Eugene Kaspersky once told a competitor to his face: "I will eat you."
Eugene Kaspersky (Credit: Kaspersky Lab)
The co-founder and CEO of Kaspersky Lab was certainly not into cannibalism, but he was hell-bent on winning the majority market share his competitor held in the company's home market of Russia.
That was in 1995, the year Windows 95 was launched. Contrary to Kaspersky's strategy to develop new software optimized for the Microsoft operating system, its domestic rival saw no need to do so. Today, Kaspersky has the pleasure of saying he had the last laugh since his company is now the market leader in Russia while its competitor has less than 1 percent share.
In Singapore this week for an Interpol conference and customer and media meetings, the 44-year-old Russian spoke candidly in an interview with ZDNet Asia about the security strategy of Microsoft, how cybercrime should be combated, and why an Internet "passport" would be a good idea.
Read more in a Q&A with Kaspersky at "Microsoft OneCare was 'good enough'" on ZDNet Asia.
The Georgian blogger whose Twitter, Facebook, and YouTube accounts were targeted in denial-of-service attacks on Thursday, says he thinks Russia's federal security service is behind it.
"These hackers were from the Russian KGB," the blogger, who uses "Cyxymu" on his accounts, wrote in a tweet early on Friday, adding later: "My Twitter is online! Thank you all for support after the cyber attack from Russia!"
Because of the difficulty in tracing distributed denial-of-service (DDoS) attacks back to the source, unless someone takes credit for the attack or brags about it to online associates, it's nearly impossible to determine exactly who was responsible.
Cyxymu is identified by The Guardian as a 34-year-old economics lecturer named Georgy from Tbilisi, Georgia. His blog postings are critical of Russia's dealings with the Caucasus region, and his screen name is a Latinized version of the spelling of Sukhumi, the capital of Abkhazia, a breakaway Georgian republic.
"Maybe it was carried out by ordinary hackers but I'm certain the order came from the Russian government," he is quoted as saying. His LiveJournal account was attacked last year, as well, according to the report.
The DDoS attacks came on the eve of the one-year anniversary of a significant military clash between Russia and Georgia, which have had an ongoing conflict. In the 2008 South Ossetia war that began on August 7, 2008, Georgia attempted to retake control of South Ossetia and Russia launched air strikes against Georgia.
"When the war started in South Ossetia last year I couldn't avoid being drawn into politics," the blogger said.
The Georgian government is investigating potential links between its citizen and the attacks, and there are suspicions that the attack came from Russia, Shota Utiashvili, head of the Department of Information and Analysis at the Ministry of the Interior, told CNN.
Twitter was down for hours on Thursday during the attack, and LiveJournal suffered an outage. Facebook, and Google--whose Blogger, Google Sites, and YouTube were also affected--were able to fend it off.
Whoever was behind the attack may also be responsible for a spam e-mail campaign launched before the DDoS attack and targeting the blogger's accounts. In that attack e-mails were sent out that looked like they came from the blogger and included hyperlinks to his accounts on the targeted sites. A Facebook spokesman and others said that a spam attack would not have been effective enough to cause a DoS outage.
On his Blogger account the Georgian posted a copy of a Russian language news article in which he himself says the spam attack did not cause the DDoS attacks.
The Cyxymu accounts were back up on Friday on Twitter and Facebook (where he's a fan of John McCain), but his LiveJournal account appeared to still be inaccessible though a cached version was available on Google. His YouTube account, meanwhile, never went down.
This story was originally published at CBSNews.com.
Somewhere deep in Washington's national security apparatus, more than a few old-timers surely pine for the clarity of the Cold War. Black versus white, American versus Russian, spy versus spy--the good old days.
Now, however, they face more ephemeral threats from shadowy foes that prefer to cloak their identities.
"There's a cyberwar going on," said Ed Giorgio, who spent nearly 30 years with the National Security Agency before starting an IT security consultancy in 2007. The problem, he says, is that identifying an online adversary isn't as easy as pinpointing an enemy tank formation.
"Adversaries are just as likely to be nationalists as they are likely to be countries," said Giorgio, echoing a theme that cybersecurity experts say is likely to shape the Pentagon's approach to building Internet defenses in an increasingly networked world.
The extent of the problem was hinted at earlier in the day by Defense Secretary Robert Gates. In an upcoming 60 Minutes interview, Gates told CBS News anchor Katie Couric that the United States is "under cyberattack virtually all the time, every day" and that his department will more than quadruple the number of experts to battle cyber attacks.
Last summer, Sen. Barack Obama's presidential-campaign computers came under cyberattack from an "unknown entity." His machines weren't alone; John McCain's computers were also attacked, according to a report appearing Wednesday on the site of Newsweek magazine.
The Obama attack was initially thought to be a piece of malware downloaded from a phishing site. Newsweek reports that "the next day, both the FBI and the Secret Service came to the campaign with an ominous warning: 'You have a problem way bigger than what you understand,' an agent told them. 'You have been compromised, and a serious amount of files have been loaded off your system.'"
The McCain campaign's computer system was also compromised over the summer. Newsweek confirmed with a top McCain official that the FBI had become involved. A federal investigation into both attacks is under way.
According to Newsweek Editor at Large Evan Thomas, the FBI and White House officials told the Obama campaign that a foreign entity or organization was likely responsible, not political opponents. Independently, Obama technical experts have speculated that the hackers were Russian or Chinese. The files accessed appear to be policy-related and thus potentially useful in future negotiations with a new presidential administration.
Earlier this year, during the primaries, an online prank had the Obama campaign site redirected to Sen. Hillary Clinton's campaign site.
The Newsweek report is part of a special edition that will be on newsstands November 6 through 16, and online November 5 through 7.
When political tensions flared last month between Georgia and its large neighbor to the north, the country was ready to block Internet traffic from Russia, hoping to avoid the denial-of-service attacks that shut down Internet service in Estonia for several days in 2007. Instead, most of the DoS attacks that were directed against Georgia came from an unlikely place: the United States.
"Russia is one of the most capable countries when it comes to launching system intrusion hacking attempts, distributed denial-of-service attacks, and operation of botnets," said Don Jackson, director of Threat Intelligence for SecureWorks. "Yet you'll notice the number of attacks coming from Russia are very low."
SecureWorks on Monday released a list ranking the countries with the most infected computers enlisted for use with botnets. On that list, Russia ranks 7th, far behind the United States, China, Brazil, South Korea, Poland, and Japan. The reason Russia is so low, Jackson said, is that hackers from Russia don't attack from within Russia.
Instead of attacking using Russian IP addresses, Jackson said, the hackers who wanted to attack Georgia used "computers and control servers located in Turkey while the bots (the infected computers) that they controlled were mostly in the United States."
In Wednesday's edition of the Daily Debrief, CNET security expert Robert Vamosi and I discuss the latest exchange of cyberattacks between warring countries Russia and Georgia. It has been concluded that the initial attacks on the Georgian president's Web site were not the work of another government or sanctioned agency, but rather of amateurs whose country of origin is still unknown. Regardless, the Web site of a Russian newspaper has since come under attack in retaliation, most likely at the hands of Georgians.
As Vamosi points out, there've been a handful of such attacks over the last decade: during the Kosovo conflict in the late '90s, between Russia and other former Soviet nations, and even during the 2002 Winter Olympics. Vamosi is also quick to mention that the United States, among other countries, is starting to develop contingency plans if a cyberattack were to happen on our soil, or rather, on any U.S. domains.
Initial information suggests that Internet attacks on Georgian Web sites over the last two weeks are the work of kids, according to one researcher, while another says the intensity of these attacks is short-lived when compared with attacks in Estonia last year.
In an e-mail to CNET News, Gadi Evron, founder of the Zero Day Emergency Response Team, said that "although the impact on their Web sites is clear, I believe this may end up being just some kids who got overexcited, with Georgia being ill-prepared to say the least."
Posting on CircleID, Evron wrote that there are botnet attacks against .ge Web sites, but the Internet infrastructure doesn't appear to be directly attacked. "Not every fight is warfare," wrote Evron. "While Georgia is obviously under DDoS attacks and it is political in nature, it doesn't so far seem different than any other online aftermath by fans. Political tensions are always followed by online attacks by sympathizers."
In May 2007, the Baltic nation of Estonia was attacked online and its Internet infrastructure crippled.
On Tuesday, Jose Nazario of Arbor Networks offered in a blog more information on the strength and duration of the attacks. "Compared to the May 2007 Estonian attacks, these are more intense but have lasted (so far) for less time. This could be due to a number of factors, including more sizable botnets with more bandwidth, better bandwidth at the victims, changes in our observations, or other factors."
Nazario also said that there is evidence that the Georgians had responded by attacking a Russian newspaper Web site.
This graphic shows the flow of botnet commands targeting Georgian Web sites. (Credit: Arbor Networks)
Researchers studying botnets have reported an increase in attacks on Georgian Web sites, including that of the country's president, within the last two weeks. While the attacks--Web site defacement and denial-of-service packet floods--are reminiscent of the Internet attacks waged against Estonia in May 2007, Jose Nazario, security researcher for Arbor Networks, told CNET News that he's seeing evidence that Georgia is apparently fighting back, attacking at least one Moscow-based newspaper site.
As to the source, Nazario said that "almost all of the attacks are broadly and globally sourced. One attack appears to be very narrowly focused, possibly someone with some basic ping flood scripts." He said the exact tools being used had not been determined.
In a presentation at July's Usenix conference in San Jose, Calif., Nazario said Internet wars make for a "great, level playing field" because they're inexpensive to mount.
He also pointed out that Internet-based wars did not start last year with Estonia. He cited earlier episodes: attacks on Kosovo during its civil war in the late 1990s; Israel-Pakistan hacking, which peaked in the fall of 2000; and the 2002 Winter Olympics, when a South Korean speed skater was ejected from a competition.
More recently, he said, there were attacks on Ukraine in the fall of 2007; attacks by Chinese nationals on CNN.com in April 2008; and attacks on the Democratic Voice of Burma in July. Also in July, hundreds of Web sites were attacked in Lithuania.
Internet wars do make for plausible deniability; we may never know who's ultimately responsible (governments or agitated nationals) for these attacks. In each of these cases, Nazario said, "I can't go and talk to these people, so I have to infer what their intent was."
The Georgian embassy in the U.K. has accused forces within Russia of launching a coordinated cyberattack against Georgian Web sites, to coincide with military operations in the breakaway region of South Ossetia.
Speaking to ZDNet UK on Monday, a Georgian embassy spokesperson said that Web sites had been unavailable over the weekend, claiming this was due to Russian denial-of-service attacks.
"All Georgian Web sites have been blocked," said the spokesperson. "Georgia is working on redirecting Web traffic."
At the time of writing, the Web site for the Ministry of Defense of Georgia was unavailable for viewing from the U.K. The Web sites for both the Georgian presidential office and the Ministry of Foreign Affairs of Georgia were available, but the spokesperson said this was due to Georgian redirection work.
"They are new (Web sites)," said the spokesperson. "It was impossible two days ago (to access them)."
However, the spokesperson acknowledged that, as yet, Georgia could not confirm that Russia had been responsible, as the causes were still "under investigation." But the spokesperson asked: "Who else might it be, though?"
In 2007, disruptions of Internet service in Estonia--like Georgia, formerly a political division of the Russia-dominated Soviet Union--prompted talk of those events as possibly the first-ever cyberwar. The exact nature of the disruptions, and who might be to blame, proved hard to pin down.
The Russian embassy in London said it had no information regarding cyberattacks against Georgia, but insisted there had been no military attack against Georgia. "I'd like to draw attention to a misunderstanding," said a Russian embassy spokesperson. "There is no Russian (military) attack. There is peace enforcement in South Ossetia."
According to a post on the Web site of the president of Poland, Lech Kaczynski, the Russian government blocked Georgian Web sites to coincide with "military aggression."
"Along with military aggression, the Russian Federation is blocking Georgian internet portals," read a statement on the Polish presidential Web site. "On request of the president of Georgia, the president of the Republic of Poland has provided the Web site of the president of Poland for dissemination of information."
One of the statements made by the Georgian government on the Polish presidential Web site accused the Russians of bombing the port of Poti on the Black Sea, "far from South Ossetia," and of sending warships into the area.
"(Poti) serves as a vital energy-transit route to Europe," read the statement. "Over the past 48 hours, Russian forces have killed over 100 Georgian civilians and soldiers, after targeting residential complexes in Georgia, as well as airports, bases, and other vital infrastructure."
A "full cybersiege"?
The RBN Web site, which normally attempts to track the activities of the criminal Russia Business Network, kept a running commentary of technical developments over the weekend.
On Saturday, the RBN blog, which is run by security researcher Jart Armin, claimed there was a "full cyber-siege" of Georgia. The RBN blog post claimed that the Russia-based servers AS12389 Rostelecom, AS8342 Rtcomm, and AS8359 Comstar were controlling all traffic to Georgia's key servers.
According to the blog, German hackers managed to route traffic directly to Georgia through Deutsche Telekom's AS3320 DTAG server for "a few hours" on Saturday, but this traffic was intercepted and rerouted through AS8359 Comstar, which is located in Moscow.
The RBN Web site also warned users not to trust any Web sites that appeared to be maintained by the Georgian government but did not have any statements about the weekend's hostilities, as these had likely been intercepted and altered.
Security organization the Shadowserver Foundation reported in an update to an earlier blog post that it was also seeing cyberattacks directed against ".ge" sites, with the Georgian Web sites being hit with HTTP floods. Shadowserver reported that the command-and-control server being used to launch the attacks was located in Turkey.
In July, Shadowserver security volunteer Steven Adair reported that the president of Georgia's Web site had suffered a denial-of-service attack following a buildup of hostilities between Russia and Georgia over South Ossetia.
Tom Espiner of ZDNet UK reported from London.
Background information provided by CNET's Rob Vamosi