On February 27, the Washington Post reported that the US Cyber Command successfully penetrated — and briefly took offline — the network of Russia's infamous “troll factory”, also known as the “Internet Research Agency,” in November 2018.
While multiple US officials touted the move as show of the country's relative savvy in the field of cyber warfare, Russian legislators are using the attack as justification for imposing greater control over the Russian internet.
Speaking on condition of anonymity to the Post, people privy to the operation said that “the president [Trump] approved of the general operation to prevent Russian interference in the midterms.” According to the Post's sources:
The operation “marked the first muscle-flexing by U.S. Cyber Command (USCYBERCOM), with intelligence from the National Security Agency, under new authorities it was granted by President Trump and Congress last year to bolster offensive capabilities.
Multiple sources have since confirmed that the attack indeed took place. BBC Russian, citing its own sources inside the “troll factory,” reported that USCYBERCOM’s offensive on the eve of 2018 midterm elections “wiped out the servers” of IRA’s US department.
In a response to the Washington Post’s report, RIA FAN (a media outlet known for its links to the IRA) confirmed that the attack occurred, but still mocked USCYBERCOM's incursion attempt, calling it a “complete failure” and emphasizing the fact that it was quickly contained. The authors also noted that the attacked did not cause significant damage to the IRA's system, or to the team’s morale.
How serious was this attack?
There is some debate as to how exactly devastating the attack was and whether it achieved the desired effect. RIA FAN described the attack in considerable technical detail, explaining how US CYBERCOM exploited standard vulnerabilities in a single IRA computer in order to execute an attack on the company's internal network.
После подключения мобильного устройства Apple iPhone 7 Plus к персональному компьютеру был произведен не только автоматический запуск iTunes и синхронизация данных пользователя, но и получен доступ в интернет со стороны ОС Windows и загружены некоторые файлы обновления системы, которые установились автоматически.
После этого компьютер стал по факту управляем удаленно и с него были проведены все необходимые процедуры для полноценного вторжения в локальную сеть ФАН. Стоит отметить, что вторжение в локальную сеть было проведено с IP-адресов, подконтрольных американским компаниям, в том числе, с серверов компании Amazon, которые обычно используются хакерами для заметания своих следов и скрытия настоящего источника атаки.
After connecting to a PC workstation, the [infected] Apple iPhone 7 Plus forced the launch of iTunes and user data synchronization, then accessed the internet via Windows OS and automatically downloaded and installed several system update files.
At this point, the infected workstation was being remotely controlled, opening the pathway for a full-scale attack on FAN’s intranet. It is worth noting that the intrusion originated from IP addresses controlled by US-based companies, including Amazon, often used by hackers to cover their traces and obscure the true source of attack.
The response in Russia
The IRA has taken these revelations as an opportunity to confirm its aggrieved status as a victim of unprovoked US aggression.
And what's more, USCYBERCOM’s efforts appear to have re-energized the regulatory push to insulate the Russian internet from the rest of the world, and introduce increased levels of network-wide surveillance.
The Washington Post’s article mentions this only in passing:
Kremlin spokesman Dmitry Peskov asserted Wednesday that “in general” there are a “huge number of cyberattacks against various Russian organizations, legal entities and private individuals from the territory” of the United States. “This is the reality now in which we live,” he told reporters. He added that such threats underscore the need for a “sovereign Internet” in Russia.
But inside Russia, USCYBERCOM’s November offensive is being spun for all it’s worth, in propagandistic terms.
Russian state media, officials and pro-government experts are having a “we told you so” moment: this is exactly why we need the “sovereign internet” law, they are saying, referring to the controversial Klishas bill that Runet Echo has covered in the recent months.
The proposed legislation seeks to establish state-regulated internet exchange points that would allow for increased monitoring and control over internet traffic moving into and out of the country. This in turn would give authorities much greater power to censor objectionable (and politically inconvenient) content online.
Those who oppose the bill saw the attack against IRA (and the Washington Post's coverage of the incident) as powerful ammunition for proponents of the bill:
Теперь мы знаем, чему обязаны законом «о суверенном рунете». В ноябре 2018 США провели кибератаку, отключив интернет «фабрике» Пригожина.
— Кононов (@nickolaykononov) 26 февраля 2019 г.
Now we know to whom we owe the “sovereign internet” bill. In November 2018 the US launched a cyberattack, pushing Prigozhin’s “factory” offline.
Так вот почему нам хотят сделать суверенный интернет…https://t.co/zslD4DlRQd
— David Kharebov (@dharebov) 27 февраля 2019 г.
So, that’s why they’ve been pushing for “sovereign internet” for us…
There is no proven link between the November cyber attack on IRA and the Klishas bill, filed for review in the Russian parliament in December 2018, and awaiting a second reading in March 2019. But the bill’s accompanying paper does identify “the aggressive nature of US National Cyber Strategy” as its primary motivation:
В подписанном Президентом США документе декларируется принцип “сохранения мира силой”. Россия же впрямую и бездоказательно обвиняется в совершении хакерских атак, откровенно говорится о наказании: “Россия, Иран, Северная Корея провели ряд безответственных кибератак, которые нанесли ущерб американским и международным компаниям, нашим союзникам и партнёрам и не понесли соответствующего наказания, что могло бы сдерживать кибератаки в будущем”. В этих условиях необходимы защитные меры для обеспечения долгосрочной и устойчивой работы сети Интернет в России, повышения надёжности работы российских интернет-ресурсов.
The document signed by the US President openly declares the principle of “peace through strength.” It also directly and without any corroboration names Russia as the culprit in a number of hacker attacks and openly calls for retaliation: “Russia, Iran, and North Korea conducted reckless cyber attacks that harmed American and international businesses and our allies and partners without paying costs likely to deter future cyber aggression.” In these circumstances, there is a need for preventive measures to ensure a long-term and sustainable functionality of the internet in Russia and improve the reliability of Russian internet resources.
Pro-Kremlin experts insist that the bill’s aim is not to isolate Russia from the outside, but, conversely, to protect its own internet infrastructure from outside attacks and prevent a country-wide blockage.
Речь идёт о том, что если нашей стране выключат интернет СНАРУЖИ, то он продолжит работать. То есть речь идёт о том, чтобы принять некоторые профилактические меры по тому, чтобы Рунет продолжил бы работать в худшем случае, если нам закроют доступ.
We are talking about a situation when someone switches off the internet for our country from the OUTSIDE, so that we are prepared to keep it going. This [bill] is about taking some preventive steps to assure the functionality of Runet in the worst case scenario, if we are denied access.
What Kasperskaya describes here is a significant exaggeration — what the US has done in Russia so far does not come close to a nationwide internet shutdown, and the likelihood that outsiders could even execute such a move (which would violate international human rights and cybercrime doctrine) is still remote.
While there is a legitimate argument to be made for a more robust and reliable national IT infrastructure (IRA’s weak spots were all foreign-made: a Windows workstation, an Apple iPhone and Western-made servers hosted outside of Russia), there is little doubt that this bill, as well as its accompanying initiatives, will be used to further “tighten the screws” on online freedoms in Russia.
As for USCYBERCOM, its attack appears to have achieved little in terms of deterrence, while handed the proponents of these restrictive policies an extra argument in their favor.