
Twitter, DDoS and the Motivations Behind the Attack

Terry Zink

As we all know by now, last week, on Thursday, August 7, Twitter was hit with a denial-of-service attack that took it down for several hours. Other social networking sites, including Facebook, LiveJournal, YouTube and Blogger, were also hit. They managed to repel the attack, although Facebook was not quite as successful as the other larger players.

The theory floating about at the moment is that this was a politically oriented play designed to target one guy: a blogger.

We are nearing the one-year anniversary of the 2008 Russian/Georgian war. There is a pro-Georgian blogger with the username "Cyxymu" who had accounts on all of these services. It is thought that these attacks were an attempt to silence his anti-Russian, pro-Georgian rhetoric: by DDoS'ing these services, the attackers hoped that Facebook, LiveJournal, etc., would bow to the pressure of the cyberattacks and take his account offline.

One theory is that the attack came in the form of a huge spam blitz containing links to Cyxymu's pages at Blogger, Facebook, LiveJournal, and so forth. When people received the spam, they all started clicking on the links, driving tons of traffic to these sites and taking them offline. Thus, either Cyxymu succeeded in driving traffic to his pages but it backfired when users couldn't reach them, or someone spoofed Cyxymu and drove traffic to these pages, and it succeeded in taking down the entire service. The latter sounds unlikely: why would you drive traffic to someone's page if you want to discredit them? It's counterproductive. Secondly, you'd have to get the spam past the spam filters. And who would actually click on the link? Not enough people to take down Facebook or Twitter.

Instead, other theories hold that while spam like this did occur, it is more likely that the people behind these attacks had botnets under their control, and that floods of DoS traffic from those botnets are what took the sites offline. It was obviously a coordinated attack on the sites, as it all occurred around the same time; it was not the result of people clicking on links in their spam email. This theory makes a great deal more sense.
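The distinction the post draws, a crowd of real readers following a spammed link versus a botnet flooding the same pages, is one a site operator can test in its own access logs rather than guess at. The following Python script is an added example, not code from the original post or from any of the services mentioned: it parses combined-format web log lines and summarizes per-source request volume, referer presence and user-agent variety, then applies a simple heuristic. The log lines, addresses, path and thresholds are all constructed for illustration and are assumptions, not measurements from the 2009 attack.

```python
# Added example (Python), not from the original post: separating a
# spam-link flash crowd from a botnet flood using only fields that a
# standard combined web log already carries.
import re
from collections import Counter

# Combined log format: ip ident user [ts] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Aggregate per-source counts, referer presence and user-agent variety."""
    per_ip = Counter()
    user_agents = set()
    with_referer = 0
    total = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than abort
        total += 1
        per_ip[rec["ip"]] += 1
        user_agents.add(rec["ua"])
        if rec["referer"] not in ("", "-"):
            with_referer += 1
    distinct = len(per_ip)
    return {
        "total": total,
        "distinct_sources": distinct,
        "max_per_source": max(per_ip.values(), default=0),
        "mean_per_source": total / distinct if distinct else 0.0,
        "referer_share": with_referer / total if total else 0.0,
        "ua_variety": len(user_agents) / distinct if distinct else 0.0,
    }


def classify(s, flood_rate=10.0, crowd_rate=3.0):
    """Heuristic label; the thresholds are assumptions to tune against a baseline."""
    if s["total"] == 0:
        return "no-traffic"
    # Botnet flood: each source hammers the site, nobody arrives via a
    # mail-client referer, and the bots share a handful of user-agent strings.
    if (s["mean_per_source"] >= flood_rate
            and s["referer_share"] < 0.2
            and s["ua_variety"] < 0.2):
        return "botnet-flood"
    # Link-driven crowd: many distinct sources, a request or two each,
    # arriving from webmail referers with the usual spread of browsers.
    if s["mean_per_source"] <= crowd_rate and s["referer_share"] >= 0.5:
        return "flash-crowd"
    return "inconclusive"


def _line(ip, path, referer, ua, n):
    """Build one constructed combined-format log line (n spaces the timestamps)."""
    ts = f"07/Aug/2009:10:{n // 60:02d}:{n % 60:02d} +0000"
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "{referer}" "{ua}"'


# Constructed sample logs using documentation address ranges; no real traffic.
BOT_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
FLOOD_LOG = [
    _line(f"198.51.100.{i}", "/cyxymu", "-", BOT_UA, n)
    for i in range(1, 9) for n in range(50)      # 8 sources, 50 hits each
]
BROWSERS = ["Firefox/3.5", "Chrome/2.0", "Safari/4.0", "MSIE 8.0", "Opera/9.64"]
CROWD_LOG = [
    _line(f"203.0.113.{i}", "/cyxymu", "https://webmail.example/inbox",
          BROWSERS[i % 5], i)
    for i in range(1, 61)                        # 60 sources, one hit each
]

if __name__ == "__main__":
    for name, log in (("flood", FLOOD_LOG), ("crowd", CROWD_LOG)):
        print(name, classify(summarize(log)))
```

On real logs the interesting case is the "inconclusive" label: a flood that rotates through tens of thousands of bots will push `mean_per_source` down toward crowd levels, so the referer and user-agent signals, and the timing correlation across sites that the post itself relies on, carry more weight than raw per-source rate.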

Assuming that Cyxymu was not behind the spam run, the following questions come to mind:

1. Who was behind the spam run and cyberattack?
2. Why did they do it?

I have my own theory. Cyxymu was blogging/writing/YouTube'ing about the Russian/Georgian war anniversary and was publicly criticizing Russia. Some people in Russia obviously took offense to this and started a spam campaign as misdirection. They attempted to make it look like Cyxymu was responsible for sending out a huge wave of advertising to drive traffic to his site, but by using spam as his medium, it would discredit Cyxymu (since only very unethical people use spam to market their opinions). In the meantime, the same people behind the spam campaign set up a DoS attack to take down all of these sites on the theory that people would think that Cyxymu's blitz worked and people clicked on these links, taking down the sites. The hope was that Facebook, LiveJournal, Twitter, and so forth, would remove Cyxymu's account for violating their Terms of Use.

That's my current working theory.

What about who was behind the attack? Was it the Russian government? Did they engage in state-sponsored cyberwarfare? While possible, this attack follows a pattern similar to two episodes in recent memory. In 2007, the Estonian government came under cyberattack when it attempted to remove a Russian war memorial from one of its major cities. At the time, the Estonian government accused the Russian government of coordinating the attacks, but it turned out that an aide to a Russian politician in the Duma was responsible for it and acted "alone", that is, without explicit direction from Russia. Of course, he still had lots of help from friends in the botnet community.

In 2008, during the first Russian/Georgian war, Georgia came under cyberattack and also accused Russia of coordinating it. However, as Israeli security expert Gadi Evron points out, the attack probably was not coordinated by the Russian government. Both this incident and the Estonian one appear to be coordinated cyber-riots, that is, a group of fiercely patriotic hackers got angry at anti-Russian rhetoric, got together and took down the government's web sites in an attempt to "make them pay."

I would tend to lump this in the same category. While we don't know for certain who is responsible and why they did it (not yet, anyhow), we do know that whoever was behind these attacks can wreak a lot of havoc with only a small amount of resources and is probably well connected to the black market of botnet operators.

By Terry Zink, Program Manager. Visit the blog maintained by Terry Zink here.

Related topics: Cyberattack, Cybercrime, Security, Spam
