August 13, 2008

Republic of Georgia Cyber Attacks "Part Deux"

I posted about the ongoing attacks against Georgian resources on August 11th. Since that time a lot of the media have been getting on the "let's blame the Russian Business Network and Russian Government" bandwagon without really putting things into context. I mentioned the RBN in the original post as an unverified point of interest (RBN is worth reading up on whether or not it is involved in this).

To clarify a few points Shadowserver's "Mike Johnson" has updated the wiki with a post titled "Georgian Websites Under Attack - Don't Believe the Hype". It warrants reading as it lays out a bit more historical information on the botnets involved.

We have been tracking these servers for a while now, some for a year or more (and before you ask, yes we've tried to get them shut down, but with little co-operation), so we know their history. We have seen many different DDoS attacks from these particular C&C servers, but there doesn't seem to be any rhyme or reason to it. What does seem apparent is that the targeted sites don't strike me as being something a government would go after. Without listing the actual targets, they fall into the following broad categories:

* Adult video websites
* Prostitution websites
* White supremacy websites
* Carder websites (sites that trade in stolen credit card numbers)
* Online gambling websites
* Virtual currency websites (think PayPal, but not nearly that legitimate)
* Russian news websites
* Random Russian websites
* Many other websites

The DDoS attacks appear to be ongoing as of this morning (13 August 2008), and it is of note that the botnets involved continue to simultaneously attack other websites that do not belong to the Republic of Georgia.

Update: For more context see the Popular Mechanics interview with RBNexploit's Jart Armin.

