Expert: Cyber-attacks on Georgia websites tied to mob, Russian government


The massive digital attacks that drove some of the government of Georgia’s websites offline during the Russian invasion are being called the first overt act of ‘cyberwarfare’ -- or at least the most overt to date.

The Russian government denies responsibility, and it got some reputable defenders today. The ShadowServer Foundation, a nonprofit group that tracks criminal activity on the Net, said that ordinary Russian citizens were helping attack the Georgian government websites with the aid of programs distributed through friendly sites. Top security expert Gadi Evron went further, saying all of the blame might lie with a bunch of kids.


The most discussed of the recent technological assaults have been denial-of-service attacks that overwhelmed the government sites with constant requests for information and rendered them unavailable to people in Georgia seeking information. Researchers in touch with network administrators in Georgia said a lot of the malicious traffic has been coming from servers controlled by the Russian Business Network, a notorious group out of St. Petersburg that has been linked to child pornography and major phishing and identity-theft scams.

Some researchers have pointed out, correctly, that the Russian Business Network is not the Russian government. In fact, some say the network is just a hosting company that specializes in having criminal clients. Anyone can use its resources, the argument goes.

But researcher Don Jackson of SecureWorks has devoted a fair amount of time to the question, and in an interview he made a convincing argument that the Russian government, despite its denials, is indeed involved.

To begin with, whether the Russian Business Network is a major organization or merely a helper for a variety of other groups is beside the point. Criminals pay the bills: It is a criminal outfit.

On the main issue, the computers issuing commands to the computers that are, in turn, attacking Georgian sites aren’t all on Russian Business Network servers. Some are better hidden but reside on Internet addresses belonging to state-owned telecommunications companies in Russia. Both are using MachBot, a software attack tool favored by Russian Business Network clients.

And it’s not just denial-of-service attacks: People are also infiltrating Georgia’s government networks to steal information, and websites are being defaced with propaganda.


Most crucially, there is the question of where and when. Many of the most serious attacks began just as the tanks began to roll, although the networks had been set up beforehand. And the choice of targets is especially telling. Official sites in Gori, along with local news sites, were shut down by denial-of-service attacks before the Russian planes got there.

‘How did they know that they were going to drop bombs on Gori and not the capital?’ Jackson asked. ‘I would say that from what I’ve seen firsthand, there was at some level actual coordination and/or direction [by the Russian government], especially in regard to the timing and the targets of some of the attacks.’

-- Joseph Menn