Couple more thoughts on the Twitter attack

Earlier, I blogged that Twitter was DOS’ed last Thursday to go after one guy who goes under the user alias Cyxymu.  I postulated that someone was impersonating Cyxymu in order to discredit during a spam blitz and then DOS’ed various sites where he posts.  I’m going to expand on that theory.

Assuming that Cyxymu was not behind the spam run, the following questions come to mind:

1. Who was behind the spam run and cyberattack?
2. Why did they do it?

Let’s look at question 1.  Who did it? Was it the Russian government? Did they engage in state sponsorship of cyberwarfare in order to silence a dissenter? Is their skin really this thin?  While possible, this attack follows a similar pattern of two episodes in recent memory. In 2007, the Estonian government came under cyberattack when they attempted to remove a Russian war memorial from one of its major cities. At the time, the Estonian government accused the Russian government of coordinating the attacks, but it turns out that an aide to a Russian politician in the Duma was responsible for it and acted "alone", that is, without direction from Russia explicitly. Of course, he still had lots of help from friends in the botnet community.

In 2008, during the first Russian/Georgian war, Georgia came under cyberattack, and also accused Russia of co-ordinating it. However, as Israeli security expert Gadi Evron points out, the attack probably was not coordinated by the Russian government. Both this incidence and the Estonian one appear to be co-ordinated cyber-riots, that is, a group of hackers who are fiercely patriotic got angry at anti-Russian rhetoric. They got together and took down the government's web sites in an attempt to "make them pay."

I would tend to lump this in the same category. Some people who didn’t like what Cyxymu was saying got together and hatched plan: shut this guy up, and make him look unethical.  Here’s a proposed timeline:

1. Pro-Russian guy has been following Cyxymu for some time and want to silence him.

2. Pro-Russian guy talks to his friends who either control botnets or know guys who control botnets.

3. Botnets send out a large spam run redirecting to Cyxymu’s pages on various social networking sites.

4. Simultaneously, other botnets (or possibly the same but if I were doing it, I’d definitely use a different one) start DOS’ing Twitter, LiveJournal, Facebook, etc. 

5. Various people will think that all these people clicked on links in spam and the sheer volume of people going to these sites will take them down.

6. Facebook, LiveJournal, etc, find out about the spam campaign and shut down Cyxymu’s site.  Of course, this didn’t actually happen because the strategy was quite transparent.

While we don't know for certain who is responsible and why they did it (not yet, anyhow), we do know that whoever was behind these attacks can wreak a lot of havoc with only a small amount of resources and are probably well connected to the black market of botnet operators.  Personally, I’m going with the above theory until I come across a better one.  I don’t think it was a state-sponsored attack, I think it was somebody who was well-connected inciting a cyber-riot.