Here are more of the details emerging from a series of forensic studies of the cyberattacks on Georgia, analyses that have been ongoing since the attack, launched by Russians and their sympathizers, started in the summer of 2008.
The data is in a new paper, only parts of which are available to the public, put together by John Bumgarner, research director for security technology, and Scott Borg, director and chief economist of the U.S. Cyber Consequences Unit. The researchers were able to monitor attack activity over the internet as it was taking place. They also collected data after the conflict from web caches, companies hosting websites and the forums used by attackers. The information included extensive network traffic and security logs.
While the attack itself is riveting because of its scale and military impact, Bumgarner cautions readers to look at the larger implications.
“It's the sort of cyber campaign that we can now expect to accompany most future international conflicts,” he says in an interview with Aviation Week. “This is what makes some of the details about the way the Georgia campaign was managed pretty interesting. Russia is likely to run this playbook again with minor adjustments.”
Bumgarner points to the implications of aligning waves of cyber attacks with the traditional military doctrine of first destroying and disrupting enemy communications. The attacks continued for weeks after ground operations ceased.
Another striking revelation for the researchers was “how quickly a common citizen can be transformed into a foot soldier in a cyber conflict,” Bumgarner says. “Patriotic rhetoric on social networking forums was instrumental in the recruitment of individuals into a cyber army, which was needed to carry out the disruptive attacks against Georgian targets. This has shifted the role of the soldier onto the shoulders of civilians. [Moreover,] Cyber attacks such as those conducted on Georgia via civilian proxy allow for plausible deniability.”
The cyber attacks were carried out by civilians with little or no direct involvement by the Russian government or military, the researchers found. Most of those launching the attacks were Russians, but sympathizers from the Ukraine and Latvia also participated.
There appeared to be a strategic focus on Georgian oil and gas pipelines which are in competition with Russia, the report states. Occupation of ports and railroad lines coupled with cyberattacks “soon made all of the Georgian pipelines seem unreliable,” it says. “BP Azerbaijan shift[ed] its oil transport to the Russian Baku-Novorossiisk pipeline even though the costs were double those of the Georgian pipelines.”
Organizers of the cyberattacks had advance notice of Russian military intentions and were tipped off about the timing of operations, the report says. The cyberattacks began with no reconnaissance or mapping stages and jumped directly to packets that were best suited to jamming the targeted web sites. Recruiting and arming participants for cyberattack was done on forums devoted to dating, hobbies, politics and other shared interests. All but one of the main forums were in Russian. The single English forum was hosted in San Francisco.
Some webservers and addresses used to control and coordinate attacks had been used by Russian criminal organizations. Several were simultaneously hosting software for other cybercrime activities, Bumgarner discovered. Some zombie computers were used temporarily for criminal attacks on e-commerce sites. Specific botnets also were closely associated with Russian organized crime.
Website postings were so productive that a further 43 targets were shut down or defaced in addition to the original 11, the report says. Postings contained both the cyberattack tools and lists of suggested targets. Three software applications flooded webservers with HTTP packets. A fourth was used to request random, non-existent web pages. In forensic tests these proved far more effective than the attacks used against Estonia previously: the servers that were attacked rapidly exhausted their computing capacity searching for pages that weren't there.
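The fourth tool described above is effective because every request for a non-existent page bypasses caches and costs the server a full lookup. From the defender's side, that traffic has a recognizable shape in ordinary web server logs: one source, many requests in a short window, almost all answered with 404, almost none repeating a path. The following detector is an added illustration, not code from the report or the researchers; the log lines it processes are constructed here in Apache combined-log format, and the client addresses, thresholds and window size are assumptions chosen for the example.

```python
"""Flag clients whose requests look like a random-URL 404 flood.

Added example (not from the report). Reads Apache/NGINX combined-log
lines, groups them per client, and slides a time window over each
client's requests looking for the three traits of a non-existent-page
flood: high request rate, high 404 ratio, and high path diversity.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-log prefix: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> dict | None:
    """Return the fields a detector needs, or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_404_floods(
    lines: list[str],
    window: timedelta = timedelta(seconds=10),
    min_requests: int = 20,
    min_404_ratio: float = 0.8,
    min_distinct_ratio: float = 0.8,
) -> dict[str, dict]:
    """Return {ip: stats} for clients whose traffic matches the flood pattern.

    Thresholds are assumptions for the example; tune them against a site's
    own baseline (a crawler hitting stale links produces 404s too, but it
    revisits paths and rarely sustains dozens of misses in ten seconds).
    """
    per_ip: dict[str, list[dict]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)

    flagged: dict[str, dict] = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Advance the window's left edge so it spans at most `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            win = recs[start : end + 1]
            n = len(win)
            if n < min_requests:
                continue
            n404 = sum(1 for r in win if r["status"] == 404)
            distinct = len({r["path"] for r in win})
            if n404 / n >= min_404_ratio and distinct / n >= min_distinct_ratio:
                flagged[ip] = {
                    "requests": n,
                    "not_found": n404,
                    "distinct_paths": distinct,
                    "window_start": win[0]["ts"].isoformat(),
                }
                break  # one alert per client is enough
    return flagged


def sample_log() -> list[str]:
    """Constructed log lines (not real traffic): one benign browsing session
    and one client requesting 30 distinct non-existent pages in five seconds."""
    lines = []
    benign = '198.51.100.4 - - [10/Aug/2008:14:03:%02d +0000] "GET %s HTTP/1.1" %d 512'
    session = [("/", 200), ("/style.css", 200), ("/logo.png", 200), ("/news.html", 200),
               ("/old-link.html", 404), ("/news.html", 200), ("/contact.html", 200),
               ("/favicon.ico", 404)]
    for sec, (path, status) in enumerate(session):
        lines.append(benign % (sec, path, status))
    flood = '203.0.113.7 - - [10/Aug/2008:14:03:%02d +0000] "GET /%08x.html HTTP/1.1" 404 169'
    for i in range(30):
        # Multiplying by an odd constant mod 2**32 yields 30 distinct "random" names.
        lines.append(flood % (i // 6, (i * 2654435761) % 2**32))
    return lines


if __name__ == "__main__":
    for ip, stats in detect_404_floods(sample_log()).items():
        print(f"{ip}: {stats}")
```

Running the block prints one alert for the constructed flooding client and nothing for the browsing session, whose two 404s are far below the request-rate threshold. The distinct-path ratio is what separates this pattern from a client hammering a single missing URL, and it also points at the cheapest mitigation: a static, cache-served 404 response for unknown paths so that each miss no longer costs a backend lookup.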
Attackers refrained from kinetic strikes that would have done lasting physical damage to Georgian infrastructure, news media and communications because those targets “were effectively shut down by cyberattacks,” the report goes on. Nearly all of the successful attacks produced benefits for the Russian military. For example, a website for renting electrical generators was jammed, “presumably … to reinforce the effects of physical strikes on the Georgian power grid.”
Georgian attempts to stop the attacks were fruitless for various reasons.
Filters to block Russian IP addresses and the protocols used by the attackers were evaded by attackers using foreign services to mask their actual IP addresses, Bumgarner found. Finally, Georgia used the same approach to shift its own website hosting to other countries, including Estonia and the U.S., where attack traffic could be more easily filtered and available bandwidth was greater. One counterattack effort came too late. It was a tool posted on Russian websites with instructions for Russian sympathizers to use it against Georgia; in fact, the attack script was designed to attack 19 Russian websites on a pre-loaded target list.