"The available evidence supports a strong likelihood of GRU/FSB planning and direction at a high level while relying on Nashi intermediaries and the phenomenon of crowdsourcing to obfuscate their involvement and implement their strategy," says the report, which was produced using research from a collective of researchers.
The FSB is Russia's federal security service, while the GRU is the main intelligence directorate for the Russian armed forces, which is involved in technical espionage. Nashi is a youth group in Russia ostensibly formed to stamp out Nazi sentiment.
The Stopgeorgia.ru site (no longer functioning), registered to help advise hackers on how to attack Georgian sites, was registered using fake information, says the report. The domain was acquired at naunet.ru, which has been blacklisted by the Spamhaus project for hosting phishing and other criminal sites.
Stopgeorgia.ru uses an IP address that resolves to a hosting firm called Steadyhost. That company has offices in an apartment building in the same block as the Russian Center for Research of Military Strength of Foreign Countries, claims the document. The block is also inhabited by the GRU. This led Carr to believe that it was an accommodation address used by agency staff, tying them to Steadyhost.
"Based upon the proximity of the GRU to the apartment building, it's reasonable to assume that some GRU personnel live there," the document says. "It does provide convenient access on a number of levels, not the least of which is the ability to provide cover accommodations (i.e., someone to provide minimum business support activities for SteadyHost)."
"SteadyHost's operators, despite registering a New York address, live and operate in St. Petersburg," alleged Don Jackson, senior security researcher at SecureWorks. "They have worked with other St. Petersburg hosting operators like Alexandr A. Boykov and have done business with Andrey Smirnov and other spammers, pharma scammers, and cyber crooks directly related to the RBN (proper) operations."
The IP block inhabited by Stopgeorgia.ru was leased to a company called Innovation IT Solutions (site down at time of writing), according to the report. It says that Innovation's web site was registered to a Russian national, who purchased the domain through Mirhosting.com, a company which he owns. Both of these companies had a London address, which Carr identified as a mail drop. The report also linked the Stopgeorgia.ru IP address to US hosting firm SoftLayer Technologies, which is on Stopbadware.org's top ten list of worst badware network blocks. That company did not return calls yesterday.
The first version of the report was unable to draw any direct links between the Kremlin and cyber attacks against its enemies. It only cited its suspicions. "The situation has since changed. In February, 2009, the Russian media reported a story that has provided new evidence pointing to how the Russian government sponsors and pays leaders of Russian youth organizations to engage in information operations up to and including hacking to silence or suppress opposition groups," said the follow-up document.
It cites the explicit tying of the Nashi Russian youth group, supported by first deputy chief of the Kremlin's presidential staff Vladislav Surkov, to the Estonian attacks. State Duma Deputy Sergei Markov had also suggested that his "assistant" had been responsible for the attacks. That individual, Nashi activist Konstantin Goloskokov, confirmed that the group was behind the attack in an interview with the Financial Times.
The report also includes an analysis of the cyberwar conducted between pro- and anti-Israel sites during the recent conflict between Israel and Hamas in the Gaza Strip. Aside from documenting the increasing role of crowdsourcing and 'voluntary botnets' in the conflict, it also alleged that pro-Israeli activists are pressuring ISPs to cut off service to hacker websites.
Jeff Carr, author of the report, drew direct parallels between the Russian cyberwar and the Israeli one. The report outlines what Carr sees as the Kremlin's complete control of the Russian internet. "the Kremlin either owns the pipes (Rostelekom, Transtelekom, and Elektrotelekom) or controls the licenses of every communications channel in Russia," said the report, also citing news articles that refer to a Russian monitoring system called SORM-2. This allegedly sends all Russian internet traffic to the FSB.
"The relevant context for me is that the Kremlin could shut down upstream and downstream access to these Russian attack sites if they wanted to. China could as well. Israel? I don't think so," Carr concluded.