Report: Russian Hacker Forums Fueled Georgia Cyber Attacks
An exhaustive inquiry into August's cyber attacks on the former Soviet bloc nation of Georgia finds no smoking gun in the hands of the Russian government. But experts say evidence suggests that Russian officials did little to discourage the online assault, which was coordinated through a Russian online forum that appeared to have been prepped with target lists and details about Georgian Web site vulnerabilities well before the two countries engaged in a brief but deadly ground, sea and air war.
The findings come from an open source investigation launched by Project Grey Goose, a volunteer effort by more than 100 security experts from tech giants like Microsoft and Oracle, as well as former members of the Defense Intelligence Agency, Lexis-Nexis, the Department of Homeland Security and defense contractor SAIC, among others.
The group began its inquiry shortly after the cyber war disabled a large number of Georgia government Web sites. Starting with the Russian hacker forum Xaker.ru (hacker.ru), investigators found a posting encouraging would-be cyber militia members to enlist at a private, password-protected online forum called StopGeorgia.ru. Grey Goose principal investigator Jeff Carr said the administrators of the hacker forum were keenly aware that American cyber sleuths were poking around: Within hours after discovering the link to the StopGeorgia site, Xaker.ru administrators deleted the link and banned all access from U.S.-based Internet addresses.
At StopGeorgia.ru, project members unearthed a top-down hierarchy of expert hackers who doled out target lists of Georgian government Web sites to relative novices, complete with instructions on how to exploit vulnerabilities in the sites in order to render them inaccessible. Following a July defacement of the Georgian president's Web site that was blamed on Russian hackers, the Georgian government blocked Russian Internet users from visiting government Web sites.
But Carr said StopGeorgia administrators also equipped recruits with directions on evading those digital roadblocks by routing their attacks through Internet addresses in other Eastern European nations. The level of advance preparation and reconnaissance strongly suggests that Russian hackers were primed for the assault by officials within the Russian government and/or military, Carr said.
"The fact that the StopGeorgia.ru site was up and running within hours of the ground assault -- with full target lists already vetted and with a large member population -- was evidence that this effort did not just spring up out of nowhere," said Carr, speaking at a forum in Tysons Corner, Va., sponsored by Palantir Technologies, an In-Q-Tel funded company in Palo Alto, Calif., whose data analysis software helped Grey Goose investigators track the origins and foot soldiers involved in the cyber attack. "If they were planning ahead of the invasion, how did they know the invasion was going to occur? The only way they could have known that is if they were told."
Initially, security experts assumed that the sites were felled via "distributed denial of service" (DDoS) attacks, a well-known method of assault that uses hundreds or thousands of compromised personal computers to flood a targeted site with so much junk traffic that it can no longer accommodate legitimate visitors. But investigators soon learned that attackers were instructed in a far simpler but equally effective attack strategy, one capable of throttling a targeted Web site from a single computer.
Security researcher and Grey Goose investigator Billy Rios said attackers disabled the sites using a built-in feature of MySQL, a software suite widely used by Web sites to manage back-end databases. The "benchmark" feature in MySQL allows site administrators to test the efficiency of database queries, but last year hackers posted online instructions for exploiting the benchmark feature to inject millions of junk queries into a targeted database, such that the Web servers behind the site become so tied up with bogus instructions that they effectively cease to function.
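As an added illustration (not from the Grey Goose report or this blog), here is a small Python check a site operator could run over Web access logs to spot requests that try to smuggle a BENCHMARK() call into a query parameter, including lowercase and percent-encoded variants. The log lines, host addresses and script name are constructed for the example; it assumes Apache combined log format.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample log lines in Apache combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [11/Aug/2008:10:02:13 +0400] "GET /news.php?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [11/Aug/2008:10:02:14 +0400] "GET /news.php?id=42+OR+BENCHMARK(50000000,MD5(1)) HTTP/1.1" 200 31 "-" "Mozilla/5.0"
198.51.100.4 - - [11/Aug/2008:10:02:15 +0400] "GET /news.php?id=42%20or%20benchmark%285000000%2csha1%281%29%29 HTTP/1.1" 500 0 "-" "curl/7.18"
203.0.113.7 - - [11/Aug/2008:10:02:16 +0400] "GET /about.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Pull out client address, timestamp, request URL and HTTP status from each line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# MySQL function names are case-insensitive, so match BENCHMARK/benchmark/BeNcHmArK alike.
BENCHMARK_RE = re.compile(r"benchmark\s*\(", re.IGNORECASE)


def decode_fully(value, rounds=3):
    """Undo layered percent-encoding so a doubly-encoded parameter still matches."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_benchmark_injections(log_text):
    """Return (ip, timestamp, status, parameter) for every request carrying BENCHMARK() in its query string."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        query = urlsplit(m.group("url")).query
        for name, raw in parse_qsl(query, keep_blank_values=True):
            if BENCHMARK_RE.search(decode_fully(raw)):
                hits.append((m.group("ip"), m.group("ts"), m.group("status"), name))
    return hits


def by_source(hits):
    """Count flagged requests per client address; a single busy source is the pattern the report describes."""
    return dict(Counter(ip for ip, _, _, _ in hits))


if __name__ == "__main__":
    for hit in find_benchmark_injections(SAMPLE_LOG):
        print("suspected BENCHMARK() injection:", hit)
```

On the sample above, the two flagged requests both target the `id` parameter and come from different hosts; on a real server the same per-source tally would show one address issuing the expensive queries, which a statement timeout on the database side would then cap.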
"Not only can a small number of users bring down the back end databases, it indicates that there was some form of planning, reconnaissance, and some technical sophistication by some of the members," Rios said. "It also indicates that all the information from the attacked systems was most likely already compromised and pilfered before the injection point was posted."
While Grey Goose members could find no direct link between Russian government officials and the StopGeorgia.ru forum administrators, they claim it is unreasonable to conclude that no such connection exists.
"The historical record shows clear support by members of the Russian government and implied consent in its refusal to intervene or stop the hacker attacks," the report states, naming at least three Russian politicians and military officials who have previously endorsed coordinated cyber attacks against other nations as a show of nationalistic pride.
Oleg Gordievsky, a former colonel in the Russian KGB who defected to the British intelligence wing MI6 in 1985, spoke in 1998 at an international conference on crime and discussed how Russian hackers convicted of cyber crime are sometimes offered an alternative to prison -- working for the FSB (the federal security service of the Russian Federation and a successor to the KGB).
According to a cyber warfare analysis by researchers at Dartmouth College, Moscow has a track record of offensive hacking into Chechen Web sites. The researchers provide this account of incidents in 2002, when Russian hackers used cyber warfare to supplement the ongoing military conflict with Chechnya.
"In 2002, Chechen rebels claimed that two of their Web sites, kavkaz.org and chechenpress.com, crashed under hack attacks by the Russian FSB security service. The website crashes were reportedly timed to occur concurrently or shortly after Russian Special Forces troops stormed the Moscow Theater in which the rebels had taken hostages. "On October 26 ... our Web Site kavkaz.org was attacked by a group of hackers," said a spokesman for the Chechen rebel site run by Movladi Udugov. Following the attack on the site, which is based in the United States, Udugov said that he was "amazed Russia's special services can operate so freely on U.S. territory." The attacks on one site, chechenpress.com, fell under the category of brute-force denial of service (DoS) attacks, while on the other site, kavkaz.org, the attacks appeared much more sophisticated.
"According to Chechen sources, the Web site was hijacked by hackers from the FSB. The FSB hackers reportedly accomplished this by changing the domain registration of the site and then eliminating the data for the site from the hosting server. Upon learning of these attacks, the rebels moved the information on the sites to kavkazcenter.com. However, that site was attacked just a week later, also apparently the work of FSB hackers."
In July, Russian hackers were blamed for a similar assault on Lithuanian government Web sites. In Security Fix's account of that attack, I posted a copy of a congratulatory letter sent to nationalist Russian hackers by Nikolai Kuryanovich, a former member of the Russian Duma. The missive is dated March 2006, and addresses the hacker group Slavic Union after the group had just completed a series of successful attacks against Israeli Web sites.
"In the very near future many conflicts will not take place on the open field of battle, but rather in spaces on the Internet, fought with the aid of information soldiers, that is hackers," Kuryanovich wrote. "This means that a small force of hackers is stronger than the multi-thousand force of the current armed forces."
The Grey Goose report concludes that the journeyman-apprentice relationship observed in the StopGeorgia forum will continue to be the training model used by nationalistic Russian hackers, and that those hackers are actively engaged in finding more efficient ways to disable networks.
In the meantime, Carr said, the Russian government will continue to deny any involvement in any nation-level cyber attacks.
"The Russian government has adopted this hands-off and satisfying position of deniability while enjoying the rewards achieved by the Russian hacker community," Carr said.
October 16, 2008; 3:15 PM ET