2009-01-28

Cyberwar – The Cyber Iron Curtain: Now Kyrgyzstan – Part 2

The Kyrgyzstan DDoS Attacks of January, 2009: Assessment and Analysis

Note:
This post is a joint effort of HostExploit.com, Jeff Carr of IntelFusion and Greg Walton of InforWarMonitor.net. Further analysis may be forthcoming by individual contributors at their respective Web sites.

On January 18, 2009, a large scale DDoS attack began against Kyrgyzstan Internet service providers (ISPs). Key national Web server site Asiainfo.kg and the Kyrgyzstan official domain registration service Domain.kg have only been available intermittently from Jan 18th 09.

Russian-based servers primarily known for cybercrime activity have been linked, through IP analysis, to the attacks on Kyrgyzstan.

Figure 1 shows the Internet routing during the later stages of the Kyrgyzstan DDoS attacks.

Figure 3 shows BGP (Border Gateway Protocol) Internet traffic routing for the 15th of January 2009, with the primary focus on highlighting the DDoS traffic against AS8511 Asiainfo of Kyrgyzstan.


Timeline of Political Events

January 17: Prominent opposition leader detained in Kyrgyzstan

January 17: Political confrontation intensifies. Opposition activists form new coalition UPM (United People’s Movement)

January 19: Two opposition leaders detained and charged

January 19: Russia presses Kyrgyzstan to close US base

January 20: Kyrgyzstan Opposition denied use of Parliament Press Center

January 21: Kyrgyzstan government targets opposition

January 22: Journalists ordered to file personal information

January 22: Kyrgyz Opposition Party denied registration

Analysis

The Kyrgyz cyber attacks during the week of January 18th fall right in line with an escalating series of repressive political actions by the Bakiev government against this latest attempt to form an opposition political party, the United People’s Movement (UPM). Bakiev should know, since it was the Tulip Revolution in 2005 (also the last time that DDoS attacks were used in Kyrgyzstan) which brought him to power.

Opposition leader Omurbek Tekebaev has pointed out the similarities between 2005 and 2009: “Both then and now, you could see people mistrusted those in power, who lacked moral authority. Both then and now, public opinion was completely controlled by the authorities, and there was persecution of journalists and dissidents, criminal persecution of political opponents,” he said. (IWPR article)

This appears to be a cyber operation for hire by the Bakiev government to control information access against its political opposition. The likely culprits are Russian hackers with moderate skill levels who regularly engage in cyber crime.

There is no evidence that the Russian government is directly involved; however, Moscow has complete control over the servers owned by JSC and Golden Telecom. To date, no action has been taken by the Russian Federation (RF) to deny Russian hackers access to these servers.

Related Links:

Cyberwar – The Cyber Iron Curtain: Now Kyrgyzstan – Part 1

Kyrgyz Websites subject to unexplained failure and hacking during the Parliamentary Elections (2005)

The Kyrgyzstan Cyber Attack That No One Is Talking About

The Cyber Iron Curtain

2009-01-26

Cyberwar – The Cyber Iron Curtain: Now Kyrgyzstan – Part 1

Fig 1. The new Cyber Version of the Iron Curtain

Large scale DDoS attacks have been underway against Kyrgyzstan Internet service providers (ISPs) for several days. This further establishes the emergence of the ‘Cyber Iron-Curtain’ as shown in the schematic diagram above. For example, the key national web server site Asiainfo.kg and the Kyrgyzstan official domain registration service Domain.kg have only been available intermittently since Jan 18th 09. We are able to confirm that the ‘usual suspects’ among well known organized cybercrime servers have been involved (see Part 2 for details), although upstream providers in Russia and Kazakhstan have, ironically, been stating that they are refusing to pass traffic because of the scale of the attacks.

The reasons for the cyber attacks are unclear, as the Kyrgyz President Kurmanbek Bakiyev is seen as pro-Kremlin. However, there is a coincidence similar to the DDoS attacks on Lithuanian web sites last year, which took place when the Lithuanian Prime Minister visited the US: President Bakiyev is to visit Moscow on February 3 to discuss the extension of Russian investment in the Kyrgyz energy sector, and Russia is pressuring Kyrgyzstan to close the US military air base used to support operations in Afghanistan. (Sydney Morning Herald - news link)



Another view is that the attacks are intended to neutralize the recently unified opposition, the United People’s Movement (UPM). In its founding charter, the coalition seeks a new political system for Kyrgyzstan and the removal of President Kurmanbek Bakiyev from office. Complaining of widespread corruption, increasing human rights abuse, and the deterioration of living standards, the UPM is planning a series of protests for February and March.



The Kyrgyz state general prosecutor has launched criminal investigations involving at least four opposition leaders in recent weeks. This past weekend, opposition leader Omurbek Tekebayev, chairperson of the Ata Meken Party, was arrested on vague weapons charges as he headed for a meeting in the northwestern Talas region of Kyrgyzstan. He has since been released.



The cyber attacks on Kyrgyzstan have also been confirmed by IntelFusion and Information Warfare Monitor, which describe three of the four Kyrgyz ISPs as having been taken down, e.g. AS8511 ASIAINFO (Autonomous System, Bishkek, Kyrgyzstan), and the Kyrgyzstan official domain registration service, also on AS8511 ASIAINFO (Bishkek, Kyrgyzstan).



Hence, from a ‘Cyber Iron-Curtain’ perspective, Russia now has ‘control at will’ over communication, and increasing cyber influence, across its former Soviet satellites, a modern parallel to Winston Churchill’s post-Second World War description of the Soviet sphere of influence. Separately, the blocking of these major websites in Kyrgyzstan suggests that we should probably move this country up the relative scale of importance for monitoring cyberwar around the world.




2009-01-23

Majority of Top 100 Websites Host Malicious Content

A majority of the top 100 websites hosted either malicious content or masked redirects, according to a Websense report summarizing its significant findings for the six-month period ending in December 2008.

The highlights are:
Web Security

  • 77 percent of Web sites with malicious code are legitimate sites that have been compromised.
  • The number of malicious Web sites identified by Websense Security Labs from January 1, 2008 through January 1, 2009 has increased by 46 percent.
  • 70 percent of the top 100 sites either hosted malicious content or contained a masked redirect to lure unsuspecting victims from legitimate sites to malicious sites.
  • This represents a 16 percent increase over the last six-month period.

Messaging Security

  • 84.5 percent of email messages were spam. This represents a 3 percent decrease over the last six months.
  • 90.4 percent of all unwanted emails in circulation during this period contained links to spam sites or malicious Web sites. This represents almost a 6 percent increase in emails containing malicious links to compromised sites.
  • Shopping remained the leading topic of spam (22 percent), followed closely by cosmetics (15 percent) and medical (14.5 percent). This remained consistent over the last six months.
  • Pornography-related spam increased sharply by 94 percent, but still only represented 9 percent of all email spam. 6 percent of spam messages were phishing attacks, representing a 33 percent decrease over the last six months.
  • This represents a change in tactics as spammers concentrated on data-stealing Trojan horses and DNS poisoning tactics to lure victims to malicious sites.

Data Security

  • 39 percent of malicious Web attacks included data-stealing code.
  • 57 percent of data-stealing attacks are conducted over the Web.
  • This represents a 24 percent increase over the six-month period.

The full report is here (PDF).

2009-01-16

Cyberwar - The Battle for Gaza (part 2)

Cyberwar, as a word or term, does appear to be inflammatory for many and a cause of considerable debate. Quite simply, it is reasonably defined as asynchronous warfare via the web, i.e. the occurrence of two or more processes at different times, and war in itself does not require governments fighting each other. As an example, most would agree the American War of Independence was a war, but one fought by a section of the populace against a government or ruling entity.

Propaganda, which can reasonably be considered an element of cyber warfare, has always been seen as a crucial weapon of war, from the now classical literature of Thomas Paine’s pamphlet “Common Sense” to the current website hacks and running battles within the social networks.

As a follow-up to the earlier blog article, here we first consider the battle within the social networks. Within Facebook there has been considerable activity: the Jewish Internet Defense Force, a group that claims to have 5,000 members worldwide, is reported to regularly attack the Facebook wall of the group “Support the Fight Against Cancer with Just a Click!”, which currently has 1,350,137 members and describes itself as a “cancer truth group” that appears to blame the “Zionist Jewish Mafia” for the disease. Elsewhere on Facebook we also see, as examples, “Israel is not a country!” with 8,878 members, counterbalanced by "Palestine is not a country Delist it from Facebook as one!" with 3,649 members, and “End the siege on Gaza now….” with 45,806 members.

Within Wikipedia there are similar battles, with the JIDF’s own article being regularly defaced with swastikas or jihadist slogans. At the same time, however, the group has produced a well-researched blacklist of what it considers “Heavily Biased Anti-Israel Wikipedia Editors”. The Wikipedia article on Hamas is being revised hourly by one side of the argument or the other, as its revision history shows.



The more conventional web site hacking reported earlier has shown a marked increase in activity, not only against Israeli websites but against wider international targets. Notable targets of the many pro-Palestinian efforts have been the United States Army's Military District of Washington website, the NATO Parliamentary Assembly website in Brussels, the UNICEF website in Italy, government websites in Colombia, and many international academic websites, for example the University of Applied Sciences in Switzerland. Commercial websites continue to be targeted increasingly in the USA, UK, Denmark, France, the Netherlands and Australia, with a notable example being Google’s web site in Egypt.



The most reported hacker in this conflict recently is “Agd_Scorp / Peace Crew”; in hackers’ circles these are actually better known as the Turkish group “1923turk”, to which 6,319 hacks and defacements can be attributed over the last week. Other hacker groups of note in quantitative terms over the last week are “Cold z3ro”, “DNS Team”, and “FesH4ck3rs Team”. To complete this small effort at quantification, webmasters may find it interesting that, according to Zone-H.org, an organization that has tracked hackers and hacking for many years, 70% of the attacks have been against web sites running on Linux-based servers. However, this may simply reflect the wider use of Linux over MS Windows as a web serving operating system.




One final word of warning, from the world of the cyber criminals who take advantage of this and similar situations and which has nothing to do with the Gaza protests, with thanks to Gary Warner of the University of Alabama: be cautious about fake CNN and other news reports, and UNICEF appeals, relating to the Gaza conflict appearing in your email inbox. These are actually virus-laden and lead to the download of malware. Further analysis shows the hosting to be by AS46475 Limestone Networks, Inc., Dallas, Texas. This is the same IP hosting as the recent Classmates.com malware, and it is blacklisted by Spamhaus as SBL71257.

2009-01-05

CyberWar - The Battle for Gaza

Whatever your personal perspective of the rights and wrongs of the current Arab-Israeli war in Gaza, there is a second front being fought on the Internet. This form of warfare is a battle of words and often vivid imagery engaged by hackers from either side of the divide. The image shown here is a highly graphic example from a defaced Israeli commercial website, hacked by “DNS Team” today.

Many are familiar with the explosive form of botnet-based DDoS (distributed denial of service) cyberwarfare carried out, and widely reported, against governmental web sites in Estonia in 2007 and Georgia in August 2008. In fact this particular cyberwar in the Middle East has been ongoing since at least 2001. As the Internet mirrors the real world, this cyberwar waxes and wanes as the ground warfare fans the flames on the Internet at times such as this.

Of considerable interest to Internet security in general are the tactics utilized, as these reflect the application of many sophisticated cybercrime hacking techniques better known for commercial ends, and this is important to any commercial or governmental network operation.

Although at first sight it would seem this is only of consequence to Israeli or Arab web sites, this is not the case. For example, many US, French, Spanish, UK, and Danish web sites are currently being defaced at a rate of hundreds per hour. Many such defacements are merely an inconvenience for the webmaster; however, many appearing over the last two days also contain malware links. Many are also fitted with redirects or flash links to Jihadist forums or blogs, caused by SQL injection attacks.

A few days ago the “Team Evil” Islamic group used a DNS attack on DomainTheNet's registration system server, which redirected many well-known Israeli web sites such as ynetnews.com, a weather forecast website, public utilities, and Bank Discount, rerouting users to a page featuring anti-Israel messages. DomainTheNet is a multinational registration service provider (RSP) which offers registration and site-hosting services. The names used in the hacking (Team Evil, DNS Team, Tw!$3r, KaSPeRs HaCKeR CreW, PaLiSeNiaN HaCK, MoRoCcAn HaCkErZ, et al.) apparently emanate from, and have been reported as coming from, Morocco.

In fact, by tracking back the associated routings and linked forums, these activities originate from Saudi Arabia and Turkey. As three embarrassing examples of the enemy within, consider these Jihadist communication sites and forums: Anashed Net is registered in Saudi Arabia but hosted by Layered Tech, and Raslny com is also registered in Saudi Arabia but hosted by SoftLayer, both hosts based in Plano, Texas, USA. As Internet-Haganah (an Israeli website that tracks Jihadist sites) reports, Thabaat net, which distributes Al Qaida propaganda, is registered in Belgium and hosted in Denmark, ironically a key target for Jihadists due to the Islamic cartoon incident.

The Associated Press reported in 2006 that Team-Evil had begun hacking and vandalizing US government websites as early as 2004. In 2002, an Israeli hacker named Ehud Tannenbaum, known as "The Analyzer", was sentenced to 18 months in jail for breaking into the NASA, Pentagon, and Defense Ministry computer systems, among other virtual locations.

By way of even-handedness, it would be naïve to think this cyberwar is one-sided: no Hamas or related web site is openly available, as these were effectively taken down and have been kept offline since mid-2008 by the pro-Israeli hackers “Fanat al-Radical”. A fascinating approach over the last few days is being made by an Israeli website ‘Help Israel Win’, which provides a download so your PC can become part of a worldwide pro-Israeli botnet. So far 7,786 have joined in, already a fairly powerful global computing force to, as they describe it, “Disrupt our Enemy’s Efforts”.

A final word of warning: the download has been analyzed as ‘Win32/Injector.K’, a well-known PC-hijacking trojan used in cyber crime. As is the case in cyber warfare, who is who, and whether the hacking is being directed by governmental intelligence forces, criminal groups, or hacktivists, is always a question.