The Tech Herald

Cyberattacks in Georgia dissected – ties to Russian mob evident

by Steve Ragan - Aug 18 2009, 17:00

One year after the cyberattacks on Georgia, there is new information thanks to the non-profit research center US Cyber Consequences Unit (US-CCU). The report, sent to various government officials Monday, details some interesting observations based on information collected by US-CCU.

One observation is that the organizers of the cyber attack had advance notice of Russian military intentions to launch a ground assault on Georgia. The report says that organizers were tipped off about the timing of the Russian military operations, which is why the cyber attacks and the ground assault started almost simultaneously.

“Many of the cyber attacks were so close in time to the corresponding military operations that there had to be close cooperation between the people in the Russian military and the civilian attackers. When the cyber attacks began, they did not involve any reconnaissance or mapping stage, but jumped directly to the sort of packets that were best suited to jamming the websites under attack. This indicated that the necessary reconnaissance and the writing of the attack scripts had to have been done in advance,” the report reads in part.

Another observation is that the civilian attackers were aided by Russian organized crime. This conclusion comes from the fact that some of the webservers and addresses used to control and coordinate the attack were previously used by Russian criminal organizations. “Several servers used in the attacks were simultaneously hosting software ready to be used for other cyber crime. In addition, the specific botnets employed in the cyber campaign were ones closely associated with Russian organized crime,” the report explained. Based on the observations, the US-CCU concluded that the Russian criminals made no real effort to hide their involvement, “because they wanted to claim credit for it.”

Another discovery pointing to the notion that the attacks on Georgia were prepared well in advance was one of the website defacements that occurred during the cyber campaign. The defacement was prepared specifically for use against Georgia, two years before the actual attack. The US-CCU established this by analyzing the image used in the website defacement: it was created in March of 2006 and had not been used anywhere else online.
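The report does not say which image format or metadata fields the US-CCU examined, so the following is an added example of the general forensic step it describes, not the US-CCU's own tooling: a dependency-free parser that walks a PNG file's chunks and recovers the embedded timestamps (the `tIME` last-modification chunk and any `Creation Time` text chunk), while also verifying each chunk's CRC so that a tampered or corrupted chunk is flagged rather than silently trusted. The sample PNG and its March 2006 date are constructed inline for the demonstration.

```python
import struct
import zlib
from datetime import datetime

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def iter_png_chunks(data: bytes):
    """Yield (type, body, crc_ok) for every chunk in a PNG byte string.

    PNG layout: 8-byte signature, then chunks of
    4-byte big-endian length | 4-byte type | body | 4-byte CRC over type+body.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        crc_ok = (len(crc_bytes) == 4
                  and struct.unpack(">I", crc_bytes)[0] == (zlib.crc32(ctype + body) & 0xFFFFFFFF))
        yield ctype, body, crc_ok
        pos += 12 + length
        if ctype == b"IEND":
            break


def png_timestamps(data: bytes) -> dict:
    """Collect timestamp evidence from a PNG.

    Returns:
      modified     - datetime from the tIME chunk (last modification time per the
                     PNG spec, not creation time), or None if absent
      text         - key/value pairs from tEXt chunks (e.g. "Creation Time")
      crc_failures - chunk types whose CRC did not verify (possible tampering or damage)
    """
    result = {"modified": None, "text": {}, "crc_failures": []}
    for ctype, body, crc_ok in iter_png_chunks(data):
        if not crc_ok:
            result["crc_failures"].append(ctype.decode("latin-1"))
        if ctype == b"tIME" and len(body) == 7:
            year, month, day, hour, minute, second = struct.unpack(">HBBBBB", body)
            result["modified"] = datetime(year, month, day, hour, minute, second)
        elif ctype == b"tEXt":
            key, _, value = body.partition(b"\x00")
            result["text"][key.decode("latin-1")] = value.decode("latin-1")
    return result


def build_chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk with a correct CRC (used only to build the sample)."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_sample_png() -> bytes:
    """Constructed 1x1 grayscale PNG carrying a tIME chunk and a Creation Time tEXt chunk.

    The 2006-03-14 date is a made-up sample value, not data from the report.
    """
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit grayscale
    idat = zlib.compress(b"\x00\x00")                      # filter byte + one pixel
    time_chunk = struct.pack(">HBBBBB", 2006, 3, 14, 10, 30, 0)
    text_chunk = b"Creation Time\x002006-03-14"
    return (PNG_SIGNATURE
            + build_chunk(b"IHDR", ihdr)
            + build_chunk(b"tIME", time_chunk)
            + build_chunk(b"tEXt", text_chunk)
            + build_chunk(b"IDAT", idat)
            + build_chunk(b"IEND", b""))


if __name__ == "__main__":
    print(png_timestamps(make_sample_png()))
```

Embedded timestamps are only one piece of evidence: `tIME` records the last modification rather than the creation, and any metadata can be rewritten by whoever controls the file. Corroborate with an independent signal, as the report does by noting that the image had not appeared anywhere else online, before dating a piece of attack tooling.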

Yet, the attacks were restrained. The US-CCU said investigations into the attacks showed a number of Georgian critical infrastructures were accessible over the Internet at the time the Russian military launched their assault. However, they were left untouched despite the technical expertise of some of the cyber attackers. “The fact that physically destructive cyber attacks were not carried out against Georgian critical infrastructure industries suggests that someone on the Russian side was exercising considerable restraint.”

This point was reiterated when The Tech Herald spoke to Scott Borg, director and chief economist with US-CCU. We spoke to Borg on a number of things, but the first thing we wanted to know was why the Russian organized criminal community would help the military: where was their financial gain?

We asked this question, partly because of the connection to organized crime, as it is well-known those criminals do nothing unless there is something in it for them, and because of the section of the US-CCU report dealing with strategic consequences of the cyber campaign. In this section, there is the observation that if “...the conflict is viewed from a broader perspective, encompassing economic and cyber action, the real strategic focus seems to have been the Georgian oil and gas pipelines.”

Borg explained to us that there is considerable financial gain if the Russians undermine confidence in those pipelines. Expanding on the report, he explained that if confidence in those pipelines were lost, anyone who used them would seek alternative routes for their oil and gas, which the Russians can provide, at a higher cost than the Georgians would charge.

Borg’s explanation, as well as the details from the report, makes perfect sense if you look at it from this angle. There is considerable financial gain for both the criminals and the Russian state, which is why it makes sense that the attacks were linked. They started and ended at the same time: when the Russian military launched their ground offensive, the cyber attacks started, and when the military was done, the cyber attacks ended as well.

Borg also told us that it is “…quite possible that the Russians installed Spyware under the cover of all the noise.” That is, while attention was focused on the military operations and the cyber attacks, most officials and network experts were busy dealing with that one issue. With their attention occupied, the attackers could have planted spyware without anyone being the wiser.

If that is the case, Borg is correct when he said it was possible that, “…they [meaning the Russians] laid the ground work for future attacks.”

The report goes on to cover details on methodology, such as using social networking to recruit attackers, followed by the use of various websites to post tools, suggested targets, and instructions for attackers to use. The postings were so complete that recruited attackers could take part in the attacks with little or no computer skills.

In conclusion, the US-CCU said that there needs to be a cyber response force created that could provide assistance to countries that suffer the type of attack seen in Georgia. The response force would work with various CERT agencies, and have agreements and contracts in place that would allow private sector hosting companies and other services to be brought in if needed.

In addition, the US-CCU called for an internal organization that would offer risk advisories to member countries based on political, economic, and military circumstances, as well as advisories based on signs of actual preparations for a cyber campaign being detected.

The report is not public at this time, but more information about the US-CCU is available on its website.
