Sunday, December 16, 2007

Botnets linked to political hacking in Russia


John Leyden
The Register
December 14, 2007

Security researcher Jose Nazario has uncovered circumstantial evidence of the use of botnets in politically-motivated denial of service attacks.

Political events in the wider world are sometimes accompanied by hacking incidents in cyberspace, such as defacements and the like. Nobody paid much attention to the issue until the Estonian DDoS events of earlier this year when government and commercial sites in the small Baltic country were taken offline for days in April amid a row with Russia about relocation of a Soviet-era memorial to fallen soldiers and war graves.

Botnets orchestrated by Russian hackers are reckoned to have been used to fire up the Estonian attacks. Involvement of elements from the Russian government is suspected by some, though there’s nothing by way of evidence that the Kremlin had a hand in the assaults.

Nazario, a senior security researcher at Arbor Networks, has documented how botnets have featured in more recent politically motivated DDoS events. Attacks on the Ukrainian pro-Russian site of the Party of Regions, a party led by the Ukrainian Prime Minister Viktor Yanukovych, over the last three months were traced by Nazario back to networks of compromised machines.

Earlier DDoS attacks against the site of Ukraine President Viktor Yushchenko, a moderate Ukrainian nationalist, were not traced back to botnet activity.

Last week, Nazario traced attacks on the site of Gary Kasparov, famed Russian chess grand master turned anti-establishment politician, and namarsh.ru, another dissident site, back to a botnet. Both targeted sites seem to have weathered the assault largely unscathed (though the graphics on Kasparov’s site failed to load properly).

The motives, much less the perpetrators, of the attacks remain unclear. “I can dream up scenarios where Russian hackers attack Russian dissident websites and politicians’ websites (and why, for example, a Ukrainian site that is pro-Russian is attacked), but I don’t know who is at the keyboard,” Nazario writes. “I’ll keep watching these attacks and seeing what I can figure out, but so far it’s just a matter of guessing at motivations.”




Political DDoS? Ukraine, Kasparov
by Jose Nazario

I’ve been looking at politically motivated DDoS events for some time now; geopolitics has always fascinated me. This has been a hot topic for some time, and it really kicked into high gear earlier this year with the Estonian DDoS events. Recently there was a DDoS against the site for Ukraine President Viktor Yushchenko. With this in mind, I went looking for what may be more politically motivated DDoS attacks based on botnet tracking.

I first went looking for attacks against Ukrainian sites in the past 3 months, basing my analysis on botnet-driven DDoS events. This timeframe is from October, 2007, until a few days ago (early December, 2007). Most of the attacks were against what appear to be Ukrainian e-commerce sites. The only substantial politically motivated DDoS attacks of note in there are against the Party of Regions website. What’s interesting is that the Party of Regions appears to be a Ukrainian pro-Russian site, and their leader is Ukrainian Prime Minister Viktor Yanukovych. The earlier DDoS events seen in the Ukraine that got attention were against the Ukrainian President’s site, who appears to share different politics. I wound up finding several controllers commanding attacks against a host of Ukrainian sites, but nothing that appeared to target Yushchenko’s site. The timeline I put together is below, so you can see what happened. The boxes and arrows show the C&C controller and the targets that the bots were told to attack.

[Image: UkraineDDoS Oct-Dec 07.png]

Yesterday, however, I saw two DDoS targets commanded by a botnet master against Russian sites. The first is the website for Gary Kasparov, famed Russian chess grand master and now anti-establishment politician in Russia. This morning the site is offline (the HTML came from the Google cache, but all pics that called out to the real site failed to load). The site loaded for me OK during the attack yesterday, so I think this is not directly due to the attack I tracked.

[Image: Kasparov.ru Site After DDoS.png]

The other Russian target site that got my attention was www.namarsh.ru, which appears to be (I don’t read Russian, so I’m relying on others’ information) another Russian dissident site. This site appears OK today.

Watching these sorts of attacks from afar is fraught with peril if you try and interpret motivations. I can dream up scenarios where Russian hackers attack Russian dissident websites and politicians’ websites (and why, for example, a Ukrainian site that is pro-Russian is attacked), but I don’t know who is at the keyboard. I’ll keep watching these attacks and seeing what I can figure out, but so far it’s just a matter of guessing at motivations.


