The Kyrgyzstan DDoS Attacks of January, 2009: Assessment and Analysis
Note: This post is a joint effort of HostExploit.com, Jeff Carr of IntelFusion and Greg Walton of InforWarMonitor.net. Further analysis may be forthcoming by individual contributors at their respective Web sites.
On January 18, 2009, a large-scale DDoS attack began against Kyrgyzstan Internet service providers (ISPs). The key national Web site Asiainfo.kg and the Kyrgyz official domain registration service Domain.kg have been available only intermittently since January 18, 2009.
Russian-based servers primarily known for cybercrime activity have been linked, through IP analysis, to the attacks on Kyrgyzstan.
Figure 1 shows the Internet routing during the later stages of the Kyrgyzstan DDoS attacks.
Figure 3 provides a BGP (Border Gateway Protocol) Internet traffic routing view for the period of the 15th of January 2009, with primary focus on highlighting the DDoS traffic against AS8511 (Asiainfo, Kyrgyzstan).
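As an added example (not part of the original post or of the contributors' analysis), the following Python sketch shows the kind of source-IP-to-origin-AS attribution that the "IP analysis" above rests on: flow records from a flood are matched against a prefix table by longest prefix, packets are totalled per origin AS, and the networks that carry most of the traffic are picked out. The prefix table, the AS numbers (other than AS8511, which the post names as the target) and the flow records are all constructed from documentation ranges, not real routing or attack data.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed prefix -> origin AS table. Prefixes are RFC 5737 documentation
# ranges and the AS numbers are RFC 5398 documentation ASNs; this is NOT real
# routing data for any network mentioned in the post.
PREFIX_ORIGINS = {
    "192.0.2.0/24": 64496,
    "198.51.100.0/25": 64497,
    "198.51.100.128/25": 64498,
    "203.0.113.0/24": 64499,
}

# Constructed flow records (source IP, destination IP, packet count), shaped
# like what an upstream flow collector exports during a flood. TARGET is a
# placeholder for a host inside the attacked network (the post's AS8511);
# "10.0.0.1" has no table entry and exercises the unknown-origin path.
TARGET = "172.16.0.10"
SAMPLE_FLOWS = [
    ("192.0.2.10", TARGET, 4000),
    ("192.0.2.11", TARGET, 3500),
    ("198.51.100.5", TARGET, 1500),
    ("198.51.100.200", TARGET, 900),
    ("203.0.113.7", TARGET, 100),
    ("10.0.0.1", TARGET, 50),
]


def build_table(prefix_origins):
    """Return (network, asn) pairs ordered longest prefix first, so a linear
    scan performs longest-prefix matching (the more specific /25 wins over a
    covering /24, as a router's FIB would decide)."""
    table = [(ipaddress.ip_network(p), asn) for p, asn in prefix_origins.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def origin_as(ip, table):
    """Origin AS of the most specific prefix covering `ip`, or None if unrouted."""
    addr = ipaddress.ip_address(ip)
    for net, asn in table:
        if addr in net:
            return asn
    return None


def attribute_flows(flows, table):
    """Aggregate packet counts and distinct source hosts per origin AS."""
    packets = Counter()
    hosts = defaultdict(set)
    for src, _dst, pkts in flows:
        asn = origin_as(src, table)
        key = asn if asn is not None else "unknown"
        packets[key] += pkts
        hosts[key].add(src)
    return packets, {key: len(srcs) for key, srcs in hosts.items()}


def dominant_origins(packets, share=0.8):
    """Smallest set of origin ASes (largest first) whose packets reach `share`
    of the total; these are the networks to take to the upstream providers."""
    total = sum(packets.values())
    chosen, cumulative = [], 0
    for key, count in packets.most_common():
        chosen.append(key)
        cumulative += count
        if cumulative >= share * total:
            break
    return chosen


if __name__ == "__main__":
    table = build_table(PREFIX_ORIGINS)
    packets, hosts = attribute_flows(SAMPLE_FLOWS, table)
    for key, count in packets.most_common():
        print(f"origin {key!s:>8}: {count:6d} packets from {hosts[key]} host(s)")
    print("networks carrying 80% of the flood:", dominant_origins(packets))
```

Two caveats apply when reading such a table against real flood data. Source addresses in volumetric floods are often spoofed, so per-AS counts are only trustworthy for traffic that completed a handshake or was sampled by the upstream providers themselves, and the result should be corroborated with a BGP path view of the kind Figure 3 presents. The dominant AS is the network hosting the attacking machines (in the post's case, Russian servers known for cybercrime), which is not by itself evidence of who operates them.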
Timeline of Political Events
January 17: Prominent opposition leader detained in Kyrgyzstan
January 17: Political confrontation intensifies. Opposition activists form new coalition UPM (United People’s Movement)
January 19: Two opposition leaders detained and charged
January 19: Russia presses Kyrgyzstan to close US base
January 20: Kyrgyzstan Opposition denied use of Parliament Press Center
January 21: Kyrgyzstan government targets opposition
January 22: Journalists ordered to file personal information
January 22: Kyrgyz Opposition Party denied registration
Analysis
The Kyrgyz cyber attacks during the week of January 18th fall right in line with an escalating series of repressive political actions by the Bakiev government against this latest attempt to form an opposition political party – the United People's Movement (UPM). Bakiev should know, since it was the Tulip Revolution in 2005 (and the last time that DDoS attacks were utilized in Kyrgyzstan) that brought him to power.
Opposition leader Omurbek Tekebaev has pointed out the similarities between 2005 and 2009: “Both then and now, you could see people mistrusted those in power, who lacked moral authority. Both then and now, public opinion was completely controlled by the authorities, and there was persecution of journalists and dissidents, criminal persecution of political opponents,” he said.(IWPR article)
This appears to be a cyber operation for hire by the Bakiev government to control information access against its political opposition. The likely culprits are Russian hackers with moderate skill levels who regularly engage in cyber crime.
There is no evidence that the Russian government is directly involved; however, Moscow has complete control over the servers owned by JSC and Golden Telecom. To date, no action has been taken by the Russian Federation (RF) to deny Russian hackers access to these servers.
Related Links:
Cyberwar – The Cyber Iron Curtain: Now Kyrgyzstan – Part 1
Kyrgyz Websites subject to unexplained failure and hacking during the Parliamentary Elections (2005)
The Kyrgyzstan Cyber Attack That No One Is Talking About