Inside Cyber Warfare - Jeffrey Carr [82]

a new agreement with the US government for the continued use of the Manas airbase to transport supplies to Afghanistan. The price tag? $60 million for one year, more than triple the old rate.

In the face of such lengthy and complex negotiations, a tiny DoS attack that lasted for only a few days hardly seems like an instrument of Kremlin policy in this particular case.

In addition to these two possible explanations, a third may be a dispute between competing ISPs operating within the country. This possibility was recently presented to the author by a colleague who visited Kyrgyzstan and spoke personally with the parties involved.

A final lesson on the Kyrgyz DoS attack of 2009 is the value of alternative analysis, particularly on all questions of attribution.

Team Cymru and Its Darknet Report


“Who is looking at your SCADA infrastructure?”, a briefing paper that Team Cymru published in early 2009, looks at scans that they spotted in a region of cyberspace where such scans should not have been occurring (i.e., no active services or servers reside there), and therefore any activity or traffic there is deemed malicious to some degree. They referred to this region as a “darknet.” As explained in the briefing paper, “Traffic entering a Darknet normally comes from scans generated by automated tools and malware, looking for vulnerable ports with nefarious intent.” The ports in question belong to Supervisory Control and Data Acquisition (SCADA) systems.

SCADA systems are typically used by utility companies, nuclear power plants, water treatment systems, communications systems, and various industrial processes. Although these systems do have safeguards, they remain vulnerable to a variety of cyber attacks for a number of different reasons. A complicating factor in safeguarding them is the antiquity of the software employed, in some cases dating as far back as the 1970s. More modern SCADA software has updated security, but it relies on the public Internet. Generally speaking, attackers will scan for vulnerabilities and tailor their attacks based on what they find.

Team Cymru researchers recorded the IP addresses of the machines generating these port scans and identified a geographical location for each using traceroute (see Figure 9-4):

USA

The two main hotspots for scanning appear to emanate from IPs located in Houston, Texas, and Miami, Florida.

Western Europe

There are hotspots in London, United Kingdom, Seville, Spain, and locations in Scandinavia and Southern France.

Eastern Europe

Hotspots in this region include St. Petersburg and Moscow, as well as a location in the Ukraine and Bucharest, Romania.

Far East

By far the most concentrated grouping of hotspots, the Far East contains concentrations of SCADA-scanning IPs in Thailand, Hong Kong, Taiwan, Korea, Japan, and several locations in China.

The authors of this report believe that the scans are being generated by infected computers, hence the geolocation of scanning IPs should not be construed as evidence of espionage activities by a foreign government or nonstate actor from that region. The preceding information refers to scans of the following SCADA-associated ports: udp/20000, tcp/502, udp/2222, and tcp/44818.

Figure 9-4. Geographic origins of darknet scans for 2008
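The darknet technique described above rests on a simple rule: any packet arriving at an address range that hosts no services is suspect, and packets aimed at SCADA ports are of particular interest. The following Python script is an added illustration of that triage step and is not code from Team Cymru or from the book. It assumes a constructed sensor range (203.0.113.0/24, an RFC 5737 documentation prefix), a constructed flow-record format of the form `timestamp src -> dst proto/port`, and a handful of made-up log lines; the four port numbers are the ones the report names, and the protocol labels attached to them (DNP3, Modbus/TCP, EtherNet/IP) are added here from the well-known port assignments rather than from the page.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed darknet range: a prefix with no legitimate services, so any
# traffic reaching it is unsolicited (RFC 5737 TEST-NET-3, used as an example).
DARKNET = ipaddress.ip_network("203.0.113.0/24")

# The SCADA-associated ports listed in the Team Cymru report. The protocol
# labels are added here from the standard port assignments (not from the report).
SCADA_PORTS = {
    ("udp", 20000): "DNP3",
    ("tcp", 502): "Modbus/TCP",
    ("udp", 2222): "EtherNet/IP (implicit messaging)",
    ("tcp", 44818): "EtherNet/IP (explicit messaging)",
}

# Constructed flow-record format assumed for this example: "ts src -> dst proto/port".
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)\s+(?P<proto>tcp|udp)/(?P<port>\d+)$"
)

# Constructed sample records: two hosts probing SCADA ports, one probing an
# unrelated port, one packet that never touches the darknet, and one malformed line.
SAMPLE_LOG = """\
2008-11-03T10:15:22Z 198.51.100.7 -> 203.0.113.45 tcp/502
2008-11-03T10:15:23Z 198.51.100.7 -> 203.0.113.46 tcp/502
2008-11-03T10:15:24Z 198.51.100.7 -> 203.0.113.47 tcp/44818
2008-11-03T10:16:01Z 192.0.2.19 -> 203.0.113.8 udp/20000
2008-11-03T10:16:02Z 192.0.2.19 -> 203.0.113.9 udp/2222
2008-11-03T10:16:40Z 192.0.2.200 -> 203.0.113.100 tcp/445
2008-11-03T10:17:00Z 192.0.2.200 -> 198.51.100.1 tcp/502
this line is malformed and must be skipped
"""


def parse_record(line):
    """Parse one flow record; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "proto": m["proto"],
        "port": int(m["port"]),
    }


def classify(record):
    """'ignore' if the packet never reached the darknet; otherwise the SCADA
    service label for a listed port, or 'other' for any other darknet hit."""
    if record["dst"] not in DARKNET:
        return "ignore"
    return SCADA_PORTS.get((record["proto"], record["port"]), "other")


def summarize(lines):
    """Count darknet hits per source address and per service label."""
    per_source = defaultdict(Counter)
    per_service = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        label = classify(rec)
        if label == "ignore":
            continue
        per_source[str(rec["src"])][label] += 1
        per_service[label] += 1
    return per_source, per_service


def top_scada_scanners(per_source, n=3):
    """Sources ranked by number of SCADA-port probes, most active first.
    As the report notes, these are most likely infected hosts to be cleaned up
    or blocked, not evidence of who is behind the scanning."""
    scores = {
        src: sum(c for label, c in counts.items() if label != "other")
        for src, counts in per_source.items()
    }
    ranked = sorted(((s, v) for s, v in scores.items() if v > 0), key=lambda x: (-x[1], x[0]))
    return ranked[:n]


if __name__ == "__main__":
    per_source, per_service = summarize(SAMPLE_LOG.splitlines())
    for service, count in per_service.most_common():
        print(f"{count:4d}  {service}")
    print("top SCADA scanners:", top_scada_scanners(per_source))
```

Two design points carry over from the report. First, destination filtering comes before port matching: a Modbus probe sent to a production address is not darknet evidence and is dropped as `ignore`, which keeps the signal clean. Second, the ranking function deliberately produces a list of source hosts, not a list of actors; geolocating those sources (the report used traceroute) tells you where the infected machines sit, which is the right starting point for notification and cleanup rather than for attribution.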

Using WHOIS


Any time an individual or company seeks to register a URL, they are legally required to provide accurate identifying data (name, address, contact information). This is an ICANN requirement and is enforced by many of the legitimate providers of domain registration services. Unfortunately, not all providers perform their watchdog duties as well as they should, including ICANN itself (although their rate of fraudulent registrations has decreased recently).

In the case of StopGeorgia.ru, the domain was registered to an alias that appeared on numerous spam sites (see Chapter 7). This works well with domain registration services that do not perform verification checks on all new applications.
