News

Russian Military, Organized Crime Involved in Georgia Cyberattacks

• By William Jackson
• 08/17/2009

Denial-of-service (DoS) and Web defacement attacks launched last year against Georgian Web sites were carried out by Russian civilians and sympathizers rather than the government, but were coordinated with the invasion of the former Soviet state and had the cooperation of both the Russian military and organized crime, according to a report being released today to U.S. government officials.

This coordination and military and cyberattacks could be the shape of warfare to come, said the U.S. Cyber Consequences Unit (US-CCU), an independent research institute that did the study.

"I think we have a pattern here that is going to be repeated with variations," in future conflicts, said Scott Borg, US-CCU director and chief economist.

Although the attacks themselves were unsophisticated and had little lasting impact, the tools and techniques used to launch them were sophisticated and showed signs of long-term planning, and they successfully interfered with the Georgian government's ability to gain and disseminate accurate information.

"The cyber campaign against Georgia must also be seen as part of a longer-term effort by Russia and other countries to test the uses of cyberattacks and the international response to them," the report says. Given the campaign's success and the lack of international response, "it would be very surprising if most future disputes and conflicts involving Russia and its former possessions or satellites weren't accompanied by cyber campaigns."

The US-CCU studies the real-world impact of hacking and other cyber hostilities on infrastructures and the institutions those infrastructures support. It was informed of the Georgian attacks almost immediately after they began on Aug. 7, 2008, and was able to monitor them through Aug. 16. Over the last year, the institute has studied logs and records of the attacks and examined the attack scripts themselves. The full 100-page report on the incident is being released only to U.S. government officials and select security professionals.

Attackers and activities showed "every sign of being civilian," but although there was little or no direct government involvement the attacks were timed to coordinate with military activities and demonstrated knowledge of the military plans.

"Many of the actions the attackers carried out, such as registering new domain names and putting up new Web sites, were accomplished so quickly that all of the steps had to have been prepared earlier," the report said. "Given the speed of action, the signal to go ahead also had to have been sent before the news media and general public were aware of what was happening militarily."

The Georgian campaign was not the first time military and cyber activities were combined, Borg said. "The Chinese have done this," he said, and the Russians appear to have done it in Estonia in 2007 and Lithuania in 2008. But, "I think this is a level of coordination and information sharing beyond what we have seen" between the military and their civilian supporters.

The attacks came in two waves. The initial wave used botnets apparently controlled by Russian organized crime to launch DoS attacks against Georgian government and news sites. A second wave recruited sympathizers in other countries through social networking sites and hacker forums and posted attack tools to enable them to launch their own attacks. The second wave expanded targets from an initial 11 sites to 43 others, including financial services and business sites as well as additional government sites.

The attacks used customized tools, the most effective of which was an HTTP-based attack that flooded servers with requests for nonexistent pages.

"The servers attacked by this tool rapidly exhausted their computing capacity searching for the pages that weren't there," the report said. "This tool, as posted, simultaneously targeted 17 different Georgian Web sites."

The US-CCU concluded that the attacks "significantly impeded" the ability of the Georgian government to respond to the invasion, interfering with its communications with the public and disrupting financial transactions.

"The channels of communication that were seriously disrupted during parts of the cyber campaign included e-mails, land-line phone calls and cell phones," the report said. The National Bank of Georgia was forced offline for 10 days, stopping most financial transactions.

Although little long-term damage appears to have been done by the attacks, the report raises the possibility that the DoS attacks could have been used as cover to insert spyware and other malware into critical systems, especially given the apparent cooperation of organized crime and the fact that financial institutions were targeted. "It would be surprising if some of the professional criminals involved didn't also try to exploit the situation for future financial gains," it said.

The US-CCU concluded that there is a need for an international organization to act as a global computer emergency response team to monitor political, economic and military conditions and look for warning signs of preparations for cyberattacks, providing early warning to likely targets. The Georgian attacks probably could have been predicted and mitigated, it said.

"There is an urgent need for an international cyber response force that could provide quick reactionary assistance to member countries, advising them on what to do and setting up the operations to do it," the report said.