Cyberattacks during the Russo-Georgian War

During the Russo-Georgian War, a series of cyberattacks swamped and disabled websites of numerous South Ossetian, Georgian, Russian and Azerbaijani organisations. The attacks were initiated three weeks before the shooting war began.

Attacks
Georgia was already being attacked over the internet by 20 July 2008. The website of the Georgian president Mikheil Saakashvili was targeted, resulting in overloading the site. The Web site was barraged with the message "win+love+in+Rusia". The site then was taken down for 24 hours.

On 5 August 2008, the websites for OSInform News Agency and OSRadio became victims of the hacking. The content of OSinform website at osinform.ru was replaced by the media of Alania TV website. Alania TV, a Georgian government backed television station, rejected responsibility for the hacking of the competing news agency website. Dmitry Medoyev, the South Ossetian envoy to Moscow, claimed that Georgia was attempting to suppress information on the casualties of the August 1-2 incident.

On 5 August, Baku–Tbilisi–Ceyhan pipeline was subject to a terrorist attack near Refahiye in Turkey, responsibility for which was originally taken by Kurdistan Workers’ Party (PKK) but there is circumstantial evidence that it was instead a sophisticated computer attack on line's control and safety systems that led to increased pressure and explosion.

According to researcher Jart Armin, many Georgian servers were controlled from outside since late 7 August 2008. On 8 August, the DDoS attacks reached their climax. The defacements began.

On 8 August 2008, South Ossetian websites were attacked.

On 9 August 2008, Russian and Turkish servers, allegedly controlled by the Russian hackers, were used to direct major Georgian Internet traffic. Although on the same day some Georgian Internet traffic was temporarily redirected to Germany, the Georgian traffic was soon again diverted to Moscow.

On 10 August 2008, attacks took down the site of RIA Novosti for several hours. The next day, the sites of the Russian news agencies RIA Novosti, TASS, REGNUM News Agency, Lenta.ru, Izvestia and Echo of Moscow were being attacked.

On 10 August, Jart Armin warned that Georgian official sites may be compromised.

By 11 August 2008, the website of the Georgian president had been defaced and images comparing President Saakashvili to Adolf Hitler were posted. This was an example of cyber warfare combined with PSYOPs. Georgian Parliament's site was also targeted by the Denial-of-service attack. Attacks also targeted some Georgian commercial websites. On 11 August, Foreign Ministry of Georgia said that Russia was conducting cyber battle against Georgian government sites simultaneously with a military operation, while a speaker for the Kremlin responded than it was Russian media and organisations that were being attacked. The Ministry of Foreign Affairs started to use Google's Blogger service to spread news. US servers were allocated to host the website of the Georgian President. Among the victims of defacement were the websites of the National Bank of Georgia and the Georgian Parliament.

Estonia provided hosting for Georgian governmental website and cyberdefense advisors. Development Centre of State Information Systems of Estonia said that help had not been asked for by Georgia. Private United States companies also assisted the Georgian government to protect its non-war making information such as the government payroll during the conflict. It was reported that the Georgian communications infrastructure was being attacked by the Russian warplanes.

The servers of the Azerbaijani news agency, Day.Az, were also targeted by cyberattacks, orchestrated by Russian intelligence services due to news agency's coverage. ANS.az, one of the news websites in Azerbaijan, was also targeted. The Georgian news site Civil Georgia began using Blogspot to disseminate news. Despite the cyber-attacks, Georgian journalists succeeded in reporting on the war by using blogs.

The U.S. presidential candidate Barack Obama called for ceasing the cyber attacks on the Georgia. The President of Poland, Lech Kaczyński, criticized Russian obstruction of Georgian internet sites and proposed his website for spreading of the information. Reporters Without Borders criticized the internet attacks, "The Internet has become a battleground in which information is the first victim."

The attacks involved Denial-of-service attacks. The New York Times reported on 12 August that some experts noted this as the first time in history that a notable cyber attack and an actual military engagement happened at the same time. The attacks, originating from Russian hosting offices, did not cease on 12 August and stopgeorgia.ru, a Russian anti-Georgian website, was still running.

On 14 August 2008, The Washington Post reported that although a cease-fire was reached, communication infrastructure could not completely resume normal operation.

Analysis
The Russian authorities denied the allegations that they were responsible for the attacks, instead pointing the finger at ordinary citizens. It was asserted that the Russian Business Network (RBN), the group from Saint Petersburg, organised these cyber attacks. RBN was considered to be one of leading cyber crime networks in the world, whose founder allegedly is related to an influential person in Russian politics.

Dancho Danchev, a Bulgarian Internet security analyst, claimed that the Russian attacks on Georgian websites used “all the success factors for total outsourcing of the bandwidth capacity and legal responsibility to the average Internet user.”

Security researcher for Arbor Networks Jose Nazario told CNET that Georgian assault on the website of Russian newspaper served as a proof of actual Georgian response to the cyber attacks.

Don Jackson, an employee of Secureworks, observed that botnets were prepared to attack Georgia in advance before the war. These botnets became operational just before Russian bombing of Georgia commenced on 9 August. Don Jackson lent credence to the idea that the Russian government was behind the attack, rather than the RBN. Furthermore, Jackson found that not all the computers that were assaulting Georgian websites were controlled by RBN servers, but also were using "Internet addresses belonging to state-owned telecommunications companies in Russia".

The CNN reported that according to specialists, the cyberwar against Georgia "signals a new kind of cyberwar, one for which the United States is not fully prepared."

The ex-chief of Computer Emergency Response Team of Israel, Gadi Evron, believed the attacks on Georgian internet infrastructure resembled a cyber-rampage, rather than cyber-warfare. Evron admitted that although the attacks could be "indirect Russian (military) action," the attackers "could have attacked more strategic targets or eliminated the (Georgian Internet) infrastructure kinetically." Six distinct botnets, managed by distinct servers, were accounted for by Shadowserver Foundation.

Jonathan Zittrain, one of the founders of Harvard's Berkman Klein Center for Internet & Society, said that the Russian army was capable of targeting Georgia's Internet infrastructure, while Bill Woodcock, the research director at Packet Clearing House, suggested the attacks were professionally "coordinated". The Russian newspaper, pro-Georgian Skandaly.ru, was also targeted by attacks, upon which Woodcock commented "This was the first time that they ever attacked an internal and an external target as part of the same attack." The attack script against Georgia was discovered on almost every Russian news site by Gary Warner, an expert at the University of Alabama at Birmingham. Bill Woodcock also said cyber attacks would stay around as a part of military campaigns in the future due to their low-cost.

The Economist described in detail in December 2008 how detailed manuals how to carry out DDoS attack against Georgian sites was available for any volunteer on Russian sites, such as StopGeorgia. Even the US and UK embassies Tbilisi were designated targets. The paper could not definitely link the attacks to the Russian authorities.

In March 2009, Greylogic researchers assumed that the attacks were possibly conducted by Russian GRU and the FSB, who used the Stopgeorgia.ru forum as a facade to cover up the state responsibility.

John Bumgarner, member of the United States Cyber Consequences Unit (US-CCU) did a research on the cyberattacks during the Russo-Georgian War. The report, published in August 2009, concluded that the 2008 Russian cyber warfare against Georgia stressed the importance of worldwide partnership to ensure cyber safety. The report stated that the Russian military planning was known to the cyber attackers, who were supposedly civilians. Bumgarner’s research concluded that "The first wave of cyber-attacks launched against Georgian media sites were in line with tactics used in military operations." "Most of the cyber-attack tools used in the campaign appear to have been written or customized to some degree specifically for the campaign against Georgia," the research stated. The attackers possibly knew that the invasion of Georgia would begin before it even started.

Michael Chertoff wrote in 2011 that the 2008 war demonstrated that the cyber war was the war of the future. The US Department of Defense published the first cyber strategy.