Georgia Cyber Attacks From Russian Government? Not So Fast

In recent days, news and government websites in Georgia have suffered DDoS attacks. While these attacks seem to indirectly affect the backbone of the Georgian Internet, it is still there.

News reports popped up everywhere, along with supposedly informed technical analysis, claiming anything from the Georgian Internet routes being hijacked to Russia launching a cyber offensive, but with little proof.

Let’s try to understand what is really happening over there, and what it means.

Facts:

• 1.) There are botnet attacks against Georgian websites.
• 2.) These attacks affect the Georgian Internet infrastructure indirectly, due to the mass of traffic sent, but the Internet is still very much there.
• 3.) Some Georgian websites have been defaced with political statements.
• 4.) Unrelated, a media war is being fought.

Up to the Estonian war, such attacks would be called “hacker enthusiast attacks” or “cyber terrorism” (of the weak sort). Nowadays any attack of a political nature seems to get the “information warfare” tag. When 300 Lithuanian websites were defaced last month, “cyber war” was the buzzword, even though it ended up being an internal Lithuanian matter.

Running security for the Israeli government Internet operation and later founding the Israeli government CERT, I found that such attacks were routine. Seeing the panicked reaction this type of attack has generated seems quaint from my perspective.

Not all fighting is warfare. While Georgia is obviously under DDoS attacks that are political in nature, it doesn’t so far seem different from any other online aftermath by fans. Political tensions are always followed with online attacks by sympathizers.

DDoS attacks harm the Internet itself rather than just this or that website, which often requires some of us in the vetted Internet security operations community to get involved in mitigating the attacks, if they don’t just drop on their own. Our purpose is not to get involved in any local situation, but rather to preserve our common global critical infrastructure – the Internet.

Could this somehow be indirectly related to Russian military action? Yes, but there is no evidence to indicate it is the case as of yet. If anything, the opposite seems likely at this point in time.

Food for thought: Considering Russia was past playing nice and used real bombs, they could have attacked more strategic targets or eliminated the infrastructure kinetically. At this point, Internet operations will no longer allow them any plausible deniability.

The nature of what’s going on is just starting to clear up, but until we are certain anything state-sponsored is happening on the Internet it is my official opinion this is not warfare, but just some unaffiliated attacks by Russian hackers and/or some rioting by enthusiastic Russian supporters.

To be honest here, no one truly knows what’s going on in Georgia’s Internet except for what can be glimpsed from the outside, and what has been written by the Georgians on their blog (they opened a blog on Google’s blogger service soon after their websites were taken offline). They were probably a bit busy avoiding getting killed by Russian bombs, though.

Renesys has been following the Georgian Internet links, which seem to be there, but occasionally drop due to power failures. Unlike what was previously reported, most of Georgia’s outgoing routes are connected through Turkey rather than Russia, so Russian Internet service providers had little effect on stopping or hijacking connectivity to or from Georgia, if they indeed attempted it. This, however, raises an interesting question regarding what connectivity smaller countries have to the world, and where the bottlenecks are.

There have also been claims that Russian Business Network (RBN) – a criminal bullet-proof, law-proof, hosting organization – was behind the attacks. There is little evidence to support that at this time, although it has been clearly shown botnets using RBN’s services to stay beyond the reach of the law were part of the attacking force. RBN’s involvement and the possibility that Russian Internet service providers hijacked routes to Georgia is possible, but not enough information has been collected yet for us to be sure.

So it is clear their websites are under attack, and that Internet visibility-wise, the impact is real for the Georgians. And yet, it is simply too early and there is not enough information to call this an Internet war. It is too early to establish motive or who the perpetrator is, however much we may want to point fingers.

Following any political or ethnic tension, an online aftermath comes in the form of attacks, defacements, and enthusiast hackers swearing at the other side (which soon does the same, back). From a comic of the Prophet Muhammad to the war in Iraq, the Internet has given people a voice, even if sometimes expressed in irrational ways.

While Georgia’s suffering is real, such attacks are nothing but routine here in Israel. When I ran the defense for the Israeli government Internet operation and then the Israeli government CERT, such attacks would occur daily if not by the minute. Hackers on the other side would band together, talk, coordinate a date, exchange tools, and attack.

In fact, I unintentionally started bigger so-called “wars” on my own when talking to the Israeli press. One such example was three years ago when 180 Israeli websites were defaced by unaffiliated Turkish hackers. Enthusiasts responded to the news story in comments and then attacked the “other side.” I learned to avoid the press on such matters.

While I apologize for the analogy, after 9-11 Israelis were shocked. We were sympathizing, emphasizing and crying for the victims. What we did not understand was why people were still shocked 10 minutes past, as this was a normal every-day life happening for us over here. The same applies for cyberspace, where we have gotten used to this.

The difference in this attack was that the Georgian authorities, like numerous others around the world, were not prepared to fend off such an attack.

In my article “Battling Botnets and Online Mobs” (.pdf) for the Georgetown Journal of International Affairs coverage of the Internet war in Estonia, I quoted Martin van Creveld who predicted how our opponents will no longer be just countries, but organizations, decades ahead of his time. It is my stated belief that on the Internet playing field any individual or loosely affiliated group can be that player in an information warfare scenario.

How will we be able to tell if Russia was somehow sponsoring these attacks? If we end up suspecting it as likely, we probably would still never be able to know with complete certainty. That does not mean Russia won’t make use of these attacks to their benefit. In the aftermath of the Estonian war, Russia used the incident to create a stronger deterrence against the former Eastern-block nations, affecting international politics and the security of the region.

One claim which has been made is that these botnet attacks against Georgia had been staged for a while before the attacks. Shadowserver, as one reliable source, released information that shows how DDoS attacks are a regular occurance, world-wide, and that attacks against Georgian websites before the military engagement in the field in recent days were not necessarily relevant, as sites which were attacked ranged from gambling to pornography rather than political targets.

If it indeed isn’t Russia, who attacked is a much scarier notion as that means this was all done by kids (read amateurs).

Other seemingly unaffiliated action was in the form of spam e-mail messages. Call it outreach, call it propaganda or call it brilliance or even desperate measures, spammers who favor the Georgian side in the recent conflict have been spamming using e-mail to get their point across.

Depending on where in the world you are from, your ideological standpoint on Russia and your beliefs when it comes to what email should be like, you may judge the action as you will. I call it spam.

An Estonian colleague, Viktor Larionov, was quoted as saying that whether there is a cyber war in Georgia or not, we know there is in fact a media war in play just by switching channels between CNN, SkyNews and the two main Russian television channels – ORT and NTV. Both sides portray different facts and opinions.

Taking into consideration recent reports that Georgia has possibly lied about the extent and scope of the Russian attack in order to wage the PR war, everything else about this incident is now once again in question.

On a final note, it is often not understood that brute-force attacks (DDoS) destroy networks, which means most information warfare for much more important purposes such as espionage may lose their effectiveness. This calls for the attacker to consider a cost vs. benefit calculation in addition to deciding to take action.

Gadi Evron is recognized for his work and leadership in Internet security operations and is arguably the world’s top expert on botnets. He is also considered an expert on corporate security, counterespionage and cybercrime. He founded the Israeli Government CERT and chairs worldwide conferences, vetted working groups and task forces. He has authored two books on information security and is a frequent lecturer.