Trade Law Daily is a service of Warren Communications News.

Caucasus Internet War Reaches U.S., Azerbaijan Servers

Attacks on Internet sites in the conflict between Russia and Georgia and breakaway South Ossetia have followed Georgian government and broadcast Web sites to the U.S. servers where they're now hosted, to Azerbaijani news sites and possibly to mainstream Internet companies now hosting Georgian government content, industry officials said.


The Georgian president’s Web site is being attacked on a U.S. server, said Tom Burling, acting chief executive of Web-hosting firm Tulip Systems. The site is getting about “68,000 attacks at any given time,” Burling said. “This may be the first time that a third party nation is being attacked as a part of one of these cyber attacks,” Burling said. Tulip’s CEO is stuck in Tbilisi, Georgia, Burling said.

The company brought over the Georgian president’s Web site and Rustavi 2 Broadcasting Web site after they were knocked down in Georgia, Burling said. The sites were moved to the U.S. due to the U.S. communications network’s size, which allows for easier handling of attacks than in Georgia’s limited infrastructure, Burling said. About 300 million attacks have been blocked in less than 24 hours, Burling said. Attacks brought down the Rustavi 2 Broadcasting Web site on a U.S. server, Burling said. The site was expected to be back online Tuesday afternoon, Burling said. The company as of 2:30 pm Tuesday had blocked about 5,700 individual subnets, or Internet neighborhoods, Burling said.

Attacks on Tulip’s servers “are coming from Russia,” Burling said, and from Ukraine, Canada and elsewhere: “The vast, vast majority are running out of Russia.” Thousands of devices are engaged in the attacks, Burling said. Hundreds of new attackers emerge as soon as others are blocked, Burling said. An official at Caucasus Online, the nation’s largest ISP, said Monday that the number of devices attacking Georgian sites was in the tens of thousands.

The cyber attack began before ground operations, Burling said. “The massive mobilization -- almost immediately -- of Russian-based organizations was unbelievable,” Burling said: “They just within moments had mobilized a massive amount of bot attacks… against Georgia and then against us.” “The cyber attacks predated any of the hostilities” by a couple of days, Burling said. The cyber attacks seemed to coincide with the start of operations in South Ossetia, said David Tabatadze of the Georgian Research and Educational Networking Association and that country’s Computer Emergency Response Team. The Georgian president’s website was knocked out in April and in early July, Burling said.

Finding the perpetrators will be nearly impossible, Burling said: “The only thing you can say is that regionally the attack is coming from Russia, but you can’t geographically say exactly where in Russia it’s coming from or track it exactly back to a particular internet user.” Botnets’ nature doesn’t lend itself to knowing who exploited gear, Burling said. Few people have been arrested or charged in such kinds of attack, Burling said: “It’s almost impossible to bring it back to the source.”

Many Georgian government Web sites have migrated activity to Google, YouTube and similar sites, Burling said. Georgia’s civilian population was urged to subscribe to a Google Group mailing list for news updates, Tabatadze said. “There are even some Google sites and some, basically some of the open forum sites, that as they are tapping videos and things like that, they are finding out the video sources are getting knocked down,” Burling said, conceding he has no direct knowledge of the aggression. An official with Caucasus Online said Monday that sites posting news about the conflict were being targeted. A Google press official rejected a request for comment on reports that its network may be targeted in attacks.

Individual nations “need to address” the problem “within their own borders,” Burling said. Equipment to prepare for and prevent the next attack would “cost everybody a fortune to put… in place,” Burling said. Access and the Internet’s openness would be “severely limited if we had to defend things on a constant basis,” Burling said. “The best way to handle it is to completely cut off the source,” Burling said: “Nations need to get serious about cutting off the source of these kind of attacks.” The Internet’s large and well-known market in subversive materials has to be stamped out, Burling said. Viruses, exploits and phishing are sold on the Internet from unregulated countries, he said: “If the hosting nation doesn’t do anything about it, it’s not going to go away.”

A comparison can be made with nuclear non-proliferation, Burling said. “What it takes is a concerted effort by the major nations involved in Internet usage to say we are not going to stand for this,” he said. “It will take an international covenant signed off by the major Internet user nations” followed by enforcement by individual nations and “perhaps a way to penalize nations that violate it,” Burling said: “As long as you've got nations that are using that as a weapon, they of course aren’t going to want to participate in those kinds of covenants.”

Russia can be blamed at least for inaction against a large network that is actively participating in the attacks, a source said. Particularly troubling is perpetrators’ apparent willingness “to use it for political reasons as opposed to economic reasons” that drive much of phishing and virus activity, Burling said: “In this particular case, the motivation behind it is political; it’s warfare, not theft.”

Georgian government Web sites affected by the distributed denial of service attacks included the Ministry of Foreign Affairs site, which was also hacked. The Ministry of Education and Science and the National Examination Commission Web sites, both hosted by GRENA, were brought down, Tabatadze said. “Many Ukrainian and Azerbaijani news servers were also attacked,” according to colleagues, he said. Azerbaijani news sites www.day.az, www.today.az, and www.ans.az were hacked Monday, he said. The Day.az news agency could not be reached Tuesday.

The situation could presage tough times for companies in political disputes if countries allow the activity to spill over into the Internet, Burling said. Some Georgian banks’ system administrators reported many attacks on their servers and online banking systems, Tabatadze said. The affected banks temporarily suspended all online systems, he said. The banks remain offline for fear of attacks and intrusions, Burling said. Numerous foreign Computer Security Incident Response Teams and security officials offered support and tried to prevent the attacks, Tabatadze said. Information collected is being circulated to other CERTs for action, Tabatadze said.

IP addresses press-ganged into battle came from a more diverse group of countries and companies than thought, said Tabatadze. They include Makedonski Telekom and other sources in Macedonia, Road Runner in the U.S., Volga Telecom addresses in Russia, Moscow Telecommunications Corporation, Telgua in Guatemala, France Telecom, Freebit and San-in Cable Vision in Japan, Free SAS/ProXad in France, Ukraine’s Universal Telecom, Business Communication Agency, Rostovelectrosviaz and the KHMOD Autonomous System in Russia, Link Egypt, AUNA Autonomous System in Spain, Telefonica in Spain, Telia Network in Sweden, Telefonica and O2 in the Czech Republic, Nexon in Australia, Telecom Italia, Amazon Web Services in Seattle, Belgacom in Belgium, and Qualitynet Co. in Kuwait and from Romania. A variety of attacks were waged, Tabatadze said. Voice traffic was getting through as of Tuesday morning, said an industry source working on the Georgian telecom network.