Monday, August 18, 2008

The RBN Operatives Who Attacked Georgia

In my view, the individuals most directly responsible for carrying out the cyber "first strike" on Georgia are two Russian Business Network operatives, Alexandr A. Boykov and Andrew Smirnov, both of Saint Petersburg, Russia. These men are not "kiddie scripters" (as some have sought to rather narrowly characterize the attackers of Georgia).

Mr. Boykov has been engaged in criminal activity for some time. He is best known for registering and distributing the malware VirusIsolator (which downloads trojans to take control of the victim's computer) (1). He has been directly involved in financial crime, and operated scam sites including: Harbor Lending, Oakwood Lending, and Capital Lending (2). Mr. Boykov is also a purveyor of porn spam (3).

Mr. Smirnov is known for operating a number of scam sites including canadian-pharmacy-support (4) and canadiandiscountmeds (5). Mr. Smirnov is known to hold Russian nationalist views, and supported cutting off natural gas supplies to the Ukraine (6). The Ukrainian authorities should note that he often travels between Russia and the Ukraine (7).

According to Spamhaus, Ukrainian cyber criminals operate a hosting service in Class C Network 79.135.167.0/24. Mr. Boykov is considered by many analysts to be the proprietor. It should be noted that the opening salvos on Georgia emanated from 79.135.167.22. This was noted as early as the morning of Sunday 10 August by both Shadowserver.org (8) and Dancho Danchev (9). These opening cyber attacks preceded the large-scale mobilization of Russian nationalist hacktivists. In fact, the Website for the President of Georgia had been under attack since July 20th (10).

In the following days, a very heavy (11) spam campaign was launched purporting to be from the BBC which accuses the President of Georgia of being gay. When an individual clicks on the link in the email, a compromised web site is opened, which downloads a virus from 79.135.167.49 (12). Spamhaus issued a warning regarding the malware at 79.135.167.49 on July 29th in SBL66533 (13). On August 5th, Alexey Vasiliev of Novosibirsk, Russia, one of the Storm worm's authors (14), had a malware domain, freepostcardonline_com, parked at 79.135.167.49 (15).

AbdAllah a/k/a IstanbulTelecom (79.135.167.0/24) has long been a haven for criminal activity. Steven Adair of Shadowserver has previously identified the AbdAllah Internet Hizmetleri group as RBN affiliated (16). Currently, the malware-distributing domain antivirus-2008pro_net resolves to 79.135.167.54 (along with ninety-three other dangerous domains). Malwaredomains.com listed the domain as a hazard on May 28th of this year (17). Presently, virus-isolator_com resolves to 79.135.167.54. The whois information for the site no longer lists Mr. Boykov, but it was registered through the notorious EstDomains to a Vargendia Limited in Cyprus. Mr. Boykov's *.virusisolator_com, a subdomain of virusisolator, resolves to IP address 217.170.77.150, as do numerous other virus-isolator sites (18). Such DNS resolution schemes are typical of fast flux and botnet operators. As with many other Russian spammers and cybercriminals, Mr. Smirnov is also now in the process of anonymizing the whois information associated with the spam domains he has registered.

Our research indicates that Mr. Smirnov and Mr. Boykov have exercised administrative level control over this Class C Network (CNet). This is clear in the historical data related to the CNet. The sheer number and frequency of their domains that have moved from IP address to IP address, across the full range of IP addresses in CNet 79.135.167, allows for no other conclusion. Given the degree of control they have historically exercised, it is very likely that they conducted or were a party to the cyber "first strike".
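The two observations above, many suspect domains co-hosted in one /24 and individual domains hopping from address to address across that block, are the kind of pattern an analyst pulls out of historical (passive) DNS data. The following Python script is an added example, not code from the original post, showing one way to surface both from a small set of resolution records. Every domain and address in it is a constructed placeholder (RFC 5737 documentation ranges and `.example` names), and the `min_distinct_ips` threshold is an assumed tuning value, not one stated in the post.

```python
"""
Added example: flag domains whose resolutions hop across many addresses
(typical of fast-flux hosting) and list which domains share a /24.
Input is a constructed passive-DNS sample; nothing here is real data.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed passive-DNS observations: (first_seen, domain, resolved IP).
# Addresses come from RFC 5737 documentation ranges; names are placeholders.
SAMPLE_PDNS = [
    ("2008-07-20", "pills-shop.example", "192.0.2.22"),
    ("2008-07-22", "pills-shop.example", "192.0.2.49"),
    ("2008-07-25", "pills-shop.example", "192.0.2.54"),
    ("2008-07-29", "pills-shop.example", "192.0.2.101"),
    ("2008-08-01", "pills-shop.example", "192.0.2.180"),
    ("2008-07-20", "av-download.example", "192.0.2.54"),
    ("2008-07-24", "av-download.example", "192.0.2.77"),
    ("2008-07-28", "av-download.example", "192.0.2.201"),
    ("2008-07-20", "static-site.example", "198.51.100.10"),
    ("2008-08-10", "static-site.example", "198.51.100.10"),
    ("2008-07-20", "cdn-ish.example", "203.0.113.5"),
    ("2008-07-21", "cdn-ish.example", "203.0.113.6"),  # two hosts is normal
]


def slash24(ip):
    """Return the /24 containing an address, as a string like '192.0.2.0/24'."""
    return str(ip_network(f"{ip}/24", strict=False))


def analyze(records, min_distinct_ips=3):
    """
    Per domain: how many distinct addresses it resolved to, how many times
    the address changed between consecutive observations, which /24 blocks
    those addresses fall in, and whether the hopping crosses the
    (assumed) threshold that marks it for analyst review.
    """
    by_domain = defaultdict(list)
    for first_seen, domain, ip in records:
        by_domain[domain].append(
            (datetime.strptime(first_seen, "%Y-%m-%d"), ip_address(ip))
        )

    report = {}
    for domain, obs in by_domain.items():
        obs.sort()  # chronological order so hops are counted correctly
        ips = [ip for _, ip in obs]
        distinct = set(ips)
        hops = sum(1 for a, b in zip(ips, ips[1:]) if a != b)
        blocks = sorted({slash24(ip) for ip in distinct})
        span_days = max((obs[-1][0] - obs[0][0]).days, 1)
        report[domain] = {
            "distinct_ips": len(distinct),
            "hops": hops,
            "blocks": blocks,
            # All movement confined to one /24 is the pattern the post describes.
            "single_block": len(blocks) == 1,
            "hops_per_week": round(hops / span_days * 7, 2),
            "flagged": len(distinct) >= min_distinct_ips,
        }
    return report


def block_cohosting(records):
    """Map each /24 to the sorted list of domains seen resolving into it."""
    by_block = defaultdict(set)
    for _, domain, ip in records:
        by_block[slash24(ip)].add(domain)
    return {block: sorted(domains) for block, domains in by_block.items()}


if __name__ == "__main__":
    for domain, info in analyze(SAMPLE_PDNS).items():
        mark = "FLAG" if info["flagged"] else "    "
        print(f"{mark} {domain:22} ips={info['distinct_ips']} hops={info['hops']} "
              f"blocks={','.join(info['blocks'])}")
    for block, domains in block_cohosting(SAMPLE_PDNS).items():
        print(f"{block}: {len(domains)} domain(s): {', '.join(domains)}")
```

Counting hops between chronologically sorted observations, rather than only distinct addresses, separates a domain that moved once (a legitimate migration) from one that keeps rotating; the per-block listing is what turns a single bad domain into a view of the whole netblock, which is how the co-hosted domains on one address are identified in the post.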

James McQuaid

(1) http://www.malwarebytes.org/forums/index.php?showtopic=4288&pid=16324&mode=threaded&show=&st=0
(2) http://www.ripoffreport.com/reports/0/337/RipOff0337263.htm
(3) http://www.castlecops.com/Blogspot_redirection_Porn_site_spam167793.html
(4) http://www.robtex.com/whois/canadian-pharmacy-support.info.html
(5) http://groups.google.com/group/news.admin.net-abuse.sightings/browse_thread/thread/9d9aa3a014ae6748
and http://www.robtex.com/whois/canadiandiscountmeds.com.html
(6) http://translate.google.com/translate?hl=en&sl=ru&u=http://supol.narod.ru/members/Andrew_Smirnov/gaz1.htm&sa=X&oi=translate&resnum=6&ct=result&prev=/search%3Fq%3Dandrew_smirnov%26hl%3Den%26sa%3DG
(7) author's private note
(8) http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080720
(9) http://ddanchev.blogspot.com/2008/08/russia-vs-georgia-cyber-attack.html
(10) http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080720
(11) https://forums.symantec.com/syment/blog/article?message.uid=344935
(12) http://garwarner.blogspot.com/2008/08/new-bbc-spam-mocks-georgias-president.html
(13) http://www.spamhaus.org/security/cookies.lasso?query=SBL66533
(14) http://www.sudosecure.net/archives/212
(15) http://www.dozleng.com/updates/index.php?autocom=custom&page=results&numpage=1&words=blocklist
(16) http://www.securityzone.org/?cat=8
(17) http://malwaredomains.com/?p=218
(18) http://www.robtex.com/ip/217.170.77.150.html