Florida nearly got hacked.
While Russian cyber-troops were spear-phishing state and local election systems around the country, troll farmers were going after the hearts, minds and emoticons of voters on social media, working with grassroots efforts to drum up support for Trump and sow dissension among Democrats.
The most recent indictment by the U.S. Justice Department in July is the first by special counsel Robert Mueller to directly implicate Russian military intelligence officials in the attempt to disrupt the election.
An earlier indictment implicated Russian agents working at a St. Petersburg troll farm that duped both Clinton and Trump supporters in Florida and helped organize pro-Trump rallies.
'Clear and present danger':
Combined with a National Security Agency report leaked by a former Army intelligence contractor with the made-for-spy-novel name of Reality Winner, they paint a picture of a two-pronged attack on the U.S. electorate and its voting systems – and show how far Russia went to influence the presidential election, especially in the big swing state of Florida.
Winner, who obtained and leaked the document while working for a military contractor to the NSA, pleaded guilty to a single count of espionage and was sentenced to 63 months in prison.
"We wouldn't be talking about this if she didn't release that," Ion Sancho, former supervisor of elections for Leon County, told the Tallahassee Democrat.
As federal prosecutors unveil the depth and technological sophistication of the international hacking scheme, state and county officials insist that election systems were not compromised.
“The Department has systems in place that are constantly analyzing and flagging potential suspicious activity," said Sarah Revell, a spokesperson for Secretary of State Ken Detzner. "Additionally, any information the Department receives from federal partners is reviewed and verified. The Department verified that there was no evidence any potential hacking attempts were successful in 2016.”
But that assurance offers little comfort to Sancho.
“The state might not have gotten hacked, but it definitely got poked and prodded,” Sancho said. “What I saw in 2016 was an expedition. It wasn’t an attack but an information gathering effort.”
Forensic evidence gathered by federal investigators showed it was a close call.
Even if they didn't disrupt the election system hardware, they succeeded on the ground in boosting support for Trump in a purple state that voted for Obama four years earlier.
And the U.S. intelligence community Thursday confirmed that the 2018 mid-term elections and 2020 are vulnerable to a Russian attack.
"This is a threat we need to take extremely seriously and to tackle and respond to with fierce determination and focus,” FBI Director Christopher A. Wray said.
Spear-Phishing and Spoofing
Sept. 30, 2016: the FBI and Department of Homeland Security held a secret conference call with Florida’s 67 county supervisors of elections.
Most supervisors declined to comment, but Sancho felt it was his duty to let people know what was discussed so he contacted the Tampa Bay Times and Associated Press.
“Florida was one of the lucky states,” Sancho said. “None of the other states received information about the Russian hacking attempts except Florida.”
Federal officials told the supervisors that a foreign nation penetrated a vendor that did work in Florida. “Everybody knew they were talking about the GRU and VR Systems,” Sancho said.
The GRU is the Main Intelligence Directorate of the Russian government. In a federal indictment that dropped July 13, just three days before Trump’s historic meeting with Russian President Vladimir Putin in Helsinki, Mueller accused 12 members of the GRU of conducting a large-scale and sophisticated cyber attack to disrupt the 2016 U.S. presidential election.
The indictment reads like a cross between the cyber-hacker television show "Mr. Robot" and "Mission: Impossible." Russian agents or "cyber actors" used spear-phishing and spoofing tactics to gather the usernames, passwords and other personal information of staff with Hillary Clinton’s campaign. They used those stolen credentials to gain access to files on the computers of Democratic campaign committees.
They stole thousands of emails and documents, then set up false Facebook and Twitter accounts, DC Leaks and Guccifer 2.0, to leak that information to congressional candidates, lobbyists, bloggers and news outlets.
Two agents, Anatoliy Sergeyevich Kovalev and Aleksandr Vladimirovich Osadchuk, were given the job to infiltrate state and county election boards offices to identify “website vulnerabilities,” the indictment said.
Around August 2016, Kovalev and his co-conspirators hacked into the computers of an election-system vendor that has contracts with several states, the indictment said. It's believed that the unnamed company is VR Systems, whose software is used to verify voter registration information. If hacked, it wouldn't affect election results but it could cause serious disruptions and confusion at polling precincts.
“The spear-phishing email contained a link directing the employees to a malicious, faux-Google website that would request their login credentials and then hand them over to the hackers,” the Intercept reported in June 2017 based on an NSA report.
The NSA document leaked last summer mentions "firstname.lastname@example.org" and the EViD system used by VR Systems. A public records request by the Intercept produced emails confirming that VR Systems was the vendor in question.
The actors targeted seven of the company’s employees, but the email server rejected three of the malicious emails as being sent to non-existent addresses, according to the leaked NSA report. It wasn't clear that the spear-phishing compromised all intended victims, the NSA report said, but it found based on follow-up targeting that at least one account was compromised.
Prodding for website vulnerabilities
In October, Kovalev and crew poked around the websites of counties in Georgia, Iowa and Florida to identify vulnerabilities, the indictment said. They then designed an email account to look like it came from VR Systems, and sent 122 spear-phishing emails to try to infect the computers of people administering elections in those states.
“Given the content of the malicious email it was likely that the threat actor was targeting officials involved in the management of voter registration systems,” the NSA report said.
Again, it wasn't clear how successful the attempt was or what potential data could have been obtained, the report stated.
A request for comment from VR Systems was referred to its public relations firm, SalterMitchell, which directed the Democrat to the company's website FAQ page.
"That's really all that we are going to say about this," April Salter, CEO and founder of SalterMitchell, told the Democrat.
On its FAQ page, VR Systems said it was "led to believe among those 122 election officials, one or more may be our customers, but we do not have any evidence to support that."
VR Systems said it became aware of the spear-phishing email on Nov. 1, 2016, when a customer sent a screenshot of "an obviously fraudulent email purporting to come from our company."
About 40 minutes later, the company sent a warning to all its customers urging them not to open the email or click on the attachment.
The company hired a threat intelligence firm which conducted a byte-by-byte analysis of the systems and found no breach as a result of the spear-phishing attack, the FAQ page said. The company said its email was not hacked.
Eight counties – Clay, Collier, Citrus, Escambia, Hillsborough, Pasco, Putnam and Volusia – reported receiving the email. All said it was quarantined before any staff had a chance to open it, preventing hackers from gaining access to vital information.
"Security protocols for phishing emails were followed by all counties," Revell said.
Leon County received the alert notice from VR Systems to be on the lookout but didn’t receive any spear-phishing email, said Supervisor of Elections Mark Earley, who was in charge of voter management systems at the time.
Hacking the hearts and minds of voters
Efforts by Russia to undermine the 2016 presidential election go back as early as 2014, according to a February indictment by Mueller. Federal prosecutors charged 13 Russians working for the Internet Research Agency with waging an information war against the U.S.
According to the evidence, those on the front lines of the political battlefield swallowed it hook, line and sinker.
"The social media and news manipulation seemed to be most successful and devastating," Douglas W. Jones, a University of Iowa computer science professor whose expertise is in electronic voting systems, told the Democrat. "We have to assume Russia feels its efforts were successful and have to assume they are going to try again, probably on a larger scale."
The St. Petersburg troll firm Internet Research Agency likely was financed by a businessman with close ties to the Russian intelligence community and Putin. The organization's goal was to “wage information warfare against the United States of America” and spread distrust toward the candidates and the political system in general, the February indictment said.
Fake online personas gain support for pro-Trump rallies
See the Facebook ads Russians bought to target Hispanic Americans
The Russian trolls stole personal information from U.S. residents, which they used to open PayPal accounts and make phony driver’s licenses to create hundreds of fake online personas and social media accounts to amass “hundreds of thousands of online followers,” the indictment said.
They also used the fake personas to contact unwitting Trump campaign staff involved in local community outreach, supplied volunteers for flash mob events, staged several unofficial Trump rallies and raised money for at least one event in Miami.
Using the fake persona “Matt Skiber,” the conspirators contacted a real Facebook User with the account “Florida for Trump” in August 2016 and sent the following message:
“Hi there! I’m a member of Being Patriotic online community. Listen, we’ve got an idea. Florida is still a purple state and we need to paint it red. If we lose Florida, we lose America. We can’t let it happen, right?"
The Russians bought Facebook ads for Florida Trump rallies, reaching around 60,000 users. They helped stage “Florida Goes Trump” rallies around the state. They used a fake @March_for_Trump Twitter account to recruit and pay someone to wear a costume of Clinton wearing a prison uniform at a West Palm Beach rally.
The stunt was so popular that a Cape Coral resident built a caged Clinton in his front yard, NBC2 reported.
"I feel like I'm doing my little part at least in my little neck of the woods," Gary Howd said.
Russian-backed ads drive division among Democrats
The ads stoked division among Democrats by promoting U.S. Sen. Bernie Sanders in the Democratic primary while showing Hillary Clinton smiling at a woman in a hijab. Other ads target topics like gay rights and Black Lives Matter.
The ads also attacked U.S. Sens. Ted Cruz and Marcio Rubio – rivals of Trump in the GOP primary.
Around Aug. 15, 2016, the Russians “received an email at one of their false U.S. persona accounts” from a Florida political activist who was chairman for the Trump campaign in an unidentified county, the February Mueller indictment said.
In another case, the real “Florida for Trump” Facebook account contacted the Russians
and responded to the false U.S. persona “Matt Skiber” account with instructions to contact a member of the Trump Campaign (“Campaign Official 1”) involved in the campaign’s Florida operations and provided Campaign Official 1’s email address at the campaign domain donaldtrump.com.
That same day, the Russians used the email address of a false U.S. persona, email@example.com, to send an email to Campaign Official 1 at that donaldtrump.com email account, which read in part:
“Hello [Campaign Official 1], [w]e are organizing a state-wide event in Florida on August, 20 to support Mr. Trump. . . . [W]e gained a huge lot of followers and decided to somehow help Mr. Trump get elected. You know, simple yelling on the Internet is not enough. There should be real action. We organized rallies in New York before. Now we’re focusing on purple states such as Florida.”
Susie Wiles, a member of Ballard Partners, was campaign chairman for the Florida Trump campaign. She told Politico she didn't remember running into any groups planning rallies or working with the campaign that seemed unusual.
“We looked out for things when people came to rallies," Wiles told Politico. "We weren't looking for fake Americans that were really Russians. The world seems different now."
About this story
This story is a combination of original reporting, previous reports from The Intercept, Politico and members of the USA Today Network, two federal indictments, NSA documents, and a Department of Homeland Security report.