After the five-day Russia-Georgia war, a chronicle of the cyber battle unfolds

The war between Georgia and Russia lasted just five days, as long as the new cease-fire holds. But cyber security experts will be picking through the ashes of the accompanying Internet battle for sometime to come.

Just as happened last year with the May 2007 cyber war between Russia and Estonia, Georgian web sites buckled under overwhelming waves of bogus traffic, sent from huge swarms of compromised computers. The attacks began as probes as early as July 20, according to Internet experts. As the war began on Friday, millions of extraneous requests — a so-called Distributed Denial of Service (DDoS) attack — took down Georgia’s banking and government sites.

“It’s just like Estonia,” said Graham Cluley, a security expert at Sophos who wrote a timeline for the cyber war on his blog. “In modern warfare, it’s not unusual to see opposing forces take over TV stations, radios and newspapers. In our century, taking over Internet sites is now part of the same kind of strategy.”

The first attacks reported by the Russian press noted that the web site of the South Ossetian government had been hit with a DDoS attack, just hours after the shooting started on Aug. 8. On Aug. 9, the Georgian Ministry of Foreign Affairs web site was defaced, with photographs of Georgian president Mikheil Saaskashvili juxtaposed with Adolf Hitler’s image (pictured above). A group called the South Ossetia Hack Crew claimed responsibility for the defacements.

Other web sites, including the National Bank of Georgia, were also defaced. The attacks against banks are particularly scary. If banks can’t function, then no one can get cash. That can lead to chaos fairly quickly, a condition the attackers no doubt wanted.

Sites including Google’s BlogSpot and the Polish government agreed to take over hosting the web sites of the Georgian government. Later, Georgia moved its web site to Atlanta, Ga., where it is being hosted by Tulip Systems, a company owned by Georgian-born Nino Doijasvili. Cluley said that the vast infrastructure of Google, with its many different servers and data center locations, make it especially hard to overwhelm. Nevertheless, Cluley noted that Estonia was sending its own cyber-security experts to help Georgia.

On Monday, a Russian website became a target, as the news agency RIA Novosti was hit with a DDoS attack.

Cluley said there is a growing dossier for cyber warfare. In September, 2007, the Chinese military was blamed for attacks on a Pentagon computer system serving U.S. Defense Secretary Robert Gates. And earlier this year, German foreign intelligence was accused of spying on a ministry in Afghanistan. Belgium and India also blamed China for attacks against their official computer systems. Gadi Evron, a security expert who spoke about the Estonia cyber war at Black Hat last year, wrote a post-mortem on the Estonia experience.

But while it may seem obvious who was attacking who in this case, it won’t be easy to show that the Russian government was behind the attacks. That’s because DDoS attacks are made with millions of compromised computers from around the world. It’s very hard to trace down where the attacks start, Cluley said. Spammers are easier to catch because they leave a money trail that can be traced. But with political attacks, it isn’t easy to hunt down anyone and hold the attackers responsible. And, of course, the cooperation of the Russian government would be necessary in any investigation of cyber attacks. Svetlana Gladkova notes on her blog that Russian hackers probably didn’t need guidance from the Kremlin to attack.

Evron raised some interesting questions in his post mortem. “Does an Internet attack warrant a reaction from NATO? What about the UN? Is there such a thing as a ‘just’ Internet war and what is a country’s right to defend itself against one?”

Evron recommends that Western nations work out agreements and treaties to cover cyber war and how to react to it in a fast-moving world.