CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
August 12th, 2008

Coordinated Cyber Attacks Hit Websites Due To Russian-Georgian Conflict

Conflict between Georgia and Russia on the ground has been accompanied by the relaunch of cyber-attacks against Georgian government websites. The Georgian presidential (www.president.gov.ge) and other government websites (such as www.parliament.ge) were left inaccessible by assaults over the weekend, in a repeat of attacks in late July before tensions over the breakaway region of South Ossetia spilled over into armed conflict.

After a week of discussions on Russian Internet forums, a coordinated cyber attack has been launched against Georgia’s Internet infrastructure. The attacks have already managed to compromise several government web sites, with continuing DDoS attacks against numerous other Georgian government sites, forcing the government to switch to hosting locations in the U.S.: Georgia’s Ministry of Foreign Affairs moved to a Blogspot account.

The DDoS attack appears to be using a Russian malware variant from the Pinch family and a command and control server based in Turkey. Nationalist articles in Russian language papers are apparently inspiring Russia’s digital underground to get involved in assaults on Georgia’s web-facing systems.

Unconfirmed reports claim the notorious RBN (Russian Business Network) is behind the attacks and that Georgian internet servers were owned by foreign attackers on Thursday – the day before Russian tanks rolled into South Ossetia. The peak of the DDoS attack and the actual defacements started taking place as of Friday. Several Georgian state computer servers have been under external control since shortly before Russia’s armed intervention into the state commenced on Friday, leaving its online presence in disarray. While the official website of Mikheil Saakashvili, the Georgian President, has become available again, the central government site, as well as the homepages for the Ministry of Foreign Affairs and Ministry of Defence, remain down. Some commercial websites have also been hijacked.

The Georgian Government said that the disruption was caused by attacks carried out by Russia as part of the ongoing conflict between the two states over the Georgian province of South Ossetia. In a statement released via a replacement website built on Google’s blog-hosting service, the Georgian Ministry of Foreign Affairs said that a cyber warfare campaign by Russia is seriously disrupting many Georgian websites, including that of the Ministry of Foreign Affairs.

The DDoS attacks are so sustained that the Georgian President’s website has recently moved to Atlanta. The original servers located in the country of Georgia were “flooded and blocked by Russians” over the weekend, Nino Doijashvili, chief executive of Atlanta-based hosting company Tulip Systems Inc., said Monday. The Georgian-born Doijashvili happened to be on vacation in Georgia when fighting broke out on Friday. She cold-called the government to offer her help and transferred president.gov.ge and rustavi2.com, the website of a prominent Georgian TV station, to her company’s servers on Saturday.

More defacements of news sites and popular Georgian portals started taking place as well. Two news websites run by breakaway South Ossetia were hacked on Tuesday morning, officials from the secessionist authorities said. The front page of the website of the news agency, OSinform – osinform.ru – which is run by the breakaway region’s state radio and television station IR – retained the agency’s header and logo, but otherwise the entire page was featuring Alania TV’s website content, including its news and images. Alania TV is supported by the Georgian government, and targets audiences in the breakaway region. Another website of the breakaway region’s radio and television station, osradio.ru, was also hacked. Alania TV has denied any involvement, saying it was itself surprised to see its content on the rival news agency’s website.

Shortly after Civil.ge ran the story, it came under DDoS attack, and just like Georgia’s Ministry of Foreign Affairs it switched to a Blogger account in case the site remained unavailable. Moreover, the Shadowserver posted more details on the command and control servers used in the DDoS attacks:

With the recent events in Georgia, we are now seeing new attacks against .ge sites. www.parliament.ge & president.gov.ge are currently being hit with http floods. In this case, the C&C server involved is at IP address 79.135.167.22 which is located in Turkey. We are also observing this C&C as directing attacks against www.skandaly .ru. Traffic from your network to this IP or domain name of googlecomaolcomyahoocomaboutcom .net may indicate compromise and participation in these attacks.
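The Shadowserver note above gives two indicators (the C&C IP in Turkey and the C&C domain) and says that traffic to them from your network may mean a host is participating in the floods. The following is an added example, not code from the article or from Shadowserver, that scans constructed proxy-style log lines for contacts to those indicators and reports which internal clients made them; the log format, client addresses and request paths are assumptions, and the domain is the one quoted in the note with its defanging space removed.

```python
import re
from collections import defaultdict

# Indicators quoted in the Shadowserver note above (C&C IP in Turkey and the
# C&C domain, de-spaced). Swap in current indicators for real use.
CC_IPS = {"79.135.167.22"}
CC_DOMAINS = {"googlecomaolcomyahoocomaboutcom.net"}

# Constructed sample lines in a squid-like access log layout (assumption):
# epoch  elapsed_ms  client_ip  result/status  bytes  method  url
SAMPLE_LOG = """\
1218540001.123 45 10.0.0.5 TCP_MISS/200 512 GET http://www.example.org/index.html
1218540002.456 30 10.0.0.7 TCP_MISS/200 128 GET http://googlecomaolcomyahoocomaboutcom.net/cmd.php
1218540003.789 12 10.0.0.7 TCP_MISS/200 64 GET http://79.135.167.22/bot.txt
1218540004.012 20 10.0.0.9 TCP_MISS/200 900 GET http://www.parliament.ge/
1218540005.345 18 10.0.0.11 TCP_MISS/200 77 POST http://79.135.167.22/report
"""

_LINE = re.compile(r"^(\S+)\s+\d+\s+(\S+)\s+\S+\s+\d+\s+(\S+)\s+(\S+)")
_HOST = re.compile(r"^[a-z]+://([^/:]+)", re.I)


def extract_host(url):
    """Return the host part of a URL (name or IP), lower-cased, or None."""
    m = _HOST.match(url)
    return m.group(1).lower() if m else None


def find_cc_contacts(log_text, ips=CC_IPS, domains=CC_DOMAINS):
    """Map each internal client that reached a C&C indicator to the list of
    (timestamp, method, url) requests it made. Subdomains of a C&C domain
    also count as a hit; unparsable lines are skipped."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        ts, client, method, url = m.groups()
        host = extract_host(url)
        if host is None:
            continue
        if host in ips or host in domains or any(host.endswith("." + d) for d in domains):
            hits[client].append((ts, method, url))
    return dict(hits)


if __name__ == "__main__":
    for client, reqs in sorted(find_cc_contacts(SAMPLE_LOG).items()):
        print(f"{client}: {len(reqs)} C&C contact(s)")
        for ts, method, url in reqs:
            print(f"  {ts} {method} {url}")
```

Clients listed by the scan are the ones to isolate and examine for the Pinch-family bot the article mentions; the sites being flooded (www.parliament.ge, president.gov.ge) are deliberately not treated as indicators, since legitimate users visit them too.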

Interest in cyber attacks as an adjunct to real-world conflict has increased since denial of service attacks took out the internet infrastructure of Estonia in April last year. Those attacks coincided with a dispute over the relocation of WWII-era monuments and affected Estonian parliament, bank, newspaper and government sites.

The assaults were blamed on Russian nationalists. Estonian Foreign Minister Urmas Paet suggested that the Kremlin may have had a hand in the attacks but no hard evidence has emerged to substantiate this accusation. Only one person, a locally-resident ethnic Russian, was convicted over the attacks.
