Showing posts with label USCCU. Show all posts
Showing posts with label USCCU. Show all posts

Aug 17, 2009

Hackers Stole IDs for Attacks

WASHINGTON -- Russian hackers hijacked American identities and U.S. software tools and used them in an attack on Georgian government Web sites during the war between Russia and Georgia last year, according to new research to be released Monday by a nonprofit U.S. group.

In addition to refashioning common Microsoft Corp. software into a cyber-weapon, hackers collaborated on popular U.S.-based social-networking sites, including Twitter and Facebook Inc., to coordinate attacks on Georgian sites, the U.S. Cyber Consequences Unit found. While the cyberattacks on Georgia were examined shortly after the events last year, these U.S. connections weren't previously known.

The research shows how cyber-warfare has outpaced military and international agreements, which don't take into account the possibility of American resources and civilian technology being turned into weapons.

Identity theft, social networking, and modifying commercial software are all common means of attack, but combining them elevates the attack method to a new level, said Amit Yoran, a former cybersecurity chief at the Department of Homeland Security. "Each one of these things by itself is not all that new, but this combines them in ways we just haven't seen before," said Mr. Yoran, now CEO of computer-security company NetWitness Corp.

The five-day Russian-Georgian conflict in August 2008 left hundreds of people dead, crushed Georgia's army, and left two parts of its territory on the border with Russia -- Abkhazia and South Ossetia -- under Russian occupation.

The cyberattacks in August 2008 significantly disrupted Georgia's communications capabilities, disabling 20 Web sites for more than a week. Among the sites taken down last year were those of the Georgian president and defense minister, as well as the National Bank of Georgia and major news outlets.

Taking out communications systems at the onset of an attack is standard military practice, said John Bumgarner, chief technical officer at the USCCU and a former cyber-sleuth at the National Security Agency and the Central Intelligence Agency.

The USCCU assesses the economic and national-security implications of cybersecurity threats and briefs top U.S. officials, officials in key industries and international institutions.

"U.S. corporations and U.S. citizens need to understand that they can become pawns in a global cyberwar," said Mr. Bumgarner, who wrote the report.

The White House completed a review of cybersecurity policy in April. Among the issues Obama administration officials are now studying is how laws of war and international obligations need to be reworked to account for cyberattacks.

Homeland Security department spokeswoman Amy Kudwa said she couldn't comment on a report that she hadn't seen and hadn't been released yet.

Last year was the first time such cyberattacks were known to have coincided with a military campaign.

The Georgian attacks, according to the group's findings, were perpetrated by Russian criminal groups and had no clear link to the Russian government. However, the timing of the attacks, just hours after the Russian military incursion began, suggests the Russian government may have at least indirectly coordinated with the cyberattackers, Mr. Bumgarner's report concluded.

"Russian officials and the Russian military had nothing to do with the cyberattacks on the Georgian Web sites last year," said Yevgeniy Khorishko, a spokesman at the Russian Embassy in Washington.

The USCCU plans to release a nine-page report on the attacks to the public on Monday.

Mr. Bumgarner traced the attacks back to 10 Web sites registered in Russia and Turkey. Nine of the sites were registered using identification and credit-card information stolen from Americans; one site was registered with information stolen from a person in France.

The 10 sites were used to coordinate the "botnet" attacks, which harnessed the power of thousands of computers around the world to disable the Georgian government sites as well as those of large Georgian banks and media outlets. The botnet attack commandeered thousands of other computers and instructed them to try to access the target Web sites all at once, overwhelming them.

The Russian and Turkish computer servers used in the attacks had been previously used by cybercriminal organizations, according to the USCCU.

Early reports last year pinned the attacks on the cyber equivalent of the Russian mafia, known as the "Russian Business Network." Mr. Bumgarner said it wasn't possible to connect the attacks directly to that group. Security experts disagree on whether the group still exists.

Some of the software used to carry out the attacks was a modified version of Microsoft code commonly used by network administrators to test their computer systems, Mr. Bumgarner found. The code remains freely available on Microsoft's Web site, he said, declining to name it.

A Microsoft spokesman declined to comment on the finding because he hadn't seen the report.

Once the botnet attacks had launched, Mr. Bumgarner said, other would-be attackers noticed them and started to collaborate on various Web forums, including Twitter and Facebook.

Mr. Bumgarner used data-mining tools to review Facebook pages (which some people don't keep private) and Twitter for certain Russian words that indicated they were likely involved in the attack. He saw users on those sites and others swapping attack code and target lists, and encouraging others to join.

"It's a difficult problem to handle," said Facebook spokesman Barry Schnitt, because it is impossible to detect such collaboration without monitoring conversations. Facebook has mechanisms to verify user identities and users can report inappropriate activities on the site, he said, but it doesn't monitor communications of its users.

Twitter didn't respond to requests to comment.

—Jessica E. Vascellaro contributed to this article.

Write to Siobhan Gorman at siobhan.gorman@wsj.com