RBN - Georgia Cyberwarfare – Status and Attribution

The ongoing cyber siege of Georgia by Russian Internet servers is starting to show signs of weakness, or rather, its weaknesses are being exploited.

Just as in “The Great Escape”, there are always methods to bypass even the most sophisticated virtual fences.

Fortunately, long-term study of the techniques of the RBN (Russian Business Network), or Russia’s “FSB Cyber Warriors”, assists. Conventionally they are adept at hiding their true origins. For a siege on this scale, however, they are openly showing more of their routing than they would like to, which will assist us now and in the future. In this case it helped pinpoint some obviously forged web sites, which are now offline, and assisted in rerouting. Good lessons for future cyber wars.

To our many readers on ‘Lenta.Ru’ we would like to stress that we are not anti-Russian. We have Russian-based supporters and contributors. However, we are anti-cyber-criminal, anti-hacker and anti-cyber-war; hopefully Russia will realize that this simply restricts all Internet users, including themselves, from freedom of speech.

There was rightful indignation as the cyber war extended to the point where the Russian news agency ‘RIA Novosti’ was knocked offline by DDoS attack for 10 hours over Sunday night and Monday morning.

Georgia – Web Status

Russian-based servers AS12389 ROSTELECOM, AS8342 RTCOMM, AS8359 COMSTAR and, with the more recent addition, AS8631 Routing Arbiter for Moscow Internet Exchange are still in a commanding position. AS9121 TTNet of Turkey still remains routed through the Russian servers rather than directly to Georgia. But alternative links have been made to AS35805 UTG AS United Telecom of Georgia and other servers based in Georgia.

Because of this, at the time of writing, the Georgian Foreign Ministry site mfa.gov.ge is consistently back online, and president.gov.ge is also online and showing recent announcements. To demonstrate international solidarity, the web site of the President of Poland was also carrying Georgian state communications as a courtesy.

One interesting aspect has been president.gov.ge using a US-based name server, which was also offline due to DDoS from Thursday until Monday afternoon. Could this be considered a transgression by the FSB cyber warriors / Russian forces on US soil?

Note: we still show CyberDefcon = level 5

Georgia – Cyberwar Attribution

There has been a great deal of speculation and discussion with regard to attribution. We do not normally reveal this level of detail, but we do so here due to the serious nature of the situation (click on the diagram below to enlarge):

This is ‘stopgeorgia.ru’, which is also utilizing ‘stopgeorgia.info’ as a redirect. The web site itself provides DDoS attack tools for download and, as the screen grab shows, lists mostly .ge web sites as priority targets for attack. Note that the US embassy in Tbilisi is also targeted.

This web site, as seen before, is an open site intended to attract future FSB cyber warriors. How it is hosted and its domain registration provide more clues:

Stopgeorgia.ru – Hosted by AS36351 Softlayer of Plano, Texas, well known for its association with Atrivo / Intercage malware hosting connectivity.

Stopgeorgia.info - Hosted by AS28753 NETDIRECT Frankfurt, DE / AS12578 APOLLO LATTELEKOM APOLLO Latvia.

Sponsoring Registrar: EstDomains, Inc.

Registrant: Domain Manager, Protect Details, Inc, Street1: 29 Kompozitorov St., Saint Petersburg, RU, Phone:+7.8129342271

Hopefully most Internet security observers will recognize the ‘usual suspects’ above.

Special thanks to Richard Stiennon and Cyrus Farivar