Cyber Incident Victim: Internet Research Agency
Date: Nov 2018
Location: Russia
Summary
A US cyber operation targeted a Russian entity linked to election interference, disrupting its IT infrastructure through coordinated attacks. Intruders compromised an internal server by destroying its RAID controller and wiping hard drives, and also formatted the drives of rented cloud servers that mirrored the entity's content. Initial access came from a phishing email that deployed malware on an employee's workstation; deeper access followed when a compromised smartphone was connected to a workstation holding broad network access rights, enabling lateral movement. The attack temporarily crippled operations, and the operators also revoked the TLS certificate of an associated website, leaving it temporarily inaccessible. The entity claimed its segmented network contained some of the intrusions, but it revised its security policy to prohibit connecting mobile devices to work systems.
Description
On November 5, 2018, the US Cyber Command (USCC) executed a cyber-attack against the Internet Research Agency (IRA), a Russian entity linked to disinformation campaigns. The operation targeted the IRA’s internal IT infrastructure and external assets, commencing one day before the US midterm elections. Initial access was gained through a phishing email containing a trojan, which an IRA employee opened on a workstation. This allowed US operatives to establish a foothold, but the IRA’s segmented network architecture confined the intrusion to that single computer, preventing lateral movement. A secondary attack vector involved compromising an employee’s Apple iPhone 7 Plus smartphone, though the method of iPhone exploitation was not disclosed. When the compromised phone connected via USB to a Windows work computer with broad network privileges, attackers gained deeper access. They traversed the network to locate and attack a central server at approximately 22:00 Moscow time, destroying its RAID controller and formatting two of its four hard drives. Concurrently, USCC targeted servers leased by the IRA on Amazon data centers in Sweden and Estonia, formatting their drives. These servers hosted mirrors of the USA Really news portal, a backup intended to maintain operations if Russian servers were blocked. Additionally, US operatives revoked the TLS certificate for USA Really, rendering the site temporarily inaccessible.

The Federal News Agency (FAN), an IRA-linked outlet, confirmed the attack but dismissed it as a “complete failure,” asserting minimal operational impact. IRA IT staff detected prior intrusion attempts and had segmented their network to limit breach consequences. Post-incident, the IRA implemented a policy prohibiting Apple device connections to work computers. FAN also corroborated earlier reports of USCC sending threatening SMS messages from African numbers and emails in broken Russian to IRA employees, urging them to reconsider their activities. This incident followed the February 2018 US indictment of 13 Russian nationals and three entities, including the IRA, for election interference, which had already led to platform suspensions like Facebook removing IRA accounts. The 2018 cyber-attack underscored ongoing tensions between US cyber defenses and Russian disinformation efforts, with physical infrastructure damage and temporary service disruptions marking its immediate technical consequences.
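The second access path described above (a compromised phone plugged into a privileged Windows workstation) and the IRA's resulting "no phones on work computers" policy suggest an obvious detective control: watch for portable devices being enrolled on hosts where the policy says they should not appear. The script below is an added example, not code from the original record or from any party to the incident. It assumes Windows Security auditing of PnP activity is enabled so that event 6416 ("A new external device was recognized by the system") is logged, and it parses the text layout of that event's message. The three event messages are constructed samples, the host names are invented, and deriving the host from the subject's computer account (the name ending in `$`) is an assumption about how the events are collected.

```python
"""Flag event 6416 records that violate a "no portable devices on
workstations" policy.  Added example with constructed sample data."""
import re
from typing import Dict, FrozenSet, Iterable, List

# Constructed sample messages (not real telemetry).  The layout follows the
# Windows Security log message for event 6416: indented "Field:<tab>Value"
# lines under a "Subject:" section, then device fields.
SAMPLE_EVENTS = [
    # 1) A phone enumerated as a Windows Portable Device on a finance workstation.
    "A new external device was recognized by the system.\n\n"
    "Subject:\n"
    "\tSecurity ID:\t\tS-1-5-18\n"
    "\tAccount Name:\t\tWKS-FIN-07$\n"
    "\tAccount Domain:\t\tCORP\n"
    "\tLogon ID:\t\t0x3E7\n\n"
    "Device ID:\tSWD\\WPDBUSENUM\\CONSTRUCTED-0001\n"
    "Device Name:\tApple iPhone\n"
    "Class Name:\tWPD\n",
    # 2) A USB keyboard on the same workstation: allowed.
    "A new external device was recognized by the system.\n\n"
    "Subject:\n"
    "\tSecurity ID:\t\tS-1-5-18\n"
    "\tAccount Name:\t\tWKS-FIN-07$\n"
    "\tAccount Domain:\t\tCORP\n"
    "\tLogon ID:\t\t0x3E7\n\n"
    "Device ID:\tHID\\VID_0000&PID_0000\\CONSTRUCTED-0002\n"
    "Device Name:\tUSB Input Device\n"
    "Class Name:\tHIDClass\n",
    # 3) A phone on a host explicitly approved for device syncing: allowed.
    "A new external device was recognized by the system.\n\n"
    "Subject:\n"
    "\tSecurity ID:\t\tS-1-5-18\n"
    "\tAccount Name:\t\tKIOSK-01$\n"
    "\tAccount Domain:\t\tCORP\n"
    "\tLogon ID:\t\t0x3E7\n\n"
    "Device ID:\tSWD\\WPDBUSENUM\\CONSTRUCTED-0003\n"
    "Device Name:\tAndroid Phone\n"
    "Class Name:\tWPD\n",
]

# Phones and tablets enumerate under the WPD (Windows Portable Devices)
# setup class; extend this set if the policy also covers removable disks.
PORTABLE_DEVICE_CLASSES: FrozenSet[str] = frozenset({"WPD"})

# "Field:<whitespace>Value"; section headers like "Subject:" have no value
# and therefore do not match.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(\S.*)$")


def parse_6416(message: str) -> Dict[str, str]:
    """Turn the message text of one event 6416 into a field -> value dict."""
    fields: Dict[str, str] = {}
    for line in message.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def host_from_subject(fields: Dict[str, str]) -> str:
    """Assumption: the subject is the machine account (HOST$), so the host
    name is the account name without its trailing '$'."""
    name = fields.get("Account Name", "")
    return (name[:-1] if name.endswith("$") else name).upper()


def evaluate(messages: Iterable[str],
             allowed_hosts: FrozenSet[str] = frozenset(),
             blocked_classes: FrozenSet[str] = PORTABLE_DEVICE_CLASSES) -> List[Dict[str, str]]:
    """Return one alert per event whose device class is blocked on a host
    that is not on the allow-list."""
    alerts: List[Dict[str, str]] = []
    for msg in messages:
        f = parse_6416(msg)
        host = host_from_subject(f)
        cls = f.get("Class Name", "")
        if cls in blocked_classes and host not in allowed_hosts:
            alerts.append({
                "host": host,
                "device": f.get("Device Name", "?"),
                "class": cls,
                "device_id": f.get("Device ID", "?"),
            })
    return alerts


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS, allowed_hosts=frozenset({"KIOSK-01"})):
        print(f"POLICY VIOLATION host={a['host']} class={a['class']} "
              f"device={a['device']!r} id={a['device_id']}")
```

Run against the constructed samples with `KIOSK-01` allow-listed, only the iPhone on `WKS-FIN-07` is reported; the keyboard is ignored because its class is not blocked, and the kiosk phone is ignored because that host is approved. Detection of this kind complements, rather than replaces, a preventive control: the workstation that granted the attackers their deeper access held broad network privileges, so the same hosts that warrant this alert are the ones where device installation should be restricted at the endpoint.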
