August 12, 2008, 3:23 PM — Security researchers Tuesday disputed claims that a well-known Russian hacker hosting network is responsible for cyberattacks against sites belonging to Georgia, the former Soviet republic that has been battling Russian military forces since Friday.
Rather than blame the notorious Russian Business Network (RBN) -- as researcher Jart Armin did over the weekend -- other researchers said Tuesday that it appears the attacks originated from a "hacker militia" of Russian botnet herders and volunteers.
"They mobilize themselves without a need for a central location to do so, distribute the targets, discuss the attack approaches, come up with a plan on the coordination, and you have everyone participating," Bulgarian security researcher Dancho Danchev said in an instant messaging interview early Tuesday.
Danchev and others have found evidence that points to a self-starting militia composed of volunteer hackers and cyber criminals who control large-scale bots, or collections of previously-compromised computers, as behind the escalating attacks that have knocked Georgian sites offline.
"A lot of it started with posting on blogs," said Kimberly Zenz, a senior threat analyst with VeriSign Inc.'s iDefense. "A bunch of youth groups posted something that was almost a manifesto that called on supporter to 'wage an information war' against Georgia."
That call to arms was only one of many, said Zenz and Danchev, both whom noted similarities to the attacks against several hundred Lithuanian Web sites early last month.
But while the forces assembled only appear to be uncoordinated to the untrained eye, they are in fact very coordinated, both researchers argued. In a lengthy blog post on ZDNet, Danchev spelled out the coordinated steps that someone -- or some group -- took to rally the hacker troops and turn them against specific targets.
"In the ongoing Russian versus Georgia cyberwar, we have an indication of lists [of Georgian governmental sites] actively distributed across Russian web forums," said Danchev in the blog entry. He also said there were signs that hackers had been provided simple distributed-denial-of-service (DDoS) tools, and that lists of Georgian sites vulnerable to SQL injection attacks had been circulating.
"Someone is coordinating activities," said Zenz, "by posting on blogs and forums instructions that essentially say 'This is what we're going to do.' But we don't know who's behind that."
That coordination, said Danchev, was sophisticated enough to launch DDoS attacks against one of the most popular hacker forums in Georgia as a preemptive strike. But the attacks weren't entirely successful, since limited retaliations against Russian sites have succeeded. "Georgian hackers, or pro-Georgian hackers, [launched] distributed-denial-of-service [attacks against] RIA Novosti," he said via IM. RIA Novosti is a Moscow-based news service.
The campaign against Georgia is just a sample of what the world should expect when there's armed conflict, said Zenz. "This is what happens," she said, "especially in Russia. Every time something happens, there are attacks. Name any crisis there in the past year, and I can point to a spike in attack traffic."
Russia in particular is well prepared for such militia attacks, agreed Danchev. "Countries visionary enough in the long term, sort of tolerate hacking activities, unless of course they target the country's infrastructure, in order for the country to later on mobilize them based on nationalist sentiments," he pointed out, citing Russia and China as the two biggest examples of nations that have taken to what he called "a people's information warfare concept."
"Russia does view [hackers] as a national asset," Zenz echoed.
Both Zenz and Danchev cited the attacks against Estonia, another former Soviet republic, in April and May 2007 as the first instance of popularized attacks by large numbers of volunteers. According to Danchev, both sides seemed to have learned important lessons from the 2007 campaigns.
"What the attackers learned is that security researchers are actively monitoring their conversations, and so in [the Russo-Georgia] campaign the conversation wasn't happening at the usual 'underground corners' but rather on mainstream forums," he said. "They've also learned how to better utilize the masses to participate in the attack, and that combination of tactics would improve the quality of the campaign."
On the defensive side, Danchev said that tactics used by Georgia, including moving important news to out-of-country blog hosts, showed that its country's IT professionals had picked up a few tricks from the Estonians.
"Both sides adapted," he said.
The future looks a bit grim, added iDefense's director of intelligence, Rick Howard. "Estonia was just the beginning," he said in a statement today. "Anyone picking a political fight with Russia today can now expect to deal with multiple forms and sources of electronic attack; not only from the Russian military, but also from the Russian government's unofficial civilian hacker assets."
Monday, Georgia's foreign ministry, which had shifted content from its usual Web site to a Google blog when the former came under attack, accused Russia of crippling its information infrastructure. "A cyberwarfare campaign by Russia is seriously disrupting many Georgian Web sites, including that of the Ministry of Foreign Affairs," the blog said Monday.
Tuesday morning, Russia's president, Dmitri Medvedev, said he had agreed to a European peace proposal. Fighting, however, was still continuing, according to news reports. Georgian officials also claimed that Russian aircraft had bombed villages after Medvedev's announcement.
