Was Twitter denial-of-service targeting anti-Russian blogger?

Filed Under: Social networks, Spam, Twitter


Today isn't just the day after Twitter disappeared for a few hours. It's also the first anniversary of Georgian troops moving into South Ossetia, an incident which lead to conflict between the Russian and Georgian armies last year.

Perhaps surprisingly, the two may not be disconnected.

The major DDoS campaign which brought Twitter to its knees yesterday (and mildly impacted the likes of Facebook, LiveJournal, Google's Blogger and possibly YouTube service) may have actually set out to silence only one person - an anti-Russian blogger called Cyxymu from Tbilisi.

This raises the astonishing thought that a vendetta against a single user caused Twitter to crumble, forcing us to ask serious questions about the site's fragility.

Facebook's Chief Security Officer Max Kelly told CNET News that a political blogger using the online name "Cyxymu" - who had accounts on Twitter, Facebook, LiveJournal and Google's Blogger and YouTube services - was targeted in the co-ordinated denial of service attack.

According to Kelly, the pro-Georgian blogger's accounts on the different sites were attacked simultaneously.

It's not currently possible to access Cyxymu's LiveJournal pages (although they can be read via a Google cache as you can see in the screengrab below. Click on the image for a larger version).

Cyxymu LiveJournal page. Click for larger version

Cyxymu's LiveJournal page claims that he has been the victim of a "Joe Job" attack. It is claimed that a large number of emails have been spammed out, claiming to come from Cyxymu's Gmail address, containing links to his various accounts (including, in the example below, his YouTube account):

Email claiming to come from Cyxymu

Now, imagine you received one of these emails. You would be pretty annoyed right? Most people's natural instinct is to get angry about whoever sent you the unsolicited email promoting his blog or YouTube channel.

But if the emails weren't actually sent by Cyxymu, but by someone else trying to muddy Cyxymu's name and perhaps try and trick websites into erasing Cyxymu's accounts for inappropriate behaviour, then your anger and frustration might be being vented at the wrong person.

In other words, Cyxymu may have been set up as a scapegoat by the spammer - with the intention of having their anti-Russian webpages removed.

Cyxymu himself claims on his LiveJournal page that he has been flooded with "out-of-office" replies from people the spam has been sent to, even though he claims not to have sent it himself.

Some media reports have suggested that the surge in internet traffic that crippled Twitter wasn't the result of a distributed denial-of-service attack, but caused by spam recipient's clicking on the links to Cyxymu's webpages.

I don't think that's likely. Most people wouldn't have bothered clicking on the link.

However, I think it is possible that the spam campaign was either run alongside the denial-of-service from compromised computers around the world, or that someone who wasn't responsible for the Joe Job decided to wreak revenge on whoever they believed to have spammed them (and they might have imagined it was Cyxymu) by launching a DDoS from their botnet.

Meanwhile, Cyxymu's YouTube channel is still available. It contains a number of videos, many related to skirmishes between Russians and Georgians:

Cyxymu's Twitter page is also available for anyone to see:

Cyxymu Twitter page

Could these have been the webpages that the denial-of-service attack was trying to blast off the internet?

By the way, long term readers of the Clu-blog may recall that I have blogged about cyber warfare between Russia and Georgia before. Read "Conflict between Russia and Georgia turns to cyber warfare" and "Update on website attacks in Georgia and Russia" for instance.

, , , , , ,

You might like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.