JEFFREY BROWN: Along with tanks and bullets came so-called cyber-attacks that began several weeks back and appear to be continuing.
Georgian government Web sites — including the president’s office, the parliament, and the foreign ministry — were defaced with anti-Georgian or pro-Russian images. And Georgia’s Internet system was crippled, as hackers manipulated computers to flood government, news, and information Web sites in a way that renders them useless.
Jose Nazario was one of the first security experts to pick up signs of the cyber-trouble. He’s a senior researcher for Arbor Networks, a private company that provides Internet security to businesses, governments, and other organizations.
Well, why don’t we start with a definition? What do we mean by a cyber-attack?
JOSE NAZARIO, Arbor Networks: Cyber-attacks are generally directed online, using online resources, against the online resources of an adversary. So in this case, it is computers which have been compromised and built into a botnet, a network of computers that are under the control of attackers…
JEFFREY BROWN: Explain what — I’m sorry, explain what a botnet is? Because I’ve seen that word, and it’s a key one. What is it? What does it mean?
JOSE NAZARIO: These are computers that have been infected with malicious software that then changes the control of the computer to an attacker in a remote location. They continually listen for commands from this attacker and act upon them, basically turning them into slaves or zombies at the attacker’s command.
JEFFREY BROWN: So what more can you tell us about the specific targets in Georgia? And what kind of impact did it have?
JOSE NAZARIO: In mid-July, as there were some increased tensions between Russia and Georgia over these regions under dispute, we began seeing an attack commanded to a large botnet that was directed to flood the Georgian president’s Web site with requests to load the page repeatedly as fast as possible.
This caused it to be inaccessible, based upon our own monitoring, for some time. And these attacks lasted for a couple of days. Now, this pre-dates the skirmishes that we’re seeing now and have seen in the past week between Russian forces and Georgian forces.
Botnets spread specific attack
JEFFREY BROWN: Now, it attacks certain Web sites. Does it also have the ability to clog the entire Internet in a country like Georgia?
JOSE NAZARIO: Depending on the number of gateways, in a small country like Georgia, it would probably have only a handful of gateways to the outside world.
As that flood traffic comes into the network and as it approaches the target, it actually fills those pipes, those connections to the outside world and can, in fact, choke off other legitimate traffic. So it can, indeed, clog that communication infrastructure as it tries to flood a Web site.
JEFFREY BROWN: Now, you started to tell us how it is done. How easily is it done? Can it be done from anywhere?
JOSE NAZARIO: It does not require specialized hardware or specialized -- or uncommonly specialized software and tools. And it doesn't require much sophistication on the part of the user.
In fact, these kits can, in fact, be purchased on the underground for as little as $40, in some cases. And then they can be installed on people's computers through compromised Web sites or through other means, including spam e-mails. And then these computers begin listening for those attack commands and then acting upon them.
JEFFREY BROWN: Now, I said that you were one of the first to detect this. How do you do that? You're sitting here in the United States. What are you -- what are you looking for? And what happens to let you know that something's underway?
JOSE NAZARIO: We continually collect this malicious software by constantly scouring the Internet for it and analyze it. And we analyze thousands of these samples a day.
Once we've analyzed them, we know what they've commanded a computer to do. And so we then mimic what that bot would do, what that infected computer would do, and listen for those commands and catalogue them.
We then process these on a continuous basis -- we're processing thousands of these attacks a day. And we simply look for ones that have interesting triggers to them or ones that, you know, appear to be targeting interesting targets, including government sites, such as the president's Web site, the ministry, the parliament, the ministry of finance in Georgia, and news sites in Georgia.
Attacks increasing worldwide
JEFFREY BROWN: You just said thousands of attacks a day. So this is a common occurrence?
JOSE NAZARIO: This is, unfortunately, a very common occurrence. We're seeing an increase in -- over the past several years, a dramatic increase in the number of botnets and the number of attacks commanded by those botnets. And the size of those attacks has increased, as well, and can, in fact, flood, if you will, or disrupt the backbone of most major ISPs around the world.
JEFFREY BROWN: Now, once detected, what can be done to stop it? What happened in this case, in Georgia, for example? What did you do?
JOSE NAZARIO: We worked with others to try to shut down the servers that the hackers used to command their army of infected machines, those bots -- to basically get the servers taken offline and block access to those servers, such that those computers will no longer respond to those commands. They simply cannot get them, as a way to shut down these attacks.
We also worked with providers around the world to help them identify the traffic and begin blocking specifically that attack traffic, such that other traffic can pass to Georgia, for example, and even legitimate visitors can try to reach the Georgian president's Web site or these news sites that have been under attack.
JEFFREY BROWN: All right, and that gets us to the question of who did it. Once you detect that something is happening, what evidence -- what do we know so far about where this originated?
JOSE NAZARIO: At this point, we simply know where the servers have been located. We don't know, necessarily, who is behind them or anything deeper than that.
The servers for the most recent round of attacks that we detected, which occurred just after the fighting began on the ground between Russian and Georgian forces -- many of those servers were located in Russia. Others were located in other parts of the world.
But it's interesting to note that the server that was responsible for these presidential Web site attacks in mid-July was actually located here in the U.S. Once we detected that, we actually worked -- we sent some information to the FBI, to the State Department to have that server investigated and shut down to prevent those attacks from occurring.
Non-state actors responsible
JEFFREY BROWN: So no direct evidence leading this to the Russian government yet? Is there any way to know? I mean, will you know, in the end?
JOSE NAZARIO: As you may imagine, investigating an event like this online is going to be fraught with significant problems. We have, of course, tenuous clues. We have false clues that might be planted. We have lots of misdirection and misleading evidence.
And we have a huge opportunity for fraud and lying about who's accessed these computers or obscuring where the attackers are actually coming from, as they install these commands and begin to tell the botnets what to do.
It can take months, if not years, to come up with a definitive answer and a definitive picture here. But at present, we think that these are individuals who are non-state actors who have been involved in these attacks and who have been commanding these attacks. This is based upon the history of some of these botnets, which is...
JEFFREY BROWN: All right -- no, I'm sorry, finish your sentence.
JOSE NAZARIO: ... the history of these botnets has basically been targeting commercial or online gambling sites, nonpolitical targets.
JEFFREY BROWN: All right, Jose Nazario, thank you very much.
JOSE NAZARIO: Thank you.