The first attack started just after 2 p.m. GMT on Aug. 8, according to the Shadowserver Foundation, a volunteer group that monitors hacker activity -- more than 12 hours after Russian tanks rolled through the Roki tunnel into Georgia, and once news reports about the conflict had been circulating for some time.
Within hours of the fighting breaking out, Russian hackers had set up a site, StopGeorgia.ru, where visitors could view a list of Georgian Web sites being targeted, see which of them had already been brought down, and download a simple program that let their own computer join the attack, according to Kimberly Zenz, a Russia specialist with Internet threat intelligence outfit iDefense.
"My own view is that 90 percent of this is being done by volunteers," she told United Press International, adding that, within a few days of being launched, the attacks had become more intense than those last year against Estonia.
Zenz's view is at odds with the Georgian government's charge that Russia's government and/or military were behind the attack. "It is extremely difficult for us to believe that this was not orchestrated at the highest levels," Patrick Worms, an adviser to the Georgian government, told UPI last week.
But one Israeli security specialist last week said the attacks were more akin to a cyber-riot than cyberwar.
"While Georgia is obviously under DDOS (Distributed Denial of Service) attack and it is political in nature … it is my opinion this is not warfare but just some … attacks by Russian hackers and/or some rioting by enthusiastic Russian supporters," wrote Gadi Evron, the former head of Israel's Computer Emergency Response Team.
Evron acknowledged the attacks could be "indirect Russian (military) action," but pointed out the attackers "could have attacked more strategic targets or eliminated the (Georgian Internet) infrastructure kinetically," i.e., with high explosives.
Indeed, a careful analysis of the attacks shows that the most damaging actions were likely carried out by organized hacker gangs.
The first attacks were launched by botnets -- networks of personal computers that have been infected, often without their owners' knowledge, with malicious software that places them under a hacker's remote control. Botnets are used to send spam e-mail or to bombard a Web site with so many bogus requests that it can no longer serve real visitors, the technique used against Georgia and known as a Distributed Denial of Service (DDoS) attack.
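The paragraph above describes the DDoS technique only in general terms. As an added illustration that is not part of the original article, here is a small Python script showing the first thing the operator of a targeted site would do: parse the Web server's access log and flag source addresses whose request rate inside a sliding time window is far beyond what a human visitor could produce. The log lines, IP addresses, window size and threshold are all constructed for the example and do not come from any Georgian site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format: ip ident user [timestamp] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one combined-format access-log line into (ip, timestamp, request, status).

    Returns None for lines that do not match, so a malformed or truncated entry
    is skipped rather than crashing the whole pass over the log.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("req"), int(m.group("status"))


def find_flooders(lines, window_seconds=10, threshold=30):
    """Return {ip: peak_requests_in_window} for every source whose request count
    within some sliding window of window_seconds reaches threshold.

    Lines are assumed to be in chronological order, as a server writes them.
    The window and threshold are assumptions chosen for the constructed sample;
    a real deployment tunes them to the site's normal traffic.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps still inside the current window
    peak = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _, _ = parsed
        q = recent[ip]
        q.append(ts)
        # Drop timestamps that have fallen out of the window ending at ts.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and len(q) > peak.get(ip, 0):
            peak[ip] = len(q)
    return peak


def build_sample_log():
    """Constructed sample log: three bot sources each sending five requests per
    second for ten seconds, plus one human visitor making three requests over
    the same period, plus one unparseable line. Addresses are documentation ranges.
    """
    start = datetime(2008, 8, 8, 14, 2, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'
    bots = ["203.0.113.7", "198.51.100.23", "192.0.2.99"]
    lines = []
    for sec in range(10):
        ts = (start + timedelta(seconds=sec)).strftime("%d/%b/%Y:%H:%M:%S %z")
        for ip in bots:
            for _ in range(5):
                lines.append(fmt.format(ip=ip, ts=ts, path="/", status=200, ua="Mozilla/4.0"))
        if sec % 4 == 0:  # legitimate visitor at seconds 0, 4 and 8
            lines.append(fmt.format(ip="203.0.113.50", ts=ts, path="/news/today.html",
                                    status=200, ua="Mozilla/5.0"))
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    flooders = find_flooders(build_sample_log())
    print(f"{len(flooders)} flooding source(s) found")
    for ip, count in sorted(flooders.items(), key=lambda kv: -kv[1]):
        print(f"  {ip}: peak {count} requests in a 10-second window")
```

The number of distinct flagged sources is the practical tell for whether the flood is distributed: a handful of addresses can be blocked at the firewall, while thousands of them, as in a botnet-driven attack, need upstream filtering or rate limiting rather than per-address blocks.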
Shadowserver volunteers logged six different botnets involved in the DDoS attacks on Georgian government and news sites, each controlled by a different command-and-control server. "We have been tracking these servers for a while now, some for a year or more," Shadowserver volunteer Mike Johnson told United Press International by e-mail.
Johnson said their prior targets were mostly Cyrillic-language sites in the Russian .ru domain and mainly "from the 'seamier' side of the Internet" -- pornographic video, gambling and prostitution sites.
Zenz said that fit the profile of botnets being rented out or otherwise used for extortion. "Those kinds of sites will pay, rather than go to the authorities (to stop a DDOS attack)," she said.
She said Russian hackers were also distributing lists of e-mail addresses for Georgian officials and of Georgian Web sites with security flaws -- encouraging others to get involved in hacking or sending spam or malware.
Georgian hackers appeared to have responded, Zenz said, taking down sites that provided news about the Russian-backed Georgian breakaway province of Ossetia -- and in one case replacing the Web site's own content with a news feed from a pro-Georgian service.
At least two of the three major Georgian Internet service providers appeared to have blocked access to Russian .ru Web sites for their subscribers last week, Zenz added.
Several Georgian officials and others involved in monitoring and responding to the cyberattacks failed to respond to e-mail queries Monday or were unavailable for comment.
Russian officials last week denied Georgian charges they were behind the attacks -- a he-said, she-said scenario that has become familiar in this conflict in which so much is unclear.
"You have charges from both sides," White House spokesman Gordon Johndroe told reporters Monday, referring to Russian allegations and Georgian counter-allegations of ethnic cleansing. "We take these charges seriously and are going to look into them."
Zenz said that, despite the self-organized character of the cyberattacks, they were very sophisticated. For instance, the Russian attackers appeared to have tried to forestall any cyber-retaliation by taking down the two highest-profile Georgian hacker sites, hacker.ge and warez.ge, in their initial assault.
Moreover, the fact that news sites were among the first targets showed an awareness that this was a battle about perception as much as reality.
"This is all about trying to shape the message -- on both sides," she said, adding, "Georgian hackers are not as numerous or as good, and they don't have those botnets at their fingertips."
© 2008 United Press International. All Rights Reserved.