It started in mid-October 2018, when Russian operatives of the Internet Research Agency started getting emails and direct messages on social media letting them know that the United States was watching them, that it knew their names and where they worked. Then, on Nov. 6, 2018, everything went dark for the Russians. The once-feared IRA found itself with no internet access at all.
As you might expect, the series of contacts from U.S. agencies had already rattled the Russians, and authorities inside the IRA were trying to figure out who had leaked the information to the Americans. Then, without warning, chaos.
Reportedly, the Russian operatives complained to their support teams that they’d been taken offline, and investigations ensued. But their internet access didn’t return for several days, during which the IRA’s disinformation campaigns ceased and the attempts to interfere with the U.S. elections went nowhere.
Details of the attack, which was first covered by The Washington Post, began to emerge during hearings by the Senate Intelligence Committee in mid-February. Even though that briefing was classified, Gen. Paul Nakasone provided few details. At a later hearing before the Senate Armed Services Committee that same week, Nakasone was obliquely credited with enabling the 2018 mid-term elections to go as smoothly as they did.
In response to questions by the Committee, Nakasone declined to take credit, other than to say that safeguarding the election was the top priority of the U.S. Cyber Command and the National Security Agency, which Nakasone also heads. Having a common director for both agencies eases the lines of communication and played a direct role in the success of those cyber-operations.
As you might expect, the details of how those attacks on the Russian IRA were carried out aren’t known, nor are the details of how the U.S. Cyber Command managed to get the personal information of the Russian personnel. In fact, the existence of the attack is only vaguely acknowledged through comments from members of Congress.
Neither the NSA nor the U.S. Cyber Command was willing to respond to questions from eWEEK, despite repeated requests. Likewise, requests to the White House for comment went unanswered.
The attacks came about due to changes in administration policy that allowed the Cyber Command more latitude in how it conducts cyber-warfare and eliminated the requirement that the command get approval from other agencies. In addition, the recently passed National Defense Authorization Act redefined such cyber-operations as a traditional military activity, which removed some limits on such operations.
‘Persistent Engagement’ Behind the Operation
The operations against Russia are part of a policy called “persistent engagement,” in which a group made up of specialists from the Cyber Command and the NSA continuously conducts actions against adversaries to keep them off balance and to make them devote resources to defense that they might otherwise use against the U.S.
It’s notable that the effort to take down the Russian operation was fairly limited. This isn’t because the folks at the Cyber Command couldn’t do more, but rather because the command was tasked simply to protect the election and to avoid giving the Russians a reason to escalate their operations. At this point, both sides have the capability to do serious damage to each other’s data infrastructure.
What it does instead is demonstrate to the Russian operatives that there’s a cost to attacking the U.S. cyber infrastructure, and make sure that they know that a more serious attack will elicit a more serious response.
In addition, the attack on the IRA sends the message to other nation-state cyber-operators that the U.S. can take them offline at will. The fact that we haven’t taken out the Chinese, the North Koreans or the Iranians doesn’t mean that the U.S. can’t. Instead, it demonstrates that a more serious attack from those interests will get a significant attack in return.
What This Means for Your Organization
For the average IT manager, the results of this new round of action by the U.S. are unclear. It would seem that the most likely outcome is that the level of attacks against U.S. companies may be reduced as the Russians and others spend more effort protecting themselves.
But for some attackers, notably the Chinese government-sponsored hackers, it’s likely to make little difference. Those attackers aren’t trying to take your company offline—they’re trying to steal your intellectual property, your processes and your trade secrets. Unless the U.S. Cyber Command decides to attack China as a result, you probably won’t see much difference.
What this means in the long run is that you must continue to ramp up your defenses. It doesn’t matter much who is attacking you, or even whether it’s a government or a cybercrime syndicate. What matters is that you’re being attacked.
But one thing you can do is report the details of any attack to the federal government and to other enterprises so that they know what to expect.