Global Insights: Russia Refines Cyber Warfare Strategies

(Analyst's note: These findings are most interesting and certainly troubling.)

by Richard Weitz

The U.S. Cyber-Consequences Unit has recently issued a report documenting how Russia supplemented its conventional war against Georgia last August with a massive, well-integrated and pre-planned information warfare campaign against Georgia's Internet structure. The techniques were so successful that the unit has restricted distribution of the full report to U.S. government and certain other Internet security professionals. Only the executive summary (pdf) has been made available to the public.

The U.S. Cyber-Consequences Unit is independent, non-profit research institute affiliated with the Fletcher School of Law and Diplomacy at Tufts University. The report's main author, John Bumgarner, directs research at the unit. He and his team conducted a year-long investigation of the Russian campaign using a variety of sources, including monitored Internet traffic, Web site caches, and debriefings of Georgian victims.

According to the report, from Aug. 7 to Aug. 16, 2008, Russian citizens and their sympathizers launched a coordinated offensive that disabled dozens of important Georgian websites, including those of the country's president and defense minister, as well as the National Bank of Georgia and major news outlets. Initially, the main targets were the Internet pages of the country's main government institutions and new media, which would have played a central role in informing the Georgian public and the international community of the Russian attack. The target list subsequently expanded to include other government and media sites as well as Georgian business, education, and financial institutions. The combined effect of these attacks was to degrade the effectiveness of Georgia's national response to the Russian attack.

The techniques used by the Russian attackers suggest they had developed a detailed campaign plan against the Georgian sites well before the conflict. The attackers did not conduct any preliminary surveying or mapping of sites, but instead immediately employed specially designed software to attack them. The graphic art used to deface one Georgian Web site was created in March 2006 but saved for use until the August 2008 campaign. The attackers also rapidly registered new domain names and established new Internet sites, further indicating they had already analyzed the target, written attack scripts, and perhaps even rehearsed the information warfare campaign in advance.

Although the fighting that broke out on Aug. 7 of last year appears to have caught the parties by surprise, Russian cyber planners were undoubtedly aware that a war between Russia and Georgia was a viable option given protracted bilateral tensions. When the fighting did begin, this core group was able to use Russian-language social networking sites and other virtual mechanisms to recruit additional hackers as well as to supply them with malicious code and other tools. For example, they posted suggested targets and means of attack on public websites that could be employed even by people with limited computer knowledge. Social networking companies such as Facebook and Twitter typically do not monitor communications on their sites unless they receive complaints from users.

The most common attack techniques employed malign modifications of publicly available commercial software designed for administrators of computer networks. For example, the attackers amplified the intensity of certain "stress tests" designed to assess the capacity of servers to handle waves of HTTP packets. They also modified one program intended to add functions to Web sites so that the affected sites would request nonexistent Internet addresses chosen at random.

The report concludes that the timing of the Russian attacks and the nature of the targets indicate that the hackers, even if civilians, probably coordinated their operations with the Russian military even if no conclusive evidence exists of such collaboration. For example, the campaign began before the media had reported the start of the Russian offensive into Georgia.

The specific people involved in a cyber attack are typically difficult to identify since the Internet makes its easy to conceal identities through the use of proxy Web addresses and other means. The groups of computers attacking the Georgian sites were typically directed to do so from a computer at another location, creating malicious "botnets." The unit's report nevertheless concludes that, while some of the hijacked computers and virtual recruiting networks were hosted in the United States and other countries, the main servers that directed the attacks throughout the campaign consisted of 10 Web sites registered in Russia and Turkey. These sites are also heavily used (and presumably controlled) by Russian organized crime groups. According to the Wall Street Journal identification and credit-card information stolen from Americans were used to register nine of these sites, while one site was established using information stolen from a French citizen. It is possible that the cyber criminals, who typically attempt to extort payments from the commercial targets they attack, were seeking to advertise their contribution to the war to gain the gratitude (and ideally protection) of Russian government and military leaders.

Interestingly, the report concludes that some central controller probably instructed the attackers to limit the damage they inflicted. The attacks aimed merely to disable the Web sites through denial-of-service and Web site defacement attacks. They did not attempt to inflict physical damage, which might have occurred if they had, for instance, attempted to instruct the target's computers to take destructive actions such as erasing key data or overriding safety mechanisms protecting power, energy, or transportation systems. Yet, the effectiveness of the attacks that did occur indicates that some of the attackers probably could have conducted such destructive attacks. Ironically, the ability of the Russian attackers to disable important Georgian institutions through cyber attacks may have spared them from being destroyed by bombs and missiles, as the United States and allies did with Iraq's and Serbia's critical infrastructure to disrupt those countries' defenses in earlier wars.

Nonetheless, the moderation might have sought to demonstrate that Russia, if provoked, could destroy much of Georgia's critical civilian infrastructure. The Russian military might have aimed to convey that point as well by, for example, bombing targets near Georgia's vital Baku-Ceyhan oil pipeline without actually striking it. By demonstrating dominance in the cyber and military domains, as well as the inability of Tbilisi's Western allies to defend Georgia, Russian strategists might have aimed to underscore Moscow's security dominance within the former Soviet space as well as deter the Georgian government, and perhaps the leaders of the other former Soviet republics, from taking future actions that could threaten Russian interests.

Russian hackers were reportedly active again earlier this month when they attacked a Tbilisi computer user who posted web entries critical of Moscow's policies towards Georgia. From Aug. 6 and 7, the one-year anniversary of the Russian-Georgia War, his Facebook, Google Blogger, LiveJournal, Twitter, and YouTube accounts experienced a massive and simultaneous denial-of-service attack apparently aimed to prevent the Georgian from posting critical blog entries to mark the anniversary. The assault was so intense, involving networks of unsuspecting third-party computers that were instructed to flood the Web sites with traffic to deny access to others, that it caused the entire Twitter network to crash.

The Georgia campaign showed that Russia's offensive information operations have improved considerably since the April-May 2007 conflict with Estonia. Russians will likely seek to strengthen their cyber campaign plans even further based on what they have learned. Cyber warriors in other countries such as China are likely to borrow techniques from the Russian campaign. Investigators have found evidence that Chinese hackers have conducted pre-attack mapping of U.S. critical infrastructure such as commercial power networks and, most disturbingly, have already deployed software programs that they could employ to disrupt the networks.

The report concludes with three insightful recommendations. First, an international organization should be established to monitor the risks of cyber wars and provide early warning before attacks occur, allowing potential victims to prepare their defenses better. Second, the report calls for a global cyber response force that can rapidly assist countries under attack. Finally, states need to conduct more frequent cyber response exercises involving key public and private sector institutions with at least some foreign participation.

Meanwhile, the United States and other potential targets have been given yet another warning about the need to bolster their cyber defenses. The European Union finally convened its first ministerial meeting devoted to cyber security of critical infrastructures in late April of this year, while the U.S. military only authorized the establishment of a dedicated cyber command in June. The new CYBERCOM is not expected to become fully operational until at least a year from now. The White House continues to experience difficulties in establishing an effective policy for coordinating the diverse federal, state, and private sector computer networks associated with America's critical national infrastructures. One lesson of the Georgia War is that U.S. and NATO defenders need to accelerate their preparedness efforts.