With less than a month before Election Day, cybersecurity officials and social networks are on the lookout for a disinformation tactic that throws politics into chaos at the last minute: hack-and-leak operations.
Nathaniel Gleicher, Facebook's cybersecurity policy chief, says the social network can now better recognize the signs of a disinformation campaign, and it has been actively cutting campaigns off before they can grow an audience. In September, for example, Facebook took down fake accounts tied to Russia's Internet Research Agency, the organization that tried to meddle in the 2016 election.
"We have not seen the networks we removed in September engage in hack-and-leaks, but they are linked to actors who engaged in hack-and-leak operations in the past, and we know law enforcement agencies have been vocal publicly about being ready," Gleicher said at a press briefing on Thursday. "We anticipate that operations like what we saw last month could attempt to pivot at any time."
Social networks also have a better understanding of how these leaked posts go viral. It often starts with a vulnerability that tech platforms can't control: newsrooms.
Plugging the leak
Hackers can steal sensitive documents, but they won't have much political influence if there's no way to spread the information. To do that, hackers rely on social media and on tricking journalists into giving the hacked material enough oxygen to catch fire.
It's unlikely the American public would trust stolen emails published by Russian hackers. But the hackers can launder the material if they pose as a news outlet or influence reporters to cover the documents.
In June 2016, Russian operatives launched "DCLeaks," an online persona that posed as American hacktivists who had obtained documents from the Democratic National Committee and wanted to "tell the truth" about decision-making in the U.S.
The DCLeaks website received more than 1 million page views before it was shut down in March 2017, according to the Senate committee's investigation.
The outreach to journalists took place on Twitter and Facebook under a DCLeaks account falsely registered under a US IP address.
Russian operatives also created a fake "Guccifer 2.0" persona, named after a Romanian hacker who stole documents from the Bush family. This fake persona released thousands of documents obtained by Russian hackers and relied heavily on Twitter to contact journalists and the Trump campaign.
Journalists were eager to publish the material and didn't question the source, according to the Senate committee's investigation.
In one exchange on Twitter between a Florida politics blogger and Guccifer 2.0, the reporter wrote: "Holy fuck man I don't think you realize what you gave me. I'm still going through that stuff and I find buried deep the turnout model for the Democrats' entire presidential campaign. This is probably worth millions of dollars. I'm going to post it tomorrow."
Four years later, tricking American journalists into posting disinformation through social media is still a popular tactic for Russian operatives.
Facebook's September takedown showed the Russians are shaking up the script. The affected accounts posed as news editors who tricked freelance reporters into writing news articles for a propaganda site about US politics.
A Forbes report found that these reporters were recruited through Twitter messages, similar to the way DCLeaks and Guccifer 2.0 worked.
"When you look at the spread of operations, there are different factors that make or break the viral success of these leaks," said Camille Francois, chief innovation officer of the network analysis company Graphika. "The ability for the media to amplify really makes a campaign. If you are able to hit the right notes at the right time, you can have a successful dissemination very quickly."
She noted that in campaigns where disinformation actors tried to spread the leaks on social networks alone, they often quickly fizzled out before gaining traction.
Another reason hack-and-leak campaigns have been harder to pull off this election cycle is that political campaigns have gotten better at preventing cyberattacks in the first place. Initiatives like Google's Advanced Protection program and Microsoft's Defending Democracy program are securing accounts for politicians, while Twitter and Facebook have also ramped up security measures for prominent figures.
There haven't been any successful breaches against campaigns, and intelligence officials said they haven't seen any successful attacks against election infrastructure, but the extra security measures haven't stopped hackers from trying.
"You see different actors competing against the same targets, but they are equipped differently, and not everybody has the abilities to go and grab the hacked material," Francois said.
'A whole-of-society effort'
Even with the increased security measures and experience with hacked materials from newsrooms, election security officials and tech companies are still vigilant about hack-and-leak operations.
Gleicher said Facebook frequently works with law enforcement agencies to investigate disinformation campaigns. A source familiar with the partnership said that law enforcement agencies often monitor for cyberattacks and warn Facebook about potential material that could be used as part of a hack-and-leak campaign.
"The information that we get from law enforcement is based on assets that these actors may be using that are not on our platforms but are on others," Gleicher said. "We have a pretty long history of getting information from law enforcement agencies that we can use to launch our own investigations."
That has meant finding and shutting down disinformation campaigns when they have only a couple of hundred followers, instead of when they have hundreds of thousands, as the Russians did in 2016.
Russia's hack-and-leak campaign in October 2016 gave rise to the QAnon conspiracy group that Facebook recently banned. There haven't been any significant campaigns since, but everyone needs to play their cards perfectly to keep it that way, experts say.
"It has to be a whole-of-society effort," Francois said. "You see Facebook revisiting the infrastructure that was used in 2016 and making sure there's no accounts that are still surviving. Google is doing great work protecting people's emails. That actually really matters in this hack-and-leak scenario."