The hackers who launched cyberattacks against the former Soviet republic of Georgia two months ago probably had links to the Russian government, even though no hard evidence has been uncovered of official involvement, a report by an all-volunteer group of experts said Friday.
"Just because there was no smoking gun doesn't mean there's no connection," said Jeff Carr, the principal investigator of Project Grey Goose, a group of around 15 computer security, technology and intelligence experts that investigated the August attacks against Georgia. "There probably is a connection" between the hackers and the Russian government, said Carr, "and one of the reasons why I say that is what I've been saying all along. The military invasion was on [August 8], and within 24 hours, there was one well-formed group with target lists and a Web site and members.
"I can't imagine that this came together sporadically," he said. "I don't think that a disorganized group can coalesce in 24 hours with its own processes in place. That just doesn't make sense."
Project Grey Goose started its probe with a Russian hacker forum, Xakep.ru, which in turn led investigators to a password-protected Web site, StopGeorgia.ru. Although the group declined to get specific about how it obtained access to the latter, the experts were able to find correlations between the attacks on Georgia's Internet servers and the discussions on Xakep.ru and the postings on StopGeorgia.ru.
Two months ago, shortly after Russia and Georgia military forces clashed over the breakaway provinces of South Ossetia and Abkhazia, Georgia's governmental Web sites were knocked offline by digital attacks. Hackers, perhaps some of the cybercriminals who had links to the notorious Russian Business Network, were initially suspected, although within days some security researchers were blaming a loosely-organized "militia" of Russian hackers for the continuing attacks.
Project Grey Goose had its own take on how the hackers were organized. According to Carr and the group's report, the hierarchy was on a leader-follower, or journeyman-apprentice, model. A smaller number of "leaders" provided the hacking tools, called out application vulnerabilities and named targets. The "followers," although novice hackers, carried out the actual attacks.
There was little sign of a militia organization, where members were recruited. "There was more of a top-down relationship," said Carr. "At the very top, there was probably some channel of communication [to the Russian government], but from there it was self-organized and very informal."
Carr said it was unreasonable to think that, if the Russian government was not directly involved, it had no hand in the attacks. "The reasonable conclusion is that [the Russian government] see this as a convenience, and uses it as a way to distance itself from the hackers while at the time having a relationship with them," he said.