Posts tagged “DDOS”

Ru-Ge Skepticism



The Internet-based attacks surrounding the Russia-Georgia conflict in August 2008 have resurfaced thanks to a report by the U.S. Cyber Consequences Unit (US-CCU). Because the report is top secret, all that is publicly available is a summary.

There are a number of reports on the Ru-Ge incident. While some are very well done, noticeably absent from all of them is any attempt to provide and explore alternative explanations. Since attribution in these types of attacks is difficult (to put it mildly), analysis is often infused with a predisposition toward a certain conclusion, and all evidence is then interpreted in only one direction. (Morozov’s “10 easy steps to writing the scariest cyberwarfare article ever” is applicable to most of them.)

Since there is basically no “smoking gun” in cyberspace, the credibility of one’s claims depends on how well one explores alternative explanations.

One of the Ru-Ge issues I have been thinking about concerns timing. In the US-CCU report summary the issue of timing is raised. The US-CCU concludes:

The organizers of the cyber attacks had advance notice of Russian military intentions, and they were tipped off about the timing of the Russian military operations while these operations were being carried out.

Why? Because they “had” to be.

Many of the cyber attacks were so close in time to the corresponding military operations that there had to be close cooperation between people in the Russian military and the civilian cyber attackers.

Maybe, but are there other possible explanations?

First, the timing of the war itself is unclear. The NY Times reports that Georgia believes the Russians had crossed the Roki Tunnel by 3:41 a.m. on August 7, 2008. The Russians say it was not until 2:30 p.m. on August 8, 2008, after Georgia had begun shelling Tskhinvali at 11:30 p.m. on August 7, 2008. The NYT reports that “Western intelligence” indicates that the Russians “may have moved to secure the entire tunnel either on the night of Aug. 7 or early in the morning of Aug. 8.”

Second, the timing of the internet-based attacks is unclear. The CCD COE report cites a STRATFOR report which claims:

“Russia’s offensive against Georgia began not with tanks or fighter jets, but in cyberspace. STRATFOR knows firsthand that Georgian government and media Web sites began to crash the night of Aug. 7 — well before Russian troops emerged on the south side of the Roki Tunnel in the breakaway republic of South Ossetia the following morning.”

Shadowserver, a trustworthy and awesome group, documented DDOS attacks beginning on August 8, 2008. The attacks came from known C&Cs, some of which had been around for more than a year and had attacked unrelated sites. In fact, the same C&Cs attacked www.president.gov.ge on July 20, 2008.

Dancho Danchev wrote an informative post in which he stated that, following the July attack, there had been discussions of DDOS and defacements and of their use should it be needed:

The attacks originally started taking place several weeks before the actual “intervention”, with Georgia President’s web site coming under DDoS attack from Russian hackers in July, followed by active discussions across the Russian web on whether or not DDoS attacks and web site defacements should in fact be taking place, which would inevitably come as a handy tool to be used against Russia by Western or Pro-Western journalists. The peak of DDoS attack and the actual defacements started taking place as of Friday

US-CCU says that because the attacks materialised so quickly in connection with the Russian kinetic attacks, the internet-based attacks must have been prepared in advance and that “the signal to go ahead also had to have been sent before the news media and general public were aware of what was happening militarily.” Well, we already know that there was a DDOS in July by the same C&Cs that attacked in August. Also, there had been “active discussions across the Russian web” after the July attacks on DDOS and defacement of Georgian and related targets. And from the limited logs that I’ve seen, there were a variety of attacks, including SQL injection, occurring over this period.

Moreover, some of the web sites that were defaced had been defaced before. mfa.gov.ge was defaced on 2008/04/17 (and three times in 2000, suggesting a history of insecurity) and parliament.ge was defaced on 2008/03/14 (Zone-H’s gov.ge defacement archive).

News media had been consistently reporting on the ongoing conflict in the region. For example, CNN reported on August 7, 2008 that Georgia had accused Russia of bombing Georgian territory. And the Russian incursion into Georgia was widely reported on August 8, 2008.

It is unclear whether the attacks began before or after the Russian kinetic attack. Part of the reason is that when the Russian kinetic attack itself began is unclear. This makes correlating the internet and kinetic attacks unreliable.

The botnets were in place (busily attacking unrelated targets), had been used previously against www.president.gov.ge, and could be issued commands at any time. The web sites that were defaced had been defaced before, and mfa.gov.ge had a long history of insecurity. The global news coverage of the crisis indicated that it was escalating and that a Russian bombing campaign may have started on August 7th.

In my view there is an alternative explanation that deserves to be explored: potential attackers who had been discussing potential attacks since July 20, 2008, and following events as they unfolded, could have been ready to respond as the crisis predictably escalated, without advance knowledge of the Russian attack or any explicit coordination with the Russian military.
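To make the timing argument concrete, here is an added example (mine, not part of the original post) that lays the competing accounts above out as time intervals, normalizes them to UTC, and asks, for every pairing of a cyber claim with a kinetic claim, whether the order is even determinable. Assumptions: the NYT and STRATFOR times are local time, and Tbilisi (UTC+4) and Moscow summer time (UTC+4) shared one offset in August 2008; the bounds given to the vague accounts (“night of Aug. 7”, a bare date of Aug. 8) are mine; Shadowserver’s date is treated as a UTC day, since such feeds are usually logged in UTC and no hour is given.

```python
from datetime import datetime, timedelta, timezone

# Assumption: reported times are local; Tbilisi (UTC+4, no DST) and Moscow summer
# time (UTC+4) coincided in August 2008, so one offset covers both accounts.
LOCAL = timezone(timedelta(hours=4))
UTC = timezone.utc


def local(day, hour, minute=0):
    """A local-time instant in August 2008, returned in UTC."""
    return datetime(2008, 8, day, hour, minute, tzinfo=LOCAL).astimezone(UTC)


def utc(day, hour, minute=0):
    return datetime(2008, 8, day, hour, minute, tzinfo=UTC)


# Each claim is an (earliest, latest) interval in UTC. Point claims have equal bounds;
# vague claims get assumed bounds (marked). Times are the ones quoted in the post.
KINETIC = {
    "georgia_claim": (local(7, 3, 41), local(7, 3, 41)),    # Roki Tunnel crossed, per Georgia (NYT)
    "russia_claim": (local(8, 14, 30), local(8, 14, 30)),   # troops move, per Russia (NYT)
    "western_intel": (local(7, 20, 0), local(8, 6, 0)),     # "night of Aug. 7 or early Aug. 8"; bounds assumed
}
CYBER = {
    "stratfor": (local(7, 20, 0), local(8, 6, 0)),          # sites crashing "the night of Aug. 7"; bounds assumed
    "shadowserver": (utc(8, 0, 0), utc(8, 23, 59)),         # DDoS seen Aug. 8; no hour given, so the whole UTC day
}


def order(cyber, kinetic):
    """Relate two intervals; only non-overlapping intervals give a definite order."""
    c0, c1 = cyber
    k0, k1 = kinetic
    if c1 < k0:
        return "cyber before kinetic"
    if k1 < c0:
        return "cyber after kinetic"
    return "indeterminate"


def lead_lag_table():
    """Verdict for every (cyber claim, kinetic claim) pairing."""
    return {(c, k): order(CYBER[c], KINETIC[k]) for c in CYBER for k in KINETIC}


def verdict_counts():
    counts = {}
    for verdict in lead_lag_table().values():
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for (c, k), verdict in sorted(lead_lag_table().items()):
        print(f"{c:13s} vs {k:14s}: {verdict}")
    print(verdict_counts())
```

Of the six pairings, three are indeterminate because the intervals overlap, two put the cyber attacks after the kinetic ones (any pairing with the Georgian 3:41 a.m. claim), and only one, STRATFOR’s “night of Aug. 7” set against the Russian account of 2:30 p.m. on Aug. 8, yields “before”. The conclusion you reach depends entirely on which accounts you accept and in which time zone you read them, which is the point.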

Iran DDOS 2



I just read a great post by Jose Nazario suggesting that there hasn’t been much evidence of botnet use in these attacks. But the most interesting point he makes is that the site under attack could take offensive action against the people participating in these “refresh”-style attacks:

The attackers who participate by loading these pages and going off to dinner, sleep, or on with their days open themselves up to attacks back through drive-by attacks. Imagine a simple scenario: the victims modify their sites to include some code like LuckySploit that commits a simple set of attacks. The attacker’s machine reloads the page (this is, after all, part of the attack). Hit a browser or accessory bug and bam, the attacker has been attacked. Now you’ve got a foothold on the attacker’s machine and, if you’re a sophisticated cyberwar player, you can use this to further understand your adversary. This is a dangerous strategy. If you’re going to employ this kind of attack you need to remember you may be putting your “army” at risk.

That’s interesting because it has happened before. A similar campaign in 1998 by the Electronic Disturbance Theater (EDT) targeted the Pentagon, and the site under attack retaliated:

In September 1998, the Electronic Disturbance Theater, a group of activists that practices politically driven cyber civil-disobedience, launched an attack aimed at disabling a Pentagon Web site by flooding it with requests. The Pentagon responded by redirecting the requests to a Java applet programmed to issue a counteroffensive. The applet flooded the browsers used to launch the attack with graphics and messages, causing them to crash.

(Also, the defacers are getting into it: a gov.ir site was defaced too (http://www.marivan.gov.ir/Election.htm).)

Iran DDOS



There have been a variety of good reports (zdnet, sans, fp) on the DDOS campaigns targeting Iranian sites after the election. However, one of the things I’ve noticed is the tendency to characterize this as something relatively new. But this has been happening for at least a decade! See http://www.fraw.org.uk/download/ehippies/archive/op-01.html, http://www.fraw.org.uk/download/ehippies/archive/op-01a.html, http://www.thing.net/~rdom/ecd/archives.html

I think that one of the issues being overlooked is the mobilization and participation component. To just DDOS a site, it’s easier to use/buy/rent/etc. a botnet. That involves few people, is easy, and is effective. Getting a bunch of people to basically refresh a site (even if they are using some rudimentary automated tools) requires participation. I have doubts about whether the downtime of the targeted sites is due to this type of attack. I suspect that there are likely other attacks involved that do the heavy lifting.

“But to think that it takes a lot of people to execute an act of civil disobedience on the Internet is naive. Programs make a difference, not people.” — Oxblood Ruffin, cDc
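Both Nazario’s point in the previous post (the participants are identifiable precisely because their browsers keep reloading the page) and the question above of whether the crowd or something heavier is causing the downtime come down to what the target’s own access log shows. The following is an added example, not code from the original post or from any of the cited reports, that profiles clients from access-log lines and separates steady, human-tool-paced refreshers from sub-second scripted floods, then reports how much of the traffic each group accounts for. The log lines are constructed, the IP addresses are documentation ranges, and the thresholds (at least 10 requests; refresh pace between 1 and 60 seconds; flood pace under 0.5 seconds) are my assumptions, not derived from any of the attacks discussed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format (only the pieces this example uses).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def profile_clients(lines):
    """Group requests by client IP: count, distinct paths, mean gap between requests, UA."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    profiles = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        profiles[ip] = {
            "requests": len(recs),
            "paths": {r["path"] for r in recs},
            "mean_gap": sum(gaps) / len(gaps) if gaps else None,
            "ua": recs[0]["ua"],
        }
    return profiles


def classify(profile, min_requests=10, refresh_gap=(1.0, 60.0), flood_gap=0.5):
    """Thresholds are assumptions for illustration, not tuned on real traffic.
    'flood':   many requests at sub-second spacing (a script, not a person)
    'refresh': many requests to one or two paths at a steady pace of seconds
               (a person with a reload tool or browser auto-refresh)
    'normal':  everything else"""
    if profile["requests"] < min_requests or profile["mean_gap"] is None:
        return "normal"
    if profile["mean_gap"] < flood_gap:
        return "flood"
    lo, hi = refresh_gap
    if lo <= profile["mean_gap"] <= hi and len(profile["paths"]) <= 2:
        return "refresh"
    return "normal"


def summarize(lines):
    """Return (label per IP, per-label client/request totals, total requests)."""
    profiles = profile_clients(lines)
    labels = {ip: classify(p) for ip, p in profiles.items()}
    totals = defaultdict(lambda: {"clients": 0, "requests": 0})
    for ip, label in labels.items():
        totals[label]["clients"] += 1
        totals[label]["requests"] += profiles[ip]["requests"]
    return labels, dict(totals), sum(p["requests"] for p in profiles.values())


def _line(ip, ts, path, ua):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 1234 "-" "{ua}"'


def constructed_sample():
    """Constructed log lines (not real traffic): 3 refreshers, 1 scripted flood, 2 browsers."""
    t0 = datetime(2009, 6, 16, 12, 0, 0, tzinfo=timezone.utc)
    browser = "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.0.11"
    lines = []
    for i, ip in enumerate(("203.0.113.10", "203.0.113.11", "203.0.113.12")):
        for k in range(24):                      # reload "/" every 5 s for two minutes
            lines.append(_line(ip, t0 + timedelta(seconds=5 * k + i), "/", browser))
    for k in range(300):                         # 10 requests/s for 30 s from a script
        lines.append(_line("198.51.100.7", t0 + timedelta(milliseconds=100 * k), "/", "python-urllib/2.5"))
    for ip, paths in (("192.0.2.20", ["/", "/news", "/about"]), ("192.0.2.21", ["/", "/contact"])):
        for k, path in enumerate(paths):         # ordinary visitors reading a few pages
            lines.append(_line(ip, t0 + timedelta(seconds=40 * k), path, browser))
    return lines


if __name__ == "__main__":
    labels, totals, total = summarize(constructed_sample())
    for ip, label in sorted(labels.items()):
        print(f"{ip:16s} {label}")
    print(totals, "of", total, "requests")
```

In the constructed sample the three refreshers account for 72 requests while the single scripted source accounts for 300, which is the shape of the suspicion above: the participants are the visible part, and the heavy lifting comes from elsewhere. Run against real logs, the per-IP profile is also the list a defender would need before doing anything like the counter-attack Nazario describes, so the false positives of a heuristic like this one (a legitimate reader whose browser auto-refreshes, a shared NAT address) matter a great deal there.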

Anyway, I’m finding that these sites are unavailable:

16/06/09 12:18 http://ahmadinejad.ir/ 217.218.155.110 503
16/06/09 12:18 http://www.justice.ir/ 62.193.12.10 503
16/06/09 12:18 http://www.iranjudiciary.org/ 62.18.21.156 (51, ‘Network is unreachable’)
16/06/09 12:18 http://rajanews.com/ 10.7.222.162 (51, ‘Network is unreachable’)
16/06/09 12:18 http://www.farsnews.com/ 77.104.73.15 (61, ‘Connection refused’)
16/06/09 12:18 http://www.leader.ir/ 62.220.121.130 (61, ‘Connection refused’)
16/06/09 12:18 http://www.president.ir/ 80.191.69.11 timed out
16/06/09 12:18 http://www1.farsnews.com 77.104.73.16 timed out
16/06/09 12:18 http://www.irna.ir/ 81.12.51.146 timed out
16/06/09 12:18 http://www.police.ir/ 81.28.32.52 timed out
16/06/09 12:18 http://www.mfa.gov.ir/ 217.172.99.41 timed out
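The table above reads like the output of a small Python probe (the (errno, message) tuples are how an older Python socket error prints, next to plain HTTP status codes). As an added example, and not the author’s script, here is a probe that produces the same kind of line and keeps the outcomes distinct, because they mean different things: a status such as 503 means the server answered and is refusing work; “Connection refused” means a host (or a firewall in front of it) actively rejected the connection; “Network is unreachable” and timeouts mean the packets never got an answer at all. It also flags a name that resolves into RFC 1918 space, as 10.7.222.162 above does, since an “unreachable” result toward a private address is about your own routing or a DNS oddity, not about the site. The target list is the post’s; the User-Agent string and the offline stand-in outcomes used to exercise the logic are constructed.

```python
import ipaddress
import socket
import urllib.error
import urllib.parse
import urllib.request
from datetime import datetime

# Targets as listed in the post.
TARGETS = [
    "http://ahmadinejad.ir/", "http://www.justice.ir/", "http://www.iranjudiciary.org/",
    "http://rajanews.com/", "http://www.farsnews.com/", "http://www.leader.ir/",
    "http://www.president.ir/", "http://www1.farsnews.com", "http://www.irna.ir/",
    "http://www.police.ir/", "http://www.mfa.gov.ir/",
]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def fetch_status(url, timeout=10):
    """One GET; returns the HTTP status, raises HTTPError/URLError/timeout otherwise."""
    req = urllib.request.Request(url, headers={"User-Agent": "availability-check/0.1"})  # UA is an assumption
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


def probe(url, fetch=fetch_status, resolve=socket.gethostbyname):
    """Return (url, resolved address or None, outcome). `fetch` and `resolve` are
    injectable so the logic can be exercised offline; the defaults do real DNS and HTTP."""
    host = urllib.parse.urlsplit(url).hostname
    try:
        addr = resolve(host)
    except socket.gaierror as e:
        return (url, None, f"DNS failure: {e}")
    note = ""
    if is_rfc1918(addr):
        # A public name resolving to private space: any failure here is about our own
        # routing or the DNS answer, and says nothing about the remote site.
        note = " [private address: result says nothing about the site]"
    try:
        return (url, addr, str(fetch(url)) + note)
    except urllib.error.HTTPError as e:
        return (url, addr, str(e.code) + note)          # e.g. 503: server reached, refusing work
    except urllib.error.URLError as e:
        reason = e.reason
        if isinstance(reason, socket.timeout):
            return (url, addr, "timed out" + note)
        if isinstance(reason, OSError) and reason.errno is not None:
            return (url, addr, f"({reason.errno}, {reason.strerror!r})" + note)  # refused / unreachable
        return (url, addr, f"{reason}" + note)
    except socket.timeout:
        return (url, addr, "timed out" + note)


def format_line(result, when=None):
    """Same layout as the table in the post: dd/mm/yy HH:MM url address outcome."""
    when = when or datetime.now()
    url, addr, outcome = result
    return f"{when:%d/%m/%y %H:%M} {url} {addr or '-'} {outcome}"


def sweep(urls=TARGETS, **kw):
    return [format_line(probe(u, **kw)) for u in urls]


def constructed_outcomes():
    """Offline stand-ins for the kinds of results in the post (constructed, not live data)."""
    def resolve(host):
        return {"a.example": "217.218.155.110", "p.example": "10.7.222.162"}.get(host, "77.104.73.15")

    def fetch(url):
        host = urllib.parse.urlsplit(url).hostname
        if host == "a.example":
            raise urllib.error.HTTPError(url, 503, "Service Unavailable", {}, None)
        if host == "p.example":
            raise urllib.error.URLError(OSError(51, "Network is unreachable"))
        if host == "r.example":
            raise urllib.error.URLError(OSError(61, "Connection refused"))
        raise socket.timeout("timed out")

    urls = ["http://a.example/", "http://p.example/", "http://r.example/", "http://t.example/"]
    return {u: probe(u, fetch=fetch, resolve=resolve) for u in urls}


if __name__ == "__main__":
    for line in sweep():          # live probe of the post's targets
        print(line)
```

A single vantage point still cannot tell a DDoS from a null-route, a geoblock, or a local routing problem; repeating the sweep from more than one network, and comparing the outcome classes rather than just counting “down”, is what makes lines like the ones above usable as evidence.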

The defacers seem to be out too:

http://zone-h.org/mirror/id/9003285