The Washington Times - Thursday, July 31, 2008

The Web site of President Mikhail Saakashvili of Georgia was brought down last week by hackers apparently based in Russia, the latest in a string of cyber-attacks suffered in neighboring countries experiencing friction with Moscow.

The attack was monitored by several U.S. Internet-watch operations, including the center run by the Department of Homeland Security’s (DHS) Computer Emergency Response Team (U.S.-CERT).

An official at U.S.-CERT, who was authorized to speak to the media but not to give his name, said the center was “not involved in any response,” but had passed information about the incident, called a distributed denial-of-service attack (DDOS), to DHS intelligence analysts.

The official said the attack did not look like a prelude to, or opening salvo in, any wider assault. “We don’t think it is part of anything larger,” he said.

DDOS attacks work by bombarding the server where the site is based with bogus messages and requests from networks of computers that, often unbeknownst to their owners, have been infected by malicious software and taken over by hackers.

Such bot-nets, short for robot-networks, can be rented from the hackers who run them, known as bot herders, and have been used before in cyber-war attacks like the one on Estonia last year.

The flood of messages makes the server unable to deal with legitimate Web traffic, so those trying to visit the site will experience abnormal delays and may not be able to reach it at all.

In Lithuania, 300 Web sites were defaced earlier this month after a law was promulgated banning the public display of Soviet-era symbols.

Estonian government Web sites were pounded by a massive series of DDOS attacks in April and May 2007, after a decision to move a monument honoring Soviet World War II soldiers. The attacks were believed to be part of a series of protests from Russia and ethnic Russians in Estonia.

Russia and Georgia have been feuding recently over Russia’s deployment in May of about 400 soldiers to Abkhazia, a separatist region in Georgia. Moscow supports the separatists, and officials in Georgia say Russia is attempting to annex the region.

A spokesman for the Georgian president denied to local news outlets that the cyber-attack took place.

“It’s not true; the Web site didn’t stop even for a minute over the weekend,” Vano Noniashvili told the Georgian Messenger.

But security analysts who tracked the attack on Mr. Saakashvili’s Web site say that it, along with other, unrelated sites hosted on the same server, was unreachable or cripplingly slow for up to 24 hours.

“It happened,” said Marcus Sachs of the SANS Institute, a nonprofit computer-security research outfit that runs a 24-hour watch operation known as the Internet Storm Center.

Mr. Sachs said incident handlers at the center saw the first reports of the attack posted by a volunteer security-monitoring operation called ShadowServer, but then independently confirmed the attack was in progress.

“We can see the commands being issued to the bot-net by its command-and-control server,” Steven Adair of ShadowServer said.

“This was the first and [so far] only attack command we have seen issued,” Mr. Adair said, adding the group had been “monitoring that bot-net for some time.”

“We didn’t expect it to be so interesting,” he said.

Mr. Adair and Jose Nazario, senior security researcher at Arbor Networks, confirmed that the president’s site, www.president.gov.ge, had been affected.

Mr. Nazario said that although the company providing Internet service to the U.S.-based command-and-control server had taken it offline shortly after the attack began, it was too late by then, because the slave computers in the bot-net already had received their attack instructions.

“That didn’t stop the attack,” he said. “The attack stopped when it was over.”

Neither Mr. Noniashvili nor his deputy responded within 24 hours to an e-mail request for clarification. Officials at the Georgian Embassy in Washington said the press spokesman was out of the country, and no one could add anything to the spokesman’s denial.

One reason officials are sometimes reluctant to talk about such incidents is that, since bot-nets can be rented anonymously, there is often no way to tell who is really behind a cyber-attack.

Mr. Nazario noted that the bot-net commands contained the phrase “Win love in Russia,” which he said was “a not very subtle way to leave no doubt about where they came from.”

Mr. Adair said the registration information for the Internet domain controlled by the command server gave a Russian contact address. “The WHOIS contact information was in Russia,” he said, referring to the massive database that lists the occupant of every piece of Internet real estate.

But Mr. Adair acknowledged it is easy to provide bogus information in the database, and that cyber-criminals often do so.

One Internet-security analyst, who was in Russia at the time, said Russian network specialists were of the opinion that Ukraine was behind the attack and was trying to pin the blame on Russia.

“Attribution is always a problem,” Mr. Nazario said.
