Kyrgyzstan Goes Offline - Russia Blamed

 

Atlanta-based managed security company SecureWorks reported the distributed denial of service attack on its blog yesterday. Calling it almost identical to the DDoS attack launched against Georgia during its conflict with Russia, the company says that the action has taken almost the entire country offline. Four ISPs are responsible for all of Kyrgyzstan's Internet traffic, according to Don Jackson, senior security researcher at SecureWorks.

The attackers were targeting media outlets carrying material in opposition to the Kyrgyzstan government, Jackson claimed, adding that he believes the attack to be politically motivated, and engineered by the Russian government. Kyrgyzstan has been debating whether to close a US airbase at Manas International Airport, near the Kyrgyz capital -- something that Russia would applaud given its proximity to the former satellite nation.

Kyrgyz President Kurmanbek Bakiev has been busily negotiating a deal with Russia, with which it already has a $180 million debt. Kyrgyzstan wants Russia to invest in its energy economy, and is also hoping for low interest loans. Bakiev is due to visit Moscow next month to thrash out a deal, making the US airbase a crucial bargaining chip. Jackson warned that while the Russians are angling for the airbase closure as part of the deal, opponents to the Kyrgyz government have voiced scepticism, providing the attacks on selected media outlets.

"By attacking these sites, you shut the opposition out, and when it comes down to this diplomatic ultimatum, it keeps the opposition from getting its viewpoint out, so that it doesn't garner political support from the US, or its allies and NATO members," said Jackson.

Jackson is also convinced that the Russians are behind the attack because much of DDoS traffic appears to be coming from Russian IP addresses -- something that is uncommon when dealing with commercial bots, he argues. The suggests to him that groups within Russia are orchestrating the attack using computers controlled for these purposes.

"The Russians learned from Georgia that we have a great degree of visibility into the known botnets. So there's more deniability if you can contain everything within your borders, where companies don't have any visibility," he said.

Whereas Georgia's Internet infrastructure is well-established, Kyrgyzstan has relatively narrow pipes for exchanging Internet traffic, making it more feasible to affect its networks without resorting to a high-volume commercial botnet, he added.

Two of the ISPs, at ns.kg and domain.kg, were attacked, affecting roughly 80% of the country's Internet traffic. The relatively undeveloped Internet infrastructure in Kyrgyzstan has made it difficult to gather intelligence about the attacks. SecureWorks has only been able to contact domain.kg to help them with the issue, and get access to a small subset of its logs. The ISP that SecureWorks has been able to contact has isolated those sites that have not been targeted onto a separate network, effectively sacrificing the target sites to the attackers.

Three months ago, the open source initiative Project Grey Goose published the results of an investigation into the techniques and perpetrators of the cyber assault against Georgia during the recent conflict with Russia. The project concluded that SQL injection-based attacks designed to tie up CPUs had been used during the attack, adding that although it could find no firm evidence of the involvement of Russian officials in the attacks, the country's support for private groups launching such attacks in its interests was well known.

"There is hard evidence that directly implicates parts of the Russian Government being involved in the Georgia thing, but not the DDoS part. In the case of Georgia it was an intelligence gathering and monitoring operation designed to make them route information through Russian networks where they could tap it," said Jackson, adding that shutting down the pipe to the west through Turkey and rerouting traffic through Russia was a key part of that attack. "The DDoS attacks made their enemies shut up, so they didn't do anything to stop it."

What’s Hot on Infosecurity Magazine?