Raphael Satter on brilliant spies, terrible spies, and “medium” spies

Raphael Satter’s beat at the Associated Press covers straightforward crime reporting and high-tech espionage, with a special fondness for people who are bad at their jobs. His most recent scoop, shared with colleague Isabel Debre, chronicled Facebook’s purge of “coordinated inauthentic activity” on accounts run by an Israeli company called the Archimedes Group, “a Tel Aviv–based political consulting and lobbying firm that publicly boasts of its social media skills and ability to ‘change reality.”

The group was trying to influence elections in the Global South—both South America and sub-Saharan Africa—but they have plenty in common with Satter’s highest-profile subject in recent months: the “Mysterious operative [who] haunted Kaspersky critics,” according to one headline from April. The operative, “Lucas Lambert,” and a different man, “Michel Lambert,” clumsily tried to get prominent critics of the controversial Russian cybersecurity company Kaspersky Lab to say something compromising that might be used against them. Satter’s work has involved Russian cybersecurity before. In 2017, he acquired a dataset from Secureworks, a cybersecurity firm, that provided vital insight into the clandestine electioneering work of the notorious hacking unit at the GRU—a Russian government intelligence service—codenamed Fancy Bear.

Satter, 36, makes a point of including interesting characters in potentially dry cybersecurity stories. He spoke with CJR about his process—and bubble baths. This interview has been edited for length and clarity.

How did you first become interested in reporting on the technical end of the intelligence world?

I joined the AP about 14 years ago, and when I first joined I was an editorial assistant and I was the only person in the office who could even pretend to code HTML. That made me the tech whiz, even though anyone who’s interacted with me would know that’s pretty far from the truth.

I was in London around the time of WikiLeaks and I was pretty impressed with the operational security that went into that organization, and I would meet with the associates—and they’d all have a pile of laptops. Some would have notes that said “do not connect to the internet,” and they used PGP [an email encryption protocol] and they used Tor [an anonymized browser], both of which were unfamiliar to me at the time. I visited the [Ecuadoran] embassy [in London] when Assange took refuge there. I was intrigued by the kinds of measures they were taking and I asked myself, “What do they know that I don’t if, they’re taking these measures?” After the Snowden revelations, a lot of other people joined and started playing around with Signal [an encrypted messaging program] and PGP.

Sign up for CJR's daily email

 

How did you come across the “Lambert” story?

I owe all of this to Citizen Lab at the University of Toronto and, in particular, a researcher there called John Scott-Railton. We’ve had many occasions to talk; he was the one who originally put me down that rabbit hole. He had a fairly decent idea of what was going on more or less immediately—John is a smart guy and one of his colleagues had been called to a meeting and the colleague came away from the meeting feeling very disturbed.

 

You reported a very similar but less amusing story in December, when you unearthed an apparent spear-phishing attempt on a prominent critic of the Saudi government, Ali al-Ahmed including emails impersonating Jamal Khashoggi, who was recently murdered, likely by the Saudi government.

This is an interesting case, because Ali al-Ahmed is not a hard-to-find person. He’s very well known to people who are interested in Saudi issues. He’s been quoted more or less regularly since September 11th—it’s not as if I had to do any particular digging to get the guy. But what journalists don’t do enough of when they talk to people like Ali who are politically exposed and well known on the dissident scene, is talk about the things that are interesting to them. He’d been in touch with me for a couple of years before we met in person. We sat down for coffee and he talked to me about all the projects he was working on, and to be honest they weren’t really of interest to me.

ICYMI: The fascist next door: How to cover hate

At the end of the meeting I said, “This is all great, I’m not sure I can do anything with it, but have you gotten any weird emails lately?” I’d suggest every journalist do that! He said, “Oh, yeah, I get them all the time!” I said, “What do you mean ‘all the time?’” And he turned his computer around and my eyes goggled. It wasn’t about cut-price pharmaceuticals or penis enlargement. It was very targeted, and some of it was very chilling. He never really brought it up to anyone else, because he sort of saw it as natural.

 

How else would you suggest reporters go about trying to break stories like yours?

I don’t think there’s anything different about cybersecurity journalism: Meet people. Meet them for coffee if you can’t afford lunch. And just keep asking questions. In your first sit-down meal with someone at FireEye [a cybersecurity consultancy that often works with the US government], they’re rarely going to say, “I’m working on this amazing report, and here it is!” If you ask questions and people remember that you’re interested, they’ll think of you a couple of years down the line and say [to themselves], “Oh, I’ll give this person a call!”

Persistence is key. Being really dogged about asking for that one thing is important—that’s how I got the SecureWorks dataset. They put out a report in mid-June of 2016 talking about how they had been able to gain access to the targeting data of Fancy Bear, and how they’d been able to mine that data for insights. That report was written about in The New Yorker and in Motherboard and I know some journalists did ask for the raw data, and when they heard “no,” I guess eventually they stopped. And when I heard, “Eh,” I kept going. After, I believe it was a month, month-and-a-half of fairly dogged requests, and calling in favors from people I knew would be able to put in a good word, and when we published the first story, they were inundated by calls from other journalists asking for it. Everyone knew that they had this, but very few people knew to ask.

 

I think there’s a sense that you can do amazing journalism without picking up the phone, just by surfing the internet from your laptop. Is that true?

Definitely, but not with my brain attached to it. If someone else was behind my laptop, they could do a much better job. There are reporters who are much better at the kind of stuff you’re talking about than I am. I write for the AP, so by necessity I have to find that human story. Our readers, overwhelmingly, don’t care or understand what a zero-day is, and so we’re not going to waste time explaining it to them unless it’s very far down in the story. I’d much rather write a story about how a woman was surprised by Russian hackers masquerading as Isis hackers while she was having a bubble bath in her Colorado bathtub than about an unsecured AWS server. That’s why I try to find those stories.

 

What would you like to see more of on the beat?

What I’d like to see more of is work like Lorenzo Franceschi-Bicchierai and Joseph Cox’s “When the spies come home” series. It’s about domestic surveillance apps—“spouseware”—they’ve just done one fantastic story after another, but I think that’s an area where there’s still really good journalism to be done. They’ve written about a woman tracked by an abusive partner, for example.

READ: Audit suggests Google favors a small number of major outlets

State-sponsored espionage is covered pretty aggressively—what I’d be interested in seeing is neither your husband or your parents, nor the NSA, but the middle stuff. Large corporations, for example—how they track you, with companies able to track your phone’s location. I’d encourage people to look into that. There’s more to be done there—not the scary spies or the creepy spies, but the faceless, corporate, medium spies.

Has America ever needed a media watchdog more than now? Help us by joining CJR today.

Sam Thielman is the Tow editor at the Columbia Journalism Review.