How Russia May Have Attacked Georgia's Internet

On July 20, weeks before Russia stunned Georgia with a rapid invasion, the cyber attack was already under way. While Moscow baited Georgia with troop movements on the borders of the breakaway provinces of Abkhazia and South Ossetia, the "zombie" computers were already on the attack. Russian viruses had seized hundreds of thousands of computers around the world, directing them to barrage Georgian Web sites, including the pages of the president, the parliament, the foreign ministry, news agencies and banks, which shut down their servers at the first sign of attack to pre-empt identity theft. At one point the parliament's Web site was replaced by images comparing Georgian president Mikheil Saakashvili to Adolf Hitler. This was not the first Russian cyber assault—that came against Estonia, in April of 2007—but it was the first time an Internet attack paralleled one on land.

The labyrinthine ways of the Web and the complicated interfaces between the Russian government's clandestine services and organized crime make it impossible, at this point, to say with certainty who was responsible, or how far up the chain of command it went. The Russian military certainly had the means to attack Georgia's Internet infrastructure, says Jonathan Zittrain, cofounder of Harvard's Berkman Center for Internet and Society. Moreover, the attacks were too successful to have materialized independent of one another. Bill Woodcock, the research director at Packet Clearing House, a California-based nonprofit group that tracks Internet security trends, says the attacks bear the markings of a "trained and centrally coordinated cadre of professionals."

But who? Jart Armin, who has tracked Russian cybercrime, points to the possibility that a role was played by the notorious Russian Business Network, a cybermafia that specializes in identity theft, child pornography, extortion and other dark and lucrative Internet crimes. The RBN's political agenda is vague or nonexistent, but it often contracts out its services, and Armin says there is increasing evidence that it is connected to, or at least tolerated by, the Kremlin.

Indeed the timing is such that it's hard to discount some sort of Kremlin coordination, even if it's impossible to prove, and Woodcock argues that such cyber assaults have become a tool of Russian political leadership. As the attacks' political intentions became more specific, he notes, the operations have grown more complex. In addition to targeting Georgian government and media Web sites, Russian hackers brought down the Russian newspaper, apparently for expressing some pro-Georgian sentiment. "This was the first time that they ever attacked an internal and an external target as part of the same attack," he says.

Fighting back is tough. When Russian hackers made a name for themselves last year by bringing down the Web site of the Estonian parliament along with the sites of banks, ministries and newspapers, Estonian Foreign Minister Urmas Paet immediately accused the Kremlin of backing the attacks. But he was unable to produce evidence supporting his claims. Putin eventually named a suspect, or scapegoat, within his government. As Russian hackers waged a similar assault on Georgian sites over the past few weeks, Estonia—one of Europe's most wired countries—offered its better-defended servers to host many Georgian government Web sites. Lithuania and Poland have stepped up as well, prompting some excited bloggers to suggest that this is a digital Sarajevo, akin to the events of August 1914, the start of the first Internet world war. Certainly that's exaggerated, but the mutual defense going on in cyberspace shows that these nations take the Russian threat to their online infrastructure seriously.

Still, the nature of the Internet is such that it is almost impossible to respond quickly enough. The government doesn't maintain its own botnets—large networks of zombified computers standing ready to attack—but can rent one from a crime network, like the Russian Business Network. Then, through state-controlled media, the government can inspire waves of nationalists to amplify the destructive force. "Everybody with a laptop has the responsibility to attack the enemy—and you find out who the enemy is by looking at what the government is saying," Woodcock says.

While no one can say who wrote the malware that was used to cause Georgian servers to crash, it certainly proliferated on Russian Web sites in a user-friendly form. Gary Warner, a cybercrime expert at the University of Alabama at Birmingham, says he found "copies of the attack script" posted in the reader comments section at the bottom of virtually every story in the Russian media that covered the Georgian conflict, complete with instructions on how the script could be used to attack a specific list of Web sites. The efficiency is enough to make Russia's tanks and planes and ships, however deadly, appear downright anachronistic.