Georgia hackers strike apart from Russian military

Hacker attacks that accompanied the Russian military offensive in Georgia were not the work of the Russian government as Georgia claimed, but of a loose network that had previously targeted pornography and gambling sites, Internet experts say.

The first attack started just after 2 p.m. Greenwich Mean Time on Aug. 8 - more than 12 hours after Russian tanks rolled through the Roki tunnel into Georgia - according to the Shadowserver Foundation, a volunteer group that monitors hacker activity.

Within hours after fighting erupted, Russian hackers had established a site, StopGeorgia.ru, that showed a list of Georgian Web sites targeted and which sites had been brought down, and allowed visitors to download a simple program to enable their own computers to join the attack, said Kimberly Zenz, a Russia specialist with Internet threat intelligence outfit iDefense.

“My own view is that 90 percent of this is being done by volunteers,” she said in an interview.

Among the sites targeted was the Georgian parliament’s Web site, where hackers juxtaposed pictures of Georgian President Mikhail Saakashvili with images of Adolf Hitler. Georgian officials, including Mr. Saakashvili, charged that the Russian government orchestrated the assault.

The first attacks were launched by botnets - networks of personal computers that have become infected with malicious software and are controlled by hackers. Botnets are used to send spam e-mail or to bombard Web sites with fake visits, the technique used against Georgia, and known as a Distributed Denial of Service, or DDOS, attack.

Shadowserver volunteers logged six botnets involved in the DDOS attacks on Georgian government and news sites, each controlled by a different command server. “We have been tracking these servers for a while now, some for a year or more,” Shadowserver volunteer Mike Johnson said in an e-mail.

Mr. Johnson said the hackers’ prior targets were mostly Cyrillic language sites in the Russian .ru suffix and mainly “from the ‘seamier´ side of the Internet” including pornographic video, gambling and prostitution sites.

Miss Zenz said that fit the profile of botnets being rented out or otherwise used for extortion. “Those kinds of sites will pay, rather than go to the authorities,” she said.

She said Russian hackers also were distributing lists of e-mail addresses for Georgian officials and of Georgian Web sites with security flaws, encouraging others to get involved in hacking or sending spam or malware.

Georgian hackers appeared to have responded, Miss Zenz said, by taking down sites that provided news about the Russian-backed Georgian breakaway province of South Ossetia and in one case replacing the Web site´s content with a news feed from a pro-Georgian service.

At least two of the three major Georgian Internet service providers appeared to have blocked access to Russian .ru Web sites for their subscribers last week, she added.

Several Georgian officials and others involved in monitoring and responding to the cyberattacks failed to respond to e-mail queries Monday, or were unavailable for comment.

Russian officials last week denied Georgian charges that they were behind the attacks - a he-said, she-said scenario that has become familiar in a conflict where much is not clear.

“You have charges from both sides,” White House spokesman Gordon Johndroe told reporters Monday, referring to Russian allegations and Georgian counterallegations of ethnic cleansing. “We take these charges seriously and are going to look into them.”

Story Continues →