Cyberattacks during the Russo-Georgian War

During the Russo-Georgian War a series of cyberattacks swamped and disabled websites of numerous South Ossetian, Georgian, Russian and Azerbaijani organisations. The attacks were initiated three weeks before the shooting war began in what is regarded as "the first case in history of a coordinated cyberspace domain attack synchronized with major combat actions in the other warfighting domains (consisting of Land, Air, Sea, and Space)."[1]

Russo-Georgian War
Main topics
Related topics

Attacks

On 20 July 2008, weeks before the Russian invasion of Georgia, "zombie" computers were already on the attack against Georgia.[2][3] The website of the Georgian president Mikheil Saakashvili was targeted, resulting in overloading the site. The traffic directed at the website included the phrase "win+love+in+Rusia". The site then was taken down for 24 hours.[4][5]

On 5 August 2008, the websites for OSInform News Agency and OSRadio were hacked. The OSinform website at osinform.ru kept its header and logo, but its content was replaced by the content of Alania TV website. Alania TV, a Georgian government supported television station aimed at audiences in South Ossetia, denied any involvement in the hacking of the rival news agency website. Dmitry Medoyev, the South Ossetian envoy to Moscow, claimed that Georgia was attempting to cover up the deaths of 29 Georgian servicemen during the flare-up on August 1 and 2.[6]

On 5 August, Baku–Tbilisi–Ceyhan pipeline was subject to a terrorist attack near Refahiye in Turkey, responsibility for which was originally taken by Kurdistan Workers' Party (PKK) but there is circumstantial evidence that it was instead a sophisticated computer attack on line's control and safety systems that led to increased pressure and explosion.[7]

According to Jart Armin, a researcher, many Georgian Internet servers were under external control since late 7 August 2008.[8] On 8 August, the DDoS attacks peaked and the defacements began.[9]

On 9 August 2008, key sections of Georgia's Internet traffic reportedly had been rerouted through servers based in Russia and Turkey, where the traffic was either blocked or diverted. The Russian and Turkish servers were allegedly controlled by the Russian hackers. Later on the same day, the network administrators in Germany were able to temporarily reroute some Georgian Internet traffic directly to servers run by Deutsche Telekom AG. However, within hours the traffic was again diverted to Moscow-based servers.[8][10]

On 10 August 2008, RIA Novosti news agency's website was disabled for several hours by a series of Georgian counter-attacks.[11] Maxim Kuznetsov, head of the agency's IT department said: "The DNS-servers and the site itself have been coming under severe attack."[12]

On 10 August, Jart Armin warned that Georgian sites that were online might have been fake. "Use caution with any Web sites that appear of a Georgia official source but are without any recent news [such as those dated Saturday, Aug. 9, or Sunday, Aug. 10], as these may be fraudulent," he said.[8][10]

By 11 August 2008, the website of the Georgian president had been defaced and images comparing President Saakashvili to Adolf Hitler were posted. This was an example of cyber warfare combined with PSYOPs.[9] Georgian Parliament's site was also targeted.[9][8][13] Some Georgian commercial websites were also attacked.[10][8][13] On 11 August, Georgia accused Russia of waging cyber warfare on Georgian government websites simultaneously with a military offensive. The Foreign Ministry of Georgia said in a statement, "A cyber warfare campaign by Russia is seriously disrupting many Georgian websites, including that of the Foreign Affairs Ministry." A Kremlin spokesman denied the accusation and said, "On the contrary, a number of internet sites belonging to the Russian media and official organizations have fallen victim to concerted hacker attacks."[14] The Ministry of Foreign Affairs set up a blog on Google's Blogger service as a temporary site. The Georgian President's site was moved to US servers.[9][13] The National Bank of Georgia’s Web site had been defaced at one point and 20th-century dictators' images and an image of Georgian president Saakashvili were placed.[2] The Georgian Parliament website was defaced by the "South Ossetia Hack Crew" and the content was replaced with images comparing President Saakashvili to Hitler.[13]

Estonia offered hosting for Georgian governmental website and cyberdefense advisors.[15][3] However a spokesman from Estonia's Development Centre of State Information Systems said Georgia didn't request help. "This will be decided by the government," he said.[10] It was reported that the Russians bombed Georgia’s telecommunications infrastructure, including cell towers.[15] Private United States companies also assisted the Georgian government to protect its non-war making information such as the government payroll during the conflict.[16]

Russian hackers also attacked the servers of the Azerbaijani Day.Az news agency. The reason was Day.Az position in covering the Russian-Georgian conflict.[17] ANS.az, one of the leading news websites in Azerbaijan, was also attacked.[18] Russian intelligence services had also disabled the information websites of Georgia during the war.[17] The Georgian news site Civil Georgia switched their operations to one of Google's Blogspot domains.[15] Despite the cyber-attacks, Georgian journalists managed to report on the war. Many media professionals and citizen journalists set up blogs to report or comment on the war.[19][20]

Barack Obama, the U.S. presidential candidate demanded Russia halt the internet attacks as well as complying with a ceasefire on the ground.[10] The President of Poland, Lech Kaczyński, said that Russia was blocking Georgian "internet portals" to supplement its military aggression. He offered his own website to Georgia to aid in the "dissemination of information".[13] Reporters Without Borders condemned the violations of online freedom of information since the outbreak of hostilities between Georgia and Russia. "The Internet has become a battleground in which information is the first victim," it said.[18]

The attacks involved Denial-of-service attacks.[2][13][18] The New York Times reported on 12 August that according to some experts, it was the first time in history a known cyberattack had coincided with a shooting war. On 12 August, the attacks continued, controlled by programs that were located in hosting centers controlled by a Russian telecommunications companies. A Russian-language site, stopgeorgia.ru, continued to operate and offer software for Denial-of-service attacks.[2]

On 14 August 2008, it was reported that although a ceasefire reached, major Georgian servers were still down, hindering communication in Georgia.[20]

Analysis

The Russian government denied the allegations that it was behind the attacks, stating that it was possible that "individuals in Russia or elsewhere had taken it upon themselves to start the attacks".[2] Some sources have suggested that the Saint Petersburg-based criminal gang known as the Russian Business Network (RBN) was behind many of these cyber attacks.[8][9][10][2][21] RBN was considered to be among the world's worst spammer, child-pornography, malware, phishing and cybercrime hosting networks. It is thought that the RBN's leader and creator, known as Flyman, is the nephew of a powerful and well-connected Russian politician.[22]

Dancho Danchev, a Bulgarian Internet security analyst claimed that the Russian attacks on Georgian websites used “all the success factors for total outsourcing of the bandwidth capacity and legal responsibility to the average Internet user.”[9]

Jose Nazario, security researcher for Arbor Networks, told CNET that he was seeing evidence that Georgia was responding to the cyber attacks, attacking at least one Moscow-based newspaper site.[23]

Don Jackson, director of threat intelligence for SecureWorks, a computer security firm based in Atlanta, noted that in the run-up to the war over the weekend, computer researchers had observed as botnets were "staged" in preparation for the attack, and then activated shortly before Russian air strikes began on 9 August.[2] According to Jackson, this was lending credence to the idea that the Russian government was indeed behind the attack, rather than the RBN.[24] Furthermore, Jackson found that not all the computers that were attacking Georgian websites were on RBN servers, but also on "Internet addresses belonging to state-owned telecommunications companies in Russia".[24]

Gadi Evron, the former chief of Israel's Computer Emergency Response Team, believed the attacks on Georgian internet infrastructure resembled a cyber-riot, rather than cyber-warfare. Evron admitted the attacks could be "indirect Russian (military) action," but pointed out the attackers "could have attacked more strategic targets or eliminated the (Georgian Internet) infrastructure kinetically." Shadowserver registered six different botnets involved in the attacks, each controlled by a different command server.[25]

Jonathan Zittrain, cofounder of Harvard's Berkman Center for Internet and Society, said that the Russian military definitely had the means to attack Georgia's Internet infrastructure. Bill Woodcock, the research director at Packet Clearing House, a California-based nonprofit group that tracked Internet security trends, said the attacks bore the markings of a "trained and centrally coordinated cadre of professionals." Russian hackers also brought down the Russian newspaper Skandaly.ru allegedly for expressing some pro-Georgian sentiment. "This was the first time that they ever attacked an internal and an external target as part of the same attack," Woodcock said. Gary Warner, a cybercrime expert at the University of Alabama at Birmingham, said that he found "copies of the attack script" (used against Georgia), complete with instructions for use, posted in the reader comments section at the bottom of virtually every story in the Russian media.[3] Bill Woodcock also said cyberattacks are so cheap and easy to stage, with few fingerprints, they would almost definitely stay around as a feature of modern warfare.[2]

The Economist wrote that anyone who wished to take part in the cyberattack on Georgia could do so from anywhere with an internet connection, by visiting one of pro-Russia websites and downloading the software and instructions needed to perform a distributed denial-of-service attack (DDoS) attack. One website, called StopGeorgia, provided a utility called DoSHTTP, plus a list of targets, including Georgian government agencies and the British and American embassies in Tbilisi. Launching an attack simply required entering the address and clicking a button labelled "Start Flood". The StopGeorgia website also indicated which target sites were still active and which had collapsed. Other websites explained how to write simple programs for sending a flood of requests, or offered specially formatted webpages that could be set to reload themselves repeatedly, barraging particular Georgian websites with traffic. There was no conclusive evidence that the attacks was executed or sanctioned by the Russian government and also there was no evidence that it tried to stop them.[26]

In March 2009, Security researchers from Greylogic concluded that Russia's GRU and the FSB were likely to have played a key role in co-coordinating and organizing the attacks. The Stopgeorgia.ru forum was a front for state-sponsored attacks.[27]

John Bumgarner, member of the United States Cyber Consequences Unit (US-CCU) did a research on the cyberattacks during the Russo-Georgian War. The report concluded that the cyber-attacks against Georgia launched by Russian hackers in 2008 demonstrated the need for international cooperation for security. The report stated that the organizers of the cyber-attacks were aware of Russia's military plans, but the attackers themselves were believed to have been civilians. Bumgarner’s research concluded that the first-wave of cyber-attacks launched against Georgian media sites were in line with tactics used in military operations.[28] "Most of the cyber-attack tools used in the campaign appear to have been written or customized to some degree specifically for the campaign against Georgia," the research stated. While the cyberattackers appeared to have had advance notice of the invasion and the benefit of some close cooperation from the state institutions, there were no fingerprints directly linking the attacks to the Russian government or military.[29]

See also

References
  1. Hollis, David (6 January 2011). "Cyberwar Case Study: Georgia 2008" (PDF). Small Wars Journal. Archived (PDF) from the original on 4 March 2022. Retrieved 17 November 2020.
  2. Markoff, John (12 August 2008). "Before the Gunfire, Cyberattacks". The New York Times. Archived from the original on 30 March 2019. Retrieved 21 February 2017.
  3. Wentworth, Travis (23 August 2008). "How Russia May Have Attacked Georgia's Internet". Newsweek. Archived from the original on 4 March 2022. Retrieved 3 May 2014.
  4. Dancho Danchev (22 July 2008). "Georgia President's web site under DDoS attack from Russian hackers". ZDNet. Archived from the original on 5 March 2022. Retrieved 9 February 2015.
  5. "Georgia president's Web site falls under DDOS attack". Computerworld. 21 July 2008. Archived from the original on 11 August 2016. Retrieved 9 February 2015.
  6. "S.Ossetian News Sites Hacked". Civil Georgia. 5 August 2008. Archived from the original on 25 June 2017. Retrieved 25 January 2009.
  7. Jordan Robertson; Michael Riley (10 December 2014). "Mysterious '08 Turkey Pipeline Blast Opened New Cyberwar Era". Bloomberg.com. Archived from the original on 2014-12-25. Retrieved 2017-03-06.
  8. Keizer, Gregg (11 August 2008). "Cyberattacks knock out Georgia's Internet presence". Computerworld. Archived from the original on 3 May 2014. Retrieved 3 May 2014.
  9. Danchev, Dancho (11 August 2008). "Coordinated Russia vs Georgia cyber attack in progress". ZDNet. Archived from the original on 2 November 2014. Retrieved 4 May 2014.
  10. "Georgia: Russia 'conducting cyber war'". The Telegraph. 11 August 2008. Archived from the original on 4 March 2022. Retrieved 4 April 2018.
  11. Woodcock, Bill (11 August 2008). "The digital frontlines in the Georgia conflict". The Takeaway. Public Radio International. The World. Archived from the original on 2022-04-01. Retrieved 2022-03-07. This is part of a larger pattern for Russia, particularly over the last two years, which has targeted both internal opposition parties and the press within Russia, and external targets like Estonia, notably last year, Lithuania and some other countries that have had foreign policy that's disagreed with Russia's. The attacks, specifically in the Georgian case, have been from Russia against the presidential and parliamentary websites in Georgia; and from Georgia against RIA Novosti, the Russian state news agency.
  12. "RIA Novosti hit by cyber-attacks as conflict with Georgia rages". RIA Novosti. 10 August 2008. Archived from the original on 12 August 2008.
  13. Asher Moses (12 August 2008). "Georgian websites forced offline in 'cyber war'". The Sydney Morning Herald. Archived from the original on 14 September 2008.
  14. "Georgia says Russian hackers block govt websites". Reuters. 11 August 2008. Archived from the original on 24 January 2016. Retrieved 5 July 2021.
  15. "Estonia, Google Help 'Cyberlocked' Georgia (Updated)". 11 August 2008. Archived from the original on 4 March 2022. Retrieved 6 March 2017.
  16. Steven Korns and Joshua E. Kastenberg, Georgia's Cyber Left Hook, Parameters: Journal of the Army War College (2008), 59-64
  17. "Russian intelligence services undertook large scale attack against Day.Az server". Today.az. 11 August 2008. Archived from the original on 4 March 2022. Retrieved 11 August 2008.
  18. "Russian and Georgian websites fall victim to a war being fought online as well as in the field". Reporters Without Borders. 13 August 2008. Archived from the original on 2014-07-14.
  19. "Georgia: Regional Reporters". Global Voices. 24 August 2008. Archived from the original on 26 April 2015. Retrieved 27 September 2008.
  20. "Longtime Battle Lines Are Recast In Russia and Georgia's Cyberwar". The Washington Post. 14 August 2008. Archived from the original on 13 March 2018. Retrieved 20 September 2017.
  21. "Georgia States Computers Hit By Cyberattack". The Wall Street Journal. 12 August 2008. Archived from the original on 4 March 2022. Retrieved 3 August 2017.
  22. "The hunt for Russia's web crims". The Age. 13 December 2007. Archived from the original on 14 September 2014. Retrieved 25 January 2009.
  23. "Russia and Georgia continue attacks--online". CNET. 12 August 2008. Archived from the original on 4 March 2022. Retrieved 15 July 2014.
  24. "Expert: Cyber-attacks on Georgia websites tied to mob, Russian government". LA Times Blogs - Technology. 2008-08-13. Archived from the original on 2022-03-04. Retrieved 2020-11-17.
  25. "Unlikely That Russians Hacked Georgia Though Attacks Were Political | Cyber Talk Blog by Shimon Sheves". www.cybertalkblog.co.uk. Archived from the original on 2022-03-05. Retrieved 2017-04-16.
  26. "Marching off to cyberwar". The Economist. 4 December 2008. Archived from the original on 6 May 2009.
  27. Leyden, John (23 March 2009). "Russian spy agencies linked to Georgian cyber-attacks". The Register. Archived from the original on 1 October 2019. Retrieved 10 August 2017.
  28. Brian Prince (18 August 2009). "Cyber-attacks on Georgia Show Need for International Cooperation, Report States". eWeek.
  29. Mark Rutherford (18 August 2009). "Report: Russian mob aided cyberattacks on Georgia". CNET. Archived from the original on 22 August 2013. Retrieved 2 November 2011.
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.