Showing posts with label cyber iron curtain. Show all posts

2009-01-28

Cyberwar – The Cyber Iron Curtain: Now Kyrgyzstan – Part 2

The Kyrgyzstan DDoS Attacks of January, 2009: Assessment and Analysis

Note:
This post is a joint effort of HostExploit.com, Jeff Carr of IntelFusion and Greg Walton of InforWarMonitor.net. Further analysis may be forthcoming by individual contributors at their respective Web sites.

On January 18, 2009, a large-scale DDoS attack began against Kyrgyzstan Internet service providers (ISPs). The key national Web server site Asiainfo.kg and the Kyrgyzstan official domain registration service Domain.kg have been available only intermittently since January 18, 2009.

Russian-based servers primarily known for cybercrime activity have been linked through IP analysis to the attacks on Kyrgyzstan.

Figure 1 shows the Internet routing during the later stages of the Kyrgyzstan DDoS attacks.

Figure 3 shows BGP (Border Gateway Protocol) Internet traffic routing for the period of the 15th of January 2009, with the primary focus on highlighting the DDoS traffic against AS8511 Asiainfo of Kyrgyzstan.


Timeline of Political Events

January 17: Prominent opposition leader detained in Kyrgyzstan

January 17: Political confrontation intensifies. Opposition activists form new coalition UPM (United People’s Movement)

January 19: Two opposition leaders detained and charged

January 19: Russia presses Kyrgyzstan to close US base

January 20: Kyrgyzstan Opposition denied use of Parliament Press Center

January 21: Kyrgyzstan government targets opposition

January 22: Journalists ordered to file personal information

January 22: Kyrgyz Opposition Party denied registration

Analysis

The Kyrgyz cyber attacks during the week of January 18th fall right in line with an escalating series of repressive political actions by the Bakiev government against this latest attempt to form an opposition political party – the United People’s Movement (UPM). Bakiev should know, since it was the Tulip Revolution in 2005 (and the last time that DDoS attacks were utilized in Kyrgyzstan) which brought him to power.

Opposition leader Omurbek Tekebaev has pointed out the similarities between 2005 and 2009: “Both then and now, you could see people mistrusted those in power, who lacked moral authority. Both then and now, public opinion was completely controlled by the authorities, and there was persecution of journalists and dissidents, criminal persecution of political opponents,” he said. (IWPR article)

This appears to be a cyber operation for hire by the Bakiev government to control information access against its political opposition. The likely culprits are Russian hackers with moderate skill levels who regularly engage in cyber crime.

There is no evidence that the Russian government is directly involved; however, Moscow has complete control over the servers owned by JSC and Golden Telecom. To date, no action has been taken by the RF to deny access to these servers by Russian hackers.

Related Links:

Cyberwar – The Cyber Iron Curtain: Now Kyrgyzstan – Part 1

Kyrgyz Websites subject to unexplained failure and hacking during the Parliamentary Elections (2005)

The Kyrgyzstan Cyber Attack That No One Is Talking About

The Cyber Iron Curtain

2009-01-26

Cyberwar – The Cyber Iron Curtain: Now Kyrgyzstan – Part 1

Fig 1. The new Cyber Version of the Iron Curtain

Large-scale DDoS attacks have been underway against Kyrgyzstan Internet service providers (ISPs) for several days. This further establishes the emergence of the ‘Cyber Iron-Curtain’ as shown in the schematic diagram above. For example, the key national web server site Asiainfo.kg and the Kyrgyzstan official domain registration service Domain.kg have been available only intermittently since January 18, 2009. We are able to confirm that the ‘usual suspects’ of well-known organized cybercrime servers have been involved (see Part 2 for details). Ironically, upstream providers in Russia and Kazakhstan have been stating that they are refusing to pass traffic because of the scale of the attacks.



The reasons for the cyber attacks are sketchy, as the Kyrgyz President Kurmanbek Bakiyev is seen as pro-Kremlin. However, there is a coincidence similar to the DDoS of Lithuanian web sites last year, when the Lithuanian Prime Minister visited the US: President Bakiyev is to visit Moscow on February 3 to discuss the extension of Russian investment in the Kyrgyz energy sector, and Russia is pressuring Kyrgyzstan to close the US military air base used to support operations in Afghanistan. (Sydney Morning Herald - news link)



Another view is that the aim is to effectively neutralize the recently unified opposition United People’s Movement (UPM). In its founding charter, the coalition seeks a new political system for Kyrgyzstan and the removal of President Kurmanbek Bakiyev from office. Complaining of widespread corruption, increasing human rights abuse, and the deterioration of living standards, the UPM is planning a series of protests for February and March.



The Kyrgyz state general prosecutor has launched criminal investigations involving at least four opposition leaders in recent weeks. This past weekend, opposition leader Omurbek Tekebayev, chairperson of the Ata Meken Party, was arrested on vague weapons charges as he headed for a meeting in the northwestern Talas region of Kyrgyzstan. He has since been released.



The cyberwar attacks on Kyrgyzstan have also been confirmed on IntelFusion and Information Warfare Monitor, which describe three out of the four Kyrgyz ISPs as having been taken down, e.g. AS8511 ASIAINFO Autonomous System Bishkek, Kyrgyzstan and the Kyrgyzstan official domain registration service AS8511 ASIAINFO Autonomous System Bishkek, Kyrgyzstan.



Hence, from a ‘Cyber Iron-Curtain’ perspective, Russia now has ‘control at will’ of communication and increasing cyber influence over its former Soviet satellites, a modern parallel to Winston Churchill’s post-Second World War description of the Soviet sphere of influence. Separately, the blocking of these major websites in Kyrgyzstan suggests that we should probably move this country up the relative scale of importance for monitoring cyberwar around the world.


