Social Network Analysis and Cyber Warfare: An Open Source Project

Last Updated on Sunday, 21 December 2008 01:47 Written by admin Friday, 22 August 2008 02:23

About one month ago, the DNI issued its “Analytic Outreach” directive (ICD-205), which ordered intelligence analysts within the IC to engage with individuals “outside the IC to explore ideas and alternate perspectives, gain new insights, generate new knowledge, or obtain new information.”  Well, think of this project as a reverse Analytic Outreach.

Thanks to the ideas that Bob Gourley has recently expressed in his “Social Media and the National Security Professional”, and to industry contacts made via this blog and through Twitter, I’m both pleased and excited to announce the launch of a social network analysis of Russian cyber warfare activities.

Palantir Technologies has generously offered us the use of its very impressive analytic platform to conduct our research. We’ll be looking not only at network data involved in past cyber warfare attacks (Chechnya, Estonia, and Georgia), but incorporating semantic analysis of Russian hacker blogs in an effort to uncover connections that may not be readily apparent. If this model proves efficacious, we’ll launch a second effort examining Chinese cyber warfare/espionage activities.

This is a pure grassroots effort using only open source data pulled from the Web. All the participants are volunteers. Regular updates will be posted here, and our findings will be published in the appropriate venues.

If this effort sounds as exciting to you as it does to us, we are looking for volunteers with skills in the following areas: computer security, computational linguistics, database design and administration, and computer programming.

If you have the requisite skills and you’d like to participate in this unique project, I’ve set up a protected Twitter alias Gray Goose. Add yourself as a follower and we’ll be in touch about next steps. There will be a vetting process and not everyone who volunteers will be able to participate.

More information will be forthcoming next week so stay tuned!

UPDATE: We’ve been overwhelmed with over 80 volunteer requests. We’re accepting fewer than 10, so no further requests will be considered. Thanks to everyone who expressed interest.

21 Comments

  1. Daily Links « Milannsfriend’s Daily Rants   |  Sunday, 24 August 2008 at 12:42 pm

    [...] [...]

  2. Valdis Krebs   |  Sunday, 24 August 2008 at 1:57 pm

    Sounds like a very interesting project.

    You know, once you get close, the Rooskies will probably target you… but look at the bright side — it will be good data!

    A smaller scale mapping project is happening in Cleveland looking at corrupt politicians…
    http://mapthemess.net/wiki

    Good Luck!

  3. James A Danowski, Ph.D.   |  Sunday, 24 August 2008 at 8:23 pm

    I wish to participate. Thanks.

  4. Gerhardt13   |  Monday, 25 August 2008 at 12:20 am

    My twitter pic aside, I would be very interested in participating. I currently work for MicroSolved security consultancy, speak Russian, and travel to the former Com-Bloc quite frequently. Who knows, for once I could actually put all my useless hobbies and habits into doing something useful! lol

  5. Kiss Gergely from Hungary   |  Monday, 25 August 2008 at 1:32 am

    Gerhardt13: This is no joke. You could actually be harmed or murdered if you get close to Russian hackers! Those guys enjoy the support of the Kremlin; the ex-Russian deserter president of Secure Computing Sidewinder Inc. said this very clearly.

    Ruffian PM Vladimir Putin was governor of St. Petersburg (Leningrad) after he finished his KGB duty in East Germany. The infamous “Russian Business Network” cybergang is based in St. Petersburg and they support (read: bribe) politicians to the tune of 150 million USD a year.

    Looking into these things could give you a little polonium-210 vapor or a bullet in the head while in the elevator; those are pretty commonplace in Russian business.

    I think the free world should simply detach Russia and mainland China from the net, that is, cut cables and turn away satellite transponders. Only a state-level or international response can stop the ex-communist cybercrooks. A grassroots effort can only produce victims.

  6. Ayuda a resolver el misterio de los hackers rusos   |  Monday, 25 August 2008 at 3:18 am

    [...] citizens. Links Source: Zero Intelligence Agents Official initiative site: Intelfusion User to follow on Twitter: GrayGoose google_hints = ‘ciberataques,Ciberguerra,Open [...]

  7. James McQuaid   |  Monday, 25 August 2008 at 7:03 am

    The RBN Operatives Who Attacked Georgia
    In my view, the individuals most directly responsible for carrying out the cyber “first strike” on Georgia are two Russian Business Network operatives, Alexandr A. Boykov and Andrew Smirnov, both of Saint Petersburg, Russia. These men are not “kiddie scripters” (as some have sought to rather narrowly characterize the attackers of Georgia).

    Mr. Boykov has been engaged in criminal activity for some time. He is best known for registering and distributing the malware VirusIsolator (which downloads trojans to take control of the victim’s computer) (1). He has been directly involved in financial crime, and operated scam sites including: Harbor Lending, Oakwood Lending, and Capital Lending (2). Mr. Boykov is also a purveyor of porn spam (3).

    Mr. Smirnov is known for operating a number of scam sites including canadian-pharmacy-support (4) and canadiandiscountmeds (5). Mr. Smirnov is known to hold Russian nationalist views, and supported cutting off natural gas supplies to the Ukraine (6). The Ukrainian authorities should note that he often travels between Russia and the Ukraine (7).

    According to Spamhaus, Ukrainian cyber criminals operate a hosting service in Class C Network 79.135.167.0/24. Mr. Boykov is considered by many analysts to be the proprietor. It should be noted that the opening salvos on Georgia emanated from 79.135.167.22. This was noted as early as the morning of Sunday 10 August by both Shadowserver.org (8) and Dancho Danchev (9). These opening cyber attacks preceded the large-scale mobilization of Russian nationalist hacktivists. In fact, the Website for the President of Georgia had been under attack since July 20th (10).

    In the following days, a very heavy (11) spam campaign was launched purporting to be from the BBC, which accuses the President of Georgia of being gay. When an individual clicks on the link in the email, a compromised web site is opened, which downloads a virus from 79.135.167.49 (12). Spamhaus issued a warning regarding the malware at 79.135.167.49 on July 29th in SBL66533 (13).

    AbdAllah a/k/a IstanbulTelecom (79.135.167.0/24) has long been a haven for criminal activity. Currently, the malware distributing domain antivirus-2008pro_net resolves to 79.135.167.54 (along with ninety-three other dangerous domains). Malwaredomains.com listed the domain as a hazard on May 28th of this year (14). Presently, virus-isolator_com resolves to 79.135.167.54. The whois information for the site no longer lists Mr. Boykov, but was registered through the notorious EstDomains to a Vargendia Limited in Cyprus. Mr. Boykov’s *.virusisolator_com, a subdomain of virusisolator, resolves to IP address 217.170.77.150, as do numerous other virus-isolator sites (15). Such DNS resolution schemes are typical of fast flux and botnet operators. As with many other Russian spammers and cybercriminals, Mr. Smirnov also is now in the process of anonymizing the whois information associated with the spam domains he has registered.

    Our research indicates that Mr. Smirnov and Mr. Boykov have exercised administrative-level control over this Class C Network (CNet). This is clear in the historical data related to the CNet. The sheer number and frequency of their domains that have moved from IP address to IP address, across the full range of IP addresses in CNet 79.135.167, allows for no other conclusion. Given the degree of control they have historically exercised, it is very likely that they conducted or were a party to the cyber “first strike”.

    James McQuaid
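    The comment above reasons from DNS resolution history: domains that hop between many addresses inside one /24, and addresses that host many unrelated malicious domains, are read as signs of shared administrative control and fast-flux style operation. The following Python script is an added example written for this page, not code from the post, the commenter, or Project Grey Goose. It runs the same kind of analysis over a constructed passive-DNS dataset (domain, IP, first-seen date); the domain names and the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges are invented placeholders, and the thresholds (`min_ips`, `min_domains`) are assumptions a defender would tune to their own data.

```python
"""Passive-DNS style infrastructure clustering (added example, constructed data)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample records: (domain, ip, first_seen as ISO date).
# Addresses come from RFC 5737 documentation ranges; none of this is real data.
RECORDS = [
    ("bad-pharmacy.example", "192.0.2.22", "2008-07-20"),
    ("bad-pharmacy.example", "192.0.2.49", "2008-07-28"),
    ("bad-pharmacy.example", "192.0.2.54", "2008-08-05"),
    ("bad-pharmacy.example", "192.0.2.201", "2008-08-10"),
    ("fake-av.example", "192.0.2.54", "2008-05-28"),
    ("fake-av.example", "192.0.2.49", "2008-07-29"),
    ("fake-av.example", "192.0.2.130", "2008-08-02"),
    ("lending-scam.example", "192.0.2.22", "2008-06-01"),
    ("lending-scam.example", "192.0.2.54", "2008-08-09"),
    ("stable-site.example", "198.51.100.7", "2008-01-01"),
]


def ips_per_domain(records):
    """Map each domain to the distinct IPs it has resolved to, sorted numerically."""
    out = defaultdict(set)
    for domain, ip, _ in records:
        out[domain].add(ip)
    return {d: sorted(ips, key=ip_address) for d, ips in out.items()}


def domains_per_ip(records):
    """Map each IP to the set of domains that have resolved to it."""
    out = defaultdict(set)
    for domain, ip, _ in records:
        out[ip].add(domain)
    return dict(out)


def move_count(records):
    """Number of times each domain changed IP, following first_seen order.
    Frequent moves are the 'IP address to IP address' pattern in the comment."""
    by_domain = defaultdict(list)
    for domain, ip, seen in records:
        by_domain[domain].append((seen, ip))
    moves = {}
    for domain, entries in by_domain.items():
        ips = [ip for _, ip in sorted(entries)]  # ISO dates sort lexically
        moves[domain] = sum(1 for a, b in zip(ips, ips[1:]) if a != b)
    return moves


def hosting_footprint(records, cidr):
    """Fraction of a prefix's addresses used by any domain in the dataset.
    A domain group touching addresses spread across a whole /24 is what the
    comment treats as evidence of administrative control over the block."""
    net = ip_network(cidr)
    used = {ip_address(ip) for _, ip, _ in records if ip_address(ip) in net}
    return len(used) / net.num_addresses


def flux_candidates(records, cidr, min_ips=3):
    """Domains that resolved to at least min_ips distinct addresses inside cidr.
    min_ips is an assumed threshold; tune it to the observation window."""
    net = ip_network(cidr)
    return sorted(
        d for d, ips in ips_per_domain(records).items()
        if sum(ip_address(ip) in net for ip in ips) >= min_ips
    )


def shared_hosts(records, min_domains=2):
    """IPs hosting at least min_domains distinct domains: pivot points that let
    an analyst link otherwise unrelated scam, spam and malware domains."""
    return {ip: sorted(ds) for ip, ds in domains_per_ip(records).items()
            if len(ds) >= min_domains}


if __name__ == "__main__":
    print("moves per domain:", move_count(RECORDS))
    print("footprint of 192.0.2.0/24:", hosting_footprint(RECORDS, "192.0.2.0/24"))
    print("flux candidates:", flux_candidates(RECORDS, "192.0.2.0/24"))
    for ip, ds in sorted(shared_hosts(RECORDS).items(), key=lambda kv: ip_address(kv[0])):
        print(f"{ip} hosts {len(ds)} domains: {', '.join(ds)}")
```

    On real passive-DNS data the same four views (per-domain IP sets, per-IP domain sets, move counts over time, and footprint across a prefix) are what turn a pile of individual whois and resolution records into the infrastructure clusters the comment describes; the thresholds and the choice of prefix are the parts an analyst has to justify for each dataset.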

  8. Admin   |  Monday, 25 August 2008 at 8:56 am

    Thanks all who have responded to this post. We’ll be contacting you about your participation in this project. Please be sure to register via Twitter.com/graygoose as well.

  9. Ayuda a resolver el misterio de los hackers rusos | Bajalo.com - Videos Gratis, Musica, Noticias, Deportes, Tecnologia, Farandula y mucho mas   |  Monday, 25 August 2008 at 7:25 pm

    [...] Enlaces relacionados:Zero Intelligence AgentsIntelfusionGrayGoose [...]

  10. Gerhardt13   |  Wednesday, 27 August 2008 at 12:42 am

    Gergely: I am very aware of the implications that such a Project could entail on my personal safety. It is for this very reason that I will try to attain a certain level of anonymity in relation to anything published by the project. Even with such a project aside, my safety would be unassured anyway. I’ve been attacked/harassed several times in Kiev recently, and I would expect nothing less in St. Petersburg, Moscow, or even Volgograd. I try to keep contact to a minimum, and even occasionally tell non-authorities I’m from somewhere else (such as Poland).

  11. Social Network Analysis and Cyberwarfare « Blogs are like opinions. Everybody has one…   |  Wednesday, 27 August 2008 at 12:52 pm

    [...] August 27, 2008 From “Social Network Analysis and Cyber Warfare: An Open Source Project“: “We’ll be looking not only at network data involved in past cyber warfare attacks [...]

  12. Sam   |  Thursday, 28 August 2008 at 4:51 am

    I’m interested in assisting. Please provide POC. Have resources.

  13. Derek   |  Friday, 29 August 2008 at 3:02 pm

    I’m interested in participating… I tried signing on to twitter earlier but didn’t hear back

  14. admin   |  Saturday, 30 August 2008 at 6:26 am

    Derek, message rcvd. Check your email.

  15. IntelFusion at CTlab « ubiwar.com   |  Friday, 05 September 2008 at 3:37 pm

    [...] a great guest post on the potential of open source intelligence (OSINT) and his new Gray Goose project just up at CTlab. With the DNI Open Source Conference 2008 happening next week, [...]

  16. blackflag   |  Thursday, 11 September 2008 at 6:51 pm

    I’d like to discuss your project further in private, please contact me via email when you get the chance.

    A project very similar to yours has been underway for some time with good result. While I am not involved in that project I do have another project underway and have access to resources that may be of assistance to you. I’d like to discuss a collaborative relationship between us.

    Regards,
    bf

  17. מאחורי צג הברזל | Nir Boms   |  Friday, 19 September 2008 at 2:12 am

    [...] divided in their opinions about the source of the attacks on the Georgian servers; an open source initiative was announced in an attempt to locate the source of the attack – and to settle this aspect of [...]

  18. The Remote Viewer » Blog Archive » Russia - Georgia cyber war : Project Grey Goose’   |  Saturday, 18 October 2008 at 9:54 am

    [...] Intelligence (OSINT) initiative to investigate the Russia – Georgia cyber war of August, 2008. Project Grey Goose sought to establish whether the Russian government was involved in coordinating the DDOS attacks on [...]

  19. The Remote Viewer » Blog Archive » DHS to Analyze Blogs and Message Boards for C-IED   |  Friday, 31 October 2008 at 10:20 am

    [...] seems the value of open-source intelligence analysis of the Internet has not escaped the Department of Homeland Security. This [...]

  20. andreyP   |  Thursday, 11 December 2008 at 4:31 am

    Hi
    I consider that this is real.

  21. cvetidushi   |  Sunday, 15 February 2009 at 2:48 am

    Well yes, interesting history
