Wednesday, September 26, 2012

There was no Georgia cyber-war

A common feature of "cyber-war" discussion is the 2008 event where Russia attacked the country of Georgia with "cyber" attacks coordinated with military attacks. However, there's no evidence the cyber attacks were by the Russian government, or that they were anything more than normal "citizen hacktivism".

Georgia looms large in "cyber-war" rhetoric because people believe they have a smoking gun in the way that "the cyberattackers appear to have had advance notice of the invasion and the benefit of some close cooperation from a state organ". But that's not really what happened. The conflict didn't start with a surprise attack by Russia. Instead, the attack by Russia was the result of escalating tensions over weeks, and was in direct response to the Georgian invasion of the province a day prior. Both the cyber-attacks and military attacks happened at roughly the same time because both were in reaction to the same events.

Russian hacktivists are involved in all of Russia's conflicts, both internal and external. This leads to an "Occam's Razor" situation. We know that Russian hackers would DDoS and deface Georgian websites anyway; we have the forum posts pointing to this. When the Russian people get upset, they launch DDoS from their personal machines, and from the botnets run by the criminal gangs. Russian hacktivism explains the attack; adding "government direction" is superfluous.

Moreover, the other evidence points to hacktivists rather than military strategists. The attacks had no military value. Hackers went after high-profile sites. Sure, they impacted Georgian infrastructure, but that was only a side effect. When those sites were moved out of the country, the DDoS attacks followed them, instead of continuing to hit Georgian infrastructure.

The situation is a lot like the paranoid conspiracy theories in the Muslim world that America must've been behind the "Innocence of Islam" film. It's because they can't conceive of things like that happening without state sponsorship. This stupidity is exploited by those who want to cause riots. In much the same way, those who wish to fan the flames of cyberwar exploit the sentiment that DDoS/defacements must be directed by a nation state.

When I bring this up, people demand that I present evidence to the contrary, as if it's up to me to prove that the Russian government wasn't involved. That's like demanding evidence that there are no UFOs. I'm not trying to prove that the Russian government wasn't involved, I'm simply pointing out that there is no evidence of their involvement. We know such cyber attacks come with all major conflicts, but attribution of those attacks is still speculation. Indeed, I would be unsurprised to find out that the Russian government was involved -- I'm just saying that no evidence of this has yet been published.

Cyberwar is a serious thing. Sadly, most people pounding the drums of cyberwar are the non-serious type. How they approach the Georgia DDoS attacks is a good litmus test for their seriousness.

Update: The Stratfor article on the event is a good example of how this nonsense works. It starts with the text: "Russia's offensive against Georgia began not with tanks or fighter jets, but in cyberspace. ...Georgian government and media Web sites began to crash the night of Aug. 7 -- well before Russian troops emerged ... in the breakaway republic of South Ossetia the following morning"

What this article leaves out is how Georgia had invaded South Ossetia on August 7, and how the cyber attacks were in response to that invasion (as well as in retaliation for Georgian hackers attacking Russian sites), and not a prelude to a surprise attack. Likewise, the Stratfor article points out that the website of the Georgian President had been DDoSed on July 20. This ignores the fact that the conflict had already heated up, with South Ossetian separatists having shelled Georgian forces on June 14, and Russian jets having overflown South Ossetia on July 9. The point is: these cyberattacks didn't happen in a vacuum, but were most likely the normal hacktivist response to events in the news.

Update: Some Wikipedia references:
http://en.wikipedia.org/wiki/Cyberattacks_during_the_2008_South_Ossetia_war
http://en.wikipedia.org/wiki/2008_South_Ossetia_war
http://en.wikipedia.org/wiki/Georgia%E2%80%93NATO_relations
http://en.wikipedia.org/wiki/South_ossetia
http://en.wikipedia.org/wiki/Georgian%E2%80%93Ossetian_conflict

Some "analysis" of the Georgia cyber attacks:
http://usacac.army.mil/CAC2/MilitaryReview/Archives/English/MilitaryReview_20111231_art013.pdf
http://www.scribd.com/doc/6967393/Project-Grey-Goose-Phase-I-Report
http://www.scribd.com/doc/13442963/Project-Grey-Goose-Phase-II-Report

13 comments:

Anonymous said...

According to a few Georgians tasked with defending their networks whose presentation I attended they were pretty much attacked with geographically selective attacks and so forth. DDoS was not the gist of the problem as they managed to track down one of the perpetrators to his own computer (by using a dir traversal attack on one of the botnet admin panels). It turned out to be some important general's son if I recall it correctly.

That said; there's a DDoS factor, but the land attack was synchronized to the net as well.

Robert Graham said...

If you could cite actual evidence instead of rumors, that would be nice.

krypt3ia said...

Actually Rob, the same could be said to you. I see no proof of your contention as well. Citation of data please?

Robert Graham said...

I'm not sure what you want me to cite. I can't cite any source saying there is a lack of evidence of UFOs, either. All I can do is point out that there is no evidence of UFOs.

There is no published evidence that the Russian government/military was behind the Georgia cyberattacks, either. The only evidence that anybody has shown is that since they happened at the same time, they must've been synchronized, which is a bogus argument.

pjt said...

This comment has been removed by the author.

decius said...

To summarize the arguments:
1. The DDOS attacks unfolded in conjunction with military activities, suggesting coordination.
2. The speed at which attacks took place suggests that they were prepared in advance.
3. The DDOS attacks targeted entities that would typically be military targets, but the military did not bother to target the DDOSed entities, which suggests that they didn't think that they needed to because the DDOS attacks were effective.

I do not know where to obtain the raw data to substantiate these arguments, but they are a lot more specific than a general observation that the attacks happened at the same time.

http://www.registan.net/wp-content/uploads/2009/08/US-CCU-Georgia-Cyber-Campaign-Overview.pdf

Robert Graham said...

"The speed at which attacks took place suggests that they were prepared in advance."

That's not true. It's one of those things non-serious people cling to in order to justify their cyberwar conspiracy theories, but it's just not true.

In fact, if that were so, it'd prove the OPPOSITE of your theory. Russia's actions were in response to Georgia's provocations. Russia didn't have a plan, Georgia did. Russia didn't plan their physical attacks, which means if cyber attacks were planned, there's no reason to think the government planned them.


slw said...

Any military has several attack plans prepared for any country they expect to come in conflict with. Just because your actions are in response to something does not mean you can't have a plan prepared well in advance.

That being said, I doubt DDoS is in very many of those prepared plans. It's far easier for one of your on-ground spies to rent a backhoe and "accidentally" cut some cable. More effective than DDoS.

Cyberwarfare seems to be primarily effective for espionage and sabotage. For infrastructure damage meatspace attacks generally give you more bang for your buck.

Unknown said...

I agree with Robert and think these points are, at best, spurious-

1. The DDOS attacks unfolded in conjunction with military activities, suggesting coordination.
More accurately, the attacks unfolded coincidentally with military activities, on its own suggesting nothing but coincidence. Everyone talks about Santa Claus throughout the month of December, and on the 25th presents arrive under the tree... proof that Santa exists?!?!? Maybe for children :)

2. The speed at which attacks took place suggests that they were prepared in advance.
How 'slow' are 'attacks' supposed to be before they are viewed as non-state-sponsored? Do hacker gangs need to spin up their FTL's or something? It's not like two unfriendly nations that share a border don't also have populations that contain a criminal element that easily know what would be vulnerable online... that criminal element that derives its revenues from attacking all day long online, no less.

3. The DDOS attacks targeted entities that would typically be military targets, but the military did not bother to target the DDOSed entities, which suggests that they didn't think that they needed to because the DDOS attacks were effective.
The DDOS attacks hit a variety of different sites in the Georgian infrastructure, and the Russian military stuck to the hard targets it hit because of the conventional military wisdom that prevailed over their ground strategy. That a DDOS took down important websites, but the military didn't follow-up by hitting their hosting facilities is ridiculous in terms of suggesting that this was a coordinated event. It's not like tank commanders and Spetsnaz were told to hold off hitting certain buildings because the DDOS attacks were successful.

I think the disagreement with Robert is due to confusion- he's not saying there wasn't some sort of coordination. He's saying there was no evidence of it. And there would not be evidence of it- the US never stated to everyone in a press conference, "We launched Stuxnet everybody, it was us!", and the Russians didn't have Google+ hangouts to plan any DDOS attacks they may have carried out against Georgia. To point to coincidental events as actual evidence is to show one's leap of faith in the matter, not to prove a logical conclusion at all. You want conjecture? Fine. You want proof? Look elsewhere.

Anonymous said...

I can now cite the actual evidence

decius said...

This is an old thread but it keeps coming back up again and again, so I think it's worth responding to some of the comments here.

First, Rob, you argue that Russia didn't have a plan. Of course they did. Every military has a plan for responding to high probability provocations by their neighbors.

Please read the document at the link I provided.

No, there is no evidence that the Russian Government was responsible for these DDOS attacks. But you guys go way, way beyond stating that there is no evidence. You make several factual assertions of your own that aren't supported by any data, such as the assertion that none of the targets had any military value, and you build upon those assertions to claim that the very idea that the Russian government may have been responsible is totally ridiculous and no serious people think that.

Plenty of serious people do think that, and they think it for reasons that are more nuanced than you give them credit for.

Rob, you've said this yourself. There is a real cyberwar. Those cyber actions often occur in conjunction with conventional warfare. That is exactly what the people on the other side of the debate are saying about this incident. That could be totally incorrect, but I think you dismiss it too readily.