4 X Security Team

In the wake of the Russian-Georgian conflict, a week worth of speculations around Russian Internet forums have finally materialized into a coordinated cyber attack against Georgia’s Internet infrastructure. The attacks have already managed to compromise several government web sites, with continuing DDoS attacks against numerous other Georgian government sites, prompting the government to switch to hosting locations to the U.S, with Georgia’s Ministry of Foreign Affairs undertaking a desperate step in order to disseminate real-time information by moving to a Blogspot account.

Who’s behind it? The infamous Russian Business Network, or literally every Russian supporting Russia’s actions? How coordinated and planned is the cyber attack? And do we actually have a relatively decent example of cyber warfare combining PSYOPs (psychological operations) and self-mobilization of the local Internet users by spreading “For our motherland, brothers!” or “Your country is calling you!” hacktivist messages across web forums. Let’s find out, in-depth.

The attacks originally starting to take place several weeks before the actual “intervention” with Georgia President’s web site coming under DDoS attack from Russian hackers in July, followed by active discussions across the Russian web on whether or not DDoS attacks and web site defacements should in fact be taking place, which would inevitably come as a handy tool to be used against Russian from Western or Pro-Western journalists. The peak of DDoS attack and the actual defacements started taking place as of Friday:

“Several Georgian state computer servers have been under external control since shortly before Russia’s armed intervention into the state commenced on Friday, leaving its online presence in dissaray. While the official website of Mikheil Saakashvili, the Georgian President, has become available again, the central government site, as well as the homepages for the Ministry of Foreign Affairs and Ministry of Defence , remain down. Some commercial websites have also been hijacked.

The Georgian Government said that the disruption was caused by attacks carried out by Russia as part of the ongoing conflict between the two states over the Georgian province of South Ossetia. In a statement released via a replacement website built on Google’s blog-hosting service, the Georgian Ministry of Foreign Affairs said: “A cyber warfare campaign by Russia is seriously disrupting many Georgian websites, including that of the Ministry of Foreign Affairs.”

After defacing Mikheil Saakashvili’s web site and integrating a slideshow portraying Saakashvili as Hitler next to coming up with identical images of both Saakashvili and Hitler’s public appearances, the site remains under a sustained DDoS attack. It’s also interesting to point out that the an average script kiddie wouldn’t bother, or wouldn’t even understand the PSYOPs effect of coming up with identical gestures of both parties and integrating them within the defaced sites.

What am I trying to imply? It smells like a three letter intelligence agency’s propaganda arm has managed to somehow supply the creative for the defacement of Georgia President’s official web site, thereby forgetting a simple rule of engagement in such a conflict - risk forwarding the responsibility of the attack to each and every Russian or Russian supporter that ever attacked Georgian sites using publicly obtainable DDoS attack tools in a coordinated fashion.

The DDoS attacks are so sustained that Georgian President’s web site has recently moved to Atlanta :

“The original servers located in the country of Georgia were “flooded and blocked by Russians” over the weekend, Nino Doijashvili, chief executive of Atlanta-based hosting company Tulip Systems Inc., said Monday.

The Georgian-born Doijashvili happened to be on vacation in Georgia when fighting broke out on Friday. She cold-called the government to offer her help and transferred president.gov.ge and rustavi2.com, the Web site of a prominent Georgian TV station, to her company’s servers Saturday.”

More defacements of news sites and popular Georgian portals started taking place as well :

“Two news websites run by breakaway South Ossetia were hacked on Tuesday morning, officials from the secessionist authorities said. The front page of the website of the news agency, OSinform - osinform.ru - which is run by the breakaway region’s state radio and television station IR - retained the agency’s header and logo, but otherwize the entire page was featuring Alania TV’s website content, including its news and images. Alania TV is supported by the Georgian government, and targets audiences in the breakaway region. Another website of the breakaway region’s radio and television station - osradio.ru – was also hacked. Alania TV has denied any involvement, saying it was itself surprised to see its content on the rival news agency’s website.”

Ironically, shortly after Civil.ge ran the story, it came under DDoS attack, and — just like Georgia’s Ministry of Foreign Affairs — it switched to a Blogger account in case the site remained unavailable. Moreover, the Shadowserver posted more details on the command and control servers used in the DDoS attacks, which geolocate back to Turkey and continue to remain online.

“With the recent events in Georgia, we are now seeing new attacks against .ge sites. www.parliament.ge & president.gov.ge are currently being hit with http floods. In this case, the C&C server involved is at IP address 79.135.167.22 which is located in Turkey. We are also observing this C&C as directing attacks against www.skandaly .ru. Traffic from your network to this IP or domain name of googlecomaolcomyahoocomaboutcom .net may indicate compromise and participation in these attacks.”

As always, this is just the tip of the iceberg, since on 79.135.167.22 we also have several other parked botnet command and control locations, like the following :

emultrix .org
yandexshit .com
ad.yandexshit .com
a-nahui-vse-zaebalo-v-pizdu .com
killgay .com
ns1.guagaga .net
ns2.guagaga .net
ohueli .net
pizdos .net

Let’s analyze the exact way in which the coordinated cyber attack was planned, a weekend’s worth of monitoring their activities :

- distribute a static list of targets, eliminate centralized coordination of the attack

Who was the only person ever arrested for participating in the Russian vs Estonia cyber “shock and awe” attack? A student who distributed a publicly available list of Estonian government web sites. In the ongoing Russian vs Georgia cyber war, we also have an indication of such lists actively distributed across Russian web forums. And now that the targets to be attacked are publicly known, it’s all up to the self-mobilization of the Russian Internet users.

As always, next to the hardcore hacktivists participating in the attack, there are the copycat script kiddies who seem to have found a way to enjoy the media interest into the individuals behind it. Sadly, they have no idea what they’re doing, nor how to do it. Here’s one such group, stopgeorgia.ru/stopgeorgia.info :

“We - the representatives of Russian hako-underground, will not tolerate provocation by the Georgian in all its manifestations. We want to live in a free world, but exist in a free-aggression and lies Setevom space. We do not need the guidance from the authorities or other persons, and operates in accordance with their beliefs based on patriotism, conscience and belief. You can call us criminals and cyber-terrorists, razvyazyvaya with war and killing people. But we will fight and unacceptable aggression against Russia in Space Network. We demand the cessation of attacks on information and government resources Runeta, as well as appeal to all media and journalists with a request to cover events objectively. Until the situation has changed, we will attack the Georgian government and information resources. Do not we have launched an information war, we are not responsible for its consequences. We call for the assistance of all who care about the lies of Georgian political sites, everyone who is able to inhibit the spread of black information. There is one formal mirror project - www.stopgeorgia.info. All other resources have nothing to do with the movement StopGeorgia.ru.

DRAFT IS UNDER WWW.STOPGEORGIA.RU. IN CASE OF USE NEDOSTUPNOSTI MIRROR PROJECT - WWW.STOPGEORGIA.INFO.”

- engaging the average internet users, empower them with DoS tools

Following a basic cyber warfare rule, that the masses are sometimes more powerful than the botnet master’s willingness to sacrifice hundreds and thousands of his bots, the current campaign has also thought of the average Internet users who are encouraged to use a plain simple HTTP flooder distributed for this purpose. The concept is nothing new; in fact, this is state of the art cyber warfare combining all the success factors for total outsourcing of the bandwidth capacity and legal responsibility to the average Internet user. Moreover, next to the do-it-yourself tools released, end users who are not so technologically sophisticated are given instructions on how to ping flood Georgian government web sites

- distribute lists of remotely SQL injectable Georgian sites

The last time we witnessed such a tactic aiming to achieve a great deal of efficiency by basically integrating a list of remotely SQL injectable sites into a web site defacement tool, was in May’s cyber conflict where Pro-Serbian hacktivists were attacking Albanian web sites by doing exactly the same thing. Surprisingly, Russian hackers have also started distributing lists of Georgian sites vulnerable to remote SQL injections, allowing them to automatically deface them

- abuse public lists of email addresses of Georgian politicians for spamming and targeted attacks

As it appears, a publicly available list of Georgian politics originally created by a lobbying organization, has started to circulate in an attempt to convince Russian hackers of the potential for abusing it in spamming attacks and targeted attacks presumably serving malware through live exploit URLs

- destroy the adversary’s ability to communicate using the usual channels

It’s been a while since I’ve last seen such a pro-active attempt to deny Georgian hackers the ability to communicate though their usual channels. One of Georgia’s most popular hacking forums has been down for over 24 hours and continues to be under a permanent DDoS attack on behalf of Russian hackers who have on purposely raised the issue of ensuring that they are unable to reach the local hacktivists and one another. No matter the attack, one should never underestimate other’s people’s ability to adapt to a certain situation - The Russian News and Information Agency - RIA Novost, was also a DDoS attack on Sunday :

“RIA Novosti news agency’s website was disabled for several hours on Sunday by a series of hacker attacks, as the conflict between Russia and Georgia over breakaway South Ossetia continued for a third day. Websites in both Russia and Georgia have been hit by cyber attacks since Georgia launched a major ground and air offensive to seize control of South Ossetia on Friday. Russia responded by sending in tanks and hundreds of troops. “The DNS-servers and the site itself have been coming under severe attack,” said Maxim Kuznetsov, head of the RIA Novosti IT department. RIA Novosti’s servers are now functioning as normal.”

The aggressiveness of the attacks is prone to accelerate in the next couple of days, due to the combination of the attacks tactics used, engaging even the less technical hacktivists next to the more sophisticated botnet master. Realizing what’s coming, Estonia has informally offered help to Georgia :

“Estonian officials say that the DDoS attacks targeted against Georgia were very similar to the attacks made against Estonian websites in 2007 after the removal of the Bronze Soldier monument. Unofficially, Estonia and Georgia have been discussing the possibility to send a special team of online security specialists to Georgia. A representative of the Development Centre of State Information Systems said that by now Georgia has not yet made a formal proposal. “This will be decided by the government,” said the official.”

Who’s behind this campaign at the bottom line? As we’ve already established a connection with well known provider of botnet services in the previous attack against Georgia President’s web site, a connection made possible to establish due to a minor mistake on behalf of the people behind the attack, there’s no connection with the current attacks and the Russian Business Network, unless of course you define the Russian Business Network as the script kiddies and the dozen of botnet masters paricipating who have somehow managed to build their botnets using RBN services in the past, and are now using them against Georgia’s Internet infrastructure.

Overall, contingency planning in times when you need to spread a message about what’s going in your country, but have you official government sites logically the de facto information sources in such cases shut down, is crucial for reaching out to the rest of the world who would disseminate the message using the long tail. Then again, this is perhaps the first time in such a cyber conflict –aiming to deny the targeted country’s ability to reach the world with real-time information on the real-life warfare events — where the targeted country is urging others to obtain this information through a third country President’s web site, in this case Poland, and using a blog to do so.

[Source: zdnet]