Cyberwar rages on in Georgia

Government sites under attack from Russian hackers move to U.S.-based servers, including Atlanta's Tulip Systems.

Published August 12, 2008 9:45PM (EDT)

(Updated below)

Amid the obviously more serious real-world consequences in the ongoing Russia-Georgia conflict, the parallel virtual battle has been garnering a fair amount of attention. In sum, Russian hackers have been assaulting and disabling a number of Georgia's government Web sites -- largely, it seems, by employing botnet-driven denial of service attacks -- since the inception of the conflict. As always with this kind of cyberwarfare, it's difficult to sort out whether the Russian government is actively supporting the attacks, or is just the tacit beneficiary of some of its gung-ho and computer-savvy citizens. As of a few minutes ago, the main government site in Georgia remained down. There have been reports of attacks on Russian sites as well. On Monday the Wall Street Journal cited investigators who claimed to have traced the attack to a notorious cybergang called the Russian Business Network, but Wired's Danger Room found skeptics of that assessment.

So where did the Georgian government choose to turn when it became clear its own cyberdefenses couldn't stand up? The first option was Google-owned Blogger, which now hosts a replacement site from the Ministry of Foreign Affairs (whose main site was at one point defaced with a photo collage of Georgian President Mikheil Saakashvili alongside Hitler, but as of now is back up).

The more oddly serendipitous outcome, however, is that the Russian president's official Web site is now being hosted in the United States, by Atlanta-based Tulip Systems. The Associated Press reported in a short story Monday that Tulip CEO Nino Doijashvili, a native Georgian (the country), happened to be vacationing there when the fighting broke out:

She cold-called the government to offer her help and transferred and, the Web site of a prominent Georgian TV station, to her company's servers Saturday. Speaking via cell phone from Georgia, Doijashvili said the attacks, traced to Moscow and St. Petersburg, are continuing on the U.S. servers. The president's site was intermittently available midday Monday. Route-tracing performed by the AP confirmed that the sites were hosted at Tulip.

As far as I can tell, Tulip -- which also maintains an office in Georgia (the country) -- claims no particular expertise, beyond a typical hosting company, in fending off denial of service attacks. But the site seems to be holding up at this point. The company is no doubt relieved that it upgraded its facilities just a month ago. And depending on the outcome of the conflict, it'll no doubt be updating its "testimonials" page.

Wired's Danger Room and ZDnet's Zero Day are both tracking the cyberwar developments closely.

Update: A security expert contact of mine raises another question in all this: Since most of Georgia's Internet connections likely originate in Russia, why wouldn't the Russians just unplug the Georgians? It would seem at least as effective as denial of service attacks. The New York Times Bits blog reports that Georgia has connections through only Russia and Turkey, although the CIA World Factbook, at least, doesn't list a Turkey-Georgia fiber connection. At least one major cable into Georgia (as of 2002, it was the only one) originates from Soti, Russia. A planned cable to Bulgaria via the Black Sea isn't yet complete. But it's possible, of course, that the government is predominantly utilizing a satellite link.

Update 2: An informative Popular Mechanics interview with Jart Armin, editor of RBNexploit, confirms that most Georgian traffic is routed through Russia, but doesn't quite clear up the confusion over the attacks:

How does one fight a war like this? Can you do it from within Georgia? Or once those servers are shut down, is it something that has to be done from outside? Two things. The smaller neighbors of Russia should watch out who controls their next stage of Internet servers, the actual pipelines. Unfortunately for Georgia, they had an agreement where the main switch for most of Georgia's Internet is through Moscow. Very logically, it's submarine fiber routes; you can read about [it] on the CIA Web site, which actually shows the limitations of Georgia, the near-reliance on physical routing through Russia. Georgia gets taken offline fairly easily because Russia is simply blocking all traffic coming in and out. Estonia learned last year; Lithuania is learning now, as even Ukraine is starting to learn, and a few others.

So it does seem that indeed, Georgia is relying on connections through Russia. But it's not clear what he means by "Russia is simply blocking all traffic in and out." The rest of the interview talks only about botnets clogging up the pipes, so my inference is that's all he means. Which again would point to non-Russian-government entities doing the attacking (as at least one expert concurs). If it were the Russian government, why wouldn't they just shut off the connections entirely?

Is the latest version of the "world's first cyber war" once again not to be? Or maybe we can just start calling it something different...

By Evan Ratliff

Evan Ratliff is a contributing editor to Wired magazine, and the co-author of "Safe: The Race to Protect Ourselves in a Newly Dangerous World."
