Oct 7, 2020

Axios Codebook

Hello, and welcome to the latest edition of Codebook. This week, we’re thinking about how it’s been 30 years — and a lifetime, in political terms — since German reunification.

Today's newsletter is 1,199 words, a 4½-minute read.

1 big thing: Russia eyes far-right U.S. social media networks


The Russian troll farm central to Moscow's 2016 U.S. election interference campaign appears to be behind a new operation targeting U.S. voters on Gab and Parler, social media platforms favored by the far right.

Why it matters: The shift by Russia's Internet Research Agency to more marginal platforms may signal that the techniques and strategies that paid off for Russia in 2016 are seeing declining returns. If Moscow is trying to influence a broad swath of U.S. voters, being relegated to platforms unknown to 99% of Americans simply won’t get the job done.

Driving the news: The move to Gab and Parler was documented in a report from social media analytics firm Graphika and an accompanying Reuters investigation late last week. This is Russia's first known use of these platforms.

Details: The fake network described by Graphika revolved around an ostensibly Europe-based website called the Newsroom for American and European Based Citizens (NAEBC).

  • NAEBC’s stated purpose was to provide news and commentary about Europe and North America from a conservative perspective, but the vast majority of its content was U.S.-oriented and "focused on racial tensions and violence and always presented minorities and liberals in a negative light," says Graphika.
  • Stymied by more robust enforcement regarding disinformation operations on mainstream platforms, the IRA operators sought to build profiles and followings on alternative platforms favored by the far right, such as Gab and Parler.
  • Facebook, Twitter and LinkedIn have all taken down NAEBC-linked content on their sites, while Gab and Parler have not.

Of note: To create believable identities for the fake editors and writers for the site, the Russian intelligence operatives created LinkedIn and other social media profiles and used AI-generated fake profile photos, employing technology “known as Generative Adversarial Networks (GAN), a technique that has become increasingly popular among information operations since 2019.”

By the numbers: The disinformation operation, which went public in June, failed to take hold in any meaningful way on mainstream platforms. For example, by the time its main account was removed from Twitter in late September, it had fewer than 200 followers.

  • Though still relatively small, its greatest success was on the far-right platforms: By late September, accounts associated with NAEBC had 14,000 followers on Parler and 3,000 on Gab.

The intrigue: Investigators believe that the IRA operation that created NAEBC was also responsible for the fake Peace Data website and organization, which focused on left-wing voters and engaged in anti-Biden messaging.

  • As in 2016, the Russians' 2020 strategy seems to be increasing societal tensions by targeting “both ends of the political spectrum with divisive and hyper-partisan content,” says Graphika.
  • The Peace Data network involved 13 Facebook accounts and two pages, with 14,000 followers for one of these pages, Facebook disclosed in August. But the English-language page only had roughly 200 followers, and the sites had only invested $480 in advertising. Before it was taken down, Peace Data’s Twitter account had only 3,000 followers.

Between the lines: The alternative, ideologically driven social networks cropping up on the right have no equivalent on the left. Unless active-measures campaigns manage to infiltrate private left-leaning groups on platforms like WhatsApp, Discord or Telegram, inflaming tensions on the left side of U.S. politics via certain techniques may become increasingly hard to pull off as mainstream platforms get wiser to disinformation.

The bottom line: Focusing on niche platforms could help Russia and other hostile powers further radicalize a small sliver of the American electorate. The IRA's activities on Parler and Gab may augur a turn to a less visible, and more targeted, approach to ratcheting up domestic U.S. tensions.

2. Russia promised no election interference: White House official

In conversations last week in Geneva, national security adviser Robert O’Brien received assurances from his Russian counterpart, Gen. Nikolai Patrushev, that Moscow would “commit to not interfere in the elections,” O’Brien said in a CBS interview.

  • Yes, but: Russia has also feigned innocence around 2016 election meddling, and President Trump has in the past taken them at their word.

Driving the news: O’Brien told Patrushev that “there would be absolutely no tolerance for any interference with our Election Day, with our voting — with the vote tallies — and demanded [that] Russia not engage in that sort of thing,” he told CBS.

  • O’Brien conveyed some skepticism about how seriously to take the Russians’ word: “As President Reagan said, and as President Trump often says, it's trust but verify,” he said.
  • However, O’Brien did not say if he raised known current instances of Russian electoral interference, such as the IRA-orchestrated Internet and social media disinformation campaigns targeting U.S. voters.

Context: A recent CIA assessment found that Russian President Vladimir Putin is once again directing Moscow’s intelligence services to interfere in favor of President Trump. Social media companies and private analysts have also discovered and disclosed U.S.-focused Russian online disinformation operations.

3. Ransomware victims may be penalized for paying up, says Treasury


Victims of ransomware attacks who pay criminals to release their data may be held liable for violating U.S. sanctions — even if they don’t know the true identity of their tormentors, advised the Treasury Department in a bulletin last week.

Why it matters: The move could doubly punish the victims of ransomware attacks.

Between the lines: The cyber criminals responsible for major ransomware attacks do not often volunteer their true identities to their victims, and the payment schemes are generally conducted anonymously using cryptocurrency.

  • It’s not just victims who might be subject to civil penalties for paying sanctioned ransomware attackers, says the Treasury, but also “those involved in providing cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payments.”

Background: The Treasury, through its Office of Foreign Assets Control, sanctions entities and individuals deemed national security threats — including state-linked hackers, terrorists and even transnational cyber criminal groups. Under these sanctions, U.S. persons or businesses are totally forbidden from facilitating or carrying out any financial exchange with these entities.

  • Some of these sanctioned groups, like the Russian cyber criminal syndicate Evil Corp, act generally on their own behalf and are motivated by private profit.
  • But other sanctioned entities, like the Lazarus Group, which is directly connected with North Korean intelligence, use ransomware attacks to pad the coffers of foreign governments.

By the numbers: Reports of ransomware attacks increased 37% from 2018 to 2019, according to the FBI, with a 147% spike in “associated losses” during that period, per the Treasury bulletin.

4. Report highlights key flaws in cyber insurance

Insurers are pointing to clauses that exempt war-related damage from being covered in order to reject claims related to state-backed cyberattacks, notes a new report from the Carnegie Endowment for International Peace.

Why it matters: This “war exclusion” raises “doubts about whether adequate or reliable coverage exists for state-sponsored cyber incidents,” the report says.

Where it stands: Insurers’ use of this exclusion is currently being litigated, says the report, as a result of claims made after the catastrophic 2017 NotPetya incident, which led to an estimated $10 billion in losses across the globe.

Flashback: The NotPetya virus, which was Russian in origin, was aimed at disrupting and destroying Ukrainian online infrastructure, but soon infected systems worldwide.

The big picture: Some insurers’ “novel use of the war exclusion” in refusing to reimburse companies for nation-state cyberattack-related losses has helped contribute to an unsettled cyber insurance marketplace, says the Carnegie Endowment.

  • “Three years after NotPetya, it is still unclear how insurance can or should cover state-sponsored cyber incidents and other large-scale cyber risk. This fundamental uncertainty continues to inhibit the development of robust, socially beneficial cyber insurance markets,” says the report.

What’s next: The report suggests insurers could craft a new, more tailored "exclusion for cyber catastrophes," as well as a separate exclusion for "cyber losses arising from kinetic war" — that is, cyberattacks that accompany a conventional armed conflict between states.

5. Odds and ends

  • Antivirus pioneer and cryptocurrency activist John McAfee was indicted on tax evasion charges. (Justice Department)
  • Seven factors intermixing in America’s very dangerous October. (Wired)
  • Some COVID-19 trials were slowed by a ransomware attack. (New York Times)
  • A previously undisclosed state-linked Eastern European hacking group dubbed “XDSpy” has been targeting “military organizations, foreign ministries and private firms in Russia, Ukraine, Belarus and the Balkans with pinpoint espionage.” (CyberScoop)
  • Russian intelligence has long targeted Walter Reed. (SpyTalk)