Saturday, August 3, 2024

Analyzing the Russo-Georgian War of 2008

Introduction

The Russo-Georgian War of 2008 has the dubious honor of being the first instance where a kinetic attack (land, sea and air) was combined with cyber warfare. This paper starts with a recounting of the war, then describes two approaches to intelligence analysis: a purely academic approach, and a fact-based IT security approach. The intelligence generated by those approaches is then compared.

Map by Andrein at English Wikipedia – 26 August 2008

Background

Russia, along with South Ossetia and the Republic of Abkhazia, invaded parts of Georgia1 starting on 1 August 2008. When the war "officially" ended on 16 August, the results included the loss of Georgian territory, displacement of Georgians from South Ossetia, the collapse of diplomatic relations, the establishment of Russian military bases in the captured territories, etc.

For purposes of this paper, the important part of the war was the fact that it involved a cyber attack coordinated with the kinetic attack. This was the first war where there was such coordination.

Based upon an after-action review performed by the Georgia Minister of Foreign Affairs2, cyber attacks began on 20 July 2008, continued throughout the kinetic component of the war, and the last cyberattack occurred on 27 August. The following sites were targeted:

  • Georgian Parliament
  • Georgian Supreme Court
  • Ministry of Foreign Affairs
  • Central Election Commission
  • President Mikheil Saakashvili's official website
  • US and UK Embassies in Tbilisi
  • Various news agencies

The methods of attack included information exfiltration, website defacement, and distributed denial of service (DDoS) attacks.

The Georgian response was to create temporary websites on the Google Blogger platform and in general to move them to US servers, knowing that US servers would be difficult for the hackers to target. In addition, the President of Poland, Lech Kaczynski, offered to host Georgian websites.


Academic Analysis

In a 2010 paper3 published in the Small Wars Journal entitled "Cyberwar Case Study: Georgia 2008", David Hollis analyzes the cyber aspect of the Russo-Georgian War. He does this from a very academic standpoint, though, and as a result he is unable to answer crucial questions about the cyber attack. For example, he is unable to correctly identify the perpetrators!

Hollis attributes the cyber attack to hypothetical "cyber militias" or "hacker militias." He proposes that these cyber militias exist, but he fails not only to answer but even to raise some very fundamental questions about these militias, such as:

  • What is this militia's name?
  • How many people are in it?
  • How long have they been operational?
  • What is their physical location?
  • Who coordinated the cyber and kinetic components?

Hollis makes the leap to "cyber militia" with no real evidence! From the perspective of philosophy, he's making an unwarranted ontological claim.

At first glance, this doesn't seem to be a major problem: Hollis is just calling hacker groups or cyber criminal organizations by a different name: "cyber militias." The issue is that "cyber militia" is a loaded term, which slants the analyst's perspective and forces him down the wrong rabbit holes. Terms such as "hacker militia" and "cyber militia" are prejudicial language for two reasons. First, militias have a very specific nature, most importantly their command-and-control structure (this will be expanded upon shortly). Second, there is a potential ambiguity: cyber militias are an active topic in cyberwarfare research – does Hollis mean the same thing?

Hollis is cognizant of the first item, and from this he derives some unusual "lessons learned."


Operational and Intelligence Lessons Learned

From a security analyst's perspective, Hollis committed the error of focusing on one type of information (academic research) to the exclusion of other sources of information. It is worth reviewing the lessons Hollis derived from this approach because they're fascinating unto themselves, and they make for a sharper contrast with the results obtained by IT security experts.

Hollis derives four "lessons learned."

Lesson 1: Engage Cyber Militias First

The first lesson is that cyber militias must be engaged. This lesson is both extremely common-sensical as well as radically unusual, for Hollis is stating that a country must make use of ALL the resources available to it, and to do otherwise is to leave "money on the table."

Like all things, militias have a specific nature, and to use militias is to use them according to that nature. Or, like Francis Bacon said, "nature, to be commanded, must be obeyed."

To engage a cyber militia for an operation, they must be SOLD on the concept. One of the characteristics of militias is their unusual style of command-and-control: they operate on persuasion instead of on orders. Another way of looking at this is that a military leader would find commanding a militia to be akin to "herding cats." This shows that Hollis is indeed somewhat aware of the "militia mindset."

Since members of a hacker militia would frequently be self-taught, they have their own ideas on how to proceed, so there must be discussions of tactics, techniques, and procedures (TTPs). They must be steered to desired targets ("centers of gravity"), and their actions should be coordinated with traditional operations.

In a cyber conflict, both sides will have their own hacker militias, and the defender's hackers can take steps to track and monitor the opposing country's cyber forces. This includes examining server and internet traffic logs for signs of probing operations. Of course, chat rooms and other forms of comms must be monitored.

Lesson 2: Target Choices

As Hollis described, Russia's hacker militias performed preparatory tasks such as identifying enemy assets, performing reconnaissance activities, and conducting probing operations. These probing activities must be practiced "low and slow" – in other words, below the enemy's threshold of concern. Hollis cautions that hacker militias are "eager beavers," which will push their level of activity above the enemy's threshold of concern.

The defender's hacker militias must conduct their own recon operations in collaboration with their intel community. And of course, they must identify, monitor, and protect their valuable assets (key terrain).

Lesson 3: Geographic Targeting

Once their hacker militias were operational, Russia employed them to create a communications blackout of the areas of Georgia that would soon be attacked in real life (IRL). The desired consequences of this blackout were: federal and local governments were unable to contact those under attack; it generated panic; and it created doubts about the competence of the federal government of Georgia.

Notice that this technique of geographic targeting allows for feints and ruses.

For the defender, cyber targeting indicates the location of an upcoming ground or air assault. Again, this could be a feint or ruse!

Lesson 4: Possibility of Hacker vs Hacker Attacks

Since both attacker and defender (supposedly) have hacker militias, these militias will attack each other. The defender's militia will become an early target of the aggressor, to prevent retaliation. So, the government should monitor its internal hacker community.

This has application to other nations: neutral nations should monitor their own internal hacker community to prevent being pulled into the conflict.

Training Proposal

Hollis' paper concludes with one recommendation: that to best train cyber militias, cyberspace "ranges" should be developed and used for force-on-force activities. These must be air-gapped (isolated from any outside network, whether wired or wireless), but somehow integrate with the physical domain so as to investigate various attack/defend scenarios.


Concluding Remarks on Hollis' Analysis

Without proof of the Russian cyber militias' existence, his lessons learned and his training proposal are really ideas for how a hypothetical militia should operate and train.

Notice the lack of actionable information relevant to the Russo-Georgian War: by taking a purely academic approach, Hollis is not able to identify the culprit of the cyber attacks against Georgia, and is unable to propose concrete methods to combat cyber militias above and beyond: get your own militia!


Factual Research by IT Security Analysts

We'll now look at the approach used by IT security firms to analyze the cyber component of the Russo-Georgian War. There are many, many IT security analysts in operation, and their research is frequently put behind paywalls – they are for-profit organizations after all! We'll look at the analysis of one of these security companies: Packet Clearing House. Their analysis4 was published in ACM Queue.

Packet Clearing House (PCH) is a well-respected business that has been in operation since 1994 and has built major parts of internet infrastructure. They also have experience in state-on-state cyber attacks: they detected and analyzed a similar "cyber skirmish" in Estonia in 2007. Like all good IT security firms, their investigative approach is fact-based: they derived information from server logs and attack methods.

Before looking at the details of Packet Clearing House's analysis, note that the attack methods used give information about the perpetrators' abilities.

Data exfiltration is not described in detail in any of the references used, but data scraping implies a fair level of programming ability, whereas system penetration implies a hacking background.

Website defacement definitely involved a hacking component in order to break into a server. The amount of defacement indicates the level of programming ability of the perpetrator.

This is somewhat useful information, since the skill levels of the perpetrator limit the list of suspects.

The Culprit

The REAL information comes from the DDoS (distributed denial of service) attacks. As background, DDoS uses botnets, which are collections of internet-connected computers. Each computer is infected with a virus. Said virus repeatedly sends requests to a targeted computer, and these requests overwhelm the targeted computer.

Based on the IP addresses of the bots in the botnets, PCH determined that the botnets were located in Russia, China, and the United States, and that the server that directed the botnet attack was located in the US.

The IP addresses were the smoking gun – they allowed security researchers to identify the culprit: the IP addresses of computers in the botnet match those used by the Russian Business Network (RBN). RBN is based in St. Petersburg and may be state-sponsored. They started as an internet service provider, then moved into website hosting, and have hosted CP, spam, mafia sites, and malware. They have built botnets and rent them for $600/month. At one point in time, they were linked to 60% of all Russian cybercrime.
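As an added illustration of the fact-based approach (this script is not from the page, from PCH, or from any of the cited papers), the following Python example works through the two kinds of log evidence this section and Lesson 2 above rely on: a volumetric flood that shows up as a burst of requests from a few sources, and "low and slow" probing that stays below a per-minute threshold but touches many non-existent paths over hours. It parses web-server access-log lines in the standard combined format, flags both patterns, and then matches the flagged addresses against a list of known botnet prefixes. Everything here is constructed: the log lines, the visitor and bot addresses (RFC 5737 documentation ranges), and the prefix list, which stands in for the threat-intelligence data an investigator would actually hold and is not RBN's infrastructure.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime

# Regex for the "combined" access-log format used by Apache and nginx by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return ip, timestamp, path and status for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"),
            "status": int(m.group("status"))}


def find_flooders(records, window_seconds=60, threshold=20):
    """Volumetric indicator: any source that sends >= threshold requests inside one window."""
    per_window = defaultdict(lambda: defaultdict(int))
    for r in records:
        bucket = int(r["ts"].timestamp()) // window_seconds
        per_window[bucket][r["ip"]] += 1
    return sorted({ip for w in per_window.values() for ip, n in w.items() if n >= threshold})


def find_probers(records, max_requests=20, min_paths=5, min_404_ratio=0.5):
    """'Low and slow' indicator: few requests in total, many distinct paths, mostly 404s."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    probers = []
    for ip, recs in by_ip.items():
        if len(recs) > max_requests:          # noisy sources are handled by find_flooders
            continue
        distinct_paths = {r["path"] for r in recs}
        not_found = sum(1 for r in recs if r["status"] == 404)
        if len(distinct_paths) >= min_paths and not_found / len(recs) >= min_404_ratio:
            probers.append(ip)
    return sorted(probers)


def attribute(ips, known_prefixes):
    """Map each flagged IP to the first known-botnet prefix that contains it, else None."""
    nets = [ipaddress.ip_network(p) for p in known_prefixes]
    return {ip: next((str(n) for n in nets if ipaddress.ip_address(ip) in n), None)
            for ip in ips}


# Constructed placeholder for a threat-intelligence list of botnet prefixes
# (an RFC 5737 documentation range, not any real operator's address space).
KNOWN_BOTNET_PREFIXES = ["203.0.113.0/24"]

FMT = ('{ip} - - [09/Aug/2008:{hh:02d}:{mm:02d}:{ss:02d} +0400] '
       '"GET {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')


def build_sample_log():
    """Constructed access log: one ordinary visitor, three flooding bots, one slow prober."""
    lines = []
    for ss in (1, 15, 40):                                   # ordinary visitor, three page views
        lines.append(FMT.format(ip="198.51.100.20", hh=10, mm=0, ss=ss, path="/", status=200))
    for ip in ("203.0.113.7", "203.0.113.88", "192.0.2.45"):  # 30 hits each inside one minute
        for ss in range(0, 60, 2):
            lines.append(FMT.format(ip=ip, hh=10, mm=0, ss=ss, path="/", status=200))
    probe_paths = ["/admin/", "/backup.zip", "/old/", "/test/", "/phpinfo.php", "/db/"]
    for i, path in enumerate(probe_paths):                   # one miss every ~30 minutes over 3 hours
        lines.append(FMT.format(ip="198.51.100.77", hh=9 + i // 2, mm=(i % 2) * 30,
                                ss=5, path=path, status=404))
    return lines


def analyze(lines):
    """Parse the log, flag floods and slow probes, and attribute the flagged sources."""
    records = [r for r in (parse_line(line) for line in lines) if r]
    flooders = find_flooders(records)
    probers = find_probers(records)
    return {"flooders": flooders, "probers": probers,
            "attribution": attribute(flooders + probers, KNOWN_BOTNET_PREFIXES)}


if __name__ == "__main__":
    for key, value in analyze(build_sample_log()).items():
        print(key, value)
```

Run against the constructed log, the two 203.0.113.x flooders attribute to the placeholder prefix while 192.0.2.45 and the prober remain unattributed, which is the honest outcome of this method: an address match supports attribution only for sources that fall inside prefixes already tied to a known operator, and everything else stays an open question for further research rather than a guess.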

PCH's Recommendations

Based on their investigation, PCH made several concrete recommendations:

  • Foster a robust physical infrastructure
  • Diversify the number of international connections
  • Create one or more internet exchange points (IXPs) within Georgia - IXPs permit internet connections between points within the country, and without IXPs local connections must be routed outside the country
  • Ensure domestic availability of domain name servers (DNS) - without DNS, websites cannot be reached using the website's name
  • Work with computer emergency response teams (CERTs) to coordinate defense against cyber attacks.

Georgia followed at least one of PCH's recommendations - they now have 3 IXPs.


Comparison of Results

Using only an academic research approach, the culprit is something unknown (at the time): cyber militias. The actions were symptoms without known causes, and particular actors were not identified. Finally, only general remedial actions were recommended.

In contrast, by using all available information, PCH determined that the culprit is a known actor type: cybercrime organization. By tracing this organization's actions back to an actor, PCH was able to specify that actor: RBN. Finally, PCH was able to recommend extremely specific remedial actions.

Weaknesses of Georgia's network infrastructure were identified by PCH:

  • No domestic internet exchange points
  • No domestic domain name servers
  • Some reliance on servers located outside Georgia (Turkey and Russia in particular)
  • Overall result was to leave Georgia open to cyber attack

Finally, the strengths of Russian hackers were inferred by PCH:

  • Russian Business Network are talented hackers with years of experience
  • They exploited weaknesses in Georgian internet infrastructure
  • RBN began probing attacks prior to launching the DDoS attacks
  • Russians coordinated RBN attacks with military action
  • RBN continued internet attacks after kinetic component began


Conclusion

David Hollis' analysis of the Russo-Georgian War is extremely academic: it proposed the existence of hypothetical "cyber militias" on both sides of the conflict; it was unable to identify the actual perpetrators; and it provided no concrete remediation plans.

Meanwhile, PCH used available data (both server logs and the histories of known Russian hacker groups) and was able to derive useful information: they identified the specific Russian cyber crime organization responsible for the attack; they devised a concrete plan to solidify Georgia's cyber defenses; and the Georgian government followed some of those recommendations.

The difference can be summarized as follows: what Hollis did not know, he invented. What PCH did not know, they researched.

This is not to say that the academic approach has no value: Hollis' "cyber militia" concept may have future uses – for example, a research paper5 was published in 2023 supporting the idea that Ukraine should get its own cyber militia.


Footnotes

  1. Details on the kinetic aspects of the war can be found in Kofman, "Russian Performance in the Russo-Georgian War Revisited."
  2. Georgia Minister of Foreign Affairs, Russian Cyberwar on Georgia.
  3. Hollis, "Cyberwar Case Study: Georgia 2008."
  4. Stapleton-Gray & Woodcock, "National Internet Defense – Small States on the Skirmish Line."
  5. Svantesson, "Regulating a “Cyber Militia” – Some Lessons from Ukraine, and Thoughts about the Future."

Bibliography

Georgia Minister of Foreign Affairs. Russian Cyberwar on Georgia. 10 November 2008. Retrieved 26 July 2024 from https://web.archive.org/web/20111117042929/http://www.mfa.gov.ge/files/556_10535_798405_Annex87_CyberAttacks.pdf

Hollis, D. "Cyberwar Case Study: Georgia 2008." Small Wars Journal, 2010. Retrieved 18 July 2024 from https://smallwarsjournal.com/blog/journal/docs-temp/639-hollis.pdf

Kofman, M. "Russian Performance in the Russo-Georgian War Revisited." War on the Rocks, 4 September 2018. Retrieved 3 August 2024 from https://warontherocks.com/2018/09/russian-performance-in-the-russo-georgian-war-revisited/

Stapleton-Gray, R. & Woodcock, B. "National Internet Defense – Small States on the Skirmish Line." ACM Queue 9 (Issue 1), 19 January 2011. https://doi.org/10.1145/1922539.1929325

Svantesson, D. "Regulating a “Cyber Militia” – Some Lessons from Ukraine, and Thoughts about the Future." Scandinavian Journal of Military Studies 6 (No. 1) 11 July 2023. Retrieved 25 July 2024 from https://sjms.nu/articles/10.31374/sjms.195
