavior of soldiers.”

Forming connections on social media could help foreign states directly communicate with groups of American soldiers, a tactic employed in recent conflicts by both Russia and the U.S. During the first days of the annexation of Crimea, Ukrainian soldiers were bombarded with demoralizing text messages such as, “Soldier you are just a raw meat for your commanders.” Ahead of the 2003 invasion of Iraq, the U.S. military emailed Iraqi soldiers en masse encouraging them to surrender, according to Richard Clarke’s 2010 book “Cyber War.”

The Pentagon is clearly worried. Defense Department spokeswoman Linda Rojas declined to comment on specific activities, but said new technologies have made the military more vulnerable in cyber space. “The proliferation of internet-based communications and social media applications has elevated the potential for nefarious use that could affect our personnel,” she wrote in an email. Rojas also said the military was working to address the mounting threats posed by hacking and online influence operations. “We make every effort to educate and inform DoD personnel of these threats, while bolstering our network defense capabilities to protect IT infrastructure from outside intrusions,” she wrote.

Becoming Facebook friends with American soldiers also gives foreign agents the ability to post propaganda that will show up their news feeds.

Serena Moring, a former military contractor from a military family, said she first became concerned about pro-Russian sentiment among soldiers on social media last spring, when an unverified reportpurporting to relate the story of a Russian soldier who died heroically while fighting ISIS in Syria began circulating among American service members on social media.

“All of the response from the military guys was like, ‘That is awesome. That’s an epic way to die,’” recounted Moring, 39. “It was a very soldier-to-soldier bond that was created through social media.”

Moring said she has become further alarmed as friends of hers in the military, including military intelligence, have become avowed admirers of Putin, and that she now expends considerable effort arguing about Russia on Instagram and Facebook channels geared to military audiences.

In the Wild West of social media, it is difficult to sort out pro-Russian sentiment that is organic – Putin’s approval rating has surged among U.S. Republicans since 2015 and he is often the subject of positive coverage in right-leaning outlets like Fox News—from that which is manufactured. But Breedlove said much of the sentiment is being generated by a concerted Kremlin influence campaign. “People popping up on veterans’ sites and singing the praises of Putin, you can guarantee those are trolls and part of the army that’s sitting over there attacking us every day,” he said.

***

Putin has made the creation of a pro-Russian “alternative media ecosystem” to, in his words, smash “the Anglo-Saxon monopoly on the information stream” a top priority of his foreign policy. A significant prong of those operations is aimed at the American military community, and the Russian activity has ramped up in recent years as tensions have increased over sanctions, the annexation of Crimea and the expansion of NATO.

Veterans Today is a homegrown American site that was founded in 2003 in opposition to the invasion of Iraq and soon began publishing wild conspiracy theories. Before it partnered with Russia’s New Eastern Outlook in 2013, it had forged ties with Iran’s state-backed PressTV and counted among its editorial board of directors a former head of Pakistan’s intelligence services, publishing headlines like, “Israeli death squads involved in Sandy Hook bloodbath” and “Water Terrorism by India to Overawe Pakistan.

New Eastern Outlook “chose to work with VT after following us for a while and seeing us for the unique platform that we are,” Veterans Today managing editor Jim Dean explained in an article about the arrangement. He described it as a “marriage made in heaven.”

A Veterans Today bio for Dean lists several relatives and ancestors who served in the military and describes his membership in several military-themed groups but does not indicate he himself has served. The site’s chairman, Gordon Duff, served in the Marine Corps in Vietnam and began contributing to the site in 2008. In one 2012 interview he stated, “About 30% of what’s written on Veterans Today, is patently false. About 40% of what I write, is at least purposely, partially false, because if I didn’t write false information I wouldn’t be alive.”

Veterans Today is the flagship property of the “Veterans Today Network,” which includes a jobs board, a cancer foundation and a sister site, Veterans News Now, which describes itself as “an independent online journal representing the positions and providing news for members of the military and veteran community.” The network is also affiliated with the Veterans Housing & Education Foundation, which has the stated goal of raising $500 million in five years.

A form on VeteransTodayCancerFoundation.org, which as of this writing was down for maintenance, invited veterans in need to request help by filling out a form that asked them to submit personal details, including the handles for their social media accounts.

An administrator for the Veterans Today Network who asked that his name not be used said that the jobs board, HireVeterans.com, currently has 35,000 active resumes in its system and that it has partnered with “major companies in the U.S. in helping them find veterans for employment.” The jobs board lists dozens of featured employers – including Bank of America, Merck, Geico and Westinghouse – that according to the administrator have purchased premium annual memberships. A 2011 article by Fox Business recommends the jobs board to employers.

The administrator said that though Veterans Today and the jobs board were both owned by Success Spear LLC there would be no way for foreign states to access veterans’ personal information via their partnerships with Veterans Today. The administrator said the cancer foundation had not yet fully launched.

In October 2013, at the same time that Veterans Today began publishing content from New Eastern Outlook, its sister site Veterans News Now began publishing content from the Strategic Culture Foundation, a Moscow think tank run by Yuri Profokiev, a former head of Moscow’s Communist Party and member of the Soviet Politburo.

In October 2015, Veterans Today also partnered with a slickly designed, anonymously authored military affairs website called South Front that had been registered in Moscow that April just as Russia was ramping up its influence operations in response to Western sanctions.

Since then, the site has consistently published articles that push the Kremlin party line, both from its Russian partner and its own contributors. Now, in addition to learning about “The Coming Shift to Cosmic Fascism,” readers who cruise to Veterans Today — which has 45,000 Facebook followers and claims over 900,000 unique visitors per month — to catch up on the news or to check out the free services offered to veterans can read headlines like “Pravda: Ukraine indignant at 80% of Jews in power” and “Trump Humiliated: Syria Shoots Down 34 of 59 Cruise Missiles, Russia to Upgrade System Soon.” Recent contributions from South Front include “U.S. Suffers Reverses as Trump’s Plan to Aid Terrorists is Realized by Russia” and “The Political Uses Of Russophobia.” And recent contributions from New Eastern Outlook include, “If NATO wants peace and stability it should stay home” and “Brussels, NATO and the Globalists in Total Disarray.”

In late 2014, Duff and Dean attended a counterterrorism conference in Damascus at which Duff proclaimed to delegates from Russia, Syria, Iraq and Lebanon his theory that “the U.S. government is subservient to a worldwide criminal organization.” This March, the Veterans Today chairman attended a “VT Reception” in Damascus at which attendees gave speeches flanked by over-sized portraits of Assad and Putin, according to video he published to YouTube. Duff did not respond to a question about whether any foreign entities had been involved in funding his travel to Syria.

A State Department expert in Russian influence campaigns who was not authorized to speak on the record said he had taken note of Veterans Today’s partnership with New Eastern Outlook and that Southfront appears to be a Russian front that deliberately obscures its origins. The expert also described the Strategic Culture Foundation as a part of the Kremlin’s influence apparatus and noted that Russia has long sought to amplify the voices of Western conspiracy theorists.

Kate Starbird, a professor at the University of Washington who has studied the role of Veterans Today in the Russia-aligned “alternative media ecosystem,” described the website as an “active partner” in the dissemination of Russian propaganda.

Despite the often far-fetched claims and clunky feel of Veterans Today and other outlets used by Russian propagandists, Starbird said she has come to consider them potentially potent vehicles for disinformation. “I used to think it, and others like it, were quite fringe,” she said. “But the intentional targeting of U.S. military, active and retired, seems to be a strategy of information war. I have anecdotes from friends, family members and now strangers who tell me about their family members who are deeply engrossed in this information ecosystem.”

Joel Harding, a former Army intelligence officer who now works as independent researcher, describes Veterans Today, Veterans News Now and South Front as “Russian proxy sites.” Harding said that in combination with other components of Russian influence efforts, the sites could successfully influence the military community over the long term. “Veterans Today and Veterans News Now will not cause soldiers, marines, airmen, or seamen to defect or become pro-Russian, not by themselves,” he said. “But if someone regards them as a reliable source of truthful information, does not recognize that they are pushing Russian propaganda or information with a pro-Russian perspective, over time they will change.”

In an email, representatives of South Front who did not provide their names said the site has no links to the Russian government. They suggested that identifying South Front as part of the Kremlin’s influence apparatus would run contrary to the principles of freedom of speech and be discriminatory against Russians (one common tactic of Russian influence operations is to invoke Western values in their efforts to undermine Western societies). The Strategic Culture Foundation did not respond to messages requesting comment and emails sent to the contact address provided by New Eastern Outlook were rejected by the journal’s web servers.

Dean said he was not aware that researchers had identified Veterans Today as a vehicle for Russian propaganda. “We appreciate the publicity,” he wrote in an email. “Please ask them to keep up the good work.” He did not address a question about whether the site received funding from foreign entities. Debbie Menon, the Dubai-based, recently departed editor-in-chief of Veterans News Now did not respond to an email seeking comment.

***

In addition to influence operations, military personnel and veterans have been the subject of a disproportionate share of hacking attempts in Russia’s active measures campaign against the United States.

In fact, the Russian military hackers who breached the DNC appear to expend as much effort on current and former military personnel as on political targets. A security oversight by the hacking group, most commonly known as “Fancy Bear,” gave researchers a public window into the targets of thousands of its phishing attempts between March and September of 2015. Of the people targeted by Fancy Bear outside of the former Soviet Union, 41 percent were current or former members of the military, according to a report by cybersecurity firm SecureWorks. Authors and journalists made up 22 percent of Fancy Bear’s targets, NGOs 10 percent, political activists 4 percent and government personnel 8 percent. Of the journalists and authors targeted, more than one-fifth were spouses of military members who blog about military life.

The posting of hacked data, a novel tactic used in Russia’s assault on the American political system, has also been a component of the country’s active measures against the American military. Last summer, Russian hackers leaked emails stolen from Breedlove in an effort to embarrass NATO. And in 2015, a group calling itself Cyber Caliphate hijacked the Twitter account of the United States Central Command, directing the account’s followers to a site where the group had posted data stolen from the military. Cyber Caliphate purported to be supporters of ISIS, but in fact this was a “false flag” designed to obscure the true identity of the perpetrator, which was Fancy Bear, according to a report by the Cybersecurity firm Trend Micro that said French authorities confirmed the firm’s own analysis fingering the Russian hacking group.

As Washington comes to terms with the scope of Russian active measures, the hacking campaign against the military continues. Last month, Time reported that American counterintelligence officials concluded in March that Russian hackers were targeting 10,000 Department of Defense employees with highly targeted messages on Twitter designed to trick them into downloading malware that could compromise their Twitter accounts, computers and phones.

***

While there is no expectation of a “Red Dawn”-style Russian invasion of the United States, the Kremlin’s active measures campaign has the potential to blunt the military’s ability and weaken its resolve to counter future Russian military aggression elsewhere.

The active measures are not targeting the military and political system in isolation, but as part of a broader effort to subvert Western institutions including the news media, financial markets and intelligence agencies. Because of its multidimensional nature and use of unconventional tactics the U.S. government has struggled to effectively combat the effort. “This is obviously a really difficult challenge and a lot of people are worried that our response to date hasn’t been effective,” said one expert on active measures who recently testified on the issue before Congress.

And rather than abating after the presidential election, these campaigns have only continued to get more brazen, according to Strategic Cyber Ventures CEO Tom Kellermann, who has watched them closely.

In May and June of 2015, Kellermann, who was then the chief cybersecurity officer at Trend Micro, said the firm warned the FBI and the Office of the Director of National Intelligence that Kremlin hackers had drawn up a list of 2,300 people comprising the most powerful leaders in Washington and New York along with their spouses and lovers to target with a concerted hacking campaign. Kellerman said he does not know whether the government acted on the tip, which warned that the hackers had the ability to turn on microphones and cameras on the personal devices of their targets to obtain sensitive information about their personal lives. But he believes the campaign has successfully compromised American leaders, emboldening the Kremlin. “When you wonder why certain people act certain ways,” he said, “You have to remember these people have been warned that their dirty laundry could be aired.” (Spokespeople for the Office of the Director of National Intelligence and the FBI declined to comment.)

Kellermann cited the activities of the Shadow Brokers, a hacking group believed to be Kremlin-backed that began publishing data stolen from the NSA last summer and most recently published a leak in April. The upticks in online attacks are harbingers of armed aggression, said Kellerman, who predicted that conflict between the United States and Russia was most likely to break out in the Baltic region.

“I’m very, very concerned,” he said. “Cyberspace is always the precursor to kinetic reality,”

Shawn Musgrave and Andrew Hanna contributed to this report.

Advertisements