From Silicon Valley to Staten Island, Russian troll sites kept online by American companies

U.K. seeks info on Russian-linked Facebook ads
U.K. seeks info on Russian-linked Facebook ads

The use of American companies to push Russian propaganda goes beyond social media sites like Facebook. Russians also used American internet services to keep their websites up and hide their true owners, according to internet records and two executives at internet routing companies interviewed by CNN.

The firms routing these websites' internet traffic include Cloudflare, a major Silicon Valley corporation, and a Ukrainian company's subsidiary in Florida.

The websites are part of a network run by the Internet Research Agency, a troll army based in St. Petersburg, Russia, with ties to the Kremlin. The groups, with names like "Don't Shoot Us" and "Black Matters," posed as black American activists. They posted videos showing police brutality against African Americans and attempted to organize protests across the United States. But they need internet infrastructure to keep sites online.

The use of the routing companies shows how Russian trolls tried to mask their efforts that also used Facebook, Google, Instagram, Twitter, and other popular social media platforms.

Related: Even Pokémon Go used by extensive Russian-linked meddling effort

CNN interviewed Sergey Kashyrin, an executive at the US subsidiary of the Ukrainian company, outside his home on Staten Island on Monday evening. He acknowledged that his internet service, Orlando-based Green Floid, played a role in keeping these Russian websites up and running.

"We cannot look at all our clients. It is just not possible," he said.

But Kashyrin said he's willing to turn over all evidence in his company's possession -- revealing the identities of customers and PayPal payment information -- to the FBI, congressional investigators and Special Counsel Robert Mueller's federal team looking into the Russian operation. He said government investigators have not yet reached out to him.

Internet records reviewed by CNN consistently point back to Kashyrin's small firm, its parent company ITL in Ukraine, and ITL executive Dmitry Deineka. The records identify the two companies as running internet infrastructure that kept at least three Russian websites online, possibly as a hosting service.

If Kashyrin's firm served as a host, it would have provided the computers that serve as a physical home to the digital site.

However, Kashyrin claimed instead that Russians quietly used his internet service as a proxy, and that the websites were hosted elsewhere. That would still mean his company provided computers that rerouted internet traffic to the true physical location hosting the site. Either way, Kashyrin's firm kept the website online -- even if it did so inadvertently.

Before and after the 2016 election, the Russian government maintained a classic Cold War-style "information war" on the United States, creating fake news and promoting protests in an attempt to meddle in American politics by stoking real tensions, according to public reports by American intelligence agencies and congressional investigators.

Russian agents used websites and social media campaigns, several of which have been identified by CNN and confirmed by entities with knowledge of these operations.

A mysterious group calling itself "Blacktivist" publicized black activist protests across the country and even sold Blacktivist T-shirts. DoNotShoot.us tracked police brutality against minorities. BlackMattersUs.com posed as a news site for African-Americans, but it peddled anti-Hillary Clinton content and called her "a candidate for the corporate elite."

The digital trails for all of these websites lead back to Kashryin's firm, Green Floid, and Deineka's firm, ITL. Internet records track what computers and services are involved in keeping a website up.

Deineka is plainly listed as the point-of-contact for Blacktivist.info, likely because his firm was used as a proxy service.

Deineka, ITL and Green Floid registered the site sergy.uaservers.net, which points to the IP address 107.181.161.172 — the same IP shared by both BlackMattersUs.com and BlackMattersUSA.com. Again, because these websites used their service.

Deineka runs another online service, Layer6.net, which plays a role in routing traffic to DntShoot.com -- which shares the IP address 107.181.174.34 with DoNotShoot.us. This too indicates that the Ukrainian firm was used.

CNN conducted this research using investigative software from DomainTools, a cybersecurity firm that maintains historical and current internet records.

The left-leaning news site ThinkProgress was the first to report on the connection between these websites, ITL and Green Floid. It was first discovered by Andrew Weisburd of the Alliance for Securing Democracy, an initiative by the public policy group German Marshall Fund.

On Tuesday morning, Deineka spoke to CNN from his office in Burgas, a Bulgarian port city on the coast of the Black Sea.

Deineka said he did not register Blacktivist.info in his name. As for the other websites, Deineka said ITL does not closely monitor all of its clients' online content. This is a standard industry practice, although some hosting and proxy services are willing to cut off clients who violate laws or company policy.

Deineka said his company had spotted anti-Ukrainian Russian propaganda activity on its platforms in 2014, and it stopped providing online services -- presumably forcing the Russians to find other internet infrastructure. His business partner in New York, Kashyrin, referenced that as well in his interview with CNN. Kashyrin said they stopped providing proxy services to keep the Russians out. However, CNN pointed out they actually continued service in 2015 and 2016, according to internet records. Kashyrin could not explain that.

Deineka and Kashyrin denied direct involvement with Russian online trolls. They both expressed moral disgust at the notion that Russia used their services to peddle propaganda meant to destabilize the West, citing what they said is their anti-Russian stance because of Russia's military capture of Crimea and eastern Ukraine.

"I'm from Ukraine. I have colleagues who lost their homes, who relocated from Crimea," Deineka told CNN. "How can I support the Russian government?"

All three of these Russian websites are still up. BlackMattersUs.com and DoNotShoot.us are still online, but "Blacktivist" is a blank page. Internet records do not show what online service is hosting them. All of them are now hiding behind proxies that shield the identities of the website's true operators.

These three Russian propaganda websites are tied to robust social media campaigns run by Russian trolls. Facebook and Twitter are starting to purge of this type of content, and they have taken down pages relating to these particular sites.

The names of those running the websites BlackMattersUS.com and DoNotShoot.us now remain hidden with the unwitting help of the San Francisco-based company Cloudflare.

Related: Cloudflare CEO questions his decision to terminate neo-Nazi website

Cloudflare provides protection from hackers, placing its computer servers between clients' websites and the outside internet. This allows Cloudflare to absorb cyberattacks, such as Distributed Denial of Service attacks that flood a website and take it down.

But Cloudflare's services can also be used as a mask, because the outside world can no longer identify who operates the website -- or the location of its physical home.

That's because Cloudflare serves as a guard that receives incoming internet traffic. It offers this service to legitimate companies, but in this case, it is also inadvertently assisting the Russian troll army's operations.

Cloudflare acknowledged to CNN its role as a proxy service when asked specifically about DoNotShoot.us earlier this month, but it said "terminating a customer wouldn't actually remove the content from the internet." Cutting off that customer would, however, stop the Russians from using that particular American firm as a shield.

Cloudflare also provided online services to the US-based neo-Nazi website The Daily Stormer, until it decided to drop the site earlier this year.

The company's CEO, Matthew Prince, made the decision to drop the site but later warned of the consequences of companies, like his, making such decisions.

"You win a lot of points for firing Nazis from using your service," Prince told CNN in August. "But it sets a dangerous precedent when a company that most of your viewers have never heard of is effectively deciding what can and cannot be on the internet."

However, Cloudflare said it would not consider dropping these Russia-linked websites unless compelled to by a court order.

"Cloudflare does not view its role to pass judgment of content that runs on our infrastructure and our network," the company's general counsel, Doug Kramer, told CNN on Tuesday night. "An open internet and an opportunity for all voices is a good principle. If we try to regulate in any way with our resources and capabilities, we would do more harm than good."

Cloudflare is, however, willing to pass along public complaints to the websites' operators, Kramer said.

Newsletter

CNNMoney Sponsors