This article is more than 1 year old

When the bits hit the FAN: US military accused of knackering Russian trolls, news org's IT gear amid midterm elections

Despite fried RAID and deleted hard drives, Federal News Agency calls US Cyber Command attack a failure

A Russian news service is claiming that US attacks on it and an organisation accused of state-sponsored trolling has left storage systems damaged and international servers wiped after multiple malware attacks.

The Russian Federal News Agency (FAN) alleged earlier this week that US Cyber Command conducted an online attack against the self-described news organization in conjunction with Cyber Command's reported offensive operation against the Internet Research Agency (IRA), a Kremlin-linked Russian organization based in St Petersburg that US officials blame for spreading misinformation through social media to sow discord and interfere with elections.

The report lends support to claims that the US military conducted offensive cyber operations in Russia last year to prevent interference with the 2018 midterm elections.

FAN, according to the US government, is a part of Project Lakhta, the Russian-funded foreign influence operation. The publisher is said to have served as a conduit for concealing Project Lakhta activities and as such is currently subject to Treasury Department sanctions. The IRA is also said to be part of Project Lakhta. FAN nonetheless maintains it has nothing to do with the IRA and does not interfere with elections or engage in illegal activity.

Anatomy of a hack

Two weeks ago, General Paul Nakasone, head of US Cyber Command, hinted at Russia-focused operations in testimony to the US Senate Armed Services Committee. The military cyber group, he said, "undertook an initiative known as the Russia Small Group to protect the elections from foreign interference and influence."

On Tuesday, The Washington Post reported that US Cyber Command meddled with the Internet Research Agency's ability to access the internet during last year's midterms. No details about the nature of the disruption were disclosed, however.

FAN's unconfirmed account may help fill in some of the blanks, though bear in mind the organization is not considered a reliable news source in the West. Here's what the network claimed:

On November 5, 2018 at about 22:00 hours Moscow time, the RAID controller on the internal office of the FAN was destroyed and two out of four hard drives were disabled. The hard drives were also formatted on servers leased in Sweden and Estonia that were used to store data from the USA Really portal.

FAN claims that US Cyber Command sent an employee a malicious email attachment that installed malware on a Windows machine, but that network security measures prevented the intrusion from doing harm beyond that single machine. But this was just the start, FAN claims.


Bloke gets six months for fixing up Russia's US election trolls with bank accounts, fake identities


An Apple iPhone 7 Plus, the organization says, is what allowed the attackers to access FAN's local network. According to the group, an employee's iPhone automatically launched iTunes when connected to a USB cable, prompting synchronization and Windows updates on the host PC, which apparently allowed the takeover of the connected computer. The details are vague, admittedly.

The firm contends that the intrusion came from IP addresses associated with American companies, including Amazon – which, remember, runs a cloud service, AWS. And it says that it has revised its corporate security policy to prohibit connecting iPhones to computers.

Despite this, FAN characterized the US cyber attack as a failure due to the lack of trumpeting about the incident from US authorities.

The US Defense Department declined to comment. "We do not discuss classified cyberspace operations due to classification and operations security," a DoD spokesperson told The Register via email. ®

More about


Send us news

Other stories you might like