Topic: Russian Cyber Attacks / Shaping Operations vs Georgia JULY-AUG2008

roo_ster

  • Kakistocracy--It's What's For Dinner.
  • friend
  • Senior Member
  • ***
  • Posts: 21,225
  • Hoist the black flag, and begin slitting throats
The attack on Georgia began before the Georgians shelled S Oss military outpost (placed conveniently next to inhabited residential buildings to maximize collateral damage).

In hindsight, it started on 20JULY2008, with the cyber equivalent of recon by the Russians into the Georgian networks. 

It began in earnest with massive cyber attacks on Georgian communications the day before.

IOW, the Russian attack was planned and was going to happen, sooner or later, no matter if the Georgians shelled the hell outta every S Oss village or went home and had tea.

To answer the question "Why start a cyber attack?" is simple.  At the top level, if you can stifle your enemy's external commo, you can use your media to plant stories: ethnic cleansing, "Georgia started it," all that disinformation.  Also, nowadays much government commo is via the net.  Disrupt that and you slow the responses of your enemy.

Essentially, such a cyber siege is the net equivalent of blowing up telephone exchanges and blasting radio towers.


http://www.popularmechanics.com/blogs/technology_news/4277603.html

Russian troops invaded Georgia's South Ossetia on Friday, but Russian attacks on Georgia's major Web sites and overall Internet access began a day earlier. That's according to Jart Armin, editor of RBNexploit, the community blog that has been leading the reporting and analysis efforts on digital security in Eastern Europe this week, even as Russian officials ordered a stand-down today.

Official Georgian domains are currently so unreliable that the country is now using a Google-run Blogspot Web site to host information from the Georgia Ministry of Foreign Affairs.

RBNexploit describes itself as a small group of concerned Internet security experts who track the cybercriminal activity, specifically of the Russian Business Network (RBN), a group that's been widely associated with criminal activity, most frequently with identity theft, organized crime and denial-of-service attacks. RBNexploit has published a map of Russian attacks on Georgian servers. We spoke on Monday with RBNexploit's editor, digital-security blogger Jart Armin, to try to make sense of the nonphysical elements of Russia's attack on Georgia. Today, Armin followed up with us and reported that Web access in Georgia has improved significantly, partly because the Russian attacks have scaled back and partly because of support provided to Georgia by other European backbone servers. --S.E. Kramer

What is going on in Georgia right now?
The first development of the cyberwar (which is really one-sided), between Russia and Georgia was on the 20th of July when we started to notice some hack attempts on the Web site of the president [Mikheil Saakashvili] of Georgia. They were coming from known cybercriminal servers inside Russia. That hack seemed to be a test because the sites went back online after a few hours and the attacks stopped.

Then, as of last Thursday, came a full-blown attack which can only be described as a cybersiege on the whole of Georgia's Internet space. It's basically being controlled now by a group of five all-Russian servers and one Turkish server, which is under some sort of direction from Russian cyberspace.

You're in a position now where it's very patchy trying to get any Internet communication in and out of Georgia since Thursday. Particularly the president's Web site will come on and then go back off again. Basically the reason [it comes back on] is that there are two sides to this war: people who want to open up and break the siege, and whoever in Russia is controlling this. We believe it's cybercriminal elements hired by the Russian government who are trying to close these routes down as they are opened up.

Does the RBN have a reason to attack Georgia, or do you believe that the Russian government has hired it?
Basically the RBN started as a very crude hacking group, hiring out expensive Web hosting to hide different users, particularly for the use of malware, cybercriminal usage, even child pornography. In the middle of last year, May 2007, we saw the first signs of them being hired [for international attacks] or being used by Russian government groups to actually start to take down Estonian government Web sites, which is pretty well reported. Although those [sites] came back online, what you have seen more recently is the attack on Lithuania's Internet infrastructure, by the same groups and same methods as the RBN used. It just happened to be at the same time as the president [Valdas Adamkus] of Lithuania's visit to Washington, D.C.

It seems to be a pattern: When Russia's neighbors start talking to NATO and get involved with the European community, or work to get better relations with the U.S., they start to come under attack. The attacks are ways of stifling the government's information activities. From Thursday, the day before the Russian troops invaded, you had the full-blown cybersiege in place. Basically no Georgian Web sites were available and a great amount of traffic was stopped. If you actually use the trace routes and see these servers in action, they were simply blockading all routes in and out of Georgia.

How does one fight a war like this? Can you do it from within Georgia? Or once those servers are shut down, is it something that has to be done from outside?
Two things. The smaller neighbors of Russia should watch out who controls their next stage of Internet servers, the actual pipelines. Unfortunately for Georgia, they had an agreement where the main switch for most of Georgia's Internet is through Moscow. Very logically, it's submarine fiber routes; you can read about [it] on the CIA Web site, which actually shows the limitations of Georgia, the near-reliance on physical routing through Russia. Georgia gets taken offline fairly easily because Russia is simply blocking all traffic coming in and out. Estonia learned last year; Lithuania is learning now, as even Ukraine is starting to learn, and a few others; they have to start looking for alternative routing for the Internet for their countries or else they're going to end up in the same situation as Georgia.

The lesson here seems to be "don't route your internet through Russia." Does that mean that it would be harder for companies like the RBN to attack countries that are not near Russia? Does the U.S. have reason to worry?
You're hearing this first: we were given information on tracking of a particular botnet that's being used. This is pretty worrying because it has ended up in a fast-act corporation. This looks like it's actually on U.S. soil now. So part of these attacks can come from many different routes. That's the advantage but also the problem of the Internet. We also saw that one of the main servers of government Web sites in Georgia actually had a U.S. server address. We have not been able to contact that server, which is based in Atlanta, for four days, and the whole server has been offline.

So one can say that this is very worrying for the U.S. and other countries. The problem is that people can simply go on servers and use a credit card to buy whole swaths of Internet space and IP addresses and so on. These can be used as weapons against us as well. It's particularly worrying when you consider how easy it is to acquire some of this routing through U.S. servers or European servers or elsewhere.

The RBN has always been very adept at using these routes because you simply buy them, use a false credit card, use a false name, and register domains under false names, and you're in business.

When do you think Georgia will get its Internet back?
This is a two-way fight. It's interesting to me that one of the major Russian news servers, RIA Novosti, was taken offline on Sunday night/Monday morning. They're back online, but now you have a lot of Russian discussions about how was it that they got attacked. Of course, that's part of what's happening here. You get this level of activity between various factions.

You will start to get this attack and counterattack: people in Georgia and in the world who are looking to return the favor.

Besides counterattacking, is there any way to defend yourself?
One way is not to rely too much on purely directed, solely physical pipelines, as has unfortunately proved a problem for Georgia. It also proves a problem for most of Eastern Europe. Hopefully one of the lessons learned is that these countries start to look at wider Internet services. Governments will start to look at making sure that certain countries don't have a monopoly of control over these pipelines.

Another way is to ensure that you have multiple name servers, which would also have helped Georgia. Let's say their sites were mirrored on U.S. servers, maybe Western Europe, maybe even Asia. This parallel, this mirroring of Web sites helps because even if one server is attacked, at least the other servers could come into action.
Regards,

roo_ster

“Fallacies do not cease to be fallacies because they become fashions.”
----G.K. Chesterton
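
The two defences Armin gives at the end of the article (name servers and mirrors spread across several hosts and countries, and more than one physical route in and out of the country) can be expressed as a single-point-of-failure check over an inventory. The Python below is an added example written for this page, not code from the article, from RBNexploit or from anyone in the thread; the hosts, countries, AS numbers and transit paths in it are constructed sample data using the AS range reserved for documentation, not real Georgian infrastructure.

```python
"""Single-point-of-failure check for a zone's DNS servers and transit paths.

Added example for this page (not from the article or the forum post).
All hosts, countries and AS numbers below are constructed sample data;
the ASNs come from the range RFC 5398 reserves for documentation.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Set, Tuple


@dataclass(frozen=True)
class NameServer:
    host: str      # authoritative server (or a mirror of the site)
    country: str   # ISO country code of the data centre
    asn: int       # autonomous system that hosts it


@dataclass(frozen=True)
class TransitPath:
    name: str
    upstream_asns: Tuple[int, ...]   # ASNs crossed after leaving the zone's own network


def dns_single_points(servers: Sequence[NameServer]) -> List[str]:
    """Attributes whose one value every name server shares.

    Each returned attribute is a single decision (one hosting provider, one
    jurisdiction) that can take every resolver offline at once; an empty list
    means the set is diverse on both axes.
    """
    if len(servers) < 2:
        return ["count"]          # a lone server is a single point of failure by itself
    shared = []
    if len({s.country for s in servers}) == 1:
        shared.append("country")
    if len({s.asn for s in servers}) == 1:
        shared.append("asn")
    return shared


def transit_choke_points(paths: Sequence[TransitPath]) -> Set[int]:
    """ASNs that appear on every path out of the zone's network.

    Any AS in the result can blackhole all of the zone's traffic on its own,
    which is the "main switch through Moscow" situation the article describes.
    """
    if not paths:
        return set()
    common = set(paths[0].upstream_asns)
    for path in paths[1:]:
        common &= set(path.upstream_asns)
    return common


def assess(servers: Sequence[NameServer], paths: Sequence[TransitPath]) -> Dict[str, object]:
    """Combine both checks into one report a defender can act on."""
    dns_issues = dns_single_points(servers)
    chokes = transit_choke_points(paths)
    return {
        "dns_single_points": dns_issues,
        "transit_choke_points": sorted(chokes),
        "resilient": not dns_issues and not chokes,
    }


# Constructed inventory: every server in one country on one AS, and both
# physical routes funnelling through the same upstream (AS 64502).
FRAGILE_NS = (
    NameServer("ns1.example.ge", "GE", 64496),
    NameServer("ns2.example.ge", "GE", 64496),
)
FRAGILE_PATHS = (
    TransitPath("north-land", (64500, 64502, 64504)),
    TransitPath("south-land", (64501, 64502, 64505)),
)

# The same zone after mirroring abroad and adding an independent route.
RESILIENT_NS = (
    NameServer("ns1.example.ge", "GE", 64496),
    NameServer("ns2.example.net", "US", 64497),
    NameServer("ns3.example.eu", "DE", 64498),
)
RESILIENT_PATHS = (
    TransitPath("north-land", (64500, 64502, 64504)),
    TransitPath("submarine", (64503, 64506, 64507)),
)

if __name__ == "__main__":
    for label, ns, paths in (("fragile", FRAGILE_NS, FRAGILE_PATHS),
                             ("resilient", RESILIENT_NS, RESILIENT_PATHS)):
        print(label, assess(ns, paths))
```

The transit check deliberately ignores the zone's own AS and only looks at upstream hops, because the question is who else can cut the country off; feeding it real data means collecting the AS path of each physical route (from traceroute or the provider's BGP view) rather than the constructed tuples above.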

mtnbkr

  • friend
  • Senior Member
  • ***
  • Posts: 15,388
Re: Russian Cyber Attacks / Shaping Operations vs Georgia JULY-AUG2008
« Reply #1 on: August 13, 2008, 07:57:36 AM »
Quote
To answer the question "Why start a cyber attack?" is simple.  At the top level, if you can stifle your enemy's external commo, you can use your media to plant stories: ethnic cleansing, "Georgia started it," all that disinformation.  Also, nowadays much government commo is via the net.  Disrupt that and you slow the responses of your enemy.

Essentially, such a cyber siege is the net equivalent of blowing up telephone exchanges and blasting radio towers.

Not to keep beating the amateur radio drum, but this is exactly why "ham radio" is an important tool even in today's world of the Internet and cellphones.  An enemy might destroy your internet backbone or knock out towers, but they're going to have a hard time controlling the airwaves when the infrastructure is a lone guy in his attic with a radio and wire antenna.  Voice, digital, morse code, pick your poison.  They might control the official news outlets, but guerrilla stations can get the real story out.  With 5 watts and a wire, I can reach from Virginia to California without any infrastructure in between.  My station packs up small enough to fit in a shoebox.  I can use any DC power source providing between 9.6 V and 13.5 V (that includes many wall warts that convert 120 V AC to some level of DC).

It never hurts to have more than one tool in the quiver.

Just saying...

Chris

wmenorr67

  • friend
  • Senior Member
  • ***
  • Posts: 12,775
Re: Russian Cyber Attacks / Shaping Operations vs Georgia JULY-AUG2008
« Reply #2 on: August 13, 2008, 08:00:06 AM »
But they can find the freq you are transmitting on and do one of two things.  They can jam it so you can't communicate and/or track you down and take you out.  Nothing is fail safe.
There are five things, above all else, that make life worth living: a good relationship with God, a good woman, good health, good friends, and a good cigar.

Only two defining forces have ever offered to die for you, Jesus Christ and the American Soldier.  One died for your soul, the other for your freedom.

Bacon is the candy bar of meats!

Only the dead have seen the end of war!

RadioFreeSeaLab

  • friend
  • Senior Member
  • ***
  • Posts: 3,200
Re: Russian Cyber Attacks / Shaping Operations vs Georgia JULY-AUG2008
« Reply #3 on: August 13, 2008, 08:03:47 AM »
mtnbkr, studying for the test right now.  Picked up an Icom IC-22A two meter on eBay.

mtnbkr

  • friend
  • Senior Member
  • ***
  • Posts: 15,388
Re: Russian Cyber Attacks / Shaping Operations vs Georgia JULY-AUG2008
« Reply #4 on: August 13, 2008, 08:08:47 AM »
Quote
But they can find the freq you are transmitting on and do one of two things.  They can jam it so you can't communicate and/or track you down and take you out.  Nothing is fail safe.

Didn't say it was.  The point is that no infrastructure is required, which makes it more difficult to interrupt.  Sure you can jam a given band, but most radios operate over a variety of bands (I can work 1.8 MHz to 440 MHz and a variety of modes).  I can also get on the air, transmit my message, pack up and get out of there.  It's no magic bullet, but it is useful when your cellphone isn't.

Chris

wmenorr67

  • friend
  • Senior Member
  • ***
  • Posts: 12,775
Re: Russian Cyber Attacks / Shaping Operations vs Georgia JULY-AUG2008
« Reply #5 on: August 13, 2008, 08:18:50 AM »
Quote
But they can find the freq you are transmitting on and do one of two things.  They can jam it so you can't communicate and/or track you down and take you out.  Nothing is fail safe.

Didn't say it was.  The point is that no infrastructure is required, which makes it more difficult to interrupt.  Sure you can jam a given band, but most radios operate over a variety of bands (I can work 1.8 MHz to 440 MHz and a variety of modes).  I can also get on the air, transmit my message, pack up and get out of there.  It's no magic bullet, but it is useful when your cellphone isn't.

Chris

True to a point.  But I know what our jammers and finders can do.

RevDisk

  • friend
  • Senior Member
  • ***
  • Posts: 12,633
    • RevDisk.net
Re: Russian Cyber Attacks / Shaping Operations vs Georgia JULY-AUG2008
« Reply #6 on: August 13, 2008, 08:39:36 AM »
Quote
But they can find the freq you are transmitting on and do one of two things.  They can jam it so you can't communicate and/or track you down and take you out.  Nothing is fail safe.

Frequency hopping makes it much more difficult.  Also, mobile rigs are pretty easy to set up.   Plus, if you're halfway intelligent, you ALWAYS remote your radio.  Mil commo wire is insanely cheap and quite durable for what it is, especially if you bury it under an inch or two of dirt.  While definitely not fail safe, good commo guys can give electronic warfare folks a run for their money.

"Cyber war" is a phrase I intensely dislike.   "Information Warfare" or "Information and Electronic Warfare" give a much better description without media sensationalism and Hollywood dross.  It's cheap, effective and often offers excellent plausible deniability.   What more could you ask for? 
"Rev, your picture is in my King James Bible, where Paul talks about "inventors of evil."  Yes, I know you'll take that as a compliment."  - Fistful, possibly highest compliment I've ever received.

mtnbkr

  • friend
  • Senior Member
  • ***
  • Posts: 15,388
Re: Russian Cyber Attacks / Shaping Operations vs Georgia JULY-AUG2008
« Reply #7 on: August 13, 2008, 08:43:19 AM »
Quote
But they can find the freq you are transmitting on and do one of two things.  They can jam it so you can't communicate and/or track you down and take you out.  Nothing is fail safe.

Didn't say it was.  The point is that no infrastructure is required, which makes it more difficult to interrupt.  Sure you can jam a given band, but most radios operate over a variety of bands (I can work 1.8 MHz to 440 MHz and a variety of modes).  I can also get on the air, transmit my message, pack up and get out of there.  It's no magic bullet, but it is useful when your cellphone isn't.

Chris

True to a point.  But I know what our jammers and finders can do.

No doubt, but the point was you're not reliant on someone else's infrastructure. 

Chris

roo_ster

  • Kakistocracy--It's What's For Dinner.
  • friend
  • Senior Member
  • ***
  • Posts: 21,225
  • Hoist the black flag, and begin slitting throats
Re: Russian Cyber Attacks / Shaping Operations vs Georgia JULY-AUG2008
« Reply #8 on: August 13, 2008, 09:34:58 AM »
Quote
"Cyber war" is a phrase I intensely dislike.   "Information Warfare" or "Information and Electronic Warfare" give a much better description without media sensationalism and Hollywood dross.  It's cheap, effective and often offers excellent plausible deniability.   What more could you ask for?

Agreed. 

I was using the terms used in the article so that laymen would understand the connection between the article and my commentary.

Manedwolf

  • friend
  • Senior Member
  • ***
  • Posts: 14,516
Re: Russian Cyber Attacks / Shaping Operations vs Georgia JULY-AUG2008
« Reply #9 on: August 13, 2008, 09:45:01 AM »
Quote
But they can find the freq you are transmitting on and do one of two things.  They can jam it so you can't communicate and/or track you down and take you out.  Nothing is fail safe.

Airport maintenance guys are pretty quick to find a plane with a stuck transmitter on the ramp by using an RDF.

mtnbkr

  • friend
  • Senior Member
  • ***
  • Posts: 15,388
Re: Russian Cyber Attacks / Shaping Operations vs Georgia JULY-AUG2008
« Reply #10 on: August 13, 2008, 09:57:44 AM »
Finding transmitters is hardly difficult.  It's a sport of sorts for hams.  In that crowd, it's referred to as "Foxhunting".

Chris

Balog

  • Unrepentant race traitor
  • friends
  • Senior Member
  • ***
  • Posts: 17,774
  • What if we tried more?
Re: Russian Cyber Attacks / Shaping Operations vs Georgia JULY-AUG2008
« Reply #11 on: August 13, 2008, 11:34:51 AM »
Quote
To answer the question "Why start a cyber attack?" is simple.  At the top level, if you can stifle your enemy's external commo, you can use your media to plant stories: ethnic cleansing, "Georgia started it," all that disinformation.  Also, nowadays much government commo is via the net.  Disrupt that and you slow the responses of your enemy.

Essentially, such a cyber siege is the net equivalent of blowing up telephone exchanges and blasting radio towers.

Not to keep beating the amateur radio drum, but this is exactly why "ham radio" is an important tool even in today's world of the Internet and cellphones.  An enemy might destroy your internet backbone or knock out towers, but they're going to have a hard time controlling the airwaves when the infrastructure is a lone guy in his attic with a radio and wire antenna.  Voice, digital, morse code, pick your poison.  They might control the official news outlets, but guerrilla stations can get the real story out.  With 5 watts and a wire, I can reach from Virginia to California without any infrastructure in between.  My station packs up small enough to fit in a shoebox.  I can use any DC power source providing between 9.6 V and 13.5 V (that includes many wall warts that convert 120 V AC to some level of DC).

It never hurts to have more than one tool in the quiver.

Just saying...

Chris

So can any nutjob, or the evil .gov entity that shut down the net in the first place.
Quote from: French G.
I was always pleasant, friendly and within arm's reach of a gun.

Quote from: Standing Wolf
If government is the answer, it must have been a really, really, really stupid question.

wmenorr67

  • friend
  • Senior Member
  • ***
  • Posts: 12,775
Re: Russian Cyber Attacks / Shaping Operations vs Georgia JULY-AUG2008
« Reply #12 on: August 13, 2008, 07:58:18 PM »
Quote
But they can find the freq you are transmitting on and do one of two things.  They can jam it so you can't communicate and/or track you down and take you out.  Nothing is fail safe.

Frequency hopping makes it much more difficult.  Also, mobile rigs are pretty easy to set up.   Plus, if you're halfway intelligent, you ALWAYS remote your radio.  Mil commo wire is insanely cheap and quite durable for what it is, especially if you bury it under an inch or two of dirt.  While definitely not fail safe, good commo guys can give electronic warfare folks a run for their money.

"Cyber war" is a phrase I intensely dislike.   "Information Warfare" or "Information and Electronic Warfare" give a much better description without media sensationalism and Hollywood dross.  It's cheap, effective and often offers excellent plausible deniability.   What more could you ask for? 

I know.  It was always fun going out and playing cat and mouse games with the Signal Units when I was on active duty.  We would go out and set up our finders and jammers and see if we could shut them down.  What was really nice to do was, since I was at Ft Carson, shut down NORAD.  That usually got a response from a couple of low flying F-16s in about 5 minutes time.

Gewehr98

  • friend
  • Senior Member
  • ***
  • Posts: 11,010
  • Yee-haa!
    • Neural Misfires (Blog)
Re: Russian Cyber Attacks / Shaping Operations vs Georgia JULY-AUG2008
« Reply #13 on: August 13, 2008, 09:14:02 PM »
Quote
"Cyber war" is a phrase I intensely dislike.   "Information Warfare" or "Information and Electronic Warfare" give a much better description without media sensationalism and Hollywood dross.  It's cheap, effective and often offers excellent plausible deniability.   What more could you ask for?

This: 

http://www.afcyber.af.mil/

The vernacular is now firmly established.
"Bother", said Pooh, as he chambered another round...

http://neuralmisfires.blogspot.com

"Never squat with your spurs on!"

RevDisk

  • friend
  • Senior Member
  • ***
  • Posts: 12,633
    • RevDisk.net
Re: Russian Cyber Attacks / Shaping Operations vs Georgia JULY-AUG2008
« Reply #14 on: August 14, 2008, 04:38:21 AM »
Quote
"Cyber war" is a phrase I intensely dislike.   "Information Warfare" or "Information and Electronic Warfare" give a much better description without media sensationalism and Hollywood dross.  It's cheap, effective and often offers excellent plausible deniability.   What more could you ask for?

This: 

http://www.afcyber.af.mil/

The vernacular is now firmly established.  grin

The formation of the USAF "Cyber Command" (BWHAHAHAHAHAHA, err ahem) has been temporarily halted.  http://www.nextgov.com/nextgov/ng_20080812_7995.php

The AF trying to establish a "Cyber Command" is just money grabbing.  We HAVE a "Cyber Command" already, but without the really bad name.  It's called the Defense Information Systems Agency.  Anything DISA doesn't cover, the NSA does.  Anything the NSA doesn't cover, the service specific EW and IT organizations do.  Aside from trying to steal more money from the Army/Navy, why the heck should the USAF have a separate "Cyber Command" apart from their existing IT support staff?


Quote
I know.  It was always fun going out and playing cat and mouse games with the Signal Units when I was on active duty.  We would go out and set up our finders and jammers and see if we could shut them down.  What was really nice to do was, since I was at Ft Carson, shut down NORAD.  That usually got a response from a couple of low flying F-16's in about 5 minutes time.

I was a Signal Guy.   I really wish I could share a couple stories.   When ya get back from the sandbox, let me know if you're on the East Coast.

Manedwolf

  • friend
  • Senior Member
  • ***
  • Posts: 14,516
Re: Russian Cyber Attacks / Shaping Operations vs Georgia JULY-AUG2008
« Reply #15 on: August 14, 2008, 04:41:16 AM »
Quote
"Cyber war" is a phrase I intensely dislike.   "Information Warfare" or "Information and Electronic Warfare" give a much better description without media sensationalism and Hollywood dross.  It's cheap, effective and often offers excellent plausible deniability.   What more could you ask for?

This: 

http://www.afcyber.af.mil/

The vernacular is now firmly established.  grin

Did some general read too much William Gibson and/or Tom Clancy?

Who calls it "cyberspace" outside of dated science fiction novels from the 1980s?