A new interview by Germán Realpe and José Luis Peñarredonda from enter.co with Colombian hacker/cracker Andrés Sepúlveda was published October 4th. I didn’t translate it entirely (yet), but there are some things that were not previously disclosed in the Bloomberg investigation published in March 2016.
If you’re not familiar with the Sepúlveda case, I recommend reading Bloomberg’s 9-month investigation titled “How to Hack an Election”. In short, Andrés Sepúlveda admitted to working with a rotating team of 7 to 15 hackers to manipulate information and rig elections across Latin America for almost a decade. He also confessed to rigging the 2012 presidential elections in Mexico in favor of PRI candidate and current president, Enrique Peña Nieto. He is currently serving 10 years in prison for crimes including abusive access of a computer system, violation of personal data, espionage and use of malicious software during the 2014 presidential election in Colombia.
Money was no problem. At one point, Sepúlveda spent $50,000 on high-end Russian software that made quick work of tapping Apple, BlackBerry, and Android phones. He also splurged on the very best fake Twitter profiles; they’d been maintained for at least a year, giving them a patina of believability.
Sepúlveda managed thousands of such fake profiles and used the accounts to shape discussion around topics such as Peña Nieto’s plan to end drug violence, priming the social media pump with views that real users would mimic. For less nuanced work, he had a larger army of 30,000 Twitter bots, automatic posters that could create trends.
Sepúlveda and his team did not hack any voting machines. They didn’t hack the electoral systems, they hacked public opinion.
The questions and answers below are out of order from the original interview. I pulled out some interesting parts, mostly information relevant to social media manipulation and disinformation campaigns – subjects that are hard to detect, poorly understood and have sweeping effects on society.
Q: Your case uncovered the manipulation of information in the Colombian presidential elections using social media. What were you and the team you worked with trying to do? What was the main objective?
A: The main objective was to win the election. Secondary objectives were to create disorder in the other campaigns, sabotage other actions, strengthen what was being done from the campaign, overcome the opposition and above all to misinform.
Q: What techniques and tools did you use to manipulate and control information in these election campaigns?
A: I had a platform that I developed. We had different providers, accounts on Facebook, Gmail, Twitter, Instagram, WhatsApp, Telegram … You could buy any number of accounts, and the program administered each account individually or in groups.
So I could send 200,000 WhatsApp messages in an hour. Or I could send a mention 10,000 times to a Twitter account. The program allowed me to do what I needed. It was relatively easy. The complicated part was to organize the accounts depending on the providers. What I did was centralize all of that so the attacks that were carried out were much more concrete and organized.
Q: How did you measure the success of these jobs?
A: By the amount of rumors that people began to create. Many times, while checking my Twitter or Facebook, I saw people beginning to spread rumors that I had been sowing. That happened especially in the 2014 elections.
The success of what I did was tangible: you could see what people were talking about; and based on that, you see how well your campaign had gone with whatever attack had been launched at the time.
Q: How can a common person, who has no knowledge of information security, know that they are being manipulated, or that something originated from a fake account?
A: It is increasingly difficult to tell, because it is very easy to spread a theme to real accounts. Once you manage to infect real accounts it becomes more difficult. There is no action on the internet that does not have a target. You will never see unemployed people creating a meme about a politician. That doesn’t exist. There’s a team that takes care of it.
I think the easiest way to know that one is the victim of an attack or propaganda is to look at the overall context of what is happening. For example, right now we are talking about the peace process, you can see the things on the internet. The opponents are involved in a campaign with their arguments and all of its themes, and those in favor are also bombarding the internet. Regardless of the side or the target, we will always be passive victims of this propaganda on the internet.
Q: Is it easy nowadays to hire a cracker or hacker that can manipulate political information?
A: There are people who can do things, but that doesn’t mean that they do them well. I always talk about my personal case: when I worked against other campaigns, they had response teams, but they never had an effective response to my attacks.
To do it efficiently and effectively depends on many factors. Some believe that managing a Twitter account is making a black propaganda campaign on the internet. There is a series of things that are done to make that a reality.
Q: Let’s talk about what you are currently doing. How long since you stopped working on elections and the manipulation of information?
A: Since May 5, 2014, the date of my capture.
Q: When you were buying information, was there a red line? Was there a moral or legal limit that you didn’t want to cross? Did you ever turn down an operation?
A: I never went after journalists or the media, I never attacked people for personal favors, nor a girlfriend or a friend of someone. I wasn’t interested in that type of attack. I also never worked for leftist or dictatorial governments. I always said no to that.
Q: Do you regret anything now?
A: I regret having been involved in politics; completely.
I’ll try to translate the rest of the interview soon, apologies it’s incomplete but it is late here and I can’t Spanish anymore tonight. =)