While Special Counsel Robert Mueller’s much-anticipated report found no evidence of conspiracy, Mueller describes in great detail how Russians easily manipulated social media companies like Facebook, Instagram, YouTube, Tumblr and Twitter to serve their own political ends.

The Internet Research Agency (IRA), funded by Yevgeniy Viktorovich Prigozhin (a Russian oligarch with ties to Russian President Vladimir Putin, and sanctioned by the U.S. Department of the Treasury in December 2016), operated hundreds of fake Facebook, Instagram, YouTube, Tumblr and Twitter accounts to spread pro-Trump and anti-Hillary Clinton messages leading up to the 2016 election, beginning as early as 2014, according to the Mueller report.

The scheme was simple but effective. According to the report, the IRA sent operatives to the U.S. in mid-2014 to “gather intelligence” and “obtain information and photographs” to fuel the barrage of fake posts and tweets leading up to the presidential election. The IRA targeted other presidential candidates, but focused on disparaging Clinton and supporting Trump by the summer of 2016.

“Some IRA employees, posing as U.S. persons and not revealing their Russian association, communicated electronically with individuals associated with the Trump campaign and other political activists to seek to coordinate political activities, including the staging of political rallies,” Mueller states in the report.

According to the report, the IRA reached “tens of millions of U.S. persons” through various social media accounts across different social media platforms.

“In November 2017, a Facebook representative (Facebook’s General Counsel Colin Stretch) testified that Facebook had identified 470 IRA-controlled Facebook accounts that collectively made 80,000 posts between January 2015 and August 2017,” Mueller writes. “Facebook estimates the IRA reached as many as 126 million persons through its Facebook accounts. In January 2018, Twitter announced it had identified 3,814 IRA-controlled Twitter accounts and notified approximately 1.4 million people Twitter believed may have been in contact with an IRA-controlled account.”

All of the IRA-controlled social media accounts claimed to be operated by U.S. citizens, even the political groups claiming to be grassroots activists.

“For example,” Mueller wrote, “one IRA-controlled Twitter account, @TEN_GOP, purported to be connected to the Tennessee Republican Party. More commonly, the IRA created accounts in the names of fictitious U.S. organizations and grassroots groups and used these accounts to pose as anti-immigration groups, Tea Party activists, Black Lives Matter protestors, and other U.S. social and political activists. … The IRA purchased dozens of advertisements supporting the Trump Campaign, predominantly through the Facebook groups ‘Being Patriotic,’ ‘Stop All Invaders,’ and ‘Secured Borders.'”

The IRA-controlled social media accounts were so convincing that Trump supporters and members of Trump’s campaign — like his son, Donald Trump, Jr. — frequently retweeted and shared the pro-Trump propaganda across social media, presumably unaware they were participating in a Russian propaganda campaign.

But manipulating social media companies is only half the story.

The report also details how easily Russians hacked the Democratic National Committee (DNC). The way Mueller describes it, it was practically child’s play.

Russian Federation’s Main Intelligence Directorate of the General Staff (GRU) hacked the DNC via a VPN connection from the Democratic Congressional Campaign Committee (DCCC) and also hacked computers and email accounts belonging to Clinton’s campaign, stealing hundreds of thousands of documents beginning in March 2016. No one even knew about it until the documents were released via WikiLeaks in the fall of 2016.

The GRU also stole voter information from the Illinois State Board of Elections and later conducted a spearphishing email attack against a voting technology company, VR Systems, which (Mueller said) the FBI believes granted the GRU access to “at least one Florida county government.”

During the 2018 midterms, Republicans mocked Sen. Bill Nelson (D-Fla.) for worrying about Russian influence in Florida elections.

The GRU did all this without local or state government knowledge. But the sheer laziness with regard to cybersecurity didn’t surprise Stuart Madnick, a professor of information technology and engineering systems at MIT’s Sloan School of Management.

“It’s not a surprise that anyone can be hacked with some effort,” he told InsideSources. “You can go down a list of companies that should have the expertise and resources to protect themselves. We pay a lot of attention to the things that happen at Yahoo or Facebook or Target, these are multi-billion dollar corporations. We forget there are hundreds of thousands of small organizations in the country, whether your local pizza company or local DNC [with little to no cybersecurity]. There are hundreds of thousands of organizations no different from the DNC, and according to a recent report, they’re now the prime target for cyberattacks.”

Ironically, the DNC misreported a cyber attack last summer ahead of the 2018 midterm elections, which the DNC later explained was just a cybersecurity test by the Michigan Democratic Party. Madnick says this just shows how uneducated, understaffed and under-resourced so many companies and organizations are when it comes to cybersecurity.

“I suspect the DNC does not have a huge IT department,” Madnick said.

The kind of manipulation and hacking social media companies, political and government entities experienced in 2016 shouldn’t have happened in the first place. As Madnick pointed out, republics and democracies have dealt with various forms of election interference for hundreds of years.

“The role media can play in elections is not new, all we’re seeing is a new twist on it with new technologies,” he said. “The ethical and moral issues have been around for a long time, and maybe need to be reexamined and thought about under the new circumstances.”

At the same time, given the DNC’s blunder last year and the fact that so many state and local governments suffer from a lack of funding and resources when it comes to IT management and cybersecurity, the U.S. is still extremely vulnerable to more cyber-related election interference.

Big Tech, too, still hasn’t addressed privacy concerns of users and Facebook only recently started offering more details about who pays for the political ads on its platform.

Yesterday, Facebook confirmed to the Verge that when it required users to verify their email addresses a month ago, Facebook uploaded users’ email contacts to Facebook’s servers without their consent. Facebook claims this was an accident and claims it fixed the problem, but Facebook’s method of email verification was also unorthodox, because it involved taking users’ email passwords.

Facebook’s behavior doesn’t exactly instill confidence in American voters going into 2020. Facebook still doesn’t even have a chief security officer.

“They are [all] relatively easy targets,” Madnick said. “You don’t have to look really hard to find a back door unlocked. If DNC gets broken into next year with a different technique, I wouldn’t be surprised.”