Read the book Russian Cyber Operations - Scott Jasper - Page 29
2008 Georgian Invasion
In August 2008, Russian military forces mounted a large-scale land, air, and sea invasion of Georgia, ostensibly in response to Georgian artillery shelling of the South Ossetia capital of Tskhinvali. The Kremlin argued its actions were driven by an imperative need to defend the Russian peacekeeping contingent there and protect Russian citizens abroad.87 The real objectives were strategic and geopolitical, specifically to terminate Georgian sovereignty in South Ossetia and Abkhazia, bring down pro-American president Mikheil Saakashvili, and prevent Georgia from joining NATO.88 Russia had enacted a creeping annexation of the two separatist republics by granting the majority of their populations Russian citizenship and forging close economic and bureaucratic ties. They also had abused their mandate as peacekeepers—for instance, by staging additional troops, shipping containers of weapons, and repairing a key railroad line in Abkhazia.89 Russia also infiltrated advance elements of motorized rifle regiments into South Ossetia prior to hostilities. In addition, on July 19, hackers conducted a dress rehearsal “for an all-out cyberwar.”90 Unknown parties used a computer “located at a U.S. ‘.com’ IP address to command and control a multi-pronged DDoS attack” against Saakashvili’s website.91 The command-and-control server instructed its botnet to attack the website with a variety of flooding methods, exploiting the TCP-, ICMP-, and HTTP-type protocols (Transmission Control Protocol, Internet Control Message Protocol, and Hypertext Transfer Protocol, respectively).92 The website became unavailable for more than twenty-four hours. Although experts were unable to trace the attack, they identified the server as “a MachBot DDoS controller written in Russian and frequently attributed to Russian hackers.”93 Yet, in effect, the attack seemed to come from a civilian computer of a presumed ally of Georgia.
Map 2.2. Georgia
Source: Central Intelligence Agency, “Middle East: Georgia,” The World Factbook, https://www.cia.gov/library/publications/resources/the-world-factbook/geos/gg.html.
The first Russian interstate post-Soviet war lasted only five days, from August 7 to August 12, 2008. After initial skirmishes of forces already in Georgia near the city of Tskhinvali, large columns of Russian soldiers and tanks advanced into South Ossetia on the second day through the Roki Tunnel.94 On the third day, Russia opened a second front in Abkhazia, with military elements landing from the Black Sea and arriving by the repaired railroad line.95 Cyber operations against Georgian targets commenced at the onset of physical hostilities. Russian hacktivist websites posted lists of Georgian sites for patriotic hackers to attack, along with instructions and downloadable malware.96 The main phase of the cyber operations began on August 8, when multiple command-and-control servers hit Georgian websites. Among those targeted were the Georgian president, the central government, the Ministry of Foreign Affairs, the Ministry of Defense, and popular news outlets, such as the television station R2. TBC, the largest commercial bank of Georgia, came under attack the next day. On August 11, the website of the Georgian parliament was struck, and a defacement of the president’s website occurred, where a slideshow depicted doctored images comparing Mikheil Saakashvili and Adolf Hitler. A similar defacement and replacement happened at the National Bank of Georgia website, with President Saakashvili included within a gallery of twentieth-century dictators. Although military operations ended on August 12 with a cease-fire agreement, the DDoS attacks continued until the end of the month.97
The methods used to deface websites and launch DDoS attacks against numerous public and private targets in Georgia were similar to those used in Estonia the previous year. Lists of Georgian sites vulnerable to remote injections of Structured Query Language, or SQL (an attack technique that takes advantage of poorly secured application coding for databases), which would facilitate automatic defacements, were distributed on Russian-language websites and message boards, in addition to a Microsoft Windows batch script, with instructions to flood sites. The Russian blogs and forums were located in Estonia, the Russian Federation, and elsewhere.98 The websites StopGeorgia.ru and Xakep.ru appeared to coordinate targeting and attacking of Georgian websites.99 They provided DDoS attack tools and identified thirty-six major websites as primary targets. Also, botnets associated with criminals were used in both Estonia and Georgia. The largest DDoS attack against Estonia came from a botnet linked to a Russian cybercrime group operating out of Saint Petersburg, with connections to the Russian Business Network. In the Georgian conflict, the six command-and-control servers that launched the largest DDoS attacks were managed by a cybercrime group. The servers themselves were registered through www.naunet.ru, a known “bulletproof hosting” provider in Russia, and the domains used to launch the attacks were hosted by www.steadyhost.ru, a known front for cybercrime activities.100
The concerted and sophisticated DDoS campaign constrained the ability of the Georgian government to convey its narrative in the early stages of the conflict to the international community. Therefore, the significance of the disruptions and manipulations should not be understated, for although the domestic impact upon society was not as great as in Estonia, the state’s loss of control of the narrative in Georgia may have led to a delayed international response.101 Overall, the attacks were not particularly complicated since they were facilitated by prefabricated tools and techniques disseminated to willing participants. In addition, the attacks had limited operational or tactical benefit from a conventional military perspective. Yet the use of cyber operations set the conflict apart as the first of its kind in modern warfare. Additionally, the reliance on local proxies of dubious loyalties to carry out both conventional and unconventional tasks signaled a new way of warfare.102 These actors, in the form of peacekeepers, militiamen, and hackers, gave Russia a way to feign plausible deniability and avoid deploying more of its armed forces, including organic cyber assets.
A report by the US Cyber Consequences Unit, an independent, nonprofit research institute, concluded that “the cyber attacks against Georgian targets were carried out by civilians with little or no direct involvement on the part of the Russian government or military.”103 The forensic evidence fell upon patriotic hackers recruited by social networking forums and on criminal organizations, who contributed Web servers and botnets. However, the timing of the attacks indicates that the organizers had advance notice of Russian military intentions. For instance, the quick start of packet assaults meant the writing of attack scripts, registering of new domains, and hosting of new websites had to have been prepared before the public was aware of the invasion.104 Likewise, cyberattacks were close in time to corresponding military operations. Just before Russian air attacks on the city of Gori, hackers attacked governmental and news websites.105 Nonetheless, the Russian government denied involvement. Yevgeniy Khorishko, a spokesman for the Russian embassy in Washington, said that “it was possible individuals in Russia or elsewhere had taken it upon themselves to start the attacks.”106
The lack of firm attribution to the Russian government does not change the legal classification of the cyber operations. Michael Schmitt and Liis Vihul find that “when cyber operations accompany kinetic hostilities qualifying as armed conflict (as with the conflict between Russia and Georgia in 2008), IHL [international humanitarian law] applies fully to all cyber operations that have a nexus to the conflict, whether they are launched by states, non-state groups or individual hackers.”107 For example, IHL prohibits injurious or destructive cyberattacks against civilians and civilian objects. This determination is consistent with Rule 80 of the Tallinn Manual 2.0, which delineates that “cyber operations executed in the context of an armed conflict are subject to the law of armed conflict.”108 The authors of the Tallinn Manual 2.0 agreed that “the law of armed conflict applied to the cyber operations that occurred during the international armed conflict between Georgia and Russia in 2008 . . . because they were undertaken in furtherance of those conflicts.”109 The term international armed conflict is appropriate because there were hostilities between two or more states.110
The problem in the Georgian case is that in order to hold a state—in this matter, Russia—responsible for the cyberattacks under the law of armed conflict, it must be established that the cyberattacks can be directly connected with a particular state. Eneken Tikk points out that “the governing principle of state responsibility under international law has been that the conduct of private actors—both entities and persons—is not attributable to the state unless the state has directly and explicitly delegated a part of its tasks and functions to a private entity.”111 She also states that the rules governing state responsibility codified into the 2001 Draft Articles on Responsibility of States for Internationally Wrongful Acts can be considered as a reflection of customary international law. Tikk concludes that in Georgia in 2008, as in Estonia in 2007, it has not been possible “to prove support by any certain state behind the cyber attacks.”112 Therefore, the cyber operations alone in both cases do not constitute a breach of what can be regarded as a state’s international duty so as to even qualify as an internationally wrongful act and justify the use of countermeasures in kind in response.