Monday, November 17, 2008

Russian nationalists waged a cyber war against Georgia. Fighting back is virtually impossible.

On July 20, weeks before Russia stunned Georgia with a rapid invasion, the cyber attack was already under way. While Moscow baited Georgia with troop movements on the borders of the breakaway provinces of Abkhazia and South Ossetia, the "zombie" computers were already on the attack. Russian viruses had seized hundreds of thousands of computers around the world, directing them to barrage Georgian Web sites, including the pages of the president, the parliament, the foreign ministry, news agencies and banks, which shut down their servers at the first sign of attack to pre-empt identity theft. At one point the parliament's Web site was replaced by images comparing Georgian president Mikheil Saakashvili to Adolf Hitler. This was not the first Russian cyber assault—that came against Estonia, in April of 2007—but it was the first time an Internet attack paralleled one on land.

The labyrinthine ways of the Web and the complicated interfaces between the Russian government's clandestine services and organized crime make it impossible, at this point, to say with certainty who was responsible, or how far up the chain of command it went. The Russian military certainly had the means to attack Georgia's Internet infrastructure, says Jonathan Zittrain, cofounder of Harvard's Berkman Center for Internet and Society. Moreover, the attacks were too successful to have materialized independently of one another. Bill Woodcock, the research director at Packet Clearing House, a California-based nonprofit group that tracks Internet security trends, says the attacks bear the markings of a "trained and centrally coordinated cadre of professionals."

But who? Jart Armin, who has tracked Russian cybercrime, points to the possibility that a role was played by the notorious Russian Business Network, a cybermafia that specializes in identity theft, child pornography, extortion and other dark and lucrative Internet crimes. The RBN's political agenda is vague or nonexistent, but it often contracts out its services, and Armin says there is increasing evidence that it is connected to, or at least tolerated by, the Kremlin.

Indeed, the timing is such that it's hard to discount some sort of Kremlin coordination, even if it's impossible to prove, and Woodcock argues that such cyber assaults have become a tool of Russian political leadership. As the attacks' political intentions became more specific, he notes, the operations have grown more complex. In addition to targeting Georgian government and media Web sites, Russian hackers brought down the Russian newspaper Skandaly.ru, apparently for expressing some pro-Georgian sentiment. "This was the first time that they ever attacked an internal and an external target as part of the same attack," he says.

Fighting back is tough. When Russian hackers made a name for themselves last year by bringing down the Web site of the Estonian parliament along with the sites of banks, ministries and newspapers, Estonian Foreign Minister Urmas Paet immediately accused the Kremlin of backing the attacks. But he was unable to produce evidence supporting his claims. Putin eventually named a suspect, or scapegoat, within his government. As Russian hackers waged a similar assault on Georgian sites over the past few weeks, Estonia—one of Europe's most wired countries—offered its better-defended servers to host many Georgian government Web sites. Lithuania and Poland have stepped up as well, prompting some excited bloggers to suggest that this is a digital Sarajevo, akin to the events of August 1914, the start of the first Internet world war. Certainly that's exaggerated, but the mutual defense going on in cyberspace shows that these nations take the Russian threat to their online infrastructure seriously.

Still, the nature of the Internet is such that it is almost impossible to respond quickly enough. The government doesn't maintain its own botnets—large networks of zombified computers standing ready to attack—but can rent one from a crime network, like the Russian Business Network. Then, through state-controlled media, the government can inspire waves of nationalists to amplify the destructive force. "Everybody with a laptop has the responsibility to attack the enemy—and you find out who the enemy is by looking at what the government is saying," Woodcock says.

While no one can say who wrote the malware that was used to cause Georgian servers to crash, it certainly proliferated on Russian Web sites in a user-friendly form. Gary Warner, a cybercrime expert at the University of Alabama at Birmingham, says he found "copies of the attack script" posted in the reader comments section at the bottom of virtually every story in the Russian media that covered the Georgian conflict, complete with instructions on how the script could be used to attack a specific list of Web sites. The efficiency is enough to make Russia's tanks and planes and ships, however deadly, appear downright anachronistic.


http://www.newsweek.com/id/154965/output/print

"It could be assumed the Estonia attack has benefited the United States agenda more than any other country..."

... I like what you say about Chinese IP space attacks or cyber crime
might not be the Chinese government or its people, but could as easily
be another government who is carrying out cyber attacks and cyber
crime and making all evidence point towards China...



...Age should not be the issue here. You can get people of all ages
creating a bot net for whatever purpose, and with the profiteering seen in
the scene nowadays, there is business incentive for bot nets to be
developed too. Not only do we have individuals and groups in the
hacker underground with reasons to create bot nets, we've now got the
entry into the soup of the U.S Cyber Command and other governments
entering into the political cyber space. So not only have you got the
Romanian teen theory of yours, we've now got the possibility of
governments, including Russia, U.S and UK, who may have vested
interests for cyber attacks, cyber crime and cyber espionage to point
towards Chinese IP space. And, just the same, that the IP range is
coming from China, the code is written in Chinese, the money to buy
a phishing domain was Chinese yuan, and the company the domain was
registered at doesn't conclusively mean the attack is coming from the
Chinese government or even its citizens.

The government hackers, and state sponsored hacks by RU, US, UK, all
know to cover their tracks and have all bases covered to fool forensic
analysts later on. Any good cyber attack is planned in the notion that
you're working from the point of forensic analysis backwards; you
don't plan your cyber attacks from the frontend to the back, well,
script kiddies and dumb hackers do.

You work your attack from the back to the front. Backwards hacking I
call it, or Microwaving. You cook your target from the inside
outwards... in the attack mode, but in the planning stages, you must
work back to front to avoid possible detection by your target's
forensic team when they go into post-attack investigative mode.

The target may be a government or corporation you're gathering
intelligence from, or in the case of a bot net, the cyber crime and
profiteering or bandwidth data attack to take out key infrastructure
of a government or corporation. Remember the U.S cyber command wants
to destroy important data of its adversaries, so backups of important
documents are an extra need for when the U.S cyber command gets
underway.

Russia is home to one of cyber crime's biggest bot nets, the Storm
Worm, and the FSB (the Russian secret service) is protecting the
Russian Business Network owners from being arrested by western
powers. If you really want to get bot net culture under control you
must start with the biggest bot net of them all, and perhaps the most
worrying of all bot nets, the government bot net or the state
sponsored bot net, who are capitalizing on the huge revenue globally
to be made from cyber crime, which has been proved to be a bigger
trade now than illegal drug trafficking and selling of those drugs in
our towns and cities.

The governments of our world have every reason to point their bot
nets' forensic outcome towards China, and to publish propaganda to the
media to make the Chinese government and its citizens look like they
are the number one cyber threat to the west, when most probably, the
true source of attacks is coming from U.S, UK or Russia.

I believe the number one cyber threat to the west is Russia, _but_ I
believe the overall number one cyber threat to the internet and its
well being at large is that of the United States Cyber Command and its
shoulder to shoulder friends in the United Kingdom, who are likely to
share the same cyber political agenda as far as breaking into things,
attacking things, destroying data and other activities for the reason
of the long term strategic interest of national security for both US/
UK.

The national interest of US/UK won't necessarily be the interest of the
internet at large and its survival as a country-less global
infrastructure for data exchange of government, e-commerce and
civilian of economic, security and leisure.

To conclude, the cyber threat from bot nets is no longer the teenager
or the humble individual anymore; it's moved on from that. The true
threat now is from the cyber commands of various countries who will do
anything they can to attack back their adversaries, if they are
attacked first, or if it's in the national interest for a pre-emptive
cyber strike.

Not only are government sponsored or government based
"attacks" the real threat now compared to the past when it was teens or
adolescents, it's now militaries and their intelligence agencies who are
becoming the real problem on the internet, not the traditional
adolescent in his bedroom or college computer lab causing mayhem; it's
now government cyber attacks, and government cyber crime is now the
new threat of today.

In your defense, the Estonia attack that everyone is getting worried
about as a proof of concept attack for world governments to wake up
and build cyber commands turned out to have been carried out by a teen,
who was charged for creating a bot net, but he could easily be a
scapegoat plant for the Russian Business Network guys, who are widely
blamed for the Estonia attack by people in the know.


I'm not a government hacker for the UK, but I live in the UK as an
unemployed student. I know what's going on and I have monitored the
cyber security scene extensively for the last 9 years in many forms
and formats. I started off as a script kid on Yahoo, then worked my
way up. I currently run under my internet alias known to the security
community as "n3td3v". I have been misreported by the media and others
as a troll; this is not the case.

I continue to receive criticism for my outspoken and rude behaviour,
but in amongst that is true substance and cause in what I believe to
be the way things are in the cyber security landscape and the way it's
developing towards 2010 and beyond.

n3td3v currently runs a news group on Google groups with over 4000
members and climbing; however, please remember n3td3v operates as an
individual security researcher. There is no group of researchers
working under the n3td3v tag, and the members of the news group are
only the public at large who are not operated or controlled by me; it
is a news group for sharing information, news articles and other
commentary from around the world IP space.

Mark Seiden is no stranger to n3td3v, he knows me better than most on
the internet, he holds many n3td3v secrets and knows my true identity...

Mark Seiden is a high powered senior security consultant on a global
scale agenda; he advises and contributes to the security of many
government agencies and corporations around the world. His name is
among the top cyber elites as a true recommended security expert for
many high level issues in the cyber world today. You can learn more
here:
http://www.cutter.com/meet-our-experts/seidenm.html

This was in reply to Mark Seiden's "Cyberflexing" Blog post.
http://blog.cutter.com/2008/01/17/cyberflexing-what-were-in-store-for-in-2008/

An IRC transcript between n3td3v and a former U.S Navy cyber security expert
on the worries of the U.S cyber command and its upcoming impact on the
security community.
http://seclists.org/fulldisclosure/2008/Mar/0043.html

To highlight, the security community will no longer post
vulnerabilities to the mailing lists, when Af cyber based attacks, or
suspicious cyber attacks on different countries start to be reported
by our media and the security industry's businesses, especially if
power infrastructure is affected and we in the security community
start to personally suffer our quality of life due to unknown
attackers who are largely believed to be connected with the
establishment of the U.S cyber command.

For instance, if the U.S suffers a cyber attack, and it's blamed on X
government or regime, are U.S hackers going to keep releasing
vulnerabilities to mailing lists, helping that X government obtain
further cyber ammo, or new technique/research ideas? If the UK gets
hit by a cyber attack and it's largely believed to be the U.S cyber
command, are the U.K or the rest of the world going to continue to post
vulnerabilities, cyber ammo, or new technique/research ideas to
mailing lists? The answer is likely no, considering they won't want to
help the United States learn of new hack techniques; it's likely the
uprise of U.S cyber command and a cyber war of real proportion would
slow down, if not kill, the vulnerability release scene on the world
wide web and push the scene back underground into the dark ages before
wide spread full-disclosure was around.

If real case cyber attacks start to happen on a big scale that stop a
country from operating as it should, and the everyday life of security
researchers is disabled or restricted because of national
infrastructure attacks by an individual, a group or a government, then
they aren't going to keep disclosing vulnerabilities to mailing lists
to help the cyber terrorist or cyber military to aid them in any
on-going attack, or help them gather ideas for later attacks after the
initial attack.

The government and its enemies will suffer from a lack of publicly
disclosed vulnerabilities by security researchers, meaning the
governments of whatever countries are going to have to be self
sufficient with research, zero-day discovery, and vulnerability
development, as in a time of cyber war, they won't have independent
security researchers from the security community publishing new
cutting edge cyber ammo to the mailing lists at large.

If a government and its enemies think people aren't going to notice
suspicious spectaculars connected with power outages then they need to
re-work what their strategy for covering it up will be to the world's
intelligence services and the security community at large.

If the Af cyber command think they are going to start attacking
things, destroying adversaries' data and blacking out power grids of
enemy states, and that that kind of thing won't be cloaked by everyone,
they have got to think again, because you've already declared you're
planning on cyber war once your offensive command and its staff are
trained and fully briefed and covert operation detail has been decided
upon.

The homepage of the upcoming U.S cyber command.
http://www.afcyber.af.mil/

A blog entry report on the scapegoat for the Estonia attack.
http://www.russophile.com/russia_blog/26159-one_russian_charged_estonia_bronze_soldier_denial_service_attack.html

The attack on Estonia and its impact on the security industry is not
fully known, although it was a landmark event for many cascading
events, political decisions and business marketing plans and media
news articles.


It could be assumed the Estonia attack has benefited the United States
agenda more than any other country, as the announcement of the Af
cyber command was based around that attack, so there is room for
speculation that there could have been underground deals with U.S, UK,
Russia and Estonia for this cyber attack to take place as a pathway
for a cyber war footing to mark the way for the Af cyber command and
to get funding for such a command.

My ending paragraph above cannot be proved and is unlikely to be, but
it has to be mentioned at the end of this response, as the real
beneficiaries of the Estonia cyber attack have been the United States
and funding of the new cyber command.


As noted by n3td3v previously, the security community and the security
industry are two different things: the security industry is eager to
use the Estonia attack to forward their business motives, and the
government is eager to use it to politically capitalise, while the
security community, a different species compared to the industry,
keeps sitting, watching, analyzing and working out the truth between
the propaganda lines spat out by our media and what's really going on
between governments in the underworld.

The security community is no fool to the security industry; we're
aware of what's going on and we're not gullible to the propaganda
being put in front of our computer screens and through media outlets and
business messages.

Yours,

n3td3v
http://www.security-express.com/archives/fulldisclosure/2008-04/0340.html