# cyber-wars



## JackD (13 Aug 2008)

I found this article on the New York Times website:

August 13, 2008
Before the Gunfire, Cyberattacks
By JOHN MARKOFF
Weeks before bombs started falling on Georgia, a security researcher in suburban Massachusetts was watching an attack against the country in cyberspace.

Jose Nazario of Arbor Networks in Lexington noticed a stream of data directed at Georgian government sites containing the message: “win+love+in+Rusia.”

Other Internet experts in the United States said the attacks against Georgia’s Internet infrastructure began as early as July 20, with coordinated barrages of millions of requests — known as distributed denial of service, or D.D.O.S., attacks — that overloaded and effectively shut down Georgian servers.

Researchers at Shadowserver, a volunteer group that tracks malicious network activity, reported that the Web site of the Georgian president, Mikheil Saakashvili, had been rendered inoperable for 24 hours by multiple D.D.O.S. attacks. They said the command and control server that directed the attack was based in the United States and had come online several weeks before it began the assault. 

As it turns out, the July attack may have been a dress rehearsal for an all-out cyberwar once the shooting started between Georgia and Russia. According to Internet technical experts, it was the first time a known cyberattack had coincided with a shooting war. 

But it will likely not be the last, said Bill Woodcock, the research director of the Packet Clearing House, a nonprofit organization that tracks Internet traffic. He said cyberattacks are so inexpensive and easy to mount, with few fingerprints, they will almost certainly remain a feature of modern warfare. 

“It costs about 4 cents per machine,” Mr. Woodcock said. “You could fund an entire cyberwarfare campaign for the cost of replacing a tank tread, so you would be foolish not to.”

Exactly who was behind the cyberattack is not known. The Georgian government blamed Russia for the attacks, but the Russian government said it was not involved. In the end, Georgia, with a population of just 4.6 million and a relative latecomer to the Internet, saw little effect beyond inaccessibility to many of its government Web sites, which limited the government’s ability to spread its message online and to connect with sympathizers around the world during the fighting with Russia.

It ranks 74th out of 234 nations in terms of Internet addresses, behind Nigeria, Bangladesh, Bolivia and El Salvador. Cyberattacks have far less impact on such a country than they might on a more Internet-dependent nation, like Israel, Estonia or the United States, where vital services like transportation, power and banking are tied to the Internet.

In Georgia, media, communications and transportation companies were also attacked, according to security researchers. Shadowserver saw the attack against Georgia spread to computers throughout the government after Russian troops entered the Georgian province of South Ossetia. The National Bank of Georgia’s Web site was defaced at one point. Images of 20th-century dictators as well as an image of Georgia’s president, Mr. Saakashvili, were placed on the site. “Could this somehow be indirect Russian action? Yes, but considering Russia is past playing nice and uses real bombs, they could have attacked more strategic targets or eliminated the infrastructure kinetically,” said Gadi Evron, an Israeli network security expert. “The nature of what’s going on isn’t clear,” he said.

The phrase “a wilderness of mirrors” usually describes the murky world surrounding opposing intelligence agencies. It also neatly summarizes the array of conflicting facts and accusations encompassing the cyberwar now taking place in tandem with the Russian fighting in Georgia.

In addition to D.D.O.S. attacks that crippled Georgia’s limited Internet infrastructure, researchers said there was evidence of redirection of Internet traffic through Russian telecommunications firms beginning last weekend. The attacks continued on Tuesday, controlled by software programs that were located in hosting centers controlled by a Russian telecommunications firm. A Russian-language Web site, stopgeorgia.ru, also continued to operate and offer software for download used for D.D.O.S. attacks.

Over the weekend a number of American computer security researchers tracking malicious programs known as botnets, which were blasting streams of useless data at Georgian computers, said they saw clear evidence of a shadowy St. Petersburg-based criminal gang known as the Russian Business Network, or R.B.N. 

“The attackers are using the same tools and the same attack commands that have been used by the R.B.N. and in some cases the attacks are being launched from computers they are known to control,” said Don Jackson, director of threat intelligence for SecureWorks, a computer security firm based in Atlanta.

He noted that in the run-up to the start of the war over the weekend, computer researchers had watched as botnets were “staged” in preparation for the attack, and then activated shortly before Russian air strikes began on Saturday.

The evidence on R.B.N. and whether it is controlled by, or coordinating with the Russian government remains unclear. The group has been linked to online criminal activities including child pornography, malware, identity theft, phishing and spam. Other computer researchers said that R.B.N.’s role is ambiguous at best. “We are simply seeing the attacks coming from known hosting services,” said Paul Ferguson, an advanced threat researcher at Trend Micro, an Internet security company based in Cupertino, Calif. A Russian government spokesman said that it was possible that individuals in Russia or elsewhere had taken it upon themselves to start the attacks.

“I cannot exclude this possibility,” Yevgeniy Khorishko, a spokesman for the Russian Embassy in Washington, said. “There are people who don’t agree with something and they try to express themselves. You have people like this in your country.”

“Jumping to conclusions is premature,” said Mr. Evron, who founded the Israeli Computer Emergency Response Team. 
http://www.nytimes.com/2008/08/13/technology/13cyber.html?_r=1&th=&emc=th&pagewanted=print&oref=slogin

Similar attacks - if I remember correctly - have been directed towards Lithuania and Estonia.... another dimension to the on-going war?


----------



## geo (13 Aug 2008)

Interesting that these DDOS attacks have been directed at Georgia for the last month.
Does anyone know if any other country in the world was being targeted with this attention at the same time ???

The fact that Georgia has limited internet access & services is beside the point.  The fact that attacks were initiated against them a month before people started throwing shells at each other is significant.


----------



## stegner (13 Aug 2008)

> Interesting that these DDOS attacks have been directed at Georgia for the last month.
> Does anyone know if any other country in the world was being targeted with this attention at the same time ???
> 
> The fact that Georgia has limited internet access & services is beside the point.  The fact that attacks were initiated against them a month before people started throwing shells at each other is significant.



Not really, tensions have been quite high between the two for a long time, especially the past year.  http://www.youtube.com/watch?v=BypnhFI7HGY  http://www.youtube.com/watch?v=TZtIjN78T4A 
http://www.youtube.com/watch?v=F2WcXZ9oWno The Russians were merely probing in the event the hostilities broke out, which was at that time a distinct possibility.


----------



## geo (13 Aug 2008)

stegner.... is that what Russia was doing in the Baltic states a couple of years ago?
Merely probing?  Just in case?


----------



## stegner (13 Aug 2008)

> stegner.... is that what Russia was doing in the Baltic states a couple of years ago?
> Merely probing?  Just in case?



Not sure what you mean exactly.  Please elaborate on what Russia was doing in the Baltics.


----------



## Greymatters (13 Aug 2008)

JackD said:

> Other Internet experts in the United States said the attacks against Georgia’s Internet infrastructure began as early as July 20, with coordinated barrages of millions of requests — known as distributed denial of service, or D.D.O.S., attacks — that overloaded and effectively shut down Georgian servers.



Nice find.  Otherwise known as a 'clue' and a valuable indicator on warning checklists...


----------



## oligarch (13 Aug 2008)

DDoS attacks are pretty easy to orchestrate and they don't require the sponsoring of any government or a large amount of capital. In fact, I can pay a dude who rents some servers 500 bucks and request that Saakashvili's site go down for a day. The question is... why would I want to do that? If we get into more advanced thinking here, with good capital, this stuff could be really powerful.


----------



## geo (13 Aug 2008)

stegner said:

> Not sure what you mean exactly.  Please elaborate on what Russia was doing in the Baltics.



http://www.guardian.co.uk/world/2007/may/17/topstories3.russia

From May 2007....

Russia accused of unleashing cyberwar to disable Estonia
+ Parliament, ministries, banks, media targeted
+ Nato experts sent in to strengthen defences


----------



## armyca08 (14 Aug 2008)

geo said:

> Interesting that these DDOS attacks have been directed at Georgia for the last month.
> Does anyone know if any other country in the world was being targeted with this attention at the same time ???
> 
> The fact that Georgia has limited internet access & services is beside the point.  The fact that attacks were initiated against them a month before people started throwing shells at each other is significant.




That is around 1 week after the Georgians started blocking humanitarian aid from Russia to S.O.

Also the reports say it wasn't "by the government" - Russia has a rather large hacking scene.


Although I'm a little surprised that the GE wasn't able to defend itself against these attacks by blocking IP blocks.

This would be no different than a multitude of other DDOS attacks against various companies.. and websites.


Ha, it is also funny: RBN is the body that saw Putin rise to power in St. Petersburg (his political place of start) with the Business Network there.


I should add though Google has backed Georgia --- openly, including hosting its foreign affairs blog. So said


----------



## Greymatters (14 Aug 2008)

oligarch said:

> DDoS attacks are pretty easy to orchestrate and they don't require the sponsoring of any government or a large amount of capital. In fact, I can pay a dude who rents some servers 500 bucks and request that Saakashvili's site go down for a day. The question is... why would I want to do that? If we get into more advanced thinking here, with good capital, this stuff could be really powerful.



This isn't about shutting down Mom and Dad's family photo homepage, which any Joe Hacker can do.  This is about a sustained operation against targeted nodes of communication for an entire region, over an extended period of time, and it takes more than a bit of hacking expertise to mount and maintain that type of operation, and more than a few bucks.   On top of that, it is in an area of the world where electronic communications are highly monitored, by people who feel quite free to crash in your front door if you show any skill at threatening 'national security' with your patched-together imports.


----------



## armyca08 (15 Aug 2008)

Not sure if you remember when the "underground" knocked down the RIAA - music industry websites, including breaking in and taking their tracks.
http://news.cnet.com/2100-1023-947072.html


this is just one of many times that there has been coordination.. but it really doesn't take a lot - ultimately though the communications companies can filter webstreams to prevent this stuff on all ends... but it seems people let it happen.


----------



## armyca08 (15 Aug 2008)

PS 
"We do not have any solid proof that the people behind this C&C server are Russian."
The program was Machbot.


"Georgian hackers have retaliated with their own cyber attacks on Russian websites"

"The Russian government has officially denied any involvement in the web warfare. "


Anyone who has bots could launch these attacks..

I could download this program - obtain bots through a variety of methods and then point it at

62.168.168.9 - Geo Information 
IP Address 62.168.168.9 
Host web.caucasus.net 
Location  GE, Georgia 
City Tbilisi, 19 - 
Organization Caucasus Network ISP 
ISP Caucasus Network Ltd. 
Latitude 41°72'50" North 
Longitude 44°79'08" East 
Distance 1767.14 km (1098.05 miles) 


and there you have it.... the attack that took down 1 server hosting a bunch of websites.

This is being made to be a lot more than it is to assemble mystique and nostalgia. Trump reporting at its best



Before you go accusing people of doing something you should have actual proof they did it.



Here is what another site says about it summarized:

At least six C&C servers
servers were not able to be shut down over the last year.

Other types of sites targeted by the Georgian Attack C&C servers within the last year:
Adult video websites 
Prostitution websites 
White supremacy websites 
Carder websites (sites that trade in stolen credit card numbers) 
Online gambling websites 
Virtual currency websites (think PayPal, but not nearly that legitimate) 
Russian news websites 
Random Russian websites 
Many other websites


----------



## adaminc (17 Aug 2008)

A simple zombie botnet can easily provide enough computing and network power to DDOS a smaller nation like Georgia.


----------



## a_majoor (17 Nov 2008)

Cyberwar can concentrate on taking out the Internet's chokepoints

http://www.strategypage.com/htmw/htiw/articles/20081117.aspx



> *Squeezing The Chokepoint*
> 
> November 17, 2008: After years of efforts by Internet security firms and volunteer "white hat" (the good guys) hackers, governments are forcing ISPs (Internet Service Providers) to stop providing essential access for Internet criminals. The most recent take-down, of ISP McColo Corporation, caused worldwide spam traffic to decline by over 50 percent in one day. In the past year, two other similar ISPs, the Russian Business Network and Intercage, had similar, but not as dramatic, impact on spam traffic, and Internet based criminal activity in general, when they were shut down.
> 
> ...



The same methodology can be applied to cyberwar as well; seeking out and isolating the servers where DDoS and other cyber attacks against friendly governments and institutions originate.


----------



## Greymatters (26 Nov 2008)

Thucydides said:

> Cyberwar can concentrate on taking out the Internet's chokepoints
> 
> http://www.strategypage.com/htmw/htiw/articles/20081117.aspx
> 
> The same methodology can be applied to cyberwar as well; seeking out and isolating the servers where DDoS and other cyber attacks against friendly governments and institutions originate.



That's a good article - is there a listing somewhere of known sites hosting criminal/fraudulent activities?


----------



## Flanker (27 Nov 2008)

Thucydides said:

> Cyberwar can concentrate on taking out the Internet's chokepoints
> 
> http://www.strategypage.com/htmw/htiw/articles/20081117.aspx
> 
> The same methodology can be applied to cyberwar as well; seeking out and isolating the servers where DDoS and other cyber attacks against friendly governments and institutions originate.



Following your recommendations you will need to isolate like 50% of Internet-connected computers 
FYI, most cyberattacks come from residential PCs from the US or Canada, infected by malware and listening for secret commands from IRC channels.
These PCs are sold en masse at underground markets as well as all required malware, documentation and support services.
So it does not take an Einstein to mount a DDOS attack from anywhere in the world if required. It is very affordable.

Therefore all these insinuations on bad Russians or Chinese hacking "friendly government" sites are just ridiculous.
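Two claims in this thread can be checked against a web server's own logs: armyca08's point that a target could have defended itself by blocking IP blocks, and Flanker's point that flood traffic actually arrives from a great many infected residential PCs at once. The script below is an added example, not code from any poster or from the article. It parses Common Log Format lines, counts requests per source /24 per minute, flags prefixes above a rate threshold, and then reports what share of the traffic blocking those prefixes would have removed. All log lines, addresses (documentation and shared-address ranges) and the threshold are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format: client - - [timestamp] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def log_line(ip, ts):
    """Build one constructed CLF line (sample data, not a real capture)."""
    return '%s - - [%s] "GET / HTTP/1.1" 200 512' % (ip, ts)


def build_sample_log():
    """Constructed log: a little normal traffic, one concentrated burst from a
    single /24, and a diffuse flood spread one request per /24 over many /24s."""
    ts = "11/Aug/2008:10:00:%02d +0000"
    lines = []
    # Normal visitors: five requests spread over the minute.
    for i, sec in enumerate(range(0, 60, 12)):
        lines.append(log_line("198.51.100.%d" % (i + 1), ts % sec))
    # Concentrated burst: 40 hosts in 203.0.113.0/24, 4 requests each (160 total).
    for host in range(1, 41):
        for k in range(4):
            lines.append(log_line("203.0.113.%d" % host, ts % ((host + k) % 60)))
    # Diffuse flood: 90 requests, each from a different /24 (botnet-style spread).
    for n in range(90):
        lines.append(log_line("100.64.%d.7" % n, ts % (n % 60)))
    return lines


def parse_line(line):
    """Return (client_ip, datetime) for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        return m.group(1), datetime.strptime(m.group(2), TS_FORMAT)
    except ValueError:
        return None


def source_prefix(ip):
    """Collapse a client address to its /24 (IPv4) or /64 (IPv6) network."""
    addr = ipaddress.ip_address(ip)
    bits = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network("%s/%d" % (ip, bits), strict=False))


def peak_rpm_by_prefix(lines):
    """Map each source prefix to its highest requests-per-minute count."""
    per_minute = defaultdict(Counter)  # prefix -> Counter(minute -> requests)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip unparsable lines rather than abort the whole pass
        ip, ts = parsed
        per_minute[source_prefix(ip)][ts.replace(second=0)] += 1
    return {prefix: max(c.values()) for prefix, c in per_minute.items()}


def flag_prefixes(lines, threshold_rpm):
    """Prefixes whose peak rate meets the threshold, busiest first."""
    peaks = peak_rpm_by_prefix(lines)
    hot = [(p, r) for p, r in peaks.items() if r >= threshold_rpm]
    return sorted(hot, key=lambda pr: (-pr[1], pr[0]))


def blocked_share(lines, flagged):
    """Fraction of all requests that dropping the flagged prefixes removes.
    A low value alongside many distinct prefixes is the signature of a distributed flood."""
    blocked = {p for p, _ in flagged}
    total = hit = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        total += 1
        if source_prefix(parsed[0]) in blocked:
            hit += 1
    return hit / total if total else 0.0


if __name__ == "__main__":
    log = build_sample_log()
    flagged = flag_prefixes(log, threshold_rpm=50)
    print("flagged prefixes:", flagged)  # [('203.0.113.0/24', 160)]
    print("distinct source prefixes:", len(peak_rpm_by_prefix(log)))  # 92
    print("share removed by blocking flagged prefixes: %.2f" % blocked_share(log, flagged))  # 0.63
```

On the constructed data the per-prefix rule catches the concentrated burst cleanly, but the 90 single-request sources from 90 different networks never cross any per-prefix threshold, so blocking the flagged block removes only about 63 percent of the flood. That gap is the practical limit of "blocking IP blocks" against a botnet spread across residential networks: the hotter the flood is concentrated, the better prefix blocking works; the more it is spread, the more the defence has to move upstream (rate limiting at the edge, upstream filtering by the ISP, or the C&C take-downs the later posts discuss).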


----------

