By Andrei Soldatov
The hacker attacks hit Russia’s top blogging service, LiveJournal, just a few weeks after Medvedev’s remarkable reaction to the events in Tunisia and Egypt: “Let’s face the truth. They have been preparing such a scenario for us, and now they will try even harder to implement it.”
Medvedev, who has his own LiveJournal account, strongly condemned the attack. However, the attacks’ scope suggests that so-called patriotic hackers might be behind what seems to be a test of the ability to shut down social networks, using methods that keep a clear distance between the state and the perpetrators (the strategy that proved so effective in the cyber attacks on Estonia, Lithuania and Georgia). Some people close to the Kremlin might find such a test particularly helpful, given the coming elections to the Parliament this year and the presidential campaign in 2012.
Facing the long conflict in the North Caucasus, the Kremlin found it particularly vexing that Chechen rebels could communicate effectively with the press and outside world through the Internet. The most important Chechen Web site was Kavkaz.org. Launched by Movladi Udugov, the main Chechen spokesman since the first Chechen war, the Web site soon became the principal mouthpiece for the Chechen leadership’s opinions and an effective propaganda tool.
During the first Chechen war, Russian and foreign journalists managed to slip through Russian lines and were well provided with information from the other side. Television and press coverage was welcomed by Chechen rebels, who granted access to scenes of destroyed Russian equipment and dead Russian soldiers.
Russia’s defeat in the first Chechen war was explained in Moscow by unpreparedness in the “information war.” When the second Chechen war broke out in 1999, Russian troops did their best to prevent journalists from getting information provided by rebels.
Lacking journalists in the field, the media turned to information provided directly by the rebels through Kavkaz.org. For instance, on May 7, 2000, Russian forces denied claims by rebels that they had shot down a Russian Su-24 jet fighter bomber. But then a picture of Chechen fighters holding parts of the plane’s wreckage appeared on Kavkaz.org, and the Army was forced to admit the claim was true.
On August 31, 1999, Kavkaz.org was attacked by hackers for the first time. They displayed on the home page a picture of Mikhail Lermontov, the famous Russian poet and a symbol of Russian empire in the North Caucasus, wearing a commando outfit and holding a Kalashnikov. Messages like “This site has been closed down at the request of Russian citizens,” signed “The Siberian Web Brigade,” were also posted on the Web site. Kavkaz.org came under attack again in January 2002 when a group of students in the Siberian city of Tomsk launched a “distributed denial of service” (DDoS) attack. The group consisted of seven people and was headed by Dmitry Aleksandrov, who had fled Chechnya for Tomsk in 1996. The students claimed to have pressured the rebel Web site for three years, attacking it and sending warning letters to hosting providers in the United States and Canada. The FSB’s department in Tomsk appeared to be fully informed about the activity of the hackers, and put out a press release defending the students’ actions as a legitimate “expression of their position as citizens, one worthy of respect.”
After a major terrorist attack in Nalchik on October 13, 2005, the Russian Foreign Ministry complained that the Chechen Web site was still going strong on a Swedish server. “Unfortunately,” the ministry’s site said, “the Swedish authorities up to now have not taken any concrete steps to block the dissemination” of the Chechen Web site, which had now become Kavkaz-Tsentr. The official statement appears to have unleashed the unofficial hackers. Within twenty-four hours, the Russian Web site Mediaactivist.ru launched an attack against Kavkaz-Tsentr as well as Echo Moskvy radio, Novaya Gazeta, and Radio Liberty. The campaign was openly declared and had as its slogan “Let’s shut the mouths of the helpers of Kavkaz-Tsentr!” It resembled a spam-provoking campaign: Mediaactivist.ru posted a list of email addresses that hackers could attack with their letters.
But that protest quickly fizzled: The attacked media sent a warning to the host through which Mediaactivist.ru had been operating, and the Web site was removed from the Internet for spam activity.
On October 16, 2005, another Web site, called Internet Underground Community vs. Terrorism (www.peace4peace.com), was established and began to launch denial of service attacks on Kavkaz-Tsentr. In a statement the hackers said: “We are hackers of different specialties. Most of us have long been on the other side of the law, but that does not mean we are not patriots who will stand up for peace in the world.”
The efforts carried out by Russian diplomacy and unofficial hackers were partly successful. In May 2006 the Swedish authorities closed Kavkaz-Tsentr. The Web site was moved first to Georgia and in 2008 to Estonia.
In April 2007, for the first time, Web sites of a foreign government came under attack. Estonia had angered the Kremlin with its decision to move a Soviet war memorial out of the center of the capital. After a massive nationalistic campaign against Estonia in the Russian press, on April 27 Russian hackers launched a series of cyber attacks on the Web sites of the Estonian government, parliament, banks, ministries, newspapers, and broadcasters. Most of the attacks were the “denial of service” type. The attackers ranged from single individuals, using various low-tech methods like ping floods (a simple denial-of-service attack in which an attacker overwhelms the victim computer with echo request [ping] packets), to expensive rented botnets usually used for spam distribution. Russia denied any involvement, but Estonian Foreign Minister Urmas Paet accused the Kremlin of direct involvement in the cyber attacks, and Estonia then requested and received NATO assistance in responding to this new form of aggression.
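The parenthetical above defines a ping flood; to make that concrete from the defender’s side, here is an added Python example (not part of Soldatov’s essay) that flags a ping flood in a constructed, simplified packet log by counting ICMP echo requests per source and destination in one-second buckets. The log line layout, the addresses and the 100-requests-per-second threshold are assumptions chosen for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed, simplified log layout: "<ISO timestamp> <src> <dst> icmp <type>".
# A real firewall or packet-capture export would need its own parser.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+icmp\s+(?P<type>\S+)$"
)


def parse_line(line):
    """Parse one log line; return (timestamp, src, dst, icmp_type) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], m["type"]


def echo_request_rates(lines):
    """Count ICMP echo requests per (src, dst, one-second bucket)."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than crash the detector
        ts, src, dst, icmp_type = rec
        if icmp_type != "echo-request":
            continue  # replies and other ICMP types are not flood evidence here
        bucket = ts.replace(microsecond=0)
        counts[(src, dst, bucket)] += 1
    return counts


def detect_ping_flood(lines, threshold=100):
    """Return sorted (src, dst, bucket_iso, count) tuples above the threshold.

    The threshold is an assumed tuning value; normal hosts send a handful of
    echo requests per second at most, so anything far above that per second
    from one source is the flood pattern the text describes.
    """
    counts = echo_request_rates(lines)
    alerts = [
        (src, dst, bucket.isoformat(), n)
        for (src, dst, bucket), n in counts.items()
        if n > threshold
    ]
    alerts.sort()
    return alerts


def build_sample_log():
    """Constructed sample traffic: one normal host and one flooding host."""
    lines = []
    # Legitimate host: a single echo request per second for five seconds.
    for s in range(5):
        lines.append(f"2007-04-27T10:00:0{s} 198.51.100.7 192.0.2.10 icmp echo-request")
    # Flooding host: 250 echo requests packed into one second (constructed).
    for i in range(250):
        lines.append(f"2007-04-27T10:00:03.{i:06d} 203.0.113.9 192.0.2.10 icmp echo-request")
    # A reply from the victim and a malformed line, both ignored by the detector.
    lines.append("2007-04-27T10:00:01 192.0.2.10 198.51.100.7 icmp echo-reply")
    lines.append("this line is malformed and is skipped")
    return lines


if __name__ == "__main__":
    for src, dst, bucket, n in detect_ping_flood(build_sample_log()):
        print(f"ping flood: {src} -> {dst} sent {n} echo requests in second {bucket}")
```

In real deployments the same per-source rate logic is what a firewall or IDS rule does before rate-limiting ICMP at the edge; the botnet-driven attacks the text goes on to describe defeat this single-source view by spreading the load across many sources, which is why per-destination totals must be watched as well.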
Who exactly was behind the attack was never publicly acknowledged. Estonia failed to present proof of the Russian government’s involvement, and in September 2007 the country’s defense minister admitted he had no evidence linking the cyber attacks to the Russian authorities. “Of course, at the moment, I cannot state for certain that the cyber attacks were managed by the Kremlin or other Russian government agencies,” Jaak Aaviksoo said in an interview on Estonia’s Kanal 2 TV channel. Meanwhile, Rafal Rohozinski, a leading expert in the field, argued that he had seen signs of government sponsorship in the malicious traffic. He pointed to armies of hijacked computers that started and stopped attacks in exact coordination at one-week intervals, implying that they had been rented for the purpose. In the end, the Russian state was never blamed, and no diplomatic measures ensued.
In June 2008, Lithuania was in the crosshairs. The former Soviet republic incensed Russia when lawmakers voted to ban public display of Nazi German and Soviet symbols. Lithuania’s stance prompted a massive cyber attack: On June 30 the National Communication Regulator’s office said that some three hundred Web sites, including those of public institutions such as the National Ethics body and the Securities and Exchange Commission, as well as a string of private companies, had found themselves under cyber siege. Their Web sites’ content was replaced with images of the red flag of the Soviet Union alongside anti-Lithuanian slogans.
In August 2008, the military conflict with Georgia in South Ossetia also included cyber attacks against Georgia’s Internet infrastructure. According to a Project Grey Goose report,* members of two Russian forums, StopGeorgia.ru and Xakep.ru, “spent a significant amount of time discussing the merits and drawbacks of different kinds of malware, including DDoS tactics and tools. . . . An analysis of the DDoS tools offered by the forum leaders showed basic but effective tools. Some forum members had difficulty using the tools, reinforcing the idea that many of the forum members had low to medium technical sophistication.” The attacks compromised several Georgian government Web sites and prompted the government to switch to hosting locations in the United States. Georgia’s Ministry of Foreign Affairs, in order to disseminate real-time information, was forced to move to a BlogSpot account.
In all these cases, the Kremlin did not have to use FSB resources to attack objectionable Web sites; it could simply steer the growing community of patriotic hackers in the right direction.
Andrei Soldatov is an intelligence analyst at Agentura.ru and co-author of “The New Nobility: The Restoration of Russia’s Security State and The Enduring Legacy of the KGB.” (PublicAffairs, September 2010, New York)
* Project Grey Goose is an open source intelligence initiative launched by a group of experts and academics in the fields of Internet security and cyberwar on August 22, 2008, to examine how the Russian cyberwar was conducted against Georgian Web sites.