Georgia President's web site under DDoS attack from Russian hackers


Summary: From Russia with (political) love? It appears so according to a deeper analysis of the command and control servers used by the attackers.


From Russia with (political) love? It appears so according to a deeper analysis of the command and control servers used by the attackers. During the weekend, the Georgian President's web site was under a distributed denial of service attack that managed to take it offline for a couple of hours. The event took place at a moment of real-life tension between Russia and Georgia, with Russia clearly demonstrating its position against Georgia's pro-Western government. Shadowserver, which picked up the attack first, comments:

"For over 24 hours the website of President Mikhail Saakashvili of Georgia (www.president.gov.ge) has been rendered unavailable due to a multi-pronged distributed denial of service (DDoS) attack. The site began coming under attack very early Saturday morning (Georgian time). Shadowserver has observed at least one web-based command and control (C&C) server taking aim at the website hitting it with a variety of simultaneous attacks. The C&C server has instructed its bots to attack the website with TCP, ICMP, and HTTP floods. Commands seen so far are:

flood http www.president.gov.ge/
flood tcp www.president.gov.ge
flood icmp www.president.gov.ge

The server [62.168.168.9] which houses the website has been largely offline since the attack started. Passive DNS records show the system houses several other websites which are mostly unrelated to the Georgian government. However, the server does also host the Social Assistance and Employment State Agency website (www.saesa.gov.ge). This website along with the others on the host have been rendered inaccessible.

We do not have any solid proof that the people behind this C&C server are Russian. However, the HTTP-based botnet C&C server is a MachBot controller, which is a tool that is frequently used by Russian bot herders. On top of that the domain involved with this C&C server has seemingly bogus registration information but does tie back to Russia. "

Russia's most recent cyber attacks, which successfully hit Estonia, Lithuania and now Georgia, all share a common motivation even though they were executed by different parties. Estonia remains the only coordinated attempt to attack a country's Internet infrastructure; the Lithuanian and Georgian incidents were lone-gunman attacks.

The DDoS against the Georgian President's web site appears to be using a well-known Russian malware variant from the Pinch family (whose authors were arrested in 2007 after operating online for several years), next to a command and control bot (a MachBot controller) primarily known to be popular in Eastern Europe; together with messages in the flood packets like “win+love+in+Rusia”, this speaks for itself. It's also interesting that although they dedicated a new command and control server specifically to this DDoS attack, one that hasn't been seen in any third-party attacks, they made a small mistake that further confirms the attack was launched by well-known Russian botnet masters. Their mistake? Having the malware phone back to a well-known command and control server seen in a great number of previous attacks, which shares DNS servers with a provider of DDoS attacks on demand that, despite announcing on its site that it is no longer in business, continues to offer botnet-for-rent services.
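A defender-side illustration of the two indicators the article and the Shadowserver note describe: the `flood http|tcp|icmp <target>` orders issued by the MachBot controller, and the “win+love+in+Rusia” marker carried in the HTTP flood requests. This is an added example, not code from the article, from Shadowserver or from the controller itself; the C&C reply, the combined-format web log lines and the client addresses (documentation ranges) are constructed here.

```python
import re
from collections import Counter

# Command grammar Shadowserver reported for this MachBot controller:
#   flood http www.president.gov.ge/
#   flood tcp www.president.gov.ge
#   flood icmp www.president.gov.ge
CC_COMMAND = re.compile(r"\bflood\s+(http|tcp|icmp)\s+(\S+)", re.IGNORECASE)

# Marker the article reports inside the flood packets.
FLOOD_MARKER = "win+love+in+Rusia"

# Apache/nginx combined log format: client IP first, request line in quotes.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def parse_cc_commands(body):
    """Return (protocol, target) pairs for every flood order found in a
    captured C&C response body.  Targets are normalised to a bare hostname
    so the three commands above resolve to the same victim."""
    return [(proto.lower(), target.rstrip("/").lower())
            for proto, target in CC_COMMAND.findall(body)]

def flood_sources(log_lines, threshold=3):
    """Count requests per client IP whose request path carries the flood
    marker; return {ip: count} for IPs at or above the threshold."""
    hits = Counter()
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m and FLOOD_MARKER in m.group(3):
            hits[m.group(1)] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

# Constructed sample data (assumption): a C&C reply and web-server log lines
# using documentation-range client addresses, not real captures.
CC_RESPONSE = """flood http www.president.gov.ge/
flood tcp www.president.gov.ge
flood icmp www.president.gov.ge
sleep 600
"""

SAMPLE_LOG = [
    '192.0.2.10 - - [09/Aug/2008:03:14:07 +0400] "GET /?win+love+in+Rusia HTTP/1.1" 200 512',
    '192.0.2.10 - - [09/Aug/2008:03:14:07 +0400] "GET /?win+love+in+Rusia HTTP/1.1" 200 512',
    '192.0.2.10 - - [09/Aug/2008:03:14:08 +0400] "GET /?win+love+in+Rusia HTTP/1.1" 503 0',
    '198.51.100.7 - - [09/Aug/2008:03:14:08 +0400] "GET /index.php HTTP/1.1" 200 4096',
    '198.51.100.7 - - [09/Aug/2008:03:14:09 +0400] "GET /?win+love+in+Rusia HTTP/1.1" 200 512',
]
```

Running `parse_cc_commands(CC_RESPONSE)` yields the three (protocol, host) orders and `flood_sources(SAMPLE_LOG)` flags only the client that sent three marker requests.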

Russia's politically motivated, or perhaps politically tolerated, attacks are all the result of the self-mobilization of Russia's IT underground, which feels obliged to send out a signal that it is actively participating in political life and monitoring everything. Moreover, nationalistic articles in Russian newspapers often fuel the tensions further and practically solicit involvement from Russian hackers, so even when they speculate about non-existent hacker discussions of coordinated attacks against a particular country, such discussions actually start taking place, and the result has been evident ever since.

[Image: MachBot command and control locations, courtesy of Team Cymru.]

Topics: Servers, Government, Hardware, Malware, Security

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.


Talkback

15 comments
  • Oh, it's about the *another* Georgia.

    It's about the ex-commie Georgia and not the Ted Turner birthplace.

    Anyway, a DDoS attack can be done even by a single person, so there is no real point in escalating this conflict into full warfare.
    magallanes
    • UGLY American In Action

      Didja mean _the "other Georgia"_ or just _*another* Georgia_?

      Witless.
      PMC-CON
  • RE: Georgia President's web site under DDoS attack from Russian hackers

    Somebody needs to get a life.
    Billsey
  • Why bother?

    4.6 million in whole Georgia vs. 10.5 million in Moscow city ... Why bother! Only Georgian President is sole user of the site: he is only the guy who can afford a computer in Georgia because he is the only person who has decent salary in Georgia. (Your taxes at work dear fellow US citizens!)
    turtle-sf
    • Russia - the aggressor and warmonger!

      Russia is violating international law every second there are Russian soldiers on Georgian territory!
      Russia is the only aggressor in this war!
      Georgia has every right to assert its control over the former autonomous territory of South Ossetia!
      The same right that Russia has to assert its control over similar territories inside Russia itself.
      Russia; get out of Georgia and take your so-called peacekeepers with you!!!
      And out of Abkhazia too!!!

      KS, Norway
      Firefox2008
      • You Sir, are an idiot.

        We see points like most of the residents of the region hold Russian passports – making them Russian citizens.

        We see references that say that 99% of the people of South Ossetia WANTED to separate from Georgia. Should these people not have a choice?

        We see that the separation has been in place since 1991/1992 when the region separated from Georgia and was recognized as such. Now, all of a sudden almost 20 years later, it is “illegal” and you want the area back?

        We see that Georgian forces have first FLATTENED the capital city – killing THOUSANDS of people – including peace-keeping troops. BEFORE any Russian response.

        Are all of these references incorrect? If there is a different truth, I'm sure everyone would love to know about it.

        On the surface, it seems that Georgia attacked first, and then received a response. If Russia had REALLY wanted to make a statement, they could have bombed Tbilisi into the stone age.

        http://www.hindu.com/2008/08/09/stories/2008080955291300.htm

        http://www.dw-world.de/dw/function/0,,12215_cid_3546524,00.html?maca=en-rss-en-all-1573-rdf

        http://motls.blogspot.com/2008/08/georgia-attacks-south-ossetia.html

        http://www.blogsofwar.com/2008/08/08/georgia-attacks-south-ossetia-russia-sending-in-troops/

        http://www.dailypaul.com/node/57423

        http://top.rbc.ru/english/index.shtml?/news/english/2008/08/08/08120354_bod.shtml

        http://www.newstin.co.uk/tag/uk/73017915

        http://news.yahoo.com/s/afp/20080808/ts_afp/georgiasossetiarussiaunrest

        http://www.iraq-war.ru/tiki-read_article.php?articleId=171340

        http://eldib.wordpress.com/2008/08/08/georgia-attacks-south-ossetia-russia-entering-with-tanks/

        http://edition.cnn.com/2008/WORLD/europe/08/07/georgia.ossetia/index.html
        Marty R. Milette
        • You Sir, are an idiot

          >We see points like most of the residents of
          >the region hold Russian passports – making
          >them Russian citizens.

          That's moot. Suppose the Turkish would have given out their passports to Chechens in 1996. Would that entitle them to an invasion of Russia, once the Russian military started the massacre of Chechens?

          >We see references that say that 99% of the
          >people of South Ossetia WANTED to separate
          >from Georgia. Should these people not have a
          >choice?

          That's simply not true. At least a third of the people in South Ossetia were ethnic Georgians who did not want to be separate from Georgia. This is even more so for Abkhazia, where Georgians were 50% of the population (whereas Abkhazians only 17%).

          Now, shouldn't these people have a choice as well? But they were driven out of Abkhazia and North Ossetia, in both cases with the help of the Russian military. A great many of them were killed in the process.

          >We see that the separation has been in place
          >since 1991/1992 when the region separated from
          >Georgia and was recognized as such.

          This is simply not true. These regions had never been recognized as independent. Even by Russia.

          >We see that Georgian forces have first
          >FLATTENED the capital city – killing THOUSANDS
          >of people – including peace-keeping troops.
          >BEFORE any Russian response.

          This is a lie. Tskhinvali has not been flattened. The satellite damage assessment obtained by UNOSAT has shown that only a smaller part of the buildings in the city were damaged during the fighting. Whereas the Georgian villages in South Ossetia were destroyed completely in the aftermath.

          Now, 2,000 civilian casualties in Tskhinvali is a LIE - this number has not been confirmed even by the Russian state prosecutor's office. Human Rights Watch has stated several times that they have found this number to be an exaggeration. Besides, why do you think the Russians are so against the presence of any European observers in South Ossetia?

          >On the surface, it seems that Georgia attacked
          >first, and then received a response.
          Nope. South Ossetian rebels had been leveling the Georgian villages in South Ossetia with heavy artillery for a week before the Georgian attack.

          >If Russia had REALLY wanted to make a
          >statement, they could have bombed Tbilisi
          >into the stone age.
          Oh, I am sure they would like to. They tried hard to overthrow the Georgian government. But there was only as much they could do. You see, Russian leaders have their interests in the West: their accounts are there, their properties, even their families.
          freddymac
      • open your eyes

        Dear KS from Norway,

        you must be a friend of Mr. Saakashvili? He did a good job, very well washed the brains of Western media people. But just open your eyes, stop listening to propaganda and try to analyze the facts on your own. The fact is, Georgia has started this war. Tshinvali is destroyed and thousands of Ossetians are dead.

        http://www.youtube.com/watch?v=yCwTo9AdT2c
        http://www.youtube.com/watch?v=dcklR1mPCsM
        boris.zhenelman
        • open your eyes

          >The fact is, Georgia has started this war.
          >Tshinvali is destroyed and thousands of
          >osetians are dead.

          This is pure propaganda, just like they preach on Russian TV. To paraphrase you, open your eyes and get the facts. I do not want to repeat them here. See my post above.
          freddymac
  • RE: Georgia President's web site under DDoS attack from Russian hackers

    Saakshvili signed his death sentence on the day he authorized genocide in South Ossetia by ruthlessly murdering 2,000 innocent people. Guess he should have stayed on as a student at Columbia, but the Washington puppet masters had more in store for him!
    tolik1
    • Re: Saakshvili signed

      >Saakshvili signed his death sentence on the
      >day he authorized genocide in South Ossetia by
      >ruthlessly murdering 2,000 innocent people.

      That's brainwashing. Human Rights Watch has stated many times that they have been there but were not able to confirm even one tenth of this number. This figure was taken by Lavrov from the top of his head on the second day of conflict to justify the Russian occupation of Georgia.

      Now, the ethnic cleansing of Georgians in South Ossetia is already a proven fact - the leader of the South Ossetian rebels has personally confirmed it in an interview. And this was done with the help of the Russian military.
      freddymac
    • Re: Saakashvili signed

      deleted by poster
      freddymac
  • Georgia President's web site under DDoS attack from Russian hackers

    Peace, brothers! No more fucking wars! Srakasvilli -
    chain dog.

    Xrumer
  • RE: Georgia President's web site under DDoS attack from Russian hackers

    war in any manifestation - it is terribly bad!
    Russian Girls
  • RE: Georgia President's web site under DDoS attack from Russian hackers

    It looks like the cyber attack has escalated into a full out war.

    TorontoCondos