Before Elections, US Cut Russian Trolls' Internet Access

Cyberwarfare / Nation-state attacks , Fraud Management & Cybercrime , Government

Mindful of Escalation, American Spies Cautiously Spar with Russia(jeremy_kirk) • February 27, 2019    Before Elections, US Cut Russian Trolls' Internet AccessA former office of the Internet Research Agency in St. Petersburg, Russia (Photo: Charles Maynes via Wikipedia/CC)

The U.S. military curtailed the internet access of an infamous Russian trolling operation around the mid-term elections last year to stem the spread of noxious disinformation, the Washington Post reported on Tuesday.

See Also: Live Webinar | The State of Adaptive Authentication in the Financial Industry

The plan by U.S. Cyber Command to undertake more aggressive action to prevent election interference and propaganda was outlined by The New York Times in October 2018. The Post's story adds more specific details about how the actual operation was carried out.

The operation targeted the Internet Research Agency, based in St. Petersburg, Russia. The IRA, whose employees numbered at least 1,000, was fingered by U.S. intelligence agencies in January 2017 as creating social media content seeking to divide U.S. voters and drive support for President Donald Trump's candidacy.

"They basically took the IRA offline. They shut'em down."
—Anonymous U.S. official

Leading the action was Gen. Paul Nakasone, who leads the U.S. Cyber Command. The Post reports that Nakasone also leads the Russia Small Group, a special CyberCom and NSA task force focused on Russian threats.

Although Facebook, Twitter and Google have mounted efforts since the 2016 presidential election to block their platforms from being used for nation-state disinformation and "fake news" campaigns, including trying to remove bogus accounts, U.S. officials suspected Russia would not cease its efforts.

According to one anonymous source quoted by the Post: "They basically took the IRA offline. They shut'em down."

Tapping on the Window

The midterm election response apparently also relied on a personal touch - akin to tapping on a window from afar.

In October 2018, the U.S. let Russian hackers know they knew their real names and online handles. They did this through emails, pop-ups, text and direct messages, the Post reports. The tactic so agitated the IRA that it thought insiders might be leaking the identities of employees, the Post reports.

Naming and shaming is a tactic increasingly used by the U.S. For example, federal indictments have outed alleged intelligence agency hackers in China and Russia.

In February 2018, the Justice Department announced an indictment against three companies and 13 Russians, 12 of whom worked for the IRA, on charges of election interference. The indictment grew out of Special Counsel Robert Mueller's ongoing investigation into collusion and election interference (see: US Indicts 13 Russians for Election Interference).

Any alleged nation-state hackers indicted by the U.S. face scant chance of prosecution, provided they remain in their home countries. But any such suspects travel abroad at their peril, because they may be detained by countries that are friendly with the U.S.

Knocking the IRA Offline

How exactly the U.S. intelligence establishment went about disconnecting the IRA from the internet is unknown. But it's likely the company had far lower levels of security than the GRU, the Russian military intelligence agency connected with the Fancy Bear hacking campaigns.

The IRA represents low-hanging fruit, writes Thomas Rid, a professor of strategic studies at Johns Hopkins University's School of Advanced International Studies, on Twitter.

As proof, the Post writes that after the IRA was disconnected from the internet, the U.S. learned of people inside the agency complaining about the disruption. Rid says this suggests that U.S. hackers had "real-time visibility into IRA communications directly after offensive operation."

Measured Responses

The U.S. has grappled with how to respond to aggressive cyber actions by other nations without escalating the conflict. But the U.S. has also cautiously removed barriers that its intelligence agencies previously faced, which now provides them with greater flexibility in how they respond.

In September 2018, the Trump administration rewrote its national cybersecurity strategy to allow for more offensive operations. The move was intended to allow the U.S. to pursue strategies that try to deter other nations and communicate that aggressive actions toward the U.S. will carry costs. The strategy also includes prosecutions and economic sanctions (see: White House National Cyber Strategy: An Analysis).

But the U.S. must be careful to not trigger damaging provocations. In April 2018, the U.S. and U.K. issued a rare joint warning that Russian state-sponsored hackers have been working for years to gain footholds in vulnerable routers, switches, firewalls and network intrusion systems (see: US, UK: Russian Hackers Deeply Embedded in Routers, Switches).

The hacking effort has capitalized on standard, age-old security problems: insecure configurations, unpatched devices and the use of outdated protocols.

But any government efforts that lead to an escalating tit-for-tat hack-a-thon between the two countries might lead to substantial, unintended economic consequences, including disrupting critical infrastructure, for example, via attacks that target utilities.