The present Russian government has long been waiting for just such an opportunity in Georgia. The question I have -- and which would be difficult to answer from anywhere, let alone Tbilisi where I am now -- is how much Russian armor and equipment was coming down into South Ossetia whether or not Georgian forces reacted to the increasing attacks from the Ossetian side.

If the Russian government was buying botnet access, then it's plausible that they had to give their suppliers a few days' lead time, and that was enough time for the buyers to respond to a bigger market by firing up a new attack. But this is also an obvious leak of intentions, and you have to guess that the Russian government won't want to keep doing that.

Imagine if this crimesyndicate had been in charge in the run-up to the Millennial turnover.

Nothing happened, of course, at midnight of 2000, because the run-up administration made this a priority.

The crimesyndicate wouldn't have bothered.

Love, C.

I just reread Bruce Sterling's "Zenith Angle" and was impressed by how, well, naive it seems just a few years later. At the time it seemed horrific.

He describes the piddling little dotcom meltdown as a huge economic disaster, for example. As perhaps it seemed then. Hoo ha. And the espionage? I'll leave it to the extperts to say.

In retrospect, seems like failure of imagination, failure of nerve, compared to today's daily news.

Well, except for the clear insight that nobody's going to do anything really energetic to fix the known problems. That has certainly continued to be true.

Hoodathunkit, as they say over at http://calculatedrisk.blogspot.com/

The Russians would lie? Shocked, shocked I am...

Well, hey, at least Condie Rice gets to use that PhD research now.

One of the notable characteristics of the mails used to hook people into the botnet was that they were professional-- no spelling errors, no stupid formatting screwups, and the content changed at least twice over a period of a day or two. Everybody knew right off that this wasn't your usual Nigerian in an internet cafe.

A couple of problems with this interpretation:

1. There are lots of botnets, and as far as I know no evidence tying the CNN scam into the Russian cyberattack.

2. Do you really think Russia would build a botnet on spec for a specific operation? Undoubtedly they've had one or more prepared at all times for close to a decade. And so have we. If not, then there's some serious idiocy going on.

Botnets aren't new this month or year (though probably this century). It might be newsworthy if a year went by without there being a new botnet built. That one was noticed by the news a week before some other even that involves some botnet (perhaps not even that one) isn't noteworthy.

1. I'm suggesting that the close timing is the evidence.

2. Botnets degrade over time.

Well, I'm going to buck consensus here on the way you're pulling this together.

If you're running a criminal syndicate like RBN, it's always a good time to hook computers into your botnet. They are always experimenting with better ways to hook people in. Number of bots (and aggregate outbound bandwidth) can be directly converted into income, either insourced (send spam, host kiddy porn, etc.) or outsourced (rent it out for DDOS, other spammers, etc.) Was last year's Storm worm outbreak the preparation for a Russian war? Nope.

BTW, some people who should know tell me the recent CNN/MSNBC runs have not been Storm but from a different worma nd botnet, based on analysis both of the mail and the downloaded malware. The BBC headline stuff is yet a third worm/botnet, less professionally done.

Note also, it's possible that the reported DDOSes are in fact coming from some different source than the RBN. Even though RBN has been singled out in discussion here, they're only one of a number of syndicates, many of them Russian but not all. There are Ukrainian spam syndicates, and others based in other Eastern European countries. Anywhere with a historically good educational system, lousy economy, and problems with corruption in the political and judicial establishment is a good base for this type of criminal enterprise.

Using your existing botnet for a "cyberwar" isn't a main revenue source - I doubt the FSB is paying in cash - so I would expect the Russian groups view it as some combination of "patriotic duty" and buying protection, probably mostly the latter. Much like the Mob controlling the police in Prohibition, with bribes in booze and cash, while narcing on rival bootleggers.

Now as to the main question - was Russia trying to set up for, and if possible provoke, a war in Georgia? Sure, I think there are plenty of indicators there. The degree of preparation can be seen on the military side, and it might well be that some of the reports of S. Ossetian "militias" shelling Georgian territory and troops with Russian weapons were correct. I just don't think the spam wars are in any way indicative of it.

The other party who bears responsibility for this, besides Saakashvili himself? The American politicians and Israeli arms suppliers and trainers who seem to have duped him into believing empty promises of Western support. The Israelis were apparently warned by Russia to get the hell out of Georgia and did, back in April. That suggests months of planning, not days or weeks.

mjfgates: The Nigerians and the Russian groups operate completely differently. The fact that the CNN stuff wasn't Nigerian 419 is no more indication of military planning than it is for the American/Canadian pill spammers.

Botnets continue to grow, so they don't necessarily degrade. (Any particular type of infection gets less effective with time, but that doesn't mean the botnet can't start using a new vulnerability to infect move zombies.)

The botnet you mention didn't start in August, it became publicly known then.

"The other party who bears responsibility for this, besides Saakashvili himself?"

And to no small measure the S. Ossetian leadership. But who needs to negotiate on anything when Russia has written you a blank check, backed up by at least one army? Why not have a little bandit kingdom in the mountains, kept in place by the Russian military?

albatross @ # 2 -

I don't have faith that the Russians under Putin really care that much about positive world opinion.

That poster is pure brilliance.

Also, wasn't there an attack on the Latvian internet awhile back... No, checking that, I was thinking about the attack on Estonia in April 2007, which date I found in a post about an attack on Lithuania in July. Looks like Russia has been honing its ability to eff up its neighbors for quite awhile, and this is going to be a major problem.

Huh.

For the last month or so, I've had zero spam on my own site, when before we were getting 20-30 spam posts a day. (Of the "post a porn link" variety.) I'd just assumed that the spambots got taken out of commission somehow and would eventually be back when the spammers rebuilt their bot.

Wonder if those resources are currently just busy elsewhere?

Things that make one go, "Hmmm."

Mostly, this just indicates to me that Russian intelligence had even more advance notice than I thought it did. Clearly, their tanks were ready; almost everything I've read about this indicates that the Russians knew the timing of the assault by the Georgian forces at least a day or two in advance, and this (along with some other logistical stuff) makes me think longer.

Now, this had been building for months, with raids by Russian-recruited and armed separatists getting pretty severe, I understand. And since Georgia had elected a president on the promise of regaining control of South Ossetia and Abkhazia, that president was unlikely to take it lying down. So it's quite correct to say that the events of 8 August weren't a reaction to the events of 7 August only, but it seems to me that the timing of those events was precipitated by Georgia.

If you think of it as a trap, which it seems to me is the best way, you can say that the spring going sproing is a reaction to the mouse stepping on the pad, or that it's a reaction to the person winding it. The winding happens first (if you're doing it right).

Thanks,
-V.

Since the Russian Business Network is a biggest maintainer of evil botnets, and since the RBN is widely supposed to be linked to Russian intelligence, I wouldn't take this as evidence that the Russians planned the war with Georgia. It's possible they just have attacks like this already set up to go against anybody they think they're likely to get into a fight with.

Josh #13:

The leak of intentions is a problem if you're worried about someone taking some kind of action to prevent what you're doing. Whether that's the US or EU having a ready-to-roll-out diplomatic/economic response, or the Georgians having a week's notice about what you're planning, it's surely a bug rather than a feature. This doesn't depend on whether you care about international opinion (though powerful nations usually don't have to care all that much about international opinion).

No doubt that Russia had tactical plans in place before invading Georgia; just about all advanced military nations draw up and plan hypothetical operations.

Even with the plan in place, I would suspect it would take weeks to get everything lined up for an operation; indeed, the plans have to take that into account.

Modern military logistics are complex as hell. No one comes up with a military whim on Friday and carries it out Monday morning, ab initio.

I believe in many things, but when it comes to combined-arms attacks I don’t believe in coincidence. The Russian invasion was planned, prepped, and ready to roll a week before the provocation was delivered. Setting up the botnet is the clue that the events of 8 August weren’t a reaction to the events of 7 August.

Sure, Russian intelligence could have grown, built and launched their own botnet for this particular attack, but why bother when it's dirt cheap to rent time on those things these days?

Now, had the attack on Georgia's infrastructure included something that isn't easily commercially available (albeit on the black market), you might have something there. (e.g., had the attack included the triggering of already-planted viruses inside Georgia's infrastructure, or included targeted remote exploits)

I'm awfully skeptical about the cyberwar claims, and botnets are growing and shrinking all the time. That's just the sound of salesmen (of salesmen!).

I think the quick response time of the Black Sea Fleet is more telling. It wouldn't surprise me to learn that Russia has key intelligence assets in the Georgian government and/or military, and were tipped off about the operation.

Sure, Russian intelligence could have grown, built and launched their own botnet for this particular attack, but why bother when it's dirt cheap to rent time on those things these days?

Because having the capacity fully in-house and under your control, not relying on a bunch of f*cking civilians (people who mill around on street corners and don't know when colors goes), is a positive virtue when you're writing op-plans.

If I'm understanding correctly, we have:

1) The Black Sea Fleet was ready for the Russian operation,
2) The Russian Army responded suspiciously quickly to the Georgian provocation, and
3) The cyber-attack was ready for the operation.

Now, I was taught that once is chance, twice is coincidence, and 3 times is enemy action, which means that a competent intelligence officer must hypothesize for the sake of threat assessment that the large-scale botnet recruiting just prior to the invasion was related, at least until proved otherwise.

Bruce #23:

The claim I've heard from people who seemed to be pretty clued-in is that the Russians, in a previous cyber attack on another country, rented the botnets from commercial operators. I assume they were paying in some way that gave the botnet owners an incentive to maximize the size and effectiveness of the attacks. That could plausibly have led the botnet owners to release a new attack, in hopes of having more resources to sell. (It could also have that effect through prices/supply of botnet time, but that would probably take longer.)

Perhaps the RBN controlled the timing of the war? Only joking. I think.

But the reality is that the public internet was never designed for security, and the organizations that commercialized the network, and provide most the stations (computers) have done nothing but patch small weaknesses, while leaving huge ones. Sooner or later, we're probably going to change that, and I hope the changes are not authoritarian in nature.

I think its rather hard to read anything into this.

The Russian government and the Russian Internet mafia have close links. Until recently the Russian Business Network was operating out of an ordinary office block in St Petersberg and its employees were seen meeting Putin's people, all the time they were robbing banks in the West.

They operate under a different name after the Economist article.

In answer to Jim, yes Botnets do degrade over time, but they are available for hire, the bots might have been recruited for some other piece of mischief such as attacking the betting sites in advance of the Olympics which were starting. And Georgia probably launched its attack when they did in the hope Russia would not respond breaking the Olympic truce.

Once established a botnet is available to the highest bidder. They wouldn't make as much from the DDoS extortion as Putins mob would pay.

Even if Russia was prepared to attack Georgia, that might be because they intended to strike first or because the Georgians had blown the cover on their operation.

But I have a hard time thinking that they would do either as the criminal gangs are riddled with informers and rippers and are under constant observation by various intelligence operations public and private. Putin's people have definitely used these people to do their dirty work but I can't see them putting them in the way of any sensitive information that might reveal their intentions.

I think it more likely that the opening of the Olympics was the common cause for both events.

Re botnets - I've been spending entirely too damn much time studying them for the past few weeks. The CNN net is about 35,000 IPs (and probably growing), and I see at least two others.

The faux-headline/CNN/msnbc.com/Weekly top news campaign started in the last week of June, and is not slowing down -- actually, spam incoming is still growing, and they're changing strategies on a daily basis, making for a fairly intensive upgrade schedule for my monitoring scripts. Which has been fun, but is getting tiring.

I'm a little skeptical that this botnet was involved in Georgia, for the very simple reason that its spam traffic didn't appear to fall off during that time, and the bandwidth has to come from somewhere. It's a real attractive theory. But I'm not buying it quite yet. Really I should start plotting quantities of spam per day, shouldn't I?

Oh, there are so many ways to study this beautiful, beautiful mass of data... *snif* If only I were paid to do it, I would never do anything else.

Also @6 mjfgates - if you read all of their subject lines, there are spelling errors. I haven't done specific research on the headlines they used, but (1) they've been recycling them for a long time indeed, (2) at least one ("McCain Says Unsure if Obama a Secret Hippopotamus") was so weird I Googled it. Turns out it was the headline of a humor article. Which would explain why it sounded professionally written -- it was.

But there are others ("Horrible borken leg") that were more off-the-cuff.

If you have a taste for these headlines, I have a really, really long list of them. Warning: not for the faint of bandwidth. Wow. I have 1,201 subjects now.

Yes, I think I will become an expert on a specific category of electronic fraud messages when I grow up, Mommy. ("What's an electronic message, Michael?")

Srsly. My Mom was a postal carrier. When I was about twelve and an avid reader of Omni (and a charter subscriber of Byte) I enthused to her how email would replace postal mail as the most common way to stay in touch. She humored me. But she has a DSL line now, too.

But I never ever ever predicted Russian botnets. It's amazing I can comprehend them even now; my head boggles when I think about it too hard.

A country run by an ex-KGB man will surely invest a lot in intelligence services. Clearly the Russians knew well in advance what the Georgians were up to. As Vardibidian @16 says, it was probably a trap, and the Georgian leadership stepped right into it.

"I assume they were paying in some way that gave the botnet owners an incentive to maximize the size and effectiveness of the attacks."

immunity from prosecution might be a good incentive.

Bryan @ 30 - given the involvement of the Russian mafia, immunity from being killed with your entire family might also be a good motivator.

me @ 27 - so I plotted distinct number of IPs, number of spam received, and number of known botnet-engendering spam received for each day from June 15 on, for all the IPs I know to be in "Botnet 1", as I fondly call it.

The graph (thanks, gnuplot!) is here: http://www.vivtek.com/projects/despammed/stats.png

Remember how I said there should be a depression in bandwidth devoted to spam if they were timing it to the attack on Georgia?

Draw what conclusions you will. Is that depression too early? When was Georgia actually experiencing congestion?

Oh, darn. I can't display images in comments. Well, go look. I'm actually convinced, Jim.

I can see the RBN being a form of camouflage for what the FSB is doing.

Rather than hiring people from the RBN, which has all sorts of security risks, I can see the FSB recruiting people with computer skills, and getting some of then into the RBN. Maybe the RBN even knows, and it's part of the protection deal?

The scale of the Russian conventional military response, and its speed, is the big clue that the Russians were ready. It's not something that's easy to hide. Clearly, Georgia didn't have the intel to spot it.

The hard question is whether the USA did. Did a recon satellite pass over the area while the troops were being moved in? It is claimed that the Soviet Union took account of satellites when planning some activities. Could Russia have hidden something this big?

Want to bet that the CIA is too busy looking for terrorists?

One of the huge advantages we had in 1944 was that the Germans didn't have recent photo-recce of southern England. They couldn't see what was coming.

Small countries don't have the assets for modern photo-recce. They have to depend on somebody else.

Is the support of the USA worth anything, if they didn't see this being set up?

Dave, what chills me is that the USA may, in fact, have seen Russia's preparations. August Surprise.

Small powers don't have particularly good photoreconnaisance, but medium-sized companies do; have a look at the footprints of the imagery on www.digitalglobe.com when you zoom in on South Ossetia.

I was tempted at least to ring Digital Globe and ask for a quote on 1.2-metre imagery of Gori tomorrow; I'm not a photointerpreter, but if I link to a high-resolution picture of Gori I suspect I would find a photointerpreter crawling out of the woodwork. It may be under shutter control; Digital Globe is an American company, but annoying the people who launch your satellites is rarely a sound business decision.

Over at Kings of War, a truly interesting suggestion for retaliation. Obviously no one wants to go to war with Russia, and imposing sanctions risks Russia responding by, say, cutting oil and gas supplies. So Europe simply loosens up its visa rules for bright young Russians wanting to move to the West - exacerbating the brain drain and demographic crisis. And there's nothing the Russian government can do about it...

Hmm, I wonder is Russia has all those military satellites that the old USSR had. You know, the ones like we have. The ones that could spot the Georgian troop and artillery movements. Maybe give them a few days of advanced notice that something was happening.

As for our satellites as David Bell in #33 asked. Well, I'm sure we did. However the Russians had just finished major war games in the area (the previous week), so it wouldn't be uncommon for Russian troops to be outside their bases, in formations for that time period. For a quick glance interpretation it probably didn't look strange (unless the analyst would have known the Georgians were also moving).

Another point of view on whether the cyber-attacks were centralized and/or government directed.

#34: the USA may, in fact, have seen Russia's preparations.

How could they/we not have seen Russia's preparations? We were conducting maneuvers with the Georgian military (and with troops from Azerbaijan and Ukraine) from July 15 through August 7th, and there were corresponding Russian maneuvers taking place in North Ossetia.

Provocations back and forth began in early July.

The weapons-selling lobby that operates in both wings of the money party prepared (Billmon link) a very, very long fuse that was lit this month.

I believe in many things, but when it comes to combined-arms attacks I don’t believe in coincidence.
Bruce @23 beat me to it.
My version of Occam's Razor simply tells me that great big Russia has/had pretty well infiltrated little bitty Georgia's military. That is part of their job, after all.
And this is hardly one of those weird long-shot contingencies like, what if Sweden declared war on Norway?

There's another thread to this tangle that intrigues me: from the reports I've heard, all the Russian units involved in the invasion were equipped largely with old equipment like T-72 tanks. One of the planes the Georgians shot down was a Backfire bomber, apparently being used for reconnaissance, which has led analysts to suggest that the Russian Army is short of UAVs and real reconnaissance aircraft.

There are other possible explanations. For instance, if the Russians assumed a non-zero probability of NATO or US military intervention, they might have used units they considered more expendable, holding back their better equipment to engage Western forces that would be larger and better equipped than the Georgians, or the same equipment in Georgian hands. The old equipment was clearly sufficient to give the Georgian military a severe beating.

This makes me wonder if the Russians didn't expect or even intend that NATO would intervene, and planned to mousetrap any foreign force by waving an inferior force in their faces and then slamming them with modern (hmm, I originally typed "mordoran") forces.

Bruce Cohen (StM): Yes the T-72 is an older tank, but well fought (and with the, possible, exception of Ukraine, no one who has them is spending the time and money to keep the crews trained to the level needed to fight them well) they aren't to be trifled with.

In open space, no, the Leopard II, the Chieftan and the M1A1/2 will eat them up, but in the more close-in terrain of Europe (even the steppe is provides cover, long enough for helicopters to bring in support), with infantry support and the other things the Russian can provide, they can afford a Kursk sort of battle, and the T-72 isn't as outmatched as the T-34 (which had some serious design flaws, to go with its superior design elements, as I recall the loss ratios were something like 8:1, but the tanks on the ground ratio was more on the order of 10:1, which is a net win in attritional battle; which is what armor on armor seems to always devolve to).

So T-72s and BTR-60s to fight a holding action while the more modern stuff comes in to engage the forces already involved in the fight.

It's a very good model for defending a space as large as Russia.

#39 Nell:

"Seeing" is one thing, gettingrecognition and interest and attention is quite another.

The best surveillance equipment analysts on the planet is completely useless if the command and control "leadership" have made it their policy they are not going to hear anything but what their loyal syncophants and financially benefitting buddies tell them they want to hear.

Or, to rephrase and recast that:
August, 2001. For months there had been cognizant personnel trying fruitless to get that (cascade of derogatory terms...) who was extralegally placed and kept emplaced in the Oval Office ("Vote Fraud in Ohio, Vote Fraud in Ohio!" to the tune of Crosby, Sill, and Nash's song "Ohio") to pay attention to the threat posed by Al Qaeda and to get the USA Government on alert for and to deter the promised attack.

TWO FBI agents in different parts of the USA who completely independently had earlier in the year been attempting to investigate the reeking to them situation of foreign nationals with no reasonable justification and no sign of a reasonable audit trail regarding the provisioning of the funding, for being in flight training for jumbo jet airliners, were told by their bosses to cease and desist their investigations. The agents saw what looked to them as highly suspicious, potential terrorist activities, posing a large potential threat.
>
Their bosses stopped the investigations. There have never been ANY explanation of why and never any investigation pursued looking up the chain of command of where the "leadership" for squelching the investigations came from.
>
August 2001--the head of security at Boston's Logan International Airport had a security exercise planned. The airlines were so unwilling to cooperate that he cancelled the exercise in frustration, unable not only to get the airlines to cooperate, but failing to get any cooperation from the federal government in its transportation branches to care about airport security and do some arm twisting and put pressure on the airlines to cooperate, and to get the security tightened up....

There were intelligence indications and warnings, the "chatter" had increased. The "leadership" of the US Executive Branch however seems to have made it very clear from the top down, that it didn't want to be bothered to be informed of anything untoward that might be going on as regards adverse activities and noises out of Al Qaeda and Saudi Arabian nationals present in the USA matching no profile of legimate business or interests to be present in the USA, and with no reasonable profiling for having funds at their disposal for taking flight lessons for airliners without substantiative reasons such as being sponsored by a Middle Eastern airline for pilot training for a position as an airline pilot....

My point, finally--why would the same (terms of excoriation) who seem almost to have actively prevented the implementing any activities and actions likely to have prevented the 9/11 atrocities and whose policies and "leadership" thwarted and aborted investigations by FBI agents who could have caught members of the conspiracy months earlier, be much interested in paying attention to a threatened Russian invasion of a neighbor of Russian? Russian after all isn't an "Islamofascist" country (sarcastically said)

To get even snider, who sent more troops and equipment--the USA into Iraq, or Russia into its neighbors?, and who dropped more and bigger bombs where?

And to get even more sarcastic.... hmm, the (terms of nonadmiration) seem to have managed to avoid at least ONE classic asshole piece of stupidity, so far--they haven't at least not yet, attempted an invasion of Russia going eastward from Europe....

Long ago when I was in the USAF I had a boss, a fellow who'd gotten so disgusted with the US Government he hadn't bothered telling the Air Force he was working on a doctorate in math--he was afraid they might promote him and he wanted to retire as a lieutenant colonel with 26 years of service, not get promoted to colonel and stay in to 30, who said "The Soviets have good reason to be paranoid, every time there's been a war in Europe someone's invaded Russia."

(Meanwhile, though it's offtopic--has the Associated Press, was it, yet said WHY it threw the hissy fit weeks ago and went on the lawsuit cease and desist and here is a big fat demand for money rampage? Or was it using bully boy Bushleague rant and rave tactics and backed off and sleazed off any explanation etc.?

Paula Lieberman #43: Their bosses stopped the investigations. There have never been ANY explanation of why and never any investigation pursued looking up the chain of command of where the "leadership" for squelching the investigations came from.

The term "depraved indifference" comes to mind in this situation.

Via Lawyers, Guns and Money, a discussion of the Russian Air Force's role in the march into Georgia.

Short form: the Air Force didn't get any warning memo, didn't have a plan in place, and didn't use any of a number of cool toys that the Russians are supposed to have.

And, in related news, it appears that a major Chinese ISP has been broken via DNS cache poisoning, and is now distributing malware to all and sundry.

So there's a whole lot of noise that's been flying around about the cyber-war and all that... Only thing that's missing is an actual link between the attack and the Russian government.

Remember the Estonia cyber-attack? The one that everyone, and I do mean everyone, blamed on the Russian government? The one that ultimately was traced down to *one* individual?

Why then are comparisons between the two continuing, and being treated as proof of the Russian government's complicity? Putin is hugely popular in Russia, the nationalist spirit is flying high, and -- lest anyone is confused about the fact -- Putin is still very much at the reigns.

I can point you to a dozen malicious hacker-centric Russian sites in about five minutes, all of which will have discussions on how the DDoS attack on Georgia was a good thing. The whole point of DDoS is that the attack doesn't require a large number of people to initiate it.

The obvious point here has been made on DefenseTech: If Russia really needed to take offline the Georgian websites, it could have done so in a much more permanent, kinetic way, without the need to rely on largely untried, counterable approaches.

As for the provocations, the Georgian operation was a coordinated strike that also could not have been executed without extensive planning. But isn't it interesting how roughly 90% of South Ossetia's population hold Russian passports? Passports which, I might add, they did not have when South Ossetia separated from Georgia?

Dan Zlotnikov @ 47

If Russia really needed to take offline the Georgian websites, it could have done so in a much more permanent, kinetic way, without the need to rely on largely untried, counterable approaches.

This isn't a particularly persuasive argument. One of the great benefits of small wars of this sort to large military organizations is the chance to test new, untried tactics and technologies in the field, with a low probability of the new technique's failure preventing success of the overall objective. So the Spanish Civil War became a laboratory for the Wehrmacht's new toys, and the Vietnam War was a test of the US Army's air-mobile tactics.

Bruce Cohen@48:
What is it about a DDoS attack that
a) requires an active, physical engagement?
b) is untried?

Coming back to the news, and promoted from a Sidelight, DDOS against LiveJournal ahead of the Russian elections.