When resentment against a pro-Georgian blogger boiled over into a distributed denial-of-service attack against social networking sites Aug. 6, it seemed to echo the cyber-attacks that occurred when Russia invaded Georgia in August 2008. Experts say this type of hacktivism will likely continue to increase, leaving countries with the question of what to do in response to similar incidents happening in conjunction with military action.
A new report from the U.S. Cyber Consequences Unit, of which a summary was released Aug. 17, focuses on the cyber-attacks that accompanied Russia’s military assault and calls for the creation of an international organization to provide risk advisories when political, economic or military circumstances make a cyber-attack likely or when warning signs of such an attack are detected.
The report stated that, as many people have suspected, the organizers of the cyber-attacks were aware of Russia’s military plans. However, the attackers themselves are believed to have been civilians. Their targets included media, government and financial sites, according to the report.
“The first wave of cyber-attacks launched against Georgian media sites were in line with tactics used in military operations,” John Bumgarner, US-CCU’s research director for security technology, told eWEEK.
“There were several key command and control (C&C) servers used to coordinate the global botnet(s) used in the DDoS attacks,” Bumgarner continued. “The exact number of computers compromised globally is unknown, but probably numbered in the tens of thousands.”
Georgia’s initial technical response to the attack was to install filters to block Russian IP addresses and protocols used by the attackers, the report stated. Hacktivists circumvented this by using foreign servers to mask their IP addresses, and changing the protocols they used. They utilized software to spoof IP addresses as well.
Georgia’s second response-to shift the hosting of its Websites to other countries where attack traffic could more easily be filtered out-was more effective, according to the report.
In such a situation, the existence of an international cyber-response force could have prevented some of the disruption, the report contended.
“If Georgia had been able to call on this sort of apparatus, the interruptions in its online activities would probably have lasted only a few hours or even a few minutes, rather than several days,” the report stated. “In addition, a well-prepared international team could have collected forensic evidence, making it possible to answer the questions about the cyber-campaign that still remain open. One of these important unanswered questions is what spyware and other malicious code the attackers may have left behind.”
For all the confusion the attacks caused, there is actually a silver lining, according to Bumgarner.
“In traditional warfare these attack techniques would have been 1) aerial bombardments, which would have inflicted physical damage to the target or 2) electronic jamming, which would have disrupted the communication of these targets,” he said. “The [disruptive] cyber-techniques used in 2008 spared the Georgian targets from long-term physical damage.”