Professional Documents
Culture Documents
A short occasion of turbulence, reflecting the growing tensions in Georgian-Russian relations313, was visible in the Georgian cyber space on 19 July 2008, weeks before the more coordinated cyber attacks began on August 8. The website of the Georgian President Mikheil Saakashvili (www.president.gov.ge) became unavailable for more than 24 hours because of a DDoS attack. The Shadowserver Foundation314 observed at least one web-based command and control (C&C) server hitting the website with a variety of simultaneous attacks (TCP, ICMP, and HTTP floods), which took the website offline for more than 24 hours.315 However, the main phase of events began on August 8 316 when multiple C&C servers hit websites that were either Georgian - such as the website of the Georgian President, the central government site, and the homepages for the Ministry of Foreign Affairs and Ministry of Defence - or sympathetic to the country's cause.317 Georgian news portals such as Georgia Online (apsny.ge), News.ge, but also non-Geor- gian, but Georgia-sympathetic news sites and online discussion forums were also attacked.318 TBC, the largest commercial bank of Georgia, came under attack on the early morning of August 9.319 The Georgian government, reliant on its oficial websites as information distribution channels, had to look for ways to avoid information blockade. On Saturday, August 9, a Georgian expatriate Nino Doijashvili, chief executive of Atlanta-based hosting company Tulip Systems Inc., offered the Georgian government help and transferred president.gov.ge and rustavi2.com, the Web site of a prominent Georgian TV station, to her company's servers. 320 With Google's per- mission, the website of the Ministry of Foreign Affairs was transferred to a Blogger account.321 The Office of the President of the Republic of Poland provided a section on their website for official press releases of the Georgian government, and the Estonian government accom- modated the website of the Ministry of Foreign Affairs in a server located in Estonia, as well as sending two CERT-EE information security spe-cialists to assist in mitigation efforts.322 On August 10, Shadowserver reported new attacks against .ge sites: the website of the Georgian Parliament and President were hit with http-flood attacks. In this case, the IP ad- dress of the C&C server revealed it was located in Turkey.323 Again, the attacks were not limited to just government websites. Shadowserver reported at least six different C&C servers attack- ing various non-governmental websites. By august 11, the President's website was available again, but the central government site as well as ministries' websites mentioned above still remained down and some commercial websites were also hijacked. 324 A defacement attack against the President's website occurred in this timeframe, where a slideshow was inte- grated into the page displaying identical images of Saakashvili's and Hitler's public appearances in order to portray Saakashvili as Hitler. As of August 11, the site remained under a sustained DDoS attack. 325 On August 11, the Georgian Ministry of Foreign Affairs issued a press release, communicating "A cyber warfare campaign by Russia is seriously disrupting many Georgian websites, including that of the Ministry of Foreign Affairs. 326 The statement was released via a replacement website that the ministry had built on Google's blog- hosting service,
blogspot.com. The same course of action was also taken by Civil.ge, the largest Englishlanguage news site in Georgia, which had come under DDoS attack, and switched to a Blogger account in case the site remained unavailable.327 According to Arbor Networks, the attacks were all globally sourced, suggesting one or multiple botnets behind them.328 By August 12, most of the observed botnet attacks targeted against .ge sites began to subside and the attack model changed towards using a Microsoft Windows batch file that was designed to attack Georgian websites and was distributed and encouraged to use on Russian forums, blogs, and websites.329 On August 13, Shadowserver reported large-scale ICMP traffic from numerous Russian computers from several different ISPs throughout the country, covering both dialup and broadband users, and targeting Georgian governmental websites.330 The effect of it was continuous ICMP traffic via the 'ping' command to several Georgian websites.331 The last large cyber attack against Georgian websites was launched on August 27. The main target this time was the Georgian Ministry of Foreign Affairs that together with other sites came under a DDoS attack in the afternoon. The attacks mainly consisted of HTTP queries to the mfa.gov.ge website with the purpose of overloading the web server.332 The attacks started to wind down on August 28, due to the reason that most of the attack- ers were successfully blocked333; nevertheless, minor occurrences were detected even after that date that were indistinguishable from regular traffic and could therefore be attributed to regular civilians.
against Georgia for hackers.351 In summary, 36 major web sites were identified as targets for hackers, among those the Embassies of the US and UK in Tbilisi, the Georgian Parliament, Supreme Court, and Ministry of Foreign Affairs, several news and media resources, and numerous other sites.
According to Arbor Networks' data traffic analysis, major DDoS attacks were all globally sourced, suggesting a botnet (or multiple bot- nets) behind them.362 According to the Shadowserver Foundation ac- count from the initial days of the Georgian cyber incident, there were at least six different C&C363 (Command and Control) servers involved in the attacks; some of the botnets were either "DDoS for hire or "DDoS for extortion services which normally employ a regular pattern in attacking sites and rarely go after non-commercial sites. 364 The HTTP-based botnet C&C server was reported to be a MachBot controller, a tool that is frequently used by Russian bot herders365, and the domain involved with this C&C server had, according to Steven Adair of the Shadowserver Foundation, seemingly fraudulent registration information which tied back to Russia.366 There was some indication of the RBN involve- ment, which was referred to earlier in this paper (see 'Other types of attack' under 'Methods of cyber attack') 367. The security experts of Shadowserver stated that the involvement of RBN did not amount to more than providing hosting services to the botnet C&Cs, finding that RBN did not commit the DDoS attacks itself.368 There is no doubt regarding the involvement of the Russian hacker community in the cyber attacks: the coordination of and support to the attacks took place mainly in the Russian language and was conducted on Russian or Russia-friendly forums. However, there is no evident link to the Russian administration, and the Russian government has denied any involvement in the cyber assaults.369 The Project Grey Goose team was unable to find, in their research into the Russian hacker sites, any references to state organisations guiding or directing attacks, "be it because there was none, because the collection efforts were not far-reaching or deep enough to identify these connections, or because involvement by state organisations was conducted in a way to purposefully avoid attribution.370 The Project Grey Goose report did provide his- torical evidence that past and present members of the Russian government have endorsed cyber attacks initiated by their country's hacker population.371 Jeff Carr, the principal investigator of the Grey Goose project, concluded that the level of advanced preparation and recon- naissance suggests that Russian hackers were primed for the assault by officials within the Russian government and/or military, based also on evidence that the StopGeorgia.ru site was "up and running within hours of the ground assault -with full target lists already vetted and with a large member population. 372 Don Jackson, the director of threat intelligence at SecureWorks373, also pointed to the correlation between the types and patterns of activity of DDoS and the suspicious timing of the attacks, claiming it to have been "either one of the most coincidental mass cyber-attacks [he had] ever seen, or [] some sort of cooperation on some level.374 Jackson also reported that incident responders in Georgia had provided logs of network traffic to and from botnet C&C servers, and the latter had IP addresses that were in ranges belonging to Russian state-operated companies. These networks had been launch points for DDoS attacks against Georgian networks. Jackson warned, however, that those addresses could have been 'pwned' (gained unauthorised control over) by hackers.375 However, the possible involvement of some officials within the Russian administration is only backed by circumstantial evidence, and does not prove nor amount to official support to the cyber attacks by the Russian government. Many experts remain sceptical that the Russian
government had any role in the Georgian cyber attacks and consider them as 'unaffiliated attacks by Russian hackers and/or some rioting by enthusiastic Russian supporters'376. Sources indicate a connection between organ- ised crime and the Georgian cyber incidents. According to the above-referred study carried out by the Swedish National Defence University, the organisation provided in the registration details of stopgeorgia.ru was related to different criminal activities, such as forged passports and stolen credit cards - activities that normally should be prosecuted by the authorities. The Russian authorities have remained remarkably passive in prosecuting the organisation in this particular case.377 The Project Grey Goose report points out that the stopgeorgia.ru site - which provided information and tools for independent hackers to attack Georgian sites - was hosted by SoftLayer Technologies, Inc. (AS36351) of Plano, Texas, USA, the latter being controlled by Atrivo, a host listed as the 4th worldwide among webhosts facilitating the spread of malware, spam, financial scams, and identity theft.378 Atrivo's connection was cancelled and traffic routing stopped by its service providers in late September 2008 (based mostly on the fraud concerns, not necessarily its participation in the Georgian attack).37 Based on their data collection and analysis, the Grey Goose Project analysts discerned a pattern in the Georgian attacks, consisting of 5 stages: spreading encouragement to get involved in the cyber war against Georgia; publishing a target list of Georgian government web sites which had been tested for access and/or vulner- abilities; selection of types of malware to use against the target web sites; launching of the attacks; and result evaluation.382 The conclusions left little doubt that the Georgian cyber attacks were largely coordinated, not simply an ad hoc reaction of individual cyber-activists sympa- thetic to the Russian cause. As stated above, this may constitute a new development compared to the incidents in Estonia, where coordination was recognized only in the second phase of the cyber attacks.