Source: hro.org (info), 11/04/11
· Freedom of expression
The website of the independent newspaper Novaya Gazeta is up and running again following a powerful cyber attack last week. HRO.org has prepared the following briefing, collating expert views on what happened, why, with what aim and who may have been behind the attack.
The publication's Internet site crashed on 7 April 2011 at 3:00 pm Moscow Time. At 3:10 pm the editorial office received a phone call from the Kaspersky Labs computer company, Russia's leading producer of firewalls and other software protection against viruses, spam and hacker attacks.
Experts at Kaspersky Labs established a connection between the DDoS attack on http://www.google.com/url?q=http%3A%2F%2Fwww.novayagazeta.ru%2F&sa=D&sntz=1&usg=AFrqEzdLMBh1kSOPmPGS0WgmxGW5viOwLQ and an earlier attack that had brought down the social networking site LiveJournal ("Живой журнал"). They explained to Novaya Gazeta journalists that this was not a virus specifically created to launch a DDoS attack against their site, but rather one of a number of Optima-Botnets the experts had been aware of for some time, Lenta.ru reports.
Kaspersky Labs offered Novaya Gazeta its Kaspersky DDoS Prevention system to help repel the attack.
To illustrate the intensity of the attack, Novaya Gazeta said that on Thursday 7 April within a mere 14 seconds the site registered 70 thousand unique visitors – normally the number visiting the site over a 24 hour period.
For this reason the content of the Friday (8 April) edition could not be posted on the newspaper's site exactly at midnight. The newspaper was forced to publish its content in PDF format on its LiveJournal blog and ask readers to help distribute the issue.
It is worth noting that LiveJournal users responded to this appeal with great enthusiasm. By 4:00 pm Friday the issue had been reprinted 106 times in blogs. “If every user has an average of 300 'friends' the issue will have reached 30,000 people. And that's through LiveJournal alone,” Novaya Gazeta stated.
On 8 April at around 3:00 pm technical experts informed Novaya Gazeta that the intensity of the assault on its site had diminished noticeably. By 4:00 pm the DDoS attack stopped almost completely. The editors decided to try restarting the portal on its previously used Russian hosting platform. The site was launched at 7:30 pm but the attack was renewed within a minute.
This has led Novaya Gazeta to conclude that rather than disappearing, the Botnet had only switched into “waiting mode” and that it was programmed to be activated by any sign of activity on the part of the site's owners.
In the early morning hours of 9 April the publication was able to re-launch the site through a backup platform but it soon transpired that this lacked sufficient capacity.
It was not until Saturday 10 April that the Novaya Gazeta website was able to resume normal activity.
So who was behind the attack on Novaya Gazeta?
The initiators of the cyber attack have not yet been identified. Meanwhile the publication's editor-in-chief Dmitry Muratov has given his opinion as to the attack’s purpose. He believes that it was quite obviously an attack with pre-planned timing.
The specific target of the attack might have been the publication's new project, the Runet Web Parliament.
The term "Web" is used not in the sense of “virtual” but to indicate how the project works. Any Internet user may propose any candidate – including him- or herself – to this alternative legislative body. As Novaya gazeta’s editor-in-chief Dmitry Muratov said in an interview with RIA Novosti, “a vast number of people responded to this idea. It suddenly proved an overwhelming success.”
Following this success certain Web Parliament candidates started receiving large numbers of votes at night.
"This has been clearly a conscious attempt at sowing national discord and generating chauvinism by means of Botnets and those who are behind them and control them. We have, of course, discarded these votes using technologies that had been developed in advance, and we made public the methodology we used to do that,” stressed Dmitri Muratov.
When the second round of voting for the Web Parliament got underway, the attacks started again, he added.
As a result the voting had to be halted. Incidentally, the editors of Novaya Gazeta emphasize: “We have certainly not given up the idea of carrying through this project. Only now, after the DDoS attack against us, we have decided to change the rules.”
Besides, Dmitri Muratov thinks the assault may also have targeted the newspaper's investigative journalism.
Head of Novaya Gazeta's press office Nadezhda Prusenkova said that the paper was planning to ask law enforcement officials for help. However, she said, judging by the experience of recent years it is unlikely the organizers of the cyber attack would be found; the only option would be to move the paper's servers abroad.
“We are discussing whether it is worth trying to start criminal proceedings,” the paper’s chief issue-editor Sergei Sokolov said.
A spokesman for the Department K, the police ministry’s subdivision responsible for combating computer crime, explained in a BBC interview that all investigations into cybercrime involve close international cooperation. “We are cooperating actively not just with the US but also with many other countries,” a press office representative stressed.
Russian law enforcement agencies have some experience of solving information technology crimes. For example, it did not take them long to identify the hacker from Novorossiisk who displayed video porn at a stand in the centre of Moscow.
However, when it comes to fighting international cybercrime the efforts of the special services of a single country often prove inadequate. It is technically very difficult to deal with the perpetrators, whoever gives the order.
Usually the organizers of cyber attacks, the criminals' accounts, their equipment and the objects of their attacks are scattered around the world. For example, in the case of Novaya Gazeta, the attack was launched from servers located in south Asia and other regions.
Experts on combating cybercrime agree that the best way to ensure Internet security is through even closer cooperation between governments, providers and companies, said the BBC.
Russian President Dmitri Medvedev was outraged at the attacks on LiveJournal. However, many commentators believe that the perpetrators behind the attacks on LiveJournal and Novaya Gazeta's site were acting on the orders of the Russian authorities.
Commentators believe it possible that the attack against LiveJournal and the voting for the Runet Web Parliament has been part of a bigger ploy against free discussion platforms. The methods tested in this attack could later be used for other purposes, for example during Russia's parliamentary and presidential elections.
A New Times source within the Russian FSB poured further oil on the flames. The journal reported that Roman K., a senior officer in the FSB Information Protection Department told them his security service had the technical capability to paralyse Internet across the entire country, if the situation demanded it.
“If, in an emergency, we are officially asked to bring down the Internet, we can certainly do this. Although, not completely. We cannot quite access the satellite part of the traffic, carried by servers that cannot be controlled from Russian territory,” said Roman K.
In this context the former State Duma deputy and currently opposition politician Vladimir Ryzhkov stated in an interview with a New Times correspondent: “I've been told that a special subsection for controlling the Internet has existed in the Lubyanka for several years now, and is capable of dealing with any task. It is quite possible that what we are seeing are just test runs with the elections in mind. It is possible that as we speak technologies are being developed that will make it possible, when necessary, to block all basic social networks in order to prevent the dissemination of information and the organization of protest actions.”
Compiled by Vera Vasilieva, HRO.org