Why I believe that the Kyrgyzstan Government hired Russian hackers to launch a DDOS attack against itself.
Last Updated on Wednesday, 4 February 2009 07:30 Written by admin Friday, 30 January 2009 11:32
The Kyrgyzstan cyber attacks of Jan 18 – ? have been getting a lot of press after my initial post about it on Jan 23, particularly since Don Jackson of SecureWorks blogged about it on January 28 and added his analysis. Don referenced my earlier post as well as the Grey Goose report (thanks Don), but I disagree with some of his findings. Here’s why.
1. This is not about denying U.S. forces access to the Manas air base in Kyrgyzstan. President Bakiyev is an ally of the Russian Federation. If Putin wanted to squeeze him into complying, he has many more effective options than a DDoS attack; the biggest stick right now being economic.
2. The most direct way to discover the motive behind the attacks is to look at what’s happening simultaneously WITH the attacks. I created a list here. All but one are related to the formation of the United Popular Movement (UPM), who are calling for the ouster of Bakiyev because of cronyism and his lack of democratic reforms, as well as his inability to fix the ailing economy of the country. Denying the UPM Internet access, along with arresting their leaders, is a classic one-two punch.
3. Almost this exact scenario happened in 2005 when Bakiyev, then an opposition leader, successfully led a regime change against then-President Akayev. Cyber attacks occurred then as well, effectively blocking access to opposition Web sites.
4. Finally, the Kyrgyz government has the ability to combat this threat, and the office responsible has done nothing about it. The Kyrgyzstan Interior Ministry's Ninth Main Directorate was recently set up (in part) to counter cyber threats. Training is provided by Russian law enforcement agencies, according to Taalay Kadyrkulov, deputy head of the Ninth Directorate (source: Bishkek AKIpress Online, 12 Jan 09).
This is not a sophisticated attack, and it is being routed through Russian servers. If Kadyrkulov or anyone else in the Kyrgyz government wanted it stopped, it would be a relatively easy matter for them to do so. The Russian government monitors and has full control over its servers at Golden Telecom Moscow and JSC Moscow, which account for a majority of the servers involved in this attack.
So in this case of competing hypotheses, I choose to believe the one with the fewest complexities and assumptions: that this is a simple case of an existing regime trying to retain power by silencing its opposition in every way possible, including hiring Russian hackers to launch DDoS attacks on its own Internet Service Providers.
UPDATE (2/4/09): Jose at Arbor Networks has an excellent post on this topic, and his point – that the attacks don't appear to come via any of the usual channels – is another reason why I don't believe that the Russian government is behind the DDoS attacks of January 18. They didn't fit the profile of the past cyber attacks that have been attributed to Moscow.