US wiped hard drives at Russia's 'troll factory' in last year's hack

IRA news site reveals what happened last year on the day before the US midterms.


A cyber-attack by a US security agency against Russia's infamous troll factory has resulted in a destroyed server RAID controller and formatted hard drives.

The cyber-attack, first reported by the Washington Post earlier this week, was confirmed by the Federal News Agency (FAN), a Russian news site associated with the Internet Research Agency (IRA). The IRA is also known as Russia's troll factory because of the organization's practice of seeding divisive discussions and propagating fake news.

FAN not only confirmed the cyber-attack but also revealed what happened on that day, details not included in the Post's original report.

The Post cited sources in the US government and revealed that US Cyber Command (USCC), a division of the US Department of Defense, launched a cyber-attack against the IRA on November 5, 2018, a day before the US midterm elections.

US officials bragged about taking down the IRA's IT network before the midterms, crippling its ability to interfere in the voting process.

FAN confirmed that the IRA's IT network went down on that day but called the cyber-attack a "complete failure," a "failed operation," and a waste of US taxpayer money -- because, of course, they did.

The Russian news site said US hackers managed to infect one of the IRA's internal IT servers, where the intruders then destroyed a RAID controller and wiped two of the four hard drives attached to it, temporarily crippling the agency's operation.

FAN said the IRA's IT staff was aware of attempts to breach its network. Prior to the successful attack on the server's RAID controller, US hackers managed to infect one IRA computer with a "trojan" after fooling an IRA employee into opening a file attachment received via email.

US cyber-operatives attempted to move laterally from this computer in search of the central server. However, the IRA's internal network had been intentionally segmented for exactly this scenario, and FAN reported that the trojan and the US intrusion were contained to that single computer.

US hackers did gain access to the IRA's internal network and its server through a separate attack on an IRA employee's Apple iPhone 7 Plus smartphone. FAN gave no details about how US operatives compromised the iPhone.

FAN reports that when the employee connected the smartphone to his Windows work computer via a USB cable, US hackers also infected the PC, which the Russian news site described as a computer "with fairly wide access rights."

The report claims that US hackers moved laterally through the company's network, eventually reaching its central server, and launching the coordinated attack at around 22:00, Moscow time, on November 5.

In addition to the attack on the IRA's internal network, FAN said that the US also gained access to servers the company had rented on Amazon's data centers in Sweden and Estonia.

The Russian site said attackers formatted the hard drives of these servers, which the IRA was using as mirrors for the USA Really news portal, in the event its Russian servers were ever blocked.

Further, FAN also reports that the US worked to have the USA Really TLS certificate revoked, rendering the site's content inaccessible.

"After this incident, the company's security policy prohibits the use of Apple phones to connect to personal computers," FAN said in its report.
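The policy FAN describes, no phones connected to work PCs, is the kind of rule that should be enforced by the operating system rather than left to employees. The following PowerShell script is an added example (not from the FAN report, ZDNet, or the IRA) showing how a Windows administrator can block driver installation for Apple USB devices through the documented Device Installation Restrictions policy keys, and audit which Apple devices are currently plugged in. Apple's USB vendor ID (05AC) is a known value; the sample hardware ID `USB\VID_05AC&PID_12A8` in the default deny list is an assumption and should be replaced with the IDs reported by the audit function on the organization's own hardware. On domain-joined machines the same values would normally be pushed by Group Policy; the script writes the registry values that policy maps to.

```powershell
# Added example: enforce "no phones on work PCs" on Windows via Device Installation
# Restrictions. Registry keys below are the ones the Group Policy
# "Prevent installation of devices that match any of these device IDs" writes.
#Requires -RunAsAdministrator

$RestrictionsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$DenyListKey     = Join-Path $RestrictionsKey 'DenyDeviceIDs'

# Apple's USB vendor ID is 05AC. The PID below is an ASSUMED sample entry; replace it
# with the hardware IDs returned by Get-AppleUsbHardwareIds on your own machines.
$DefaultDenyList = @(
    'USB\VID_05AC&PID_12A8'   # assumed iPhone hardware ID, verify before deploying
)

function Get-AppleUsbHardwareIds {
    # Audit helper: collect the hardware IDs Windows enumerated for every currently
    # connected Apple USB device, so the deny list can be built from observed values.
    $ids = @()
    Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -like 'USB\VID_05AC*' } |
        ForEach-Object {
            $prop = Get-PnpDeviceProperty -InstanceId $_.InstanceId `
                        -KeyName 'DEVPKEY_Device_HardwareIds' -ErrorAction SilentlyContinue
            if ($prop) { $ids += $prop.Data }
        }
    return ($ids | Sort-Object -Unique)
}

function Set-DeviceInstallDenyList {
    param([string[]]$HardwareIds = $DefaultDenyList)

    New-Item -Path $RestrictionsKey -Force | Out-Null
    New-Item -Path $DenyListKey     -Force | Out-Null

    # Enable the deny-by-device-ID policy ...
    Set-ItemProperty -Path $RestrictionsKey -Name 'DenyDeviceIDs' -Type DWord -Value 1
    # ... and apply it retroactively to devices whose drivers are already installed,
    # which matters for a phone that was plugged in before the policy existed.
    Set-ItemProperty -Path $RestrictionsKey -Name 'DenyDeviceIDsRetroactive' -Type DWord -Value 1

    # The list itself is a series of REG_SZ values named 1, 2, 3, ... under DenyDeviceIDs
    $i = 1
    foreach ($id in $HardwareIds) {
        Set-ItemProperty -Path $DenyListKey -Name ([string]$i) -Type String -Value $id
        $i++
    }
}

function Test-DeviceInstallDenyList {
    param([string[]]$HardwareIds = $DefaultDenyList)
    # Returns $true only if the policy flag is set and every expected ID is listed.
    if (-not (Test-Path $RestrictionsKey) -or -not (Test-Path $DenyListKey)) { return $false }
    $flag = (Get-ItemProperty -Path $RestrictionsKey).DenyDeviceIDs
    if ($flag -ne 1) { return $false }
    $key     = Get-Item -Path $DenyListKey
    $present = $key.GetValueNames() | ForEach-Object { $key.GetValue($_) }
    foreach ($id in $HardwareIds) {
        if ($present -notcontains $id) { return $false }
    }
    return $true
}

# Typical use: audit first, then deploy the observed IDs, then verify.
$observed = Get-AppleUsbHardwareIds
if ($observed.Count -gt 0) {
    Set-DeviceInstallDenyList -HardwareIds $observed
    Test-DeviceInstallDenyList -HardwareIds $observed
} else {
    Set-DeviceInstallDenyList
    Test-DeviceInstallDenyList
}
```

Windows compares deny-list entries against each hardware ID and compatible ID the device reports, so the list should be populated from the audit output rather than from a vendor prefix alone. Blocking installation stops the phone from mounting as a storage or portable device; it does not replace monitoring for the lateral movement the article describes once a host is compromised.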

FAN also confirmed a New York Times report from October 2018 in which the Times reported that USCC had been contacting IRA workers.

The Times didn't say what those messages were, but FAN claimed they were "threatening SMS messages in broken Russian from African mobile numbers and emails in broken Russian, urging journalists to 'think about their activities'."

In February 2018, the US indicted 13 Russian nationals and three Russian entities accused of meddling in the 2016 presidential election. One of those entities was the IRA, which also had accounts suspended from Facebook.
