Hacking for Mother Russia

The attack on the Russian-speaking Georgian blogger who calls himself Cyxymu, or Georgi (interviewed here by my Faster Times colleague Will Dunbar) was, by the standards of previous episodes, small-scale and isolated. And according to experts this writer has been talking to, the temporary crippling of massive social networking sites says more about Twitter’s and Facebook’s frailties than about the scale of the operation.

Russia has a remarkably talented pool of hackers and cyber criminals, but just why so many viruses, phishing scams, and cyber attacks originate in the former Soviet Union isn’t clear. Perhaps it has something to do with the combination of very high levels of IT education with extremely poor job prospects. But as the attack on Georgi reminded the world, Russia’s hackers are not only talented and dangerous: they are also patriotic.

“Patriotic hacking,” the practice of taking on Russia’s enemies online, goes back at least as far as 2002, when a group of students from Tomsk attacked Kavkazcenter, a rather unpleasant website connected to the Islamist insurgency in Russia’s North Caucasus.

Three years later, after the October 13, 2005 insurgent raid on the town of Nalchik, the capital of the North Caucasus republic of Kabardino Balkaria, hackers again attacked the Islamist website. But this time they were more organized. A group calling itself the “Internet Underground Community vs. Terrorism” appeared, posting a recommended list of ways to attack the enemy, including distributed denial-of-service (DoS) attacks, the crude but effective method of crashing a site by bombarding it with requests for information.

The website is now defunct, but it established a pattern for the cyber attacks that first hit Estonia in 2007 (one of the largest coordinated cyber-attacks ever) and later Georgia during last year’s war. “Internal” enemies have also been targeted, including the liberal radio stations Echo of Moscow and Radio Liberty and the newspaper Novaya Gazeta.

Put briefly, a group of self-acknowledged hackers bands together, apparently spontaneously, to put their skills to patriotic use. The IUCT described themselves as “members of the hacker community, with a wide range of specialties,” who had “long been on the wrong side of the law, but that doesn’t prevent us from being patriots, fighters for World Peace.” They use Web forums to recruit “foot soldiers” – less technically sophisticated, but eager volunteers – and issue them instructions. Because of the reliance on a non-professional volunteer army, the tactics used are generally unsophisticated, though effective. Hence the preponderance of DoS attacks.

This model allows the cyber warriors to quickly raise an army. If you want to join in the fight but don’t know how to hack or to launch a DoS attack, you can find directions posted on any number of sites. During the Russia-Georgia August war, instructions were posted on the forums Xakep and StopGeorgia, helpfully listing target sites. This is one reason to believe that the attack against Georgi was isolated – it made use of a botnet, or a network of infected computers. During the war last year, by comparison, the overload came from thousands of volunteers making multiple requests from their own machines.

Such hacking also provides deniability. Because it is so easy to launch a DoS attack, it is easy to scoff at the idea that the Russian security services are coordinating these things. Who’s to say it’s not a bunch of bored 13-year-olds? No one has ever been able to prove a link between the patriotic hackers and the state. Even the Estonian government had to admit that there was no conclusive evidence of Russian government involvement in the 2007 attacks.

Maybe it is a bunch of bored teenagers – in fact, most of the hackers probably are. But researchers who watch the forums point out that even if the cyber-armies are rag-tag, there is a clear hierarchy to their organization. The vast majority of forum members appear to wait for instructions from an informal leadership. That led Jeff Carr, an IT expert who ran an investigation into the Georgian cyber war called Project Greygoose, to identify a “three-tier approach” to the Russian model of cyber warfare. “There’s what the Kremlin wants; there is an organized structure in terms of funding and authority that extends down through the leadership of the pro-Kremlin youth group Nashi, and there is a general population of unaffiliated hackers who will join in just for the exercise or the opportunity,” he said.

The problem with that extrapolation is that it is, well, an extrapolation. Although Nashi members have been implicated in cyber attacks in the past (a Nashi commissar in Transdniestria, a breakaway region of Moldova, claimed to have taken part in the attacks in May 2007) and it is certainly the kind of stunt Nashi or their rivals in the Young Guard might pull, the shroud of plausible deniability is impenetrable.

Georgi has written a letter to Russian President Dmitry Medvedev asking him to bring whoever has attacked his blog to justice, or “if it is not made by Russian hackers,” to “prove it.” If Medvedev wanted to, he probably could; the authorities can be fearsome in dealing with hackers who damage the Russian economy. But their attitude to the self-mobilized “patriotic” hackers is best summed up by a press release issued by the Tomsk Region directorate of the Federal Security Service when the students trying to bring down Kavkazcenter were caught in 2002. Their actions, said the FSB, did “not contradict Russian law,” but were “the expression of their political orientation, which is worthy of respect.”

Roland Oliphant is a staff writer for the current affairs website and e-journal Russia Profile. After graduating from the philosophy department of Edinburgh University in 2006 he moved to Russia in se ...

