Online Book Reader


Inside Cyber Warfare - Jeffrey Carr [13]

DoS tools and found them to be simple yet effective. Some forum members had difficulty using the tools, reinforcing that many of the forum members showed low/medium technical sophistication, but were able to carry out attacks with the aid of tools and pinpointed vulnerability analysis.

Counter-Surveillance Measures in Place


Forum administrators at both the well-known Russian hacker portal XAKEP.ru and StopGeorgia.ru were monitoring who visited their respective sites and kept an eye on what was being posted.

During one week of intensive collection activity at the XAKEP.ru forum, Project Grey Goose analysts experienced two incidents that demonstrated that operational security (OPSEC) measures were in effect.

Within hours after I discovered a post on XAKEP.ru that pointed to a password-protected StopGeorgia.ru forum named ARMY, that link was removed by the forum administrator.

After about a half-dozen Grey Goose analysts spent one week probing the XAKEP.ru forum for relevant posts, all US IP addresses were blocked from further forum access (a 403 error was returned). This lasted for about 10 days before the block was lifted.

The StopGeorgia.ru forum also had to fend off attacks from Georgian hackers who had temporarily taken down their forum and a “project site” from August 14 to 18, both of which were hosted on a US server owned by SoftLayer Technologies.

According to one conversation between two members of the StopGeorgia.ru forum (Alexander and CatcherMax), one Georgian hacker forum had over 10,000 members and blocked access to it from all Russian IP addresses. For that reason, members frequently discussed the use of various proxy servers, such as FreeCap.ru.

* * *

[1] Translated from the original forum post, which was written in Russian (Список первоочередных целей для атак опубликован на сайте: http://www.stopgeorgia.ru/?pg=tar По многим ресурсам в данный момент ведутся DDoS-атаки. Все кто может помочь - отписываем. Свои предложения по данному списку просьба оставлять в этом топике.).

The Russian Information War


The following document helps paint a picture of how Russian military and political officials viewed the cyber component of the Russia-Georgia conflict of 2008.

Anatoly Tsyganok is a retired officer who’s now the director for the Center of Military Forecasting at the Moscow Institute of Political and Military Analysis. His essay “Informational Warfare—a Geopolitical Reality” (http://en.fondsk.ru/article.php?id=1714) was just published by the Strategic Culture Foundation. It’s an interesting look at how the July and August cyber war between Russia and Georgia was viewed by an influential Russian military expert. The full article discusses information warfare, but this portion focuses on the cyber exchange:

Georgia was also the first to launch an attack in cyberspace. When Tskhinvali was shelled on August 8 the majority of the South Ossetian sites were also knocked out. Later Russian media including Russia Today also came under cyberspace attacks. The response followed shortly as the sites of the Georgian President, parliament, government, and foreign ministry suffered malicious hacks. The site of Georgian President Saakashvili was simultaneously attacked from 500 IP-addresses. When the initially used addresses were blocked, the attacks resumed from others. The purpose was to render the Georgia sites completely inoperable. D.D.O.S. attacks overload and effectively shut down Internet servers. The addresses from which the requests meant to overload sites were sent were blocked by specialists from the Tulip Systems, but attacks from new 500 addresses began in just minutes. Cleaning up after a cyberspace attack took an average of 2 hours.

Part of what’s so interesting about this excerpt is Tsyganok’s choice of words. He clearly states that Georgia launched a cyber attack against Russia first. This presents the attack as a state action rather than a civilian one. He then carefully states the Russian response, i.e., “the response followed shortly.” Since the subject of this exchange is two
