Report: US Cyber Command took Russian trolls offline during midterms

US Cyber Command, co-located with the NSA at Fort Meade, reportedly launched attacks against members of a Russian disinformation operation ahead of last November's mid-term primaries, according to a Washington Post report.
SAUL LOEB/AFP/Getty Images

In October of 2018, US Cyber Command (USCYBERCOM) undertook a campaign to defuse information operations by a Russian operation identified in Justice Department filings as “Project Lakhta” seeking to influence or disrupt elections in the US. As Ars reported at the time, the measures being taken by USCYBERCOM—the military’s joint network-defense command, based at Fort Meade, Maryland—included identifying, tracking the activities of, and directly messaging individuals in Russia involved in disinformation operations. But a February 26 report by The Washington Post’s Ellen Nakashima indicates that USCYBERCOM’s efforts went even further—including an attack on the Internet Research Agency, the organization at the heart of alleged Russian disinformation operations that “basically took the IRA offline,” according to an unnamed US official.

The operation was authorized under new guidelines set by President Donald Trump in September in a classified version of his executive order on cybersecurity. That policy move was crafted under the guidance of National Security Advisor John Bolton—who took over direct responsibility for White House cyber policy after the departure of former Cybersecurity Coordinator Rob Joyce and the elimination of that position from the National Security Council. Under Bolton’s direction, as Bolton himself said in a press call Ars attended in September 2018, previous restrictions placed on the use of offensive network and computer operations set by the Obama administration were lifted. “Our presidential directive effectively reversed those restraints, effectively enabling offensive cyber operations through the relevant departments,” Bolton said at the time.

It all depends what the definition of “attack” is

If the information shared with The Washington Post is true, this would indicate October’s operations were a significant escalation in US operations against Russia—targeting a private organization that, while operating allegedly in concert with Russian government goals, is not directly connected to the Russian federal government itself. It’s not clear whether the attack targeted the IRA’s infrastructure in St. Petersburg or if it targeted the devices of individuals within the organization.

An attack on telecommunications infrastructure connecting the IRA to the Internet, if such an attack occurred, would be considered under the “cyber norms” asserted by the North Atlantic Treaty Organization’s Tallinn Manual on the International Law Applicable to Cyber Warfare as a violation of sovereignty. But a targeted intrusion or use of infrastructure outside Russia to block or redirect communications from specific devices would be somewhat less provocative. And it’s likely that USCYBERCOM got some help, directly or indirectly, from social media platform companies.

Many of the “misleading” accounts operated by IRA on Twitter and Facebook were shut down in early 2018 as the two companies faced scrutiny from Congress over their role in the alleged Russian election interference of 2016. Russia decried the deletion of Russian accounts and advertisements as “censorship.” And while new accounts were doubtless created to replace them, social media companies are now much more actively cracking down on Russian accounts in general. Facebook and Twitter do not currently run server infrastructure in Russia (which, by the way, violates Russian law), so “shutting down” IRA access to social media platforms may not have required much (if any) active measures by USCYBERCOM against Russian networks.

In the end, anything done by USCYBERCOM may have been more about sending a message than actually achieving any meaningful disruption of Russian information operations. Unlike the “cyber bombs” launched against the Islamic State, any attacks staged against the IRA were unlikely to have done anything approaching permanent damage.

On October 7, 2018, cameras at the Federal News Agency—the new name for the Internet Research Agency—caught this fire caused by a molotov cocktail thrown into the organization's office. #notacyberattack
Federal News Agency

Of course, there were other things in October of 2018 that may have disrupted the IRA—which has rebranded itself as the Federal News Agency (FAN). On October 6, 2018, someone threw a molotov cocktail into the offices of the FAN, setting fire to several cubicles. No suspect was ever identified.
