In recent weeks, there have been plenty of stories—mostly unpleasant ones—covering clashes between journalists and security services. They include revelations about a new FBI unit apparently devoted to ferreting out anybody who talks to a reporter without permission, more news about Russian discord operations disguised as news organizations, and, of course, front-page stories like the gruesome murder of Jamal Khashoggi by Saudi government agents on orders from the crown prince himself.
It’s easy to despair, given the vast financial and technical resources of the state-sponsored groups seeking to undermine work in the public interest by underpaid journalists. But the one advantage reporters have over clandestine workers is that their main weakness—public exposure—is the primary business of the press.
Here are some new revelations of intelligence activity affecting journalists, from recent research and declassifications:
A new FBI [redacted] unit for investigating leakers
A partially declassified memo from the criminal division of the Department of Justice reveals that the FBI established a unit devoted to pursuing reporters’ government sources last year. “The complicated nature of—and rapid growth in—unauthorized disclosure and media leak threats and investigations has necessitated the establishment of a new Unit,” reads one of the longer unredacted sections in the memo.
The document, classified “Secret” and released under the Freedom of Information Act to The Young Turks reporter Ken Klippenstein, pointedly does not even disclose the name of this new unit. It also appears to grant the unnamed unit authority to pursue leaks that are not merely of classified material but of unauthorized material as well—which is not necessarily a crime. As Klippenstein notes in his article, the memo contradicts former Attorney General Jeff Sessions’s statement in August 2017 that the FBI had already created this “new counterintelligence unit”; the memo is dated November 10, 2017, and a second document establishing a new cost code for the unit is dated May of the following year.
Ransomware cripples newspapers across the US
An apparent malware attack on Tribune Publishing halted the delivery of not just its own print newspapers but also the LA Times and The San Diego Union-Tribune, which the company sold to billionaire Patrick Soon-Shiong but which still share printing systems with Tribune. At Tribune alone, “Every market across the company was impacted,” a spokeswoman told multiple outlets, though she did not say how many papers specifically. The attack, which began December 27, also disrupted delivery of newspapers on the West Coast that use Tribune’s Los Angeles printing plant, according to The New York Times, which was also affected.
Initially mistaken for a server outage, the attack appears to have used a malware family called Ryuk to invade Tribune’s systems and lock employees out of its files. Ryuk, once it enters a computer system, encrypts the victim’s data and leaves a note demanding payment for the decryption keys—hence the term “ransomware” for Ryuk and other programs like it. Just before midnight on Thursday, editors of the sports section of Friday’s San Diego Union-Tribune found that they couldn’t send page files to their printers, the LA Times reported; the following day, the malware had spread through multiple papers’ systems.
No law enforcement or defense service has publicly blamed anyone for making Ryuk, but researchers have strong suspicions about its origins. It is believed to be a derivative of another malware family, called Hermes, which security experts say caused a far-reaching series of ransomware attacks on a number of auto manufacturers and the UK’s public health system in 2017. National Security Advisor Tom Bossert wrote in a Wall Street Journal op-ed that North Korea was “directly responsible” for the Hermes attacks; researchers at cybersecurity company Check Point wrote in August that Ryuk shares enough architecture with Hermes that the company believes North Korea is responsible for that program, too.
It’s not clear whether Tribune or any of the other papers affected paid the ransom Ryuk normally asks for. Analysts at security firm FireEye said in an analysis published last year that the real thing North Korean intelligence services want from the intrusions is money. In its first two weeks of operation, Ryuk netted its authors $640,000. The nation’s public services saw revenues plummet after UN sanctions in 2013. That, at least, they have in common with their targets.
The Oxford Internet Institute examines the troll farm
We also continue to learn more about disinformation campaigns on social media, and how they masquerade as news. Researchers at The Oxford Internet Institute called Twitter “a training ground for political polarization efforts” after examining hundreds of thousands of Twitter, Instagram, and Facebook posts from between 2012 and 2018. The posts were provided by the platforms to the Senate Intelligence Committee at the committee’s request. Though much of the news about Russian operations in 2016 has focused on Twitter, the platform was just the first step—Russian propagandists spread fake news items and invective first on Twitter, then on YouTube, then on Instagram, and lastly on Facebook. The Tow Center’s Jonathan Albright has said that the campaign saw by far the greatest success on Instagram.
The report, authored with network analysis company Graphika, singled out the Russian Internet Research Agency’s efforts to suppress the African-American vote for particular study, observing that the Black Matters accounts, which became notorious in 2017 after being exposed as a Russian influence campaign by ThinkProgress, ceased distributing inflammatory content through tech platforms after they were outed as part of the troll farm. Instead, the Black Matters Instagram page began to act like a conventional fashion publication, distributing beauty tips but also redirecting users to its website—which calls itself “a nonprofit news outlet”—where it was much more open with its political messaging.
More generally, the researchers expressed blunt concern that social media’s ad distribution tools were designed to manipulate public opinion exactly like propaganda. “Fine-grained control over who receives which messages is what makes social media platforms so attractive to advertisers, but also to political and foreign operatives,” the authors wrote. “A strong democracy requires high-quality news from an independent media, a pluralistic climate of opinion, and the ability to negotiate public consensus. But the IRA leveraged social media to manufacture and spread junk news, manipulate public opinion, and subvert democratic processes.”
One interesting note: The report notes that Twitter and, to a lesser extent, Facebook were more forthcoming with information related to Russian influence operations in the US media during the 2016 elections than Google, which managed to escape closer examination by revealing the least in response to the Senate committee’s request.