Before the Gunfire, Cyberattacks against Georgia

Här kommer en mycket intressant genomgång av den cyberkrigföring som den Georgiska regeringens drabbades av. Attacken utökades sedan till resten av det georgiska samhället -banker, massmedia, kommunikationsföretag etc.

Det intressanta är ju att man tydligen först ”övade” och finslipade taktiken mot Georgien med ett ”test” anfall den 20 juli. Två och en halv vecka INNAN kriget bröt ut.

För att sedan släppa loss det på allvar i samband med att kriget började den 8 -9 augusti.

Intressant timeing eller hur? Framförallt efter som Ryssland säger att man inte hade EN ANING OM VAD SOM HÄNDE. Och att man inte var förbered på kriget.

Jag redovisar här bara en liten del av det som hände. Materialet är för stort för att redovisas översiktligt i en blogg. Den här attacken var väsentligt mycket större och mer kordinerad jämfört med den som Estland drabbades av 2007.

”On Saturday, the RBN blog, which is run by security researcher Jart Armin, claimed there was a ”full cyber-siege” of Georgia. The RBN blog post claimed that the Russia-based servers AS12389 Rostelecom, AS8342 Rtcomm, and AS8359 Comstar were controlling all traffic to Georgia’s key servers.

According to the blog, German hackers managed to route traffic directly to Georgia through Deutsche Telekom’s AS3320 DTAG server for ”a few hours” on Saturday, but this traffic was intercepted and rerouted through AS8359 Comstar, which is located in Moscow.”

Här är en bild av en liten del av det som hände den 9 augusti. Och hur de Ryska servrarna AS12389 ROSTELECOM, AS8342 RTCOMM, och AS8359 COMSTAR, kontrollerar ALL trafik till de viktiga Georgiska servrarna

               Klicka på bilden så blir den större.

Här är en bild från det St. Petersburgs baserade kriminella nätverket ”the Russian Business Network” (R.B.N.) webbsida som visar hur de attackerar georgiska servrar och webbsidor. Lägg märke till att de även attackerar den Amerikanska Ambassaden i Tiblisi.

”This is ‘stopgeorgia.ru’ which is also utilizing ‘stopgeorgia.info’ as a redirect; the web site itself provides DDos attack tools for download and as the screen grab shows the mostly .ge web sites as priority for attack. Note; also targeted for attack is the US embassy in Tbilisi.”

Klicka på bilden så blir den större. 

Och här en bild på en traceroute som visar hur den Georgiska regeringens hemsida blockeras via TTnet Turkey den 9 augusti.

Klicka på bilden så blir den större.

Läs även andra bloggares åsikter om <a href=”http://bloggar.se/om/F%F6rsvar” rel=”tag”>Försvar</a>

http://www.nytimes.com/2008/08/13/technology/13cyber.html?_r=1&oref=slogin

August 13, 2008

Before the Gunfire, Cyberattacks

By JOHN MARKOFF

Weeks before bombs started falling on Georgia, a security researcher in suburban Massachusetts was watching an attack against the country in cyberspace.

Jose Nazario of Arbor Networks in Lexington noticed a stream of data directed at Georgian government sites containing the message: ”win+love+in+Rusia.”

Other Internet experts in the United States said the attacks against Georgia‘s Internet infrastructure began as early as July 20, with coordinated barrages of millions of requests – known as distributed denial of service, or D.D.O.S., attacks – that overloaded and effectively shut down Georgian servers.

Researchers at Shadowserver, a volunteer group that tracks malicious network activity, reported that the Web site of the Georgian president, Mikheil Saakashvili, had been rendered inoperable for 24 hours by multiple D.D.O.S. attacks. They said the command and control server that directed the attack was based in the United States and had come online several weeks before it began the assault.

As it turns out, the July attack may have been a dress rehearsal for an all-out cyberwar once the shooting started between Georgia and Russia. According to Internet technical experts, it was the first time a known cyberattack had coincided with a shooting war.

But it will likely not be the last, said Bill Woodcock, the research director of the Packet Clearing House, a nonprofit organization that tracks Internet traffic. He said cyberattacks are so inexpensive and easy to mount, with few fingerprints, they will almost certainly remain a feature of modern warfare.

”It costs about 4 cents per machine,” Mr. Woodcock said. ”You could fund an entire cyberwarfare campaign for the cost of replacing a tank tread, so you would be foolish not to.”

Exactly who was behind the cyberattack is not known. The Georgian government blamed Russia for the attacks, but the Russian government said it was not involved. In the end, Georgia, with a population of just 4.6 million and a relative latecomer to the Internet, saw little effect beyond inaccessibility to many of its government Web sites, which limited the government’s ability to spread its message online and to connect with sympathizers around the world during the fighting with Russia.

It ranks 74th out of 234 nations in terms of Internet addresses, behind Nigeria, Bangladesh, Bolivia and El Salvador, according to Renesys, a Manchester, N.H., firm that provides performance data on the state of Internet. Cyberattacks have far less impact on such a country than they might on a more Internet-dependent nation, like Israel, Estonia or the United States, where vital services like transportation, power and banking are tied to the Internet.

In Georgia, media, communications and transportation companies were also attacked, according to security researchers. Shadowserver saw the attack against Georgia spread to computers throughout the government after Russian troops entered the Georgian province of South Ossetia. The National Bank of Georgia‘s Web site was defaced at one point. Images of 20th-century dictators as well as an image of Georgia’s president, Mr. Saakashvili, were placed on the site. ”Could this somehow be indirect Russian action? Yes, but considering Russia is past playing nice and uses real bombs, they could have attacked more strategic targets or eliminated the infrastructure kinetically,” said Gadi Evron, an Israeli network security expert. ”The nature of what’s going on isn’t clear,” he said.

The phrase ”a wilderness of mirrors” usually describes the murky world surrounding opposing intelligence agencies. It also neatly summarizes the array of conflicting facts and accusations encompassing the cyberwar now taking place in tandem with the Russian fighting in Georgia.

In addition to D.D.O.S. attacks that crippled Georgia’s limited Internet infrastructure, researchers said there was evidence of redirection of Internet traffic through Russian telecommunications firms beginning last weekend. The attacks continued on Tuesday, controlled by software programs that were located in hosting centers controlled by a Russian telecommunications firms. A Russian-language Web site, stopgeorgia.ru, also continued to operate and offer software for download used for D.D.O.S. attacks.

Over the weekend a number of American computer security researchers tracking malicious programs known as botnets, which were blasting streams of useless data at Georgian computers, said they saw clear evidence of a shadowy St. Petersburg-based criminal gang known as the Russian Business Network, or R.B.N.

The attackers are using the same tools and the same attack commands that have been used by the R.B.N. and in some cases the attacks are being launched from computers they are known to control,” said Don Jackson, director of threat intelligence for SecureWorks, a computer security firm based in Atlanta.

He noted that in the run-up to the start of the war over the weekend, computer researchers had watched as botnets were ”staged” in preparation for the attack, and then activated shortly before Russian air strikes began on Saturday.

The evidence on R.B.N. and whether it is controlled by, or coordinating with the Russian government remains unclear. The group has been linked to online criminal activities including child pornography, malware, identity theft, phishing and spam. Other computer researchers said that R.B.N.’s role is ambiguous at best. ”We are simply seeing the attacks coming from known hosting services,” said Paul Ferguson, an advanced threat researcher at Trend Micro, an Internet security company based in Cupertino, Calif. A Russian government spokesman said that it was possible that individuals in Russia or elsewhere had taken it upon themselves to start the attacks.

”I cannot exclude this possibility,” Yevgeniy Khorishko, a spokesman for the Russian Embassy in Washington, said. ”There are people who don’t agree with something and they try to express themselves. You have people like this in your country.”

”Jumping to conclusions is premature,” said Mr. Evron, who founded the Israeli Computer Emergency Response Team.

_______________________________________

http://rbnexploit.blogspot.com/2008/08/rbn-georgia-cyberwarfare-2-sat-16-00.html

RBN – Georgia CyberWarfare – 2 – Sat 16 00 East Coast, 20 00 GMT

Firstly welcome to the many blog readers from ”forum.ge”. Allow us to explain what is going on.

You can see and read us, we cannot get to you . Out bound email is also a possible problem so email rbnexploit@gmail.com (if and when you can) to get messages out and we will relay them to their destination.

To explain to everyone else this is a full cyber siege of Georgia‘s cyber space:

As an update; within the community, our friends in Germany had managed to pierce the siege and gain a direct routing to Georgia via AS3320 DTAG Deutsche Telekom for a few hours. this afternoon. For the time being AS8359 COMSTAR Direct Moscow region network CJSC COMSTAR Direct Smolenskaya Sennaya Sq, 27 block 2 119121 Moscow, Russia, have intercepted this and are redirecting this route of cyber traffic via their servers. The good news is other German servers are now also attempting to access Georgia servers directly.

We are receiving further offers to help reroute traffic which is underway in an attempt to lift the siege. Further offers are welcome.

For those of a technical nature we show the latest server routing map (see diagram below) which clearly shows the Russian based servers AS12389 ROSTELECOM, AS8342 RTCOMM, and AS8359 COMSTAR, controlling all traffic to Georgia’s key servers. For example here AS28751 CAUCASUS NET AS Caucasus Network Tbilisi, Georgia & AS20771 DeltaNet Autonomous System DeltaNet ltd 0179 Tbilisi Georgia

Even the Turkish (often RBN controlled) server AS9121 TTNet is now being blocked via COMSTAR, we understand via colleagues in Istanbul, the Turkish authorities are trying to regain control of these servers and provide direct routing to Georgia.

At this time all Georgia government web sites are unobtainable from US, UK, FR, and DE cyber space, as examples. All blog colleagues elsewhere please contact us if you are able to gain direct web access inbound.

We also relay, as requested, the warning not to depend on any web sites that ‘appear’ of a Georgia official source, but are without any recent statements i.e. Friday / Saturday Aug 8/9, as these are likely to be fraudulent.

_____________________________________________

http://rbnexploit.blogspot.com/2008/08/rbn-georgia-cyberwarfare.html

RBN (Russian Business Network) now nationalized, invades Georgia Cyber Space

Sat – 2008 08 09 5:00 EST (click on figs for larger size)

As requested by community relay, the following is a report on the cyber war underway in parallel with conventional warfare. Many of Georgia’s internet servers were under external control from late Thursday, Russia’s invasion of Georgia commenced on Friday. It is further requested of any blog reader the information below is further relayed to the International Press and Community to ensure awareness of this situation. Also as much of Georgia’s cyberspace is now under unauthorized external control the following official press statement is circulated without modification. Report on the cyberwar below:

Official Press Statement from the Government of Georgia

Georgia seeks peaceful resolution to the conflict in South Ossetia Georgian troops mobilize to protect civilian population from rebel attacks TBILISI – Sat 09 August 2008 –

The Government of Georgia has sought to defuse the tense and violent situation in the South Ossetia region yesterday by declaring a unilateral ceasefire and appealing to the leadership of the separatist rebels to begin talks with the State Minister for Reintegration Temuri Yakobashvili. Despite calls for peace, separatist rebels continued to attack Georgian police posts and the civilian population.

Initially government forces did not return fire. However, at 8:30pm the village of Avnevi came under fire from separatists and the village was almost completely destroyed. The government-controlled village of Prisi also came under attack by separatists, which left several people wounded.

In response to separatist attacks on government-controlled villages, Georgian Armed Forces occupied several villages in South Ossetia early this morning. At around 5:30am, Russian Federation forces began moving into the conflict zone through the Roki tunnel, which connects Russia and Georgia and has been an entry point for the illegal transfer and sale of arms to separatist rebels. Two additional Russian units entered into Georgia through the Roki tunnel around 8:00am. The first Russian unit that entered Georgia through the Roki tunnel was killed as they attempted to cross the Gufta Bridge, which was also destroyed in the operation conducted by the government’s air command.

The Russian air force has also been conducting military operations in Georgia. Military fighter planes dropped bombs in four towns. The Russian air force also bombed the villages of Variani, injuring seven civilians, and dropped three bombs on Gori. The OSCE has confirmed the Gori operation was conducted by the Russian air force. So far several people have been killed and wounded, including innocent civilians.

In an effort to protect the civilian population, the President of Georgia Mikhail Saakashvili declared a unilateral ceasefire to be in effective between 3:00pm – 6:00pm Friday. During this time, the civilian population and the separatists were invited to cross the line of control. The government has also provided humanitarian assistance and full amnesty for those separatists that choose to surrender. As of 2:30pm, Georgian forces controlled 100% of Tskhinvali with just a few small groups still resisting government presence. Despite the ceasefire, Russia continued to take aggressive military action within Georgian territory.

At 4:30pm and 5:35pm, Russian military aircraft bombed a Georgian military base in Marneuli three times, in the southern part of the country about 30 kilometres from Tbilisi, resulting in the destruction of grounded Georgian military equipment, severe damage to a number of buildings, and several causalities.

Russian military aircraft also entered Georgian airspace at 3:05pm and dropped two bombs on the Georgian military airbase in Vaziani, just on the outskirts of the capital.

For confirmation and current status of the cyberwar:

Example – Nameservers for http://www.itdc.ge Georgia’s web development enterprise are continuously showing : * ns1.garse.net returned (SERVFAIL) * ns2.garse.net returned (SERVFAIL)

Two traceroutes to web site mfa.gov.ge – Georgia Foreign Affairs – show:

(a) From US – Ge = Blocked via TTnet Turkey

(b) From Ukraine – Ge = available & slow; note; cached (forged page),now only via redirect through Bryansk Ru

Other Georgia government websites e.g. mod.gov.ge (Ministry of Defense) – president.gov.ge show:

(c) From US – Ge = Blocked via TTnet Turkey

(d) From Ukraine – Ge = Blocked via TTnet Turkey

Internally – several Georgia based servers now only under external routing control e.g. AS28751 CAUCASUS NET AS Caucasus Network Tbilisi, Georgia & AS20771 DeltaNet Autonomous System DeltaNet ltd 0179 Tbilisi Georgia

Now only available via AS12389 ROSTELECOM AS JSC Rostelecom (Ru) and AS8342 RTCOMM AS RTComm RU Autonomous System (Ru) – servers – Georgia traffic through Deltanet being redirected via TTnet

It should be noted servers; AS8342 RTCOMM (Ru), AS12389 ROSTELECOM (Ru), AS9121 TTNet Autonomous System Turk Telekom (Tk) are well known to be under the control of RBN and influenced by the Russian Government. All efforts are being made to regain server control, and International assistance is requested to provide added Internet routing via neutral cyber space.

____________________________________________

http://news.cnet.com/8301-1009_3-10014150-83.html?hhTest=1

Georgia accuses Russia of coordinated cyberattack

Posted by Tom Espiner The Georgian embassy in the U.K. has accused forces within Russia of launching a coordinated cyberattack against Georgian Web sites, to coincide with military operations in the breakaway region of South Ossetia.

Speaking to ZDNet UK on Monday, a Georgian embassy spokesperson said that Web sites had been unavailable over the weekend, claiming this was due to Russian denial-of-service attacks.

”All Georgian Web sites have been blocked,” said the spokesperson. ”Georgia is working on redirecting Web traffic.”

At the time of writing, the Web site for the Ministry of Defense of Georgia was unavailable for viewing from the U.K. The Web sites for both the Georgian presidential office and the Ministry of Foreign Affairs of Georgia were available, but the spokesperson said this was due to Georgian redirection work.

”They are new (Web sites),” said the spokesperson. ”It was impossible two days ago (to access them).”

However, the spokesperson acknowledged that, as yet, Georgia could not confirm that Russia had been responsible, as the causes were still ”under investigation.” But the spokesperson asked: ”Who else might it be, though?”

In 2007, disruptions of Internet service in Estonia–like Georgia, formerly a political division of the Russia-dominated Soviet Union–prompted talk of those events as possibly the first-ever cyberwar. The exact nature of the disruptions, and who might be to blame, proved hard to pin down.

The Russian embassy in London said it had no information regarding cyberattacks against Georgia, but insisted there had been no military attack against Georgia. ”I’d like to draw attention to a misunderstanding,” said a Russian embassy spokesperson. There is no Russian (military) attack. There is peace enforcement in South Ossetia.”

According to a post on the Web site of the president of Poland, Lech Kaczynski, the Russian government blocked Georgian Web sites to coincide with ”military aggression.”

”Along with military aggression, the Russian Federation is blocking Georgian internet portals,” read a statement on the Polish presidential Web site. ”On request of the president of Georgia, the president of the Republic of Poland has provided the Web site of the president of Poland for dissemination of information.”

One of the statements made by the Georgian government on the Polish presidential Web site accused the Russians of bombing the port of Poti on the Black Sea, ”far from South Ossetia,” and of sending warships into the area.

”(Poti) serves as a vital energy-transit route to Europe,” read the statement. ”Over the past 48 hours, Russian forces have killed over 100 Georgian civilians and soldiers, after targeting residential complexes in Georgia, as well as airports, bases, and other vital infrastructure.”

A ”full cybersiege”?

The RBN Web site, which normally attempts to track the activities of the criminal Russia Business Network, kept a running commentary of technical developments over the weekend.

On Saturday, the RBN blog, which is run by security researcher Jart Armin, claimed there was a ”full cyber-siege” of Georgia. The RBN blog post claimed that the Russia-based servers AS12389 Rostelecom, AS8342 Rtcomm, and AS8359 Comstar were controlling all traffic to Georgia‘s key servers.

According to the blog, German hackers managed to route traffic directly to Georgia through Deutsche Telekom’s AS3320 DTAG server for ”a few hours” on Saturday, but this traffic was intercepted and rerouted through AS8359 Comstar, which is located in Moscow.

The RBN Web site also warned users not to trust any Web sites that appeared to be maintained by the Georgian government but did not have any statements about the weekend’s hostilities, as these had likely been intercepted and altered.

Security organization the Shadowserver Foundation reported in an update to an earlier blog post that it was also seeing cyberattacks directed against ”.ge” sites, with the Georgian Web sites being hit with HTTP floods. Shadowserver reported that the command-and-control server being used to launch the attacks was located in Turkey.

In July, Shadowserver security volunteer Steven Adair reported that the president of Georgia’s Web site had suffered a denial-of-service attack following a buildup of hostilities between Russia and Georgia over South Ossetia.

Tom Espiner of ZDNet UK reported from London.

Background information provided by CNET’s Rob Vamosi

Advertisements

Etiketter: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

2 svar to “Before the Gunfire, Cyberattacks against Georgia”

  1. Russia’s Disinformation Campaign over South Ossetia « UD/RK Samhälls Debatt Says:

    […] Disinformation Campaign over South Ossetia Som ett komplement till mitt inlägg Before the Gunfire, Cyberattacks against Georgia där det visade sig att den ryska sidan först “övade” och finslipade taktiken mot […]

  2. Russia’s War in Georgia and the background chronology to it « UD/RK Samhälls Debatt Says:

    […] till mina tidigare inlägg Russia’s Disinformation Campaign over South Ossetia och Before the Gunfire, Cyberattacks against Georgia kommer här en mycket intressant kronologi over händelseutvecklingen som lede fram till Rysslands […]

Kommentera

Fyll i dina uppgifter nedan eller klicka på en ikon för att logga in:

WordPress.com Logo

Du kommenterar med ditt WordPress.com-konto. Logga ut / Ändra )

Twitter-bild

Du kommenterar med ditt Twitter-konto. Logga ut / Ändra )

Facebook-foto

Du kommenterar med ditt Facebook-konto. Logga ut / Ändra )

Google+ photo

Du kommenterar med ditt Google+-konto. Logga ut / Ändra )

Ansluter till %s


%d bloggare gillar detta: