Proactive IT Security

Attack on major social network sites to stop ONE person

Introduction

Last week the media was flooded by information about an attack on social networking sites like Twitter, LiveJournal and Facebook, allegedly with the intent to stop one Georgian blogger. The blogger calls himself Cyxymu, which according to the blogger is the name of his home town in Russia written in the Latin character set.

Twitter was down approximately two hours while the other affected social networking sites experienced less degraded performance.

This event is interesting at different levels and we shall discuss some of these in this security article. This discussion will be characterized by quite a lot of speculation, which is an ironic side-effect as we shall see.

Facts are characterized by their non-existence

The story is strange! Even though the media focus was quite significant, amazingly few "hard facts" have been revealed, and most of the information about the background for the event comes from the Georgian blogger himself.

Information from the attacked Internet sites

Twitter was the social networking site that was hardest hit, and not surprisingly that site has the most information about the event. Even Twitter, though, is quite vague in its information:

In the past 24 hours, we've been contending with a variety of attacks that continue to change in nature and intensity.  (...)

The ongoing, massively coordinated attacks on Twitter this week appear to have been geopolitical in motivation. However, we don't feel it's appropriate to engage in speculative discussion about these motivations. The open exchange of information can have a positive impact globally and our job is to keep Twitter services running reliably to the best of our ability.
Twitter's blog 7 August 2009

LiveJournal has posted the following in its maintenance journal:

As some of you may know, LiveJournal has been under attack this morning from 6:00am PST until ??? We have taken steps to mitigate the DDoS but some users may still experience site connectivity problems. We are aware of these issues, (...)
LiveJournal Maintenance Archive 6 August 2009

The author of this security article was not able to find any official information about this on Facebook's public web pages, although the event itself was of course heavily discussed in various Facebook groups.

Information available in the media

As mentioned, the event received much media attention. A Google search for all the keywords twitter facebook livejournal down august, restricted to web pages posted last week, returns more than 37 million hits.

Here are a few highlights:

cnet

A Georgian blogger with accounts on Twitter, Facebook, LiveJournal, and Google's Blogger and YouTube was targeted in a denial-of-service attack that led to the sitewide outage at Twitter and problems at the other sites on Thursday, according to a Facebook executive.

The blogger, who uses the account name "Cyxymu," (the name of a town in the Republic of Georgia) had accounts on all of the different sites that were attacked at the same time, Max Kelly, chief security officer at Facebook, told CNET News.

(...)

Kelly declined to speculate on who was behind the attack, but he said: "You have to ask who would benefit the most from doing this and think about what those people are doing and the disregard for the rest of the users and the Internet."

>>The complete cnet article


New York Times

The cyberattacks Thursday and Friday on Twitter and other popular Web services disrupted the lives of hundreds of millions of Internet users, but the principal target appeared to be one man: a 34-year-old economics professor from the republic of Georgia.

(...)

This week, he began posting day-by-day accounts of the run-up to the conflict that drew partly on posts from his readers inside of Abkhazia, who he said had been describing how the Russian army staged its forces in the region in early August 2008.

>>The complete article from New York Times


ComputerWeekly.com

According to Facebook, what all these sites have in common is a user who is an anti-Russian blogger called Cyxymu from Tbilisi, the capital of Georgia.

This theory is given "credibility" by the fact that the DoS attacks coincide with the first anniversary of the start of last year's conflict between Russia and Georgia.

Facebook claims cross-service DoS attacks were all aimed at preventing Cyxymu communicating with his followers on this date. (...)

>>The complete article from ComputerWeekly.com

The relatively few security experts who have commented on the event seem to agree that the attack came in two parts:

  1. A spammed email with spoofed sender information that had links to the Georgian blogger's accounts on social networks.
  2. A Distributed Denial of Service (DDoS) attack on the social networking sites. This DDoS attack was most likely carried out by using one or several botnets.

Why?

This, of course, is the interesting question.

A few have speculated that the Russian government orchestrated the attack. Among them is Cyxymu himself, who according to BBC News has published (in a blog) a letter to the Russian president, Medvedev, saying:

(...) the entire world is speaking of the Russian hackers working for the Russian Federation government. (...)

>>The complete article from BBC News

Most security experts - including Norman's - agree that it is highly unlikely that the Russian government was involved in this activity, particularly if the intended outcome was to silence a single individual blogger. If anything, the effect was the contrary, which should have been pretty obvious in advance.

One starting point in investigating any crime is to look at who benefits ("cui bono"), and in this case it is at least obvious who does not benefit:

  • The Russian government, which has been the recipient of some non-flattering rumors (such as those mentioned above)
  • Members of the social networking sites that had their activities disrupted
  • The social networking sites themselves.

A much more probable theory is that the attack was launched by an individual or a group that did not like Cyxymu's points of view and therefore attempted to (temporarily) stop these views from being read by others. One should however be aware that disrupting the service of some of the biggest Internet sites in existence requires resources that are far from insignificant; this is not something anyone does on impulse there and then.

The conspiratorial approach to the event is of course that the whole setup was orchestrated by the blogger himself and/or someone who represents the views he advocates.

And then... nothing

After the initial explosion of media attention, which offered very little real information, silence ensued.

One would have expected that investigating this case in more depth might have been interesting. After all, it is not every day that several of the major social networking sites are attacked successfully with such a peculiar basis as the alleged reason.

This is indeed a very strange issue, and it seems doubtful that the complete story will ever be revealed.