RBN – Georgia Cyberwarfare – Continuation

On Friday, August 15th, and over the weekend, another dimension emerged in the tracking of RBN (Russian Business Network) server ranges. This concerns a new spam campaign which mocks Georgia's President, purports to come from the BBC, and spreads a new piece of malware. This is very well described by the UAB (University of Alabama at Birmingham) Spam Data Mine and on Gary Warner's blog (see refs below).




The spam links to malware at various locations, each of which in turn causes the actual payload to be delivered from a single location, the IP address 79.135.167.49. The malware file is named "name.avi.exe" (a double extension, so an executable is made to look like a video file), and at the moment only four out of 36 anti-virus products detect it.
Why RBN, or rather, as in the title of this blog, 'RBN and Related Enterprises'? We have commented on this range before within the blog (see ref below): 79.135.160.0/19, Sistemnet Telecom, within AS9121 TTNet (Turkey), associated with AbdAllah_Internet, cybercrime hosting, thecanadianmeds.com, etc.; see Spamhaus' many ROKSO listings (refs below). The delivery address 79.135.167.49 falls inside that /19 (which covers 79.135.160.0 through 79.135.191.255).
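The indicators above (the /19, the single delivery address, and the double-extension filename) are the kind of thing a defender would want to sweep proxy or mail-gateway logs for. The following is an added example written for this page, not code from the original post, from UAB, or from any tool mentioned here. It assumes a hypothetical proxy log format of "<timestamp> <client_ip> GET <url> <status>" and runs over a handful of constructed log lines embedded in the script; the list of executable extensions is an assumption of the example, not something the post specifies.

```python
import ipaddress
import re

# Indicators taken from the post: the Sistemnet Telecom / AS9121 TTNet range,
# the single payload delivery host, and the payload filename.
RBN_RELATED_RANGES = [ipaddress.ip_network("79.135.160.0/19")]
KNOWN_DELIVERY_HOSTS = {ipaddress.ip_address("79.135.167.49")}
KNOWN_PAYLOAD_NAMES = {"name.avi.exe"}

# Assumption of this example: extensions that run as code on Windows and are
# commonly hidden behind a "media" or "document" extension (name.avi.exe).
EXEC_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd"}
DOUBLE_EXT = re.compile(
    r"^(?P<base>.+)\.(?P<inner>[a-z0-9]{2,4})\.(?P<outer>[a-z0-9]{2,4})$", re.I
)

# Hypothetical proxy log format assumed for this example (not from the post):
# "<timestamp> <client_ip> GET http://<host>/<path> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) GET http://([^/\s]+)(/\S*) (\d{3})$")


def ip_in_watched_range(ip_str):
    """True if the address lies inside any of the watched CIDR ranges."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in RBN_RELATED_RANGES)


def is_disguised_executable(filename):
    """True for names like video.avi.scr: an executable outer extension
    behind a non-executable inner one. Plain setup.exe or report.tar.gz
    are not flagged by this check."""
    m = DOUBLE_EXT.match(filename)
    if not m:
        return False
    outer = m.group("outer").lower()
    inner = m.group("inner").lower()
    return outer in EXEC_EXTS and inner not in EXEC_EXTS


def triage_log(lines):
    """Return one dict per log line that matches at least one indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed format; skip
        ts, client, host, path, status = m.groups()
        filename = path.rsplit("/", 1)[-1]
        reasons = []
        try:
            host_ip = ipaddress.ip_address(host)
        except ValueError:
            host_ip = None  # hostname rather than a literal address
        if host_ip is not None:
            if host_ip in KNOWN_DELIVERY_HOSTS:
                reasons.append("known payload host")
            elif ip_in_watched_range(host):
                reasons.append("in 79.135.160.0/19")
        if filename in KNOWN_PAYLOAD_NAMES:
            reasons.append("known payload filename")
        elif is_disguised_executable(filename):
            reasons.append("double-extension executable")
        if reasons:
            hits.append({"time": ts, "client": client,
                         "url": f"http://{host}{path}", "reasons": reasons})
    return hits


# Constructed sample log lines for the example; not real traffic.
SAMPLE_LOG = [
    "2008-08-15T09:12:01Z 10.0.0.21 GET http://79.135.167.49/name.avi.exe 200",
    "2008-08-15T09:13:44Z 10.0.0.37 GET http://79.135.170.8/update.php 200",
    "2008-08-15T09:15:02Z 10.0.0.42 GET http://79.135.192.5/index.html 200",
    "2008-08-15T09:16:30Z 10.0.0.55 GET http://example.com/video.avi.scr 200",
    "2008-08-15T09:17:00Z 10.0.0.60 GET http://example.org/report.tar.gz 200",
]

if __name__ == "__main__":
    for hit in triage_log(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["url"], "->", ", ".join(hit["reasons"]))
```

Of the five constructed lines, three are flagged: the direct fetch of name.avi.exe from 79.135.167.49 (both host and filename match), a fetch from 79.135.170.8 (inside the /19 even though the file is unremarkable), and a double-extension .scr from an unrelated host. The request to 79.135.192.5 is deliberately one address past the end of the /19 and is not flagged, which is the boundary a practitioner should check when copying a CIDR into a blocklist.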




This provides a further element in an ongoing attempt at character assassination of Georgia's President, Mikheil Saakashvili, similar to the linking of the President to Nazi images, as Lenta.ru displayed with one of this blog's images.






RBN or Cyberwar or not? - Nomenclature

Given this opportunity, there has been a great deal of discussion within the community, after the event, as to whether this was RBN (Russian Business Network) or not RBN, cyberwar or hacktivists, Russian or not...


Without denigrating this important topic: "If it walks like a duck, sounds like a duck, and looks like a duck, maybe it's a ______?" (Fill in the blank.)


The cyber attacks against Georgia, which first originated from IP space in TTNet Turkish Telekom (as does this latest spam incident), came from known RBN ranges, and the subsequent server actions, botnet methodology, and tools used were also known RBN: there is no question about the facts, and there is no compelling reason to doubt the implications.


The movie "The Usual Suspects" popularised a line about the arch criminal Keyser Soze: "The greatest trick the Devil ever pulled was convincing the world he didn't exist." This was and still is the RBN's greatest skill: to avoid detection, use deception, and cause most onlookers to consider other suspects, in this case hacktivists, who are easily labeled unsophisticated and uncontrollable, and dismissed as simpleton fanatics who should be ignored.


This provides a convenient transition to the one-sided CYBERWAR against Georgia by Russia. Do we really expect Russia, or for that matter any state aggressor, to openly announce what methods of warfare it is using? For example, there is no specific information from Russian government sources about Russian army actions still underway within Georgia despite the ceasefire. Nor do they inform us that the 22nd Guards ObrSpN 'Spetsnaz' of Rostov Oblast may have been operating within Abkhazia and South Ossetia, dressed in the uniforms of the local militia, since mid July 2008, if such an action was the case. Why would we expect them to announce the CYBERWAR techniques also being used?


Two good sources of information may assist in making a reasonable judgment:

Firstly, the political: Russian State Duma Deputy and Security Committee member Nikolai Kuryanovich stated in 2006, within a formal Russian parliamentary letter of appreciation to hackers who had taken down several Israeli web sites:

"In the very near future many conflicts will not take place on the open field of battle, but rather in spaces on the Internet, fought with the aid of information soldiers, that is hackers. This means that a small force of hackers is stronger than the multi-thousand force of the current armed forces." – Prediction or intent?


Secondly, the strategic, from a few days ago:
"Cyber-attacks are part of the information war; making your enemy shut up is a potent weapon of modern warfare." As stated by Alexander Denezhkin, editor of the Russian journal Cybersecurity.ru.



Finally, a reasonable conclusion on the nomenclature is to consider the absurdity of treating cyber crime and national cyber security as separate problems. If any country had such a successful and established Internet 'black ops' entity as the RBN within its borders, is it not logical that it would utilize or capitalize on such skills?


Perhaps what many find unpalatable is the example from the history of the 20th century, where there were similar apologists and we ignored developments in strategy and warfare such as the Blitzkrieg, at a huge later cost. This could be an early example of Russia establishing hegemony over, or control of, its neighbors via an emerging "Cyber Iron Curtain".




Jart Armin - RBNexploit.com



Refs:

UAB Spam Data Mine

UAB Blog

CanadianMeds - Sistemnet - TTnet

Spamhaus (a)

Spamhaus (b)