Some Russian cities have been near-paralysed after being targeted by repeated, simultaneous mass bomb threats phoned through to police and emergency services, reports Lina Kolesnikova, who says that hackers are thought to be behind the attacks. But what are their motivations?
On September 28, 2017, the Siberian city of Novosibirsk – the third largest city in Russia – became a target of telephone terrorists. More than 40 telephone calls making bomb threats were received by police and emergency services. Airports, train and bus stations, shopping centres, schools, local government buildings of Novosibirsk and nearby towns were subject to emergency evacuation.
The modus operandi is the same – a massive sequence of telephone calls about bomb threats to the police and on emergency numbers. Bomb threats in Moscow schools were followed by dozens of simultaneous calls to ambulance services.
Many consider these attacks to be a co-ordinated effort by hackers. They started on September 10 and continue at the time of writing. More than 20 cities and towns, from Moscow and St Petersburg to Vladivostok, have been targeted. Commercial and trade organisations suffered financial losses amounting to millions.
The hackers' bomb threats have already led to the evacuation of hundreds of thousands of people across the country. Russian law enforcement (police and intelligence) are thought to be working on the premise that members of an as-yet unknown hacker group have created a computer program that creates a stream of phone calls on randomly selected phone numbers. It is likely this involves IP telephony.
It is clear that Russia is being specifically targeted. There are several considerations as to who is perpetrating these attacks, and why. When the attacks started, one of the first rumours was that it was a drill. However, as the attack continued and the authorities stepped in to investigate, this theory was ruled out. Other possibilities include:
- Terrorist groups or overseas agencies, which are constantly probing the ability of Russian authorities to react to bomb threats. These attackers are on a learning curve, looking for patterns and seeking weaknesses that they can exploit in their favour.
- An external official or unofficial group from abroad (likely to be an unfriendly country), which is launching some kind of attack against the Russian authorities before the Presidential election in early 2018. Or more bluntly, they are targeting the country as a whole, given that the authorities are not directly affected, even though their image might be tarnished (this is especially true for hardline politicians).
- A terrorist and/or criminal (eg hacking) group, which is blackmailing or is going to blackmail business organisations, and is demonstrating its abilities to paralyse and/or to impact the work of the economy’s large-scale infrastructure components. Some shopping malls, for example, have reported significant losses as a result of being subjected to the attack.
- A lone hacker or an amateur schoolchild or student, attacking ‘for fun’, is another, though distant, possibility.
In technical terms, there are many ways such attacks can be organised, starting from simple PC-based scenarios combining widespread internet telephony such as Skype, Messengers, etc, with text-to-speech technologies. In most cases, the contact information needed for such an attack is publicly available online. While this scenario is technically possible, using regular technology is prone to detection. However, the possibility of being detected after attacking from abroad, especially if the attack emanates from an unfriendly country, makes this more of a theoretical than a practical possibility.
More elaborate scenarios may involve advanced capabilities, such as Tor or various anonymous proxy tools such as Virtual Private Networks (VPNs). Given that the cities affected sometimes experience simultaneous calls to several agencies, botnets, and not only human groups, could be involved as well.
Imagine a botnet mounting an attack. A single botnet operator can program and command its activities and the botnet might include millions of non-suspicious internet-connected computers or other devices. Black hat hackers, hackers (with botnets) for hire, and probably some governmental forces, have the capability of mounting such an attack, and the ability to make its origin very hard to trace.
Detailed information is not available, but it seems we might see bursts of calls on a daily basis. This is reminiscent of the latest DDoS ‘pulse wave’ attacks. The distinguishing feature of such attacks is that the botnet(s) run instantly and for a limited period of time at high output, with no sign of a curve from zero load to peak capacity and then fading away. With regard to the DDoS attacks, suggestions have been made that the botnet constantly runs at full capacity and, based on a certain programmed timeline (or conditions), simply switches from one target to another.
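For those who operate emergency call centres, the ‘pulse wave’ shape described above can be checked for in call logs. The following is an added illustration, not code from the article or from any investigating agency: it bins call timestamps per minute and flags bursts, marking those that start and stop without a ramp. The function names, thresholds and sample data are assumptions constructed for this example.

```python
from collections import Counter
from statistics import median

def sample_calls():
    """Constructed data: calls per minute, expanded to timestamps in seconds."""
    per_minute = ([2] * 10 + [40, 42, 41] + [2] * 7      # abrupt pulse
                  + [4, 8, 12, 16, 12, 8, 4] + [2] * 3)  # gradual rise and fall
    return [m * 60 + i * (60 / n) for m, n in enumerate(per_minute)
            for i in range(n)]

def find_bursts(timestamps, bin_s=60, factor=5.0, min_calls=10):
    """Return (start_s, end_s, calls, abrupt) for each burst of calls.

    A burst is a run of bins at or above `factor` times the median rate
    (and at least `min_calls`). abrupt=True means the bins on both edges
    of the run were below half the threshold, i.e. volume jumped to burst
    level and dropped back within one bin, with no ramp.
    """
    if not timestamps:
        return []
    counts = Counter(int(t // bin_s) for t in timestamps)
    first = min(counts)
    series = [counts.get(b, 0) for b in range(first, max(counts) + 1)]
    threshold = max(min_calls, factor * max(median(series), 1))
    bursts, start = [], None
    for i, n in enumerate(series + [0]):   # trailing 0 closes an open burst
        if n >= threshold and start is None:
            start = i
        elif n < threshold and start is not None:
            # A burst at the very start of the log has no earlier bin;
            # it is treated as preceded by silence (assumption).
            before = series[start - 1] if start > 0 else 0
            abrupt = before < threshold / 2 and n < threshold / 2
            bursts.append(((first + start) * bin_s, (first + i) * bin_s,
                           sum(series[start:i]), abrupt))
            start = None
    return bursts

if __name__ == "__main__":
    for start_s, end_s, calls, abrupt in find_bursts(sample_calls()):
        shape = "pulse (no ramp)" if abrupt else "gradual rise"
        print(f"{start_s:>5}s-{end_s:>5}s  {calls:>3} calls  {shape}")
```

On the constructed sample, the three-minute spike is flagged as a pulse, while the slower rise and fall later in the log is reported as a burst without the abrupt edges.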
I would appreciate any information about whether phone-call based events are happening in other areas. If so, there might be something else brewing, and Russia may not be the only target.