Before Elections, US Cut Russian Trolls' Internet AccessMindful of Escalation, American Spies Cautiously Spar with Russia
The U.S. military curtailed the internet access of an infamous Russian trolling operation around the mid-term elections last year to stem the spread of noxious disinformation, the Washington Post reported on Tuesday.
The plan by U.S. Cyber Command to undertake more aggressive action to prevent election interference and propaganda was outlined by The New York Times in October 2018. The Post's story adds more specific details about how the actual operation was carried out.
The operation targeted the Internet Research Agency, based in St. Petersburg, Russia. The IRA, whose employees numbered at least 1,000, was fingered by U.S. intelligence agencies in January 2017 as creating social media content seeking to divide U.S. voters and drive support for President Donald Trump's candidacy.
"They basically took the IRA offline. They shut'em down."
—Anonymous U.S. official
Leading the action was Gen. Paul Nakasone, who leads the U.S. Cyber Command. The Post reports that Nakasone also leads the Russia Small Group, a special CyberCom and NSA task force focused on Russian threats.
Although Facebook, Twitter and Google have mounted efforts since the 2016 presidential election to block their platforms from being used for nation-state disinformation and "fake news" campaigns, including trying to remove bogus accounts, U.S. officials suspected Russia would not cease its efforts.
According to one anonymous source quoted by the Post: "They basically took the IRA offline. They shut'em down."
Tapping on the Window
The midterm election response apparently also relied on a personal touch - akin to tapping on a window from afar.
In October 2018, the U.S. let Russian hackers know they knew their real names and online handles. They did this through emails, pop-ups, text and direct messages, the Post reports. The tactic so agitated the IRA that it thought insiders might be leaking the identities of employees, the Post reports.
Naming and shaming is a tactic increasingly used by the U.S. For example, federal indictments have outed alleged intelligence agency hackers in China and Russia.
In February 2018, the Justice Department announced an indictment against three companies and 13 Russians, 12 of whom worked for the IRA, on charges of election interference. The indictment grew out of Special Counsel Robert Mueller's ongoing investigation into collusion and election interference (see: US Indicts 13 Russians for Election Interference).
Any alleged nation-state hackers indicted by the U.S. face scant chance of prosecution, provided they remain in their home countries. But any such suspects travel abroad at their peril, because they may be detained by countries that are friendly with the U.S.
Knocking the IRA Offline
How exactly the U.S. intelligence establishment went about disconnecting the IRA from the internet is unknown. But it's likely the company had far lower levels of security than the GRU, the Russian military intelligence agency connected with the Fancy Bear hacking campaigns.
The IRA represents low-hanging fruit, writes Thomas Rid, a professor of strategic studies at Johns Hopkins University's School of Advanced International Studies, on Twitter.
A few remarkable details in this story: first, it appears that NSA had real-time visibility into IRA communications directly after the offensive operation pic.twitter.com/nzmO5Etzhm— Thomas Rid (@RidT) February 26, 2019
As proof, the Post writes that after the IRA was disconnected from the internet, the U.S. learned of people inside the agency complaining about the disruption. Rid says this suggests that U.S. hackers had "real-time visibility into IRA communications directly after offensive operation."
The U.S. has grappled with how to respond to aggressive cyber actions by other nations without escalating the conflict. But the U.S. has also cautiously removed barriers that its intelligence agencies previously faced, which now provides them with greater flexibility in how they respond.
In September 2018, the Trump administration rewrote its national cybersecurity strategy to allow for more offensive operations. The move was intended to allow the U.S. to pursue strategies that try to deter other nations and communicate that aggressive actions toward the U.S. will carry costs. The strategy also includes prosecutions and economic sanctions (see: White House National Cyber Strategy: An Analysis).
But the U.S. must be careful to not trigger damaging provocations. In April 2018, the U.S. and U.K. issued a rare joint warning that Russian state-sponsored hackers have been working for years to gain footholds in vulnerable routers, switches, firewalls and network intrusion systems (see: US, UK: Russian Hackers Deeply Embedded in Routers, Switches).
The hacking effort has capitalized on standard, age-old security problems: insecure configurations, unpatched devices and the use of outdated protocols.
But any government efforts that lead to an escalating tit-for-tat hack-a-thon between the two countries might lead to substantial, unintended economic consequences, including disrupting critical infrastructure, for example, via attacks that target utilities.