Skip to content
Biz & IT

Russians may not be responsible for cyberattacks on Georgia

New evidence suggests that politically active hackers, rather than the Russian …

Joel Hruska | 0
Story text

Earlier this week, we covered a report from the Georgian Foreign Ministry, claiming that the Russian Business Network (RBN) was actively engaged in cyberwarfare against Georgia—with the blessing and backing of the Russian government. There have been no new reports from that source, but several security experts have spoken up, and raised the question of whether or not the Russian government is actually involved.

According to Gadi Evron, former Chief information security officer (CISO) for the Israeli government's ISP, there's compelling historical evidence to suggest that the Russian military is not involved. He confirms that Georgian websites are under botnet attack, and that yes, these attacks are affecting that country's infrastructure, but then notes that every politically tense moment over the past ten years has been followed by a spate of online attacks. It was only after Estonia made its well-publicized (and ultimately inaccurate) accusations against Russia that such attacks began to be referred to as cyberwarfare instead of politically motivated hackers. Evron writes:

Running security for the Israeli government Internet operation and later the Israeli government CERT such attacks were routine…While Georgia is obviously under a DDoS attacks and it is political in nature, it doesn't so far seem different than any other online after-math by fans. Political tensions are always followed by online attacks by sympathizers. Could this somehow be indirect Russian action? Yes, but considering Russia is past playing nice and uses real bombs, they could have attacked more strategic targets or eliminated the infrastructure kinetically.

Arbor Networks' Jose Nazario offers additional proof of Evron's statements, writing: "While some are speculating about cyber-warfare and state sponsorship, we have no data to indicate anything of the sort at this time. We are seeing some botnets, some well known and some not so well known, take aim at Georgia websites…These attacks were mostly TCP SYN floods with one TCP RST flood in the mix. No ICMP or UDP floods detected here. These attacks were all globally sourced, suggesting a botnet (or multiple botnets) were behind them."

The image below was constructed using data Nazario collected over a period of three weeks, and shows the victims of these DDoS attacks as well as the location of the C&C server issuing the attack commands. According to him, "All of these are HTTP floods (ie rapid fire GET requests)."


Image courtesy of Jose Nazario, Arbor Networks

Given that the posts at RBNExploit finger the Russian Business Network as a part of this attack process, it's not unreasonable to hypothesize that the RBN might be working fist-in-glove with the Russian government, but Evron's wry comment on Russia's capability to destroy Georgian web access kinetically ought not to be dismissed.

The question of whether or not the Russian government backed these online attacks against Georgia is almost beside the point. One of the most basic tenets of conflict, any conflict, is that both attacker and defender must be able to accurately ascertain each others' identity. Throughout most of human history, and as recently as World War II, this was not a problem. With the subsequent rise of guerrilla/terrorist tactics, accurately identifying one's enemy on both an individual and national level has become more difficult, but not necessarily impossible.

Cyberattacks, whether they are government-backed or not, take this obfuscation to the next level. We've tracked the steady evolution of the malware industry from the basement to the big-time, and what is a government, ultimately, but just another customer? More to the point, how does the country being attacked determine if that attack is coming from another nation or a group of politically malcontent, computer-savvy individuals?

It's possible to answer such questions—both Evron and Nazario are in the business of doing so—but the analysis inevitably lags the actual events. The leaders of a nation under fire, as Georgia has been, do not have time to drink a cup of tea and wait for a comprehensive analysis of the situation. As the Internet continues to gain strength as a global communication network, the psychological and practical impact of losing access to it becomes greater. Such loss, combined with a standard physical attack on television and radio stations, could lead a defending nation to respond with a significantly higher use of force that it might have otherwise employed. At that point, the fact that the online attack was launched by political activists, rather than the government, becomes rather academic.

There is one final point I want to touch on that may explain the question Gadi Evron raises, namely, "why have these new attacks been classified as incidents of cyberwarfare, when so many attacks that came before them were not?" The fact that the alleged attacker is Russia, I think, explains much of this response. The Iron Curtain may have come down nearly two decades ago, but most folks over the age of 30 remember the Cold War and occasional Soviet crackdowns on dissident satellite nations all too well. For the citizens of the three nations that have accused Russia of cyberwarfare—Estonia, Lithuania, and Georgia—these weren't simply images on the nightly news, they were real-life events brought to you in living color.

In the years immediately following the end of the Cold War, Russia was far too occupied with its own internal problems to flex much muscle on the international stage, but the country's economy and social stability have improved tremendously even since Boris Yeltsin left office. Former President Vladimir Putin made no secret of his goal to reestablish Russia as a strong international power, and current President Dmitry Medvedev has shown no sign of deviating from that purpose.

Russia may no longer pose the same type of military threat to its former republics and Eastern Bloc neighbors that it once did, but the Russian bear has most definitely awoken, and is flexing its muscles. It's not hard to see how such actions, including the country's flat opposition to further NATO expansion, would make its neighbors very nervous, and could lead to premature accusations before evidence exists to support them.

Joel Hruska
0 Comments

Comments are closed.

Prev story
Next story