A New Breed Of Hackers Tracks Online Acts of War

Washington Post
Wednesday, August 27, 2008

“Hacktivists” Update Their Mission
By Kim Hart
Washington Post Staff Writer

TORONTO — Here in the Citizen Lab at the University of Toronto, a new breed of hackers is conducting digital espionage.

They are among a growing number of investigators who monitor how traffic is routed through countries, where Web sites are blocked and why it’s all happening. Now they are turning their scrutiny to a new weapon of international warfare: cyber attacks.

Tracking wars isn’t what many of the researchers, who call themselves “hacktivists,” set out to do. Many began intending to help residents in countries that censor online content. But as the Internet has evolved, so has their mission.

Ronald J. Deibert, director of the Citizen Lab, calls the organization a “global civil society counterintelligence agency” and refers to the lab as the “NSA of operations.”

Their efforts have ramped up in the past year as researchers gather evidence that Internet assaults are playing a larger role in military strategy and political struggles. Even before Georgia and Russia entered a ground war earlier this month, Citizen Lab’s researchers noticed sporadic attacks aimed at several Georgian Web sites. Such attacks are especially threatening to countries that increasingly link critical activities such as banking and transportation to the Internet.

Once the fighting began, massive raids on Georgia’s Internet infrastructure were deployed using techniques similar to those used by Russian criminal organizations. Then, attacks seemed to come from individuals who found online instructions for launching their own assaults, shutting down much of Georgia’s communication system.

Two weeks later, researchers are still trying to trace the origins of the attacks. “These attacks in effect had the same effect that a military attack would have,” said Rafal Rohozinski, who co-founded the Information Warfare Monitor, which tracks cyber attacks, with Citizen Lab in 2003. “That suddenly means that in cyberspace anyone can build an A-bomb.”

The cyber attacks that disabled many Georgian and Russian Web sites earlier this month marked the first time such an assault coincided with physical fighting. And the digital battlefield will likely become a permanent front in modern warfare, Deibert said.

Seven years ago, Deibert opened the Citizen Lab using grant money from the Ford Foundation. Soon after, he and Rohozinski helped begin the OpenNet Initiative, a collaboration with Harvard’s Law School, Cambridge and Oxford universities that tracks patterns of Internet censorship in countries that use filters, such as China. The project received an additional $3 million from the MacArthur Foundation. Deibert and Rohozinski also launched the Information Warfare Monitor to investigate how the Internet is used by state military and political operations. And Citizen Lab researchers have created a software tool called Psiphon that helps users bypass Internet filters.

The combined projects have about 100 researchers in more than 70 countries mapping Web traffic and testing access to thousands of sites.

A number of companies specialize in cyber security, and several nonprofit organizations have formed cyber-surveillance projects to keep international vigil over the Web. Shadowserver.org, for example, is a group of 10 volunteer researchers who post their findings about cyber attacks online.

The small Toronto office of Citizen Lab, tucked in a basement of the university’s Munk Centre for International Studies, serves as the technological backbone for the operations. World maps and newspaper clips cover the walls. Researchers move between multiple computer screens, studying lists of codes with results from field tests in Uzbekistan, Cambodia, Iran and Venezuela, to name a few.

“We rely on local experts to help us find out why a particular site is being blocked,” Deibert said. It could be a problem with the Internet service provider, a temporary connection glitch or a downed server. “But what’s more effective is blasting a site into oblivion when it is strategically important. It’s becoming a real arms race.”

He’s referring to “denial of service” attacks, in which hundreds of computers in a network, or “botnets,” simultaneously bombard a Web site with millions of requests, overwhelming and crashing the server. In Georgia, such attacks were strong enough to knock key sources of news and information offline for days.

Georgian Internet service providers also limited access to Russian news media outlets, cutting off the only remaining updates about the war. On the night of Aug. 12 — the height of the fighting — “there was panic in Tbilisi brought about by a vacuum of information,” Rohozinski said.

Shadowserver saw the first denial of service attack against Georgia’s presidential Web site July 20. When the fighting began, Andre M. Di Mino, Shadowserver’s founder, counted at least six botnets launching attacks, but it was “difficult to tell if it was a grass-roots effort or one commissioned by the government.”

The organization detects between 30 and 50 denial of service attacks every day around the world, and Di Mino said they have become more sophisticated over the past two years.

“It really went from almost a kiddie type of thing to where it’s an organized enterprise,” he said. But he’s hesitant to label this month’s attacks as a form of cyberwar, although he expects networks to play an expanded role in political clashes.

Jose Nazario, a security researcher with Arbor Networks, said cyber attacks used to target a computer’s operating system. But he’s seen a “tremendous rise” in attacks on Web browsers, allowing attackers access to much more personal information, such as which sites a person visits frequently. An attacker then could learn which servers to target in order to disrupt communication.

It’s unclear who is behind the attacks, however. In some cases, the locations of botnet controllers can be traced, but it’s impossible to know whether an attacker is working on the behalf of another organization or government. “It’s going to take a year to figure this out,” Nazario said.

The data trail often goes cold when it crosses borders because there is little legal framework for such investigations. And many countries, along with the United Nations and other international bodies, are still weighing whether a cyber attack is an act of war.

“If a state brings down the Internet intentionally, another state could very well consider that a hostile act,” said Jonathan Zittrain, co-founder of Harvard’s Berkman Center for Internet Society, and a principal investigator for the OpenNet Initiative.

There are also strategic reasons not to disrupt networks in order to monitor the enemy’s conversations or to spread misinformation.

“That’s an amazing intelligence opportunity,” he said.

Using the Internet to control information can be more important than disrupting the networks when it comes to military strategy, Rohozinski said. In Georgia, for example, the lack of access to both Georgian and Russian sources of information kept citizens in the dark while the fighting continued.

“Sometimes the objective is not to knock out the infrastructure but to undermine the will of the people you’re fighting against,” he said. “It’s about the nuts and bolts, but it’s also about how perceptions can be shaped through what’s available and what’s not.”

© 2008 The Washington Post Company