August 13, 2008
Georgian Attacks: Remember Estonia?
Yet another update regarding the ongoing Georgian cyber attacks. For those that don't realize the significance of this some botherders and do-it-your-self hacktivists have pretty much succeeded in taking most of Georgia's government news outlets off line. Most of the gov.ge sites have now regrouped on the Blogspot platform but there are some residing on other providers.
I have been following this very closely and working with others to get a better picture of what is happening. The results of those efforts are being updated over at the Shadowserver news wiki but I'll repost it below the break for your convenience.
Here is the latest update:
Georgia and Estonia Have Something New in Common
Since last Friday (August 8, 2008) a large number of Georgian websites, both government and non-government alike, have come under attack. There has been a lot of speculation about whether or not foreign governments were involved in the attacks or if it is just the work of outraged citizens taking the action on their own. While no one could really say for sure who was behind the attacks, one thing was clear--the attacks were having a devastating impact on their targets. Even at this very moment, several Georgian websites are still unreachable.
We have been seeing constant distributed denial of service (DDoS) attacks against Georgian website from various command and control (C&C) servers since last Friday. In fact they were still on going. However, we have not observed an attacks against several of the different websites that are currently offline. While we of course do not have in sight into all DDoS attacks, we were still surprised to see these sites offline and not have observed any traffic destined for them. We were not real sure why this was until today.
Additional Attack Information
Shadowserver has received reliable information that one of the Georgian government websites was being attacked by dozens of Russian computers from several different ISPs throughout the country covering both dialup and broadband users. The traffic destined for the website is overwhelming ICMP traffic. Did we dare say Russian? Yes we did, however, let's be clear here: we were not pointing fingers and we are absolutely not implicating any government involvement (no reason to suspect this).
What does it mean though? Lots of Russians host and lots of ICMP traffic. Could this be a botnet that instructed all of its hosts to send an ICMP flood to the destination? Possibly. However, usually botnets are widely dispeared in several geographic locations. Why on earth would be see such an overwhelming amount of Russian hosts?
Is it possible the same thing that happened to Estonia is happening to Georgia? To put it quite simply, the answer is yes.
The Grass Roots Effect
Lots of ICMP traffic and Russian hosts sounds a lot more like users firing off the 'ping' command and a lot less like some evil government controlled botnet. It did not take us long to find out what is going on. Much like in the attacks against Estonia, several Russian blogs, forums, and websites are spreading a Microsoft Windows batch script that is designed to attack Georgian websites. Basically people are taking matters into their own hands and asking others to join in by continually sending ICMP traffic via the 'ping' command to several Georgian websites, of which the vast majority are government.
The following text is a redacted version of the script being posted:
@echo Call this file (MSK) 18:00, 20:00
@echo Thanks for support of South Ossetia! Please, transfer this file to the friends!
We have removed the actual commands and parameters of the script to avoid being a distribution point for it. However, you can see the raw list of targets that are being spread across the websites. This script has been posted on several websites and is even being hosted as "war.rar" which contains "war.bat" within it on one site. It would appear that these cyber attacks have certainly moved into the hands of the average computer using citizen.
It appears evident that the average user is now getting involved and helping to attack Georgian websites. We do not know the size of the attack, but with many most likely sympathetic and the message spreading from blog to blog and forum to forum, it might not slow any time soon. Whether it is through the use of a botnet or a personal machine, it is quite clear what kind of effect these attacks can have on an infrastructure that is unable to fend them off. We will continue to monitor the situation and report back any developments we observe.
Cross Posted at The Black Flag.