Russian Cyber Operations. Scott Jasper
an opposing force the effective use of cyberspace systems and weapons in a conflict.”85
Two distinctions exist between the Russian and US versions. The first is the originator, which for the Russians extends beyond the state apparatus to organized political groups, whereas the US definition infers the use of only the armed forces in military operations. The second is the target, which for the Russians is cyber infrastructure and for the United States is opposing force systems and weapons. This implies Russia intends to attack civilian cyber infrastructure in armed conflict, although in Russia the term cyber warfare is used primarily to signify US and allied activity.86 Yet both pretenses, the originator and the targets, of the Russian version were seen in the interstate war with Georgia in 2008 (see map 2.2). During the Russian incursion into Georgia, organized political groups took down civilian infrastructure and defaced websites in conjunction with kinetic military operations. Therefore, the disruptions and manipulations could have qualified as part of armed conflict.
2008 Georgian Invasion
In August 2008, Russian military forces mounted a large-scale land, air, and sea invasion of Georgia, ostensibly in response to Georgian artillery shelling of the South Ossetia capital of Tskhinvali. The Kremlin argued its actions were driven by an imperative need to defend the Russian peacekeeping contingent there and protect Russian citizens abroad.87 The real objectives were strategic and geopolitical, specifically to terminate Georgian sovereignty in South Ossetia and Abkhazia, bring down pro-American president Mikheil Saakashvili, and prevent Georgia from joining NATO.88 Russia had enacted a creeping annexation of the two separatist republics by granting the majority of their populations Russian citizenship and forging close economic and bureaucratic ties. They also had abused their mandate as peacekeepers—for instance, by staging additional troops, shipping containers of weapons, and repairing a key railroad line in Abkhazia.89 Russia also infiltrated advance elements of motorized rifle regiments into South Ossetia prior to hostilities. In addition, on July 19, hackers conducted a dress rehearsal “for an all-out cyberwar.”90 Unknown parties used a computer “located at a U.S. ‘.com’ IP address to command and control a multi-pronged DDoS attack” against Saakashvili’s website.91 The command-and-control server instructed its botnet to attack the website with a variety of flooding methods, exploiting the TCP-, ICMP-, and HTTP-type protocols (Transmission Control Protocol, Internet Control Message Protocol, and Hypertext Transfer Protocol, respectively).92 The website became unavailable for more than twenty-four hours. Although experts were unable to trace the attack, they identified the server as “a MachBot DDoS controller written in Russian and frequently attributed to Russian hackers.”93 Yet, in effect, the attack seemed to be from a civilian computer of a presumed ally of Georgia.
Map 2.2. Georgia
Source: Central Intelligence Agency, “Middle East: Georgia,” The World Factbook, https://www.cia.gov/library/publications/resources/the-world-factbook/geos/gg.html.
The first Russian interstate post-Soviet war lasted only five days, from August 7 to August 12, 2008. After initial skirmishes of forces already in Georgia near the city of Tskhinvali, large columns of Russian soldiers and tanks advanced into South Ossetia on the second day through the Roki Tunnel.94 On the third day, Russia opened a second front in Abkhazia, with military elements landing from the Black Sea and arriving by the repaired railroad line.95 Cyber operations against Georgian targets commenced at the onset of physical hostiles. Russian hacktivist websites posted lists of Georgian sites for patriotic hackers to attack, along with instructions and downloadable malware.96 The main phase of the cyber operations began on August 8, when multiple command-and-control servers hit Georgian websites. Among those targeted were the Georgian president, the central government, the Ministry of Foreign Affairs, the Ministry of Defense, and popular news outlets, such as the television station R2. TBC, the largest commercial bank of Georgia, came under attack the next day. On August 11, the website of the Georgian parliament was struck, and a defacement of the president’s website occurred, where a slideshow depicted doctored images comparing Mikheil Saakashvili and Adolf Hitler. A similar defacement and replacement happened at the National Bank of Georgia website, with President Saakashvili included within a gallery of twentieth-century dictators. Although military operations ended on August 12 by a cease-fire agreement, the DDoS attacks continued until the end of the month.97
The methods used to deface websites and launch DDoS attacks against numerous public and private targets in Georgia were similar to those used in Estonia the previous year. Lists of Georgian sites vulnerable to remote injections of Structured Query Language, or SQL (an attack technique that takes advantage of poorly secured application coding for databases), which would facilitate automatic defacements, were distributed on Russian-language websites and message boards, in addition to a Microsoft Windows batch script, with instructions to flood sites. The Russian blogs and forums were located in Estonia, the Russian Federation, and elsewhere.98 The websites StopGeorgia.ru and Xakep.ru appeared to coordinate targeting and attacking of Georgian websites.99 They provided DDoS attack tools and identified thirty-six major websites as primary targets. Also, botnets associated with criminals were used in both Estonia and Georgia. The largest DDoS attack against Estonia came from a botnet linked to a Russian cybercrime group operating out of Saint Petersburg, with connections to the Russian Business Network. In the Georgian conflict, the six command-and-control servers that launched the largest DDoS attacks were managed by a cybercrime group. The servers themselves were registered through www.naunet.ru, a known “bulletproof hosting” provider in Russia, and the domains used to launch the attacks were hosted by www.steadyhost.ru, a known front for cybercrime activities.100
The concerted and sophisticated DDoS campaign constrained the ability of the Georgian government to convey its narrative in the early stages of the conflict to the international community. Therefore, the significance of the disruptions and manipulations should not be understated, for although the domestic impact upon society was not as great as in Estonia, the state’s loss of control of the narrative in Georgia may have led to a delayed international response.101 Overall, the attacks were not particularly complicated since they were facilitated by prefabricated tools and techniques disseminated to willing participants. In addition, the attacks had limited operational or tactical benefit from a conventional military perspective. Yet the use of cyber operations set the conflict apart as the first of its kind in modern warfare. Additionally, the reliance on local proxies of dubious loyalties to carry out both conventional and unconventional tasks signaled a new way of warfare.102 These actors, in the form of peacekeepers, militiamen, and hackers, gave Russia a way to feign plausible deniability and avoid deploying more of its armed forces, including organic cyber assets.
A report by the US Cyber Consequences Unit, an independent, nonprofit research institute, concluded that “the cyber attacks against Georgian targets were carried out by civilians with little or no direct involvement on the part of the Russian government or military.”103 The forensic evidence fell upon patriotic hackers recruited by social networking forums and on criminal organizations, who contributed Web servers and botnets. However, the timing of the attacks indicates that the organizers had advance notice of Russian military intentions. For instance, the quick start of packet assaults meant the writing of attack scripts, registering of new domains, and hosting of new websites had to have been prepared before the public was aware of the invasion.104 Likewise, cyberattacks were close in time to corresponding military operations. Just before Russian air attacks on the city of Gori, hackers attacked governmental and news websites.105 Nonetheless, the Russian government denied involvement. Yevgeniy Khorishko, a spokesman for the Russian embassy in Washington, said that “it was possible