Home » Data Protection » Malware/Cybercrime

Industry View

Georgia Cyber Attacks From Russian Government? Not So Fast

It is natural for people to link cyber attacks against Georgia to the Russian government's military actions. But industry expert Gadi Evron says the evidence so far indicates otherwise

By Gadi Evron

August 13, 2008 — CSO —

In recent days, news and government websites in Georgia have suffered DDoS attacks. While these attacks seem to indirectly affect the backbone of the Georgian Internet, it is still there.

News reports popped up everywhere, along with supposedly informed technical analysis, claiming anything from the Georgian Internet routes being hijacked to Russia launching a cyber offensive, but with little proof.

Let's try to understand what is really happening over there, and what it means.

Facts:

1.) There are botnet attacks against Georgian websites.
2.) These attacks affect the Georgian Internet infrastructure indirectly, due to the mass of traffic sent, but the Internet is still very much there.
3.) Some Georgian websites have been defaced with political statements.
4.) Unrelated, a media war is being fought.

Up to the Estonian war, such attacks would be called "hacker enthusiast attacks" or "cyber terrorism" (of the weak sort). Nowadays any attack of a political nature seems to get the "information warfare" tag. When 300 Lithuanian websites were defaced last month, "cyber war" was the buzzword, even though it ended up being an internal Lithuanian matter.

Running security for the Israeli government Internet operation and later founding the Israeli government CERT, I found that such attacks were routine. Seeing the panicked reaction this type of attack has generated seems quaint from my perspective.

Not all fighting is warfare. While Georgia is obviously under DDoS attacks that are political in nature, it doesn't so far seem different from any other online aftermath by fans. Political tensions are always followed with online attacks by sympathizers.

DDoS attacks harm the Internet itself rather than just this or that website, which often requires some of us in the vetted Internet security operations community to get involved in mitigating the attacks, if they don't just drop on their own. Our purpose is not to get involved in any local situation, but rather to preserve our common global critical infrastructure - the Internet.

Could this somehow be indirectly related to Russian military action? Yes, but there is no evidence to indicate it is the case as of yet. If anything, the opposite seems likely at this point in time.

Food for thought: Considering Russia was past playing nice and used real bombs, they could have attacked more strategic targets or eliminated the infrastructure kinetically. At this point, Internet operations will no longer allow them any plausible deniability.

The nature of what's going on is just starting to clear up, but until we are certain anything state-sponsored is happening on the Internet it is my official opinion this is not warfare, but just some unaffiliated attacks by Russian hackers and/or some rioting by enthusiastic Russian supporters.