Wednesday, August 13, 2008
Editor's note: Here's an interesting article about a cyber-attack launched on select Georgian (government) websites, possibly the first indicator that Russia was going to go to war against Georgia. In future conflicts the precursor to armed conflict will not be a bomb being dropped on a city or tanks massing at the border, but will most likely be an attack by government- or military-sponsored hackers.
Georgia President’s web site under DDoS attack from Russian hackers
Originally posted on July 22nd by Dancho Danchev on http://blogs.zdnet.com
From Russia with (political) love? It appears so, according to a deeper analysis of the command and control servers used by the attackers. Over the weekend, the Georgian President's web site was under a distributed denial of service attack that took it offline for a couple of hours. The event took place at a moment of real-life tension between Russia and Georgia, with Russia clearly demonstrating its position against Georgia's pro-Western government. Shadowserver, which picked up the attack first, commented:
“For over 24 hours the website of President Mikhail Saakashvili of Georgia (www.president.gov.ge) has been rendered unavailable due to a multi-pronged distributed denial of service (DDoS) attack. The site began coming under attack very early Saturday morning (Georgian time). Shadowserver has observed at least one web-based command and control (C&C) server taking aim at the website hitting it with a variety of simultaneous attacks. The C&C server has instructed its bots to attack the website with TCP, ICMP, and HTTP floods. Commands seen so far are:
flood http www.president.gov.ge/
flood tcp www.president.gov.ge
flood icmp www.president.gov.ge
The server [126.96.36.199] which houses the website has been largely offline since the attack started. Passive DNS records show the system houses several other websites which are mostly unrelated to the Georgian government. However, the server does also host the Social Assistance and Employment State Agency website (www.saesa.gov.ge). This website along with the others on the host have been rendered inaccessible.
We do not have any solid proof that the people behind this C&C server are Russian. However, the HTTP-based botnet C&C server is a MachBot controller, which is a tool that is frequently used by Russian bot herders. On top of that the domain involved with this C&C server has seemingly bogus registration information but does tie back to Russia.”
Russia's most recent cyber attacks, against Estonia, Lithuania and now Georgia, share a common motivation even though they were executed by different parties. Estonia remains the only coordinated attempt to attack a country's Internet infrastructure; by comparison, the Lithuanian and Georgian incidents were lone-gunman attacks.
The DDoS against the Georgian President's web site appears to use a well-known Russian malware variant from the Pinch family, whose authors were arrested in 2007 after operating online for several years, together with a command and control bot (a MachBot controller) primarily known to be popular in Eastern Europe. The flood packets carry messages such as "win+love+in+Rusia", which speak for themselves. It is also interesting that although the attackers dedicated a new command and control server to this DDoS attack, one that has not been seen in any third-party attacks, they made a small mistake that further confirms the attacks were launched by well-known Russian botnet masters. Their mistake? The malware phones back to a well-known command and control server seen in a great number of previous attacks, and that server shares DNS servers with a provider of DDoS attacks on demand which, despite announcing on its site that it is no longer in business, continues to offer botnets for rent.
Russia's politically motivated, or perhaps politically tolerated, attacks are all the result of the self-mobilization of Russia's IT underground, which feels obliged to send out a signal that it is actively participating in political life and monitoring everything. Moreover, nationalistic articles in Russian newspapers often fuel the tensions further and literally solicit involvement from Russian hackers: even when they speculate about non-existent hacker discussions of coordinated attacks against a particular country, such discussions actually start taking place, and the results have been evident ever since.
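Two pivots carry the analysis above: Shadowserver's passive DNS lookup of the attacked address to see what else is hosted there (the collateral sites), and Danchev's observation that the attack controller's callback target shares DNS servers with a DDoS-for-hire outfit. The block below is an added example written for this page, not Shadowserver's or Dancho Danchev's tooling, and it is not limited to this one incident: it runs the same two pivots, plus a check of observed callback hosts against a known-controller list, over any passive DNS data in the same shape. The records, the domain names (new-c2.example, old-c2.example, rent-a-botnet.example, the booter and registrar nameservers) and the 192.0.2.0/24 addresses are constructed placeholders, and the `max_population` cut-off that discounts nameservers shared by many unrelated domains is an analyst's assumption, not something the article states.

```python
"""Passive DNS pivots of the kind described above, run on constructed data."""
from collections import defaultdict

# Constructed passive DNS observations as (rrname, rrtype, rdata) triples.
# Addresses come from the 192.0.2.0/24 documentation range and every domain
# other than the two Georgian government hosts named in the article is a
# placeholder; nothing here is real observed data.
PDNS_RECORDS = [
    # the attacked server and the unrelated sites that share it (collateral)
    ("www.president.gov.ge", "A", "192.0.2.10"),
    ("www.saesa.gov.ge", "A", "192.0.2.10"),
    ("shop.example.net", "A", "192.0.2.10"),
    ("blog.example.org", "A", "192.0.2.10"),
    ("www.elsewhere.example", "A", "192.0.2.11"),
    # hypothetical controller dedicated to this attack
    ("new-c2.example", "A", "192.0.2.50"),
    ("new-c2.example", "NS", "ns1.booter.example"),
    ("new-c2.example", "NS", "ns2.booter.example"),
    ("new-c2.example", "NS", "ns1.bigregistrar.example"),
    # hypothetical older controller the malware also phones home to
    ("old-c2.example", "A", "192.0.2.51"),
    ("old-c2.example", "NS", "ns1.booter.example"),
    # the DDoS-for-hire outfit's own site, on the same nameservers
    ("rent-a-botnet.example", "NS", "ns1.booter.example"),
    ("rent-a-botnet.example", "NS", "ns2.booter.example"),
]
# Six unrelated domains on a large registrar nameserver: sharing that one
# nameserver with new-c2.example should not count as a link.
PDNS_RECORDS += [(f"site{i}.example", "NS", "ns1.bigregistrar.example") for i in range(6)]

# Hypothetical list of controllers seen in earlier attacks.
KNOWN_C2 = {"old-c2.example", "another-c2.example"}


def hosts_on_ip(records, ip):
    """Every name with an A record pointing at ip: flooding ip takes all of them down."""
    return sorted({name for name, rtype, rdata in records if rtype == "A" and rdata == ip})


def nameservers_of(records, domain):
    """NS answers observed for domain."""
    return {rdata for name, rtype, rdata in records if rtype == "NS" and name == domain}


def ns_population(records):
    """Map each nameserver to the set of domains observed using it."""
    pop = defaultdict(set)
    for name, rtype, rdata in records:
        if rtype == "NS":
            pop[rdata].add(name)
    return pop


def shared_ns_links(records, suspect, max_population=5):
    """Domains that share a nameserver with suspect.

    A nameserver serving more than max_population domains is skipped: a
    registrar's or hoster's NS is shared by strangers and proves nothing,
    whereas a nameserver used by only a handful of domains is a real link.
    """
    pop = ns_population(records)
    links = {}
    for ns in sorted(nameservers_of(records, suspect)):
        others = pop[ns] - {suspect}
        if others and len(pop[ns]) <= max_population:
            links[ns] = sorted(others)
    return links


def callback_overlap(observed_callbacks, known_c2):
    """Hosts the sample phones home to that are already on a known-C2 list."""
    return sorted(set(observed_callbacks) & set(known_c2))


if __name__ == "__main__":
    print("collateral on 192.0.2.10:", hosts_on_ip(PDNS_RECORDS, "192.0.2.10"))
    print("nameserver links for new-c2.example:", shared_ns_links(PDNS_RECORDS, "new-c2.example"))
    print("known controllers contacted:",
          callback_overlap(["new-c2.example", "old-c2.example"], KNOWN_C2))
```

The population cut-off is the caveat that matters when this pivot is used for attribution: two domains on the same registrar's default nameservers have nothing in common, while a nameserver that serves only the new controller, the old controller and the booter's own site is the kind of link the article treats as the attackers' mistake. The callback check is the other half of that mistake, a sample that contacts a controller already on a known list.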
Posted by Steve Douglass at 4:35 PM
BP shuts pipelines on fears over Georgia
By Isabel Gorst in Moscow
Published: August 12 2008 13:03 | Last updated: August 12 2008 13:03
BP shut down a pipeline carrying Caspian oil from Azerbaijan to the Georgian Black Sea coast on Tuesday, citing concern about security in Georgia.
Toby Odone, a BP spokesman, said the 150,000 barrel-a-day pipeline from Baku to Supsa on Georgia's Black Sea coast had been closed as a “security precaution.”
A natural gas pipeline linking a BP-operated field offshore Azerbaijan with Georgia and Turkey has also been closed.
Exports through the Baku-Tbilisi-Ceyhan pipeline to the Turkish Mediterranean, the main artery for exports from BP's huge Azeri field offshore Azerbaijan, halted last week after an explosion on the Turkish section of the pipeline. The pipeline carries 850,000 barrels a day.
Kurdish separatists have claimed responsibility for the explosion in Turkey.
Mr Odone said a fire at the site was extinguished on Monday, but the area was still “too hot” for repair work to begin and it was unclear when deliveries to Ceyhan would recommence.
Mr Odone said “very small volumes of Azeri oil, less than 100,000 barrels a day,” are now being exported via railways across the Caucasus and a pipeline to Russia.
Mr Odone said BP was unaware of any attacks on oil and gas pipelines in Georgia despite Georgian claims that Russian warplanes had bombed the pipelines.
“We always knew the region was unstable and we will just have to wait and see what happens,” he said.
Lado Gurgenidze, the Georgian prime minister, told the FT on Tuesday that Georgian railways, oil ports and Black Sea ports were in working order.
Karim Massimov, the prime minister of Kazakhstan, said “no harmful action had been taken at Batumi”, a Georgian port owned by KazMunaigas, the Kazakh state oil company. However, Mr Massimov ordered a halt to exports across the Caucasus to Batumi on Monday.
The International Energy Agency warned on Tuesday that the conflict in Georgia threatens the strategic energy export corridor linking the Caspian and central Asia with western oil and gas markets.
“Recent escalation in the military engagement between Russia and Georgia poses a threat to certain key oil and gas pipelines which transit Georgia,” the IEA said in a report issued shortly before Russia declared a ceasefire in Georgia.
The pipelines, built by foreign consortia with strong political backing from the US, have eased Russia's stranglehold over oil and gas exports from the landlocked Caspian region.
Posted by Steve Douglass at 5:30 AM