Cyberattacks during the Russo-Georgian War

During the Russo-Georgian War a series of cyberattacks swamped and disabled websites of numerous South Ossetian, Georgian, Russian and Azerbaijani organisations.

Attacks
On 20 July 2008, weeks before the Russian invasion of Georgia, the "zombie" computers were already on the attack against Georgia. The website of the Georgian president Mikheil Saakashvili was targeted, resulting in overloading the site. The traffic directed at the Web site included the phrase "win+love+in+Rusia". The site then was taken down for 24 hours.

On 5 August 2008, the websites for OSInform News Agency and OSRadio were hacked. The OSinform website at osinform.ru kept its header and logo, but its content was replaced by the content of Alania TV website. Alania TV, a Georgian government supported television station aimed at audiences in South Ossetia, denied any involvement in the hacking of the rival news agency website. Dmitry Medoyev, the South Ossetian envoy to Moscow, claimed that Georgia was attempting to cover up the deaths of 29 Georgian servicemen during the flare-up on August 1 and 2.

On 5 August, Baku–Tbilisi–Ceyhan pipeline was subject to a terrorist attack near Refahiye in Turkey, responsibility for which was originally taken by Kurdistan Workers’ Party (PKK) but there is circumstantial evidence that it was instead a sophisticated computer attack on line's control and safety systems that led to increased pressure and explosion.

According to Jart Armin, a researcher, many Georgian Internet servers were under external control since late 7 August 2008. On 8 August, the DDoS attacks peaked and the defacements began.

On 9 August 2008, key sections of Georgia's Internet traffic reportedly had been rerouted through servers based in Russia and Turkey, where the traffic was either blocked or diverted. The Russian and Turkish servers were allegedly controlled by the Russian hackers. Later on the same day, the network administrators in Germany were able to temporarily reroute some Georgian Internet traffic directly to servers run by Deutsche Telekom AG. However, within hours the traffic was again diverted to Moscow-based servers.

On 10 August 2008, RIA Novosti news agency's website was disabled for several hours by a series of attacks. Maxim Kuznetsov, head of the agency's IT department said: "The DNS-servers and the site itself have been coming under severe attack."

On 10 August, Jart Armin warned that Georgian sites that were online might have been fake. "Use caution with any Web sites that appear of a Georgia official source but are without any recent news [such as those dated Saturday, Aug. 9, or Sunday, Aug. 10], as these may be fraudulent," he said.

By 11 August 2008, the website of the Georgian president had been defaced and images comparing President Saakashvili to Adolf Hitler were posted. This was an example of cyber warfare combined with PSYOPs. Georgian Parliament's site was also targeted. Some Georgian commercial websites were also attacked. On 11 August, Georgia accused Russia of waging cyber warfare on Georgian government websites simultaneously with a military offensive. The Foreign Ministry of Georgia said in a statement, "A cyber warfare campaign by Russia is seriously disrupting many Georgian websites, including that of the Foreign Affairs Ministry." A Kremlin spokesman denied the accusation and said, "On the contrary, a number of internet sites belonging to the Russian media and official organizations have fallen victim to concerted hacker attacks." The Ministry of Foreign Affairs set up a blog on Google's Blogger service as a temporary site. The Georgian President's site was moved to US servers. The National Bank of Georgia’s Web site had been defaced at one point and 20th-century dictators' images and an image of Georgian president Saakashvili were placed. The Georgian Parliament website was defaced by the "South Ossetia Hack Crew" and the content was replaced with images comparing President Saakashvili to Hitler.

Estonia offered hosting for Georgian governmental website and cyberdefense advisors. However a spokesman from Estonia's Development Centre of State Information Systems said Georgia didn't request help. "This will be decided by the government," he said. It was reported that the Russians bombed Georgia’s telecommunications infrastructure, including cell towers.

Russian hackers also attacked the servers of the Azerbaijani Day.Az news agency. The reason was Day.Az position in covering the Russian-Georgian conflict. ANS.az, one of the leading news websites in Azerbaijan, was also attacked. Russian intelligence services had also disabled the information websites of Georgia during the war. The Georgian news site Civil Georgia switched their operations to one of Google's Blogspot domains. Despite the cyber-attacks, Georgian journalists managed to report on the war. Many media professionals and citizen journalists set up blogs to report or comment on the war.

Barack Obama, the U.S. presidential candidate demanded Russia halt the internet attacks as well as complying with a ceasefire on the ground. The President of Poland, Lech Kaczyński, said that Russia was blocking Georgian "internet portals" to supplement its military aggression. He offered his own website to Georgia to aid in the "dissemination of information". Reporters Without Borders condemned the violations of online freedom of information since the outbreak of hostilities between Georgia and Russia. "The Internet has become a battleground in which information is the first victim," it said.

The attacks involved Denial-of-service attacks. The New York Times reported on 12 August that according to some experts, it was the first time in history a known cyberattack had coincided with a shooting war. On 12 August, the attacks continued, controlled by programs that were located in hosting centers controlled by a Russian telecommunications companies. A Russian-language site, stopgeorgia.ru, continued to operate and offer software for Denial-of-service attacks.

RT reported on 12 August that during the previous 24 hours its website had been attacked. The security specialists said that the initial attacker was an IP-address registered in the Georgian capital Tbilisi.

On 14 August 2008, it was reported that although a ceasefire reached, major Georgian servers were still down, hindering communication in Georgia.

Analysis
The Russian government denied the allegations that it was behind the attacks, stating that it was possible that "individuals in Russia or elsewhere had taken it upon themselves to start the attacks". It was asserted that the Saint Petersburg-based criminal gang known as the Russian Business Network (RBN) was behind many of these cyber attacks. RBN was considered to be among the world's worst spammer, child-pornography, malware, phishing and cybercrime hosting networks. It is thought that the RBN's leader and creator, known as Flyman, is the nephew of a powerful and well-connected Russian politician.

Dancho Danchev, a Bulgarian Internet security analyst claimed that the Russian attacks on Georgian websites used “all the success factors for total outsourcing of the bandwidth capacity and legal responsibility to the average Internet user.”

Jose Nazario, security researcher for Arbor Networks, told CNET that he was seeing evidence that Georgia was responding to the cyber attacks, attacking at least one Moscow-based newspaper site.

Don Jackson, director of threat intelligence for SecureWorks, a computer security firm based in Atlanta, noted that in the run-up to the war over the weekend, computer researchers had observed as botnets were "staged" in preparation for the attack, and then activated shortly before Russian air strikes began on 9 August.

Gadi Evron, the former chief of Israel's Computer Emergency Response Team, believed the attacks on Georgian internet infrastructure resembled a cyber-riot, rather than cyber-warfare. Evron admitted the attacks could be "indirect Russian (military) action," but pointed out the attackers "could have attacked more strategic targets or eliminated the (Georgian Internet) infrastructure kinetically." Shadowserver registered six different botnets involved in the attacks, each controlled by a different command server.

Jonathan Zittrain, cofounder of Harvard's Berkman Center for Internet and Society, said that the Russian military definitely had the means to attack Georgia's Internet infrastructure. Bill Woodcock, the research director at Packet Clearing House, a California-based nonprofit group that tracked Internet security trends, said the attacks bore the markings of a "trained and centrally coordinated cadre of professionals." Russian hackers also brought down the Russian newspaper Skandaly.ru allegedly for expressing some pro-Georgian sentiment. "This was the first time that they ever attacked an internal and an external target as part of the same attack," Woodcock said. Gary Warner, a cybercrime expert at the University of Alabama at Birmingham, said that he found "copies of the attack script" (used against Georgia), complete with instructions for use, posted in the reader comments section at the bottom of virtually every story in the Russian media. Bill Woodcock also said cyberattacks are so cheap and easy to stage, with few fingerprints, they would almost definitely stay around as a feature of modern warfare.

The Economist wrote that anyone who wished to take part in the cyberattack on Georgia could do so from anywhere with an internet connection, by visiting one of pro-Russia websites and downloading the software and instructions needed to perform a distributed denial-of-service attack (DDoS) attack. One website, called StopGeorgia, provided a utility called DoSHTTP, plus a list of targets, including Georgian government agencies and the British and American embassies in Tbilisi. Launching an attack simply required entering the address and clicking a button labelled "Start Flood". The StopGeorgia website also indicated which target sites were still active and which had collapsed. Other websites explained how to write simple programs for sending a flood of requests, or offered specially formatted webpages that could be set to reload themselves repeatedly, barraging particular Georgian websites with traffic. There was no conclusive evidence that the attacks was executed or sanctioned by the Russian government and also there was no evidence that it tried to stop them.

In March 2009, Security researchers from Greylogic concluded that Russia's GRU and the FSB were likely to have played a key role in co-coordinating and organizing the attacks. The Stopgeorgia.ru forum was a front for state-sponsored attacks.

John Bumgarner, member of the United States Cyber Consequences Unit (US-CCU) did a research on the cyberattacks during the Russo-Georgian War. The report concluded that the cyber-attacks against Georgia launched by Russian hackers in 2008 demonstrated the need for international cooperation for security. The report stated that the organizers of the cyber-attacks were aware of Russia's military plans, but the attackers themselves were believed to have been civilians. Bumgarner’s research concluded that the first-wave of cyber-attacks launched against Georgian media sites were in line with tactics used in military operations. "Most of the cyber-attack tools used in the campaign appear to have been written or customized to some degree specifically for the campaign against Georgia," the research stated. While the cyberattackers appeared to have had advance notice of the invasion and the benefit of some close cooperation from the state institutions, there were no fingerprints directly linking the attacks to the Russian government or military.