Author: Andria Gotsiridze, Cyber Security Consultant, Founder of Cyber Security Studies & Education Center

The use of cyber-attacks in an armed conflict originates from the 2008 Russia-Georgia war: a mass cyber-attack undertaken in parallel with ongoing military operations was the first precedent for the use of cyberspace in an armed conflict.

The 2007-2008 DDoS attacks undertaken against Estonia and Lithuania were punitive operations and represented a sort of political message, the aim of which was to incite civil unrest and mass panic; they were not attempts to accomplish military tasks or to provide informational support to military action.

The use of cyber elements such as defacement and DDoS attacks in the 2008 Russia-Georgia war was a direct and well-organized accompaniment to conventional action, aiming to simplify the implementation of military tasks for the Russian armed forces, create an informational vacuum, gain informational superiority and establish the Russian narrative about the conflict.

Later, during the armed confrontation in Ukraine, Russian cyber-attacks became even more forceful: apart from the traditional results, Russia used the capabilities of large mobile network operators for covert surveillance and for psychological influence over those operators' subscribers, also using the acquired data to determine locations and coordinates for artillery strikes. In 2015, a cyber-attack organized by Russia delivered a kinetic effect: the use of sophisticated malware during the attack caused parts of the Ukrainian energy grid to go down.

In order to study the transformation of Russian cyber operations in modern conflicts, it is interesting to reconstruct the nature of cyber-attacks used in the 2008 Russia-Georgia war, their chronology and the measures aimed at the minimization of their effect.

Due to Georgia's starkly pro-Western policies, the Kremlin started preparing a military operation in 2006-2007. The mechanisms and the scenario for the cyber-attack were probably formulated in the same period. In parallel with the large-scale attacks waged by Russian land, naval and airborne forces, a mass DDoS attack was waged against Georgia's communication networks, paralyzing the banking sector, transport companies, telecommunication providers and government websites.

Importantly, the very first attack on Georgian cyberspace took place substantially earlier than the launch of conventional operations: on July 19, the official website of the President of Georgia went offline for almost 24 hours as a result of a DDoS attack. This attack can also be regarded as the main rehearsal for the mass cyber-attacks that followed. In the same period, Russian actors were constantly scanning Georgian communication networks.

In August 2008, Russian armed forces invaded Georgia after which the main phase of the cyber-attack commenced:

  • The websites of the President of Georgia, Government of Georgia, Ministry of Foreign Affairs of Georgia and the Parliament of Georgia as well as informational portals (apsny.ge, news.ge) and non-Georgian yet Georgia-friendly media websites and forums came under attack on August 8.
  • TBC Bank, which was the largest commercial bank in Georgia at that time, was attacked on August 9.
  • A new wave of cyber-attacks took place against the Parliament of Georgia and the President of Georgia on August 10.
  • Most of the governmental websites, excluding that of the President, were not functional on August 11. A defacement attack was undertaken on the President’s website on the same day, placing fascist symbols on it, as well as photos equating President Saakashvili with Hitler.
  • Similar attacks were undertaken against the websites of the National Bank and the Ministry of Foreign Affairs of Georgia, placing photos of 20th century dictators there.
  • It is important to note that those Azerbaijani websites that were covering the conflict objectively, neutrally or in Georgia's favor (www.day.az, www.today.az, www.ans.az) also suffered defacement attacks.
  • The same was true for Russian opposition websites and personal websites of Russian opposition-minded politicians (http://www.skandaly.ru, https://www.newsgeorgia.ge/, http://www.kasparov.ru/).[1]

Having acquired informational superiority[2] by blocking Georgian official and private information channels, the Russian media sources started blaming Georgia for the launch of the conflict. Fake materials were disseminated about the Georgian armed forces attacking "sleeping Tskhinvali" and killing thousands of ethnic Ossetian citizens, which was supposedly followed by the intervention of Russian military forces in order to "stop the bloodshed and the ethnic cleansing of the Ossetian population."[3]

Similar to the attacks undertaken against Estonia, Russian websites published the software necessary for the cyber-attack, together with instructions. The Russian hacktivist website stopgeorgia.ru published the addresses of the targeted Georgian websites, the corresponding downloadable malware (malicious software) and instructions for the attack. In theory, this scheme enabled any pro-Russian activist to contribute to the cyber-attack without any prior preparation, thereby providing camouflage for a cyber-attack that was supervised by Russian state structures.[4] The Kremlin did exploit this factor, officially denying state participation in these mass cyber-attacks in its public statements[5] and attributing the attacks to pro-Russian volunteers and hacktivists. However, despite numerous denials from the Russian side and the fact that it is rather difficult to legally attribute the organization of a cyber-attack to anyone, the trace of government support in this mass attack is quite clear. The majority of the botnets whose servers were located in Turkey and Russia, and whose attacks paralyzed the Georgian information space (practically an informational blockade), belonged to the Russian cyber-criminal group RBN.[6]

The high level[7] of coordination of the attacks with one another, and also with other operations, unambiguously confirms that this was part of a single campaign, the planning and preparation of which preceded Russian conventional actions by at least several weeks. For example, subsequent studies showed that, apart from the July 19-20 attacks on Georgian government servers, the targets were being scanned constantly. In certain cases, the cyber-attacks also matched Russian conventional actions geographically: the disabling of information and government websites preceded air strikes.

The Government of Georgia, which relied on its websites for disseminating information during the aggression, was forced to look for ways to break the information blockade. Already on August 9, the websites of the President of Georgia and of the Rustavi 2 broadcasting company were transferred to the servers of an Atlanta-based company, Tulip Systems Inc., run by a Georgian emigrant, Nino Doijashvili. With the permission of Google, the Ministry of Foreign Affairs of Georgia used a Blogger account to circulate information, and the Administration of the President of Poland allocated space for publishing information, while Estonia hosted the website of the Ministry of Foreign Affairs of Georgia on its servers and sent specialists to Georgia to remediate the effects of the cyber-attack.[8]

Because in 2008 Georgia was not highly dependent on information technologies (seven internet users per 100 people, compared to 57/100 in Estonia and 32/100 in Lithuania),[9] the cyber-attack had no serious detrimental effect on the state; however, the Kremlin still partly managed to muffle the information channels and establish a Russian narrative about the Russia-Georgia war. The 2008 attack on Georgia is considered to be the first case of a mass cyber-attack undertaken in parallel with ongoing military operations. The computer incident response group from local academia, with help from Estonia, the US and Poland, managed to implement counter-measures in the shortest time possible and break the information vacuum.


[1] Steven Adair. "Georgian Websites Under Attack – DDoS and Defacement." Shadowserver Foundation, August 11, 2008, https://wiki.shadowserver.org/wiki/pmwiki.php/Calendar/20080811?logdate=201005

[2] Informational superiority (информационное превосходство): the capacity to acquire, process and disseminate information while preventing the adversary from performing the same functions. Definition: А.В. Манойло, А.И. Петренко, Д.Б. Фролов. Государственная информационная политика в условиях информационно-психологических конфликтов высокой интенсивности и социальной опасности: Учебное пособие [State Information Policy in Conditions of High-Intensity and Socially Dangerous Information-Psychological Conflicts: A Textbook]. Moscow: MEPhI, 2004, 392 pp.

[4] Michael Connell, Sarah Vogler. Russia's Approach to Cyber Warfare. CNA Occasional Paper series, 2017. Performed under Federal Government Contract No. N00014-16-D-5003.

[5] Representative of the Russian Embassy in Washington, Yevgeniy Khorishko: "Russian officials and the Russian military had nothing to do with the cyberattacks on the Georgian websites last year." Gorman, Siobhan. "Hackers Stole IDs for Attacks." Wall Street Journal, 24 August 2009, available at: https://www.wsj.com/articles/SB125046431841935299

[6] Michael Connell, Sarah Vogler. Russia's Approach to Cyber Warfare. CNA Occasional Paper series, 2017. Performed under Federal Government Contract No. N00014-16-D-5003.

[7] At the outset of the 2007 cyber-attacks on Estonia, disorganized, emotionally driven cyber-attacks were prevalent, later replaced by coordinated and highly professional attacks. In the case of Georgia, the cyber-attacks already showed a high level of coordination at the initial stage.

[8] Eneken Tikk, Kadri Kaska, Liis Vihul. International Cyber Incidents: Legal Considerations. CCD COE, 2010.

[9] Eneken Tikk, Kadri Kaska, Liis Vihul. International Cyber Incidents: Legal Considerations. CCD COE, 2010.