Georgian cyberattacks suggest Russian involvement, say researchers

Speed, sophistication of August attacks point to likely government link

The hackers who launched cyberattacks against the former Soviet republic of Georgia two months ago probably had links to the Russian government, even though no hard evidence has been uncovered of official involvement, a report by an all-volunteer group of experts said today.

"Just because there was no smoking gun doesn't mean there's no connection," said Jeff Carr, the principal investigator of Project Grey Goose, a group of around 15 computer security, technology and intelligence experts that investigated the August attacks against Georgia. "There probably is a connection" between the hackers and the Russian government, said Carr, "and one of the reasons why I say that is what I've been saying all along. The military invasion was on [Aug. 8], and within 24 hours, there was one well-formed group with target lists and a Web site and members.

"I can't imagine that this came together sporadically," he said. "I don't think that a disorganized group can coalesce in 24 hours with its own processes in place. That just doesn't make sense."

Project Grey Goose started its probe with a Russian hacker forum, Xakep.ru, which in turn led investigators to a password-protected Web site, StopGeorgia.ru. Although the group declined to get specific about how it obtained access to the latter, the experts were able to find correlations between the attacks on Georgia's Internet servers and the discussions on Xakep.ru and the postings on StopGeorgia.ru.

Two months ago, shortly after Russia and Georgia military forces clashed over the breakaway provinces of South Ossetia and Abkhazia, Georgia's governmental Web sites were knocked offline by digital attacks. Hackers, perhaps some of the cybercriminals who had links to the notorious Russian Business Network, were initially suspected. Although within days, some security researchers were blaming a loosely organized "militia" of Russian hackers for the continuing attacks.

Project Grey Goose had its own take on how the hackers were organized. According to Carr and the group's report, the hierarchy was on a leader-follower, or journeyman-apprentice, model. A smaller number of "leaders" provided the hacking tools, called out application vulnerabilities and named targets. The "followers," although novice hackers, carried out the actual attacks.

There was little sign of a militia organization, where members were recruited. "There was more of a top-down relationship," said Carr. "At the very top, there was probably some channel of communication [to the Russian government], but from there it was self-organized and very informal."

Carr said it was unreasonable to think that, if the Russian government was not directly involved, it had no hand in the attacks. "The reasonable conclusion is that [the Russian government] sees this as a convenience, and uses it as a way to distance itself from the hackers while at the time having a relationship with them," he said.

The group's report put it somewhat differently. "We assess with high confidence that the Russian government will likely continue its practice of distancing itself from the Russian nationalistic hacker community, thus gaining deniability while passively supporting and enjoying the strategic benefits of their actions," the report stated.

That conclusion was similar to one reached by other security researchers in August. At the time, Kimberly Zenz, a senior threat analyst at VeriSign Inc.'s iDefense Labs, said that the Russian government views hackers as a "national asset" that can be put into play during any shooting war or political crisis of its choosing.

Project Grey Goose also spelled out how it believed the Russian hackers were able to knock offline so many Georgian servers so quickly. Rather than launch a traditional distributed denial-of-service attack with a large-scale botnet, the hackers used SQL injection and Blind SQL injection attacks that exploited vulnerabilities in the MySQL databases that many servers rely on for their back-end databases. The advantage: Because such exploits stress the servers' processors, the hackers were able bring down their targets using a small number of attacking machines.

Carr confirmed that the attack technique was more than just unusual. "It is unique. It also demonstrates an adaptive process and shows that nationalist hackers are aggressively improving their types of attacks," he said. Security researcher Billy Rios was instrumental in uncovering the attack tactics, Carr added.

The fact that the hackers used such exploits, the group concluded, was another clue that preparations may have begun long before the two countries' military forces engaged. "It shows planning, organization, targeted reconnaissance and evolution of attacks," the report stated.

Next on the group's agenda, said Carr today, is a more in-depth investigation into Russian hacking groups and their involvement in cyberwarfare. He declined to get more specific, however.

"Our belief was that if you got a group of intelligent people together and involved and turned them loose -- with no crap -- and trusted in their knowledge and motivation, then what would the end result look like?" Carr said. "Why not try it?"

Project Grey Goose's report can be viewed on several sites, including Scribd.com.

Copyright © 2008 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon