
Inside Cyber Warfare - Jeffrey Carr [81]

forum was, after all, hosted on a US-based server in Plano, TX, but no one is suggesting that the US government was involved in the cyber attacks against Georgian government websites.

For the purpose of investigating cyber attacks, the path is not nearly as revealing as the source. In the case of the attack data provided by individuals from ASIAINFO in Kyrgyzstan, some of the IPs resolved to Russian sources; for example, 78.37.132.241 was one of many attacking IPs, and it resolved to an AS network in St. Petersburg, Russia. Another IP (83.167.116.135) originated with Comcor TV in Moscow. Yet another, 86.60.88.191, originated in Riyadh, Saudi Arabia, and is blacklisted by a number of spam-tracking organizations.

In addition to running a traceroute on an attacking IP, it’s important to look at the timeline of conditions taking place within the country that is experiencing a cyber attack. The following timeline was created to help determine attribution in the 2009 Kyrgyzstan DDoS attacks. As of this writing, there is still no confirmation as to the party or parties responsible. What follows is merely my hypothesis of the most likely culprit, as published on the IntelFusion blog in January 2009.

Timeline of political events


January 17: Prominent opposition leader detained in Kyrgyzstan

January 17: Political confrontation intensifies; opposition activists form new coalition United People’s Movement (UPM)

January 19: Two opposition leaders detained and charged

January 19: Russia presses Kyrgyzstan to close US base

January 20: Kyrgyzstan Opposition denied use of Parliament Press Center

January 21: Kyrgyzstan government targets opposition

January 22: Journalists ordered to file personal information

January 22: Kyrgyz Opposition Party denied registration

Analysis


The Kyrgyz cyber attacks during the week of January 18, 2009, fall right in line with an escalating series of repressive political actions by the Bakiev government against this latest attempt to form an opposition political party—the UPM. Bakiev should know, since it was the Tulip Revolution in 2005 (and the last time that DDoS attacks were utilized in Kyrgyzstan) that brought him to power.

Opposition leader Omurbek Tekebaev has pointed out the similarities between 2005 and 2009: “Both then and now, you could see people mistrusted those in power, who lacked moral authority. Both then and now, public opinion was completely controlled by the authorities, and there was persecution of journalists and dissidents, criminal persecution of political opponents,” he said in an IWPR article.

This appears to be a cyber operation for hire by the Bakiev government against its political opposition to control information access. The likely culprits are Russian hackers with moderate skill levels who regularly engage in cyber crime.

There is no evidence that the Russian government is directly involved; however, Moscow has complete control over the servers owned by JSC and Golden Telecom. To date, no action has been taken by the Russian Federation (RF) to deny access to these servers by Russian hackers.

Alternate views


Don Jackson of SecureWorks, an information and network services security provider based in Atlanta, GA, looked at the same evidence and came to a different conclusion. Jackson wrote in the SecureWorks Research blog on January 28, 2009, that the Kyrgyzstan DoS attack was a way for the Kremlin to influence Kyrgyz President Kurmanbek Bakiyev to close the Manas airbase, thus denying the US military effort in Afghanistan a key airport facility.

The problem with this alternate view is that the Kremlin had a much more powerful lever with which to influence the Bakiyev government: money. The Kyrgyz economy was being hard hit by the global economic crash of late 2008/2009, and the Kremlin offered an aid package of $2 billion US in loans if Kyrgyzstan were to close Manas. The Kyrgyz Parliament agreed, and US forces were to be out of the base by August 1, 2009.

As of this writing, there is yet a new twist. On June 25, 2009, the Kyrgyz parliament ratified
