Academic journal article Military Review

The 2008 Russian Cyber Campaign against Georgia

Academic journal article Military Review

The 2008 Russian Cyber Campaign against Georgia

Article excerpt


IN AUGUST 2008, the Russian Army invaded Georgia. Numerous, coordinated cyber attacks accompanied the military campaign. This represents the first instance of a large-scale computer network attack (CNA) conducted in tandem with major ground combat operations. The attack had no direct connection to the Russian government, but had a significant informational and psychological impact on Georgia: it effectively isolated the Caucasus state from the outside world.

Security experts have identified two phases of the Russian cyber campaign against Georgia. The first phase commenced on the evening of 7 August when Russian hackers targeted Georgian news and government websites. (1) Russian Military Forecasting Center official Colonel Anatoly Tsyganok said these first actions were a response to Georgians hacking South Ossetian media sites earlier in the week. (2) The fact that the alleged counterattacks occurred only one day prior to the ground campaign has led many security experts to suggest that the hackers knew about the date of the invasion beforehand.

In the first phase of the attack, the Russian hackers primarily launched distributed denial of service (DDoS) attacks. A denial of service attack is a cyber attack that attempts to prevent the legitimate use of a computing resource. When multiple computers achieve this goal, a distributed denial of service attack has occurred. One way to categorize DDoS attacks is to differentiate between semantic and brute force attacks. A semantic DDoS takes advantage of either a feature or bug in some software on the target system. A brute force (or "flooding") DDoS attack occurs when the target system receives more Internet traffic than it can handle, which exhausts the command and control resources of the server, rendering it unavailable. (3) The DDoS attacks during this phase were primarily carried out by botnets. (4) A botnet is a group of computers on the Internet (termed "bots" or "zombies") that have been infected with a piece of software known as malware. The malware allows a computer "command and control" server to issue commands to these bots. Often, botnets launch spam email campaigns, but they can also be used to launch wide-scale DDoS attacks. The hijacking of the zombie computers typically occurs in the same manner as infections with other viruses (e.g., email scams, fake websites, infected documents). The communication from the command and control computer to the zombies can be conducted over seemingly innocuous channels on the network (such as a channel normally used for Internet chat) to prevent discovery. (5) Criminal organizations, such as the Russian Business Network (RBN), use and lease botnets for various purposes. (6) The botnets used in the onslaught against Georgian websites were affiliated with Russian criminal organizations, including the RBN. (7)

In this first phase, the attacks primarily targeted Georgian government and media websites. The Russian botnets relied on a brute force DDoS to attack these targets. (8) The Georgian networks, due to their fragile nature, were more susceptible to flooding than the Estonian networks Russian hackers attacked a year earlier. (9)

In the second phase, Georgian media and government websites continued to receive the attacks, but the Russian cyber operation sought to inflict damage upon an expanded target list including financial institutions, businesses, educational institutions, Western media (BBC and CNN), and a Georgian hacker website. (10) The assaults on these servers not only included DDoS, but defacements of the websites as well (e.g., pro-Russian graffiti on government sites such as a picture likening Georgian President Mikheil Saakashvili to Adolf Hitler). In addition, several Russian hackers utilized publically available email addresses of Georgian politicians to initiate a spam email campaign. (11)

To carry out website defacements, the Russian hackers resorted to another type of attack known as an SQL injection, which uses a text field on a webpage to directly communicate with the back end database (normally, a common SQL database--hence the name). …

Search by... Author
Show... All Results Primary Sources Peer-reviewed


An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.