Home / Blogs

Mobilizing Russian Population Attacking Georgia: Similar to the Estonian Incident?

It seems like the online Russian population is getting mobilized. Like a meme spreading on the blogosphere, the mob is forming and starting to “riot”, attacking Georgia.

This seems very similar to the Estonian incident, only my current guess is natural evolution rather than grass-roots implanted—but I am getting more and more convinced of the similarities as more information becomes available. Determining exactly when the use of scripts by regular users started, is key to this determination.

So, this may possibly be in copy-cat fashion, filling in for the missing coordination that existed in Estonia’s case, or a duplicate after all. It is still too early to come to conclusions.

This information was received from Shadowserver, which posted a reduced public report on this subject on their wiki:


Great work from Shadowserver!

My Colleague Randy Vaughn, came up with the following theory, which is interesting to say the least, although still at this point contradictory to my own (but evidence is mounting):

“I would say more like the result of past training. That is, the .ee attacks served to set a behavioral response that will automatically trigger during any real or perceived conflict.”

By Gadi Evron, Security Strategist

Filed Under


Re: Mobilizing Russian Population Attacking Georgia: Similar to the Estonian Incident? Fergie  –  Aug 14, 2008 8:30 AM

Okay, so I love Gadi, but I have to disagree with him to a certain extent.

Yes, there are “hacktivist”, grass-roots elements which have arisen over the course of the past couple of days, and yes—they have been a component of the digital attacks on Georgian web properties. This is not in contention.

What _is_ (apparently) in contention, is that there is some Russian, state-sponsored participation, and/or whether some “previously-known” Russian/Ukrainian cyber criminals were somehow involved in this mess in the beginning. There was/is/are.

There are valid points to support this position.

There is substantial evidence that there was (and continues to be) involvement of “established” criminal operatives in attacking Georgian websites, manipulation of routing infrastructure, and ongoing maliciousness.

For instance, the use of “established” Botnets (some of which have been around for many months) were fingered as the culprits in the original DDoS attacks (TCP SYN and TCP RST attacks). Only later did we begin to observe “individual contributors” begin the grass-roots salvos.

So, this is a case of many issues converging into a big mess. Yes, there are hacktivist masses (as in the Estonian incidents). Yes, there is also the hand of established criminal elements. I draw no further connection, because it is virtually impossible to do so.

Let’s be real here—not everything is always as it appears. And vice versa.

- ferg

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Threat Intelligence

Sponsored byWhoisXML API

Brand Protection

Sponsored byCSC

New TLDs

Sponsored byRadix


Sponsored byDNIB.com

IPv4 Markets

Sponsored byIPv4.Global


Sponsored byVerisign

Domain Names

Sponsored byVerisign