Security researchers zero in on Twitter hackers

Confirm DDoS attacks targeted pro-Georgian blogger in massive effort to keep him quiet

Security experts are making progress in their efforts to identify the hackers responsible for the distributed denial-of-service (DDoS) attacks that that crippled Twitter for several hours Thursday.

They have also come up with strong evidence that confirms claims the DDoS rampage that brought down Twitter and hit Facebook, Google's YouTube and LiveJournal, were caused by attacks targeting a pro-Georgian activist and blogger.

But they have yet to nail down exactly who was behind the attacks, how they were conducted, and from where.

Twitter, meanwhile, admitted that the attacks were "geopolitical in motivation."

"This was a very targeted attack, and what the research shows is that it was aimed at one particular person, and that person's accounts on Twitter, Facebook, YouTube and LiveJournal," said Dave Marcus, director of security research at antivirus vendor McAfee.

McAfee has identified six separate DDoS attacks against various accounts registered to a user pegged as "Cyxymu," as well as a simultaneous spam e-mail campaign aimed at Cyxymu's Gmail account.

"We back-traced and correlated the data the attacks targeting Facebook, Twitter and others, and found commonalities in the IP [address] information," Marcus said.

Although McAfee was as of yet unable to identify the botnet responsible for the DDoS attacks, its trace-backs revealed that 29 per cent of the machines composing the army of hijacked computers were located in Brazil. Turkish PCs accounted for another 9 per cent, and Indian systems made up another 8 per cent.

Marcus declined to guess the botnet's size. "That's kind of point of contention," he said. "In the case of Twitter, they've gone down before anyway, so it could have been small. Facebook, however, tends to be a lot more resilient, with a lot more load balancing and defensive measures." That might indicate the botnet, which hampered Facebook but didn't knock it offline, is larger.

"We're still looking at which botnet it was that did this," Marcus said.

So is Don Jackson, director of threat intelligence for SecureWorks and a noted DDoS expert, who last year at this time investigated Russian "cybermilitia" attacks against Georgia, the former Soviet republic that was then battling Russian military forces over a territorial dispute. "We don't have indication that it's part of a known botnet," Jackson said today. "For such a high-volume, high-profile DDoS [attack], there's a conspicuous lack of evidence."

Jackson and other researchers at SecureWorks haven't seen the usual chatter in known hacker and "hacktivist" forums, been able to locate any botnet command-and-control servers showing evidence of having ordered the DDoS attack, or found any clues that the usual commercial DDoS suspects, who make a living renting out bots for such attacks, were involved.

"Either we had a serious breakdown in our security intelligence on this, or the commercial DDoS guys have researched, and found, different ways to mask their attacks," said Jackson.

However, what data SecureWorks does have points to multiple DDoS attacks launched against the pro-Georgian blogger, Jackson said, backing what Marcus has said.

Even so, Jackson was mystified at the lack of hard information. "We have all kinds of feelers out there to find out if this is a Georgia versus Russia thing," he said. "We have all kinds of triggers that would tell us if that was the case. But so far, there's been nothing."

Last August, Russian hackers mobilized an ad hoc DDoS against numerous state-sponsored sites in Georgia, including its foreign ministry's, defense department's and president's sites. At the time, researchers said that the attacks had left Russian hacker fingerprints.

Today, Jackson said there might well be a connection between last year's attacks and those against Twitter, Facebook and others yesterday. He cited the circumstantial evidence of the dates -- Georgia attacked the break-away province of South Ossetia on August 7, and Russia responded the next day.

"There's certainly a lot constant hackers involved over there, but there's no chat about it at all in the usual places," Jackson said. "But I think it would be unusual for them to self-mobilize for an attack of this size, against one person."

That would add weight to the idea that a commercial DDoS operator might have been involved. If it was a Russian group that specializes in DDoS attacks, "the cost would be free," said Jackson, adding that it was conceivable that the botnet had been donated to the cause of hitting Cyxymu.

"Hacktivism is very much back," said McAfee's Marcus. "But it's really hard to say that this is the beginning of a trend, this targeting of individuals that leads to collateral damage [like the Twitter outage]."

On the plus side, Marcus said, when Twitter went dark for several hours the outage prevented not only the innocent, but also the criminals, who rely on Twitter as a launch platform for spam and malware distribution.

"I guarantee that they were irritated," Marcus said.

For its part, today Twitter co-found Biz Stone acknowledged that the micro-blogging site had not restored full service, and was in fact still fending off attacks. He also hinted at a confirmation of what McAfee, SecureWorks and other security firms said today, that the attacks had some kind of political agenda.

"The ongoing, massively coordinated attacks on Twitter this week appear to have been geopolitical in motivation," Stone said in a company blog posted just before 2 p.m. Eastern.

"However, we don't feel it's appropriate to engage in speculative discussion about these motivations," Stone said.

Join the PC World newsletter!

Error: Please check your email address.

Tags biz stonehackersexploits and vulnerabilitiesddostwitter

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Show Comments

Most Popular Reviews

Latest News Articles


PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?