A View from Robert Lemos
Georgian Cyberattacks Traced to Russian Civilians
A report concludes that civilians and criminals carried out last year’s attacks with the help of the Russian government.
A year after Russian troops invaded the former Soviet state of Georgia, a report has concluded that the accompanying cyberattacks were carried out by organized crime and civilians with the aid of the Russian military.
The report, released by the U.S. Cyber Consequences Unit, is the result of an analysis of data collected during and after the attacks, which took place between August 7 and August 16, 2008. The US-CCU is a nonprofit research institute that focuses on analyzing cyber events and advising the U.S. government.
The attacks against Georgia initially targeted news media and government websites, making it hard for Georgians and the outside world to follow the events, the report states. Once the Russian military had established its presence inside Georgia, the list of targets expanded to include financial institutions and other businesses, universities, and more news media and government sites.
“These cyberattacks were designed to make it difficult to organize an effective response to the Russian presence,” the report says. “Many of them were intended to interrupt normal business operations. Others were intended to make the Georgian population uncertain about what to expect and what they should do.”
While the Russian military obviously benefited from the attacks, the US-CCU argues that the evidence indicates only civilians were involved.
“Although, it would, in principle, have been possible for the Russian military to have carried out some of these cyberattacks, disguising their involvement convincingly would have been very difficult and expensive,” the report states.
However, the US-CCU report concludes that the Russian military most likely gave the attackers a list of targets and, potentially the tools to conduct the attacks. Considering that the attacks happened at nearly the same time as the invasion of Georgia–and that there was no reconnaissance done prior to the attacks–the denial-of-service floods were probably preplanned, the report argues. The attacks also involved the cooperation of Russian organized crime, as many of the attacking computers also had software installed for other cybercriminal activities, according to the report.
In defending against the attacks, the Georgian government tapped groups of cybersecurity experts and initially filtered the Russian IP address space. However, the attackers soon used proxies and compromised computers in other nation’s address spaces, making the attacks harder to block.
The Georgians also apparently planted a counterattack tool, disguising it as another script to attack its own computers. Russian sympathizers who downloaded and used the program would instead attack 19 websites in Russia.
“No evidence of damage caused by this attack script came to the US-CCU’s attention, which suggests that any harm it caused was not extensive,” says the report.