Security experts are making progress in their efforts to identify the hackers responsible for the distributed denial-of-service (DDoS) attacks that crippled Twitter for several hours last week.
They have also come up with strong evidence that confirms claims the DDoS rampage that brought down Twitter and hit Facebook, Google's YouTube and LiveJournal, were caused by attacks targeting a pro-Georgian activist and blogger.
But they have yet to nail down exactly who was behind the attacks, how they were conducted, and from where.
Twitter, meanwhile, admitted that the attacks were "geopolitical in motivation."
"This was a very targeted attack, and what the research shows is that it was aimed at one particular person, and that person's accounts on Twitter, Facebook, YouTube and LiveJournal," said Dave Marcus, director of security research at antivirus vendor McAfee.
McAfee has identified six separate DDoS attacks against various accounts registered to a user pegged as "Cyxymu," as well as a simultaneous spam e-mail campaign aimed at Cyxymu's Gmail account.
"We back-traced and correlated the data the attacks targeting Facebook, Twitter and others, and found commonalities in the IP [address] information," Marcus said.
Although McAfee was as of yet unable to identify the botnet responsible for the DDoS attacks, its trace-backs revealed that 29% of the machines composing the army of hijacked computers were located in Brazil. Turkish PCs accounted for another 9%, and Indian systems made up another 8%.
Marcus declined to guess the botnet's size. "That's kind of point of contention," he said. "In the case of Twitter, they've gone down before anyway, so it could have been small. Facebook, however, tends to be a lot more resilient, with a lot more load balancing and defensive measures." That might indicate the botnet, which hampered Facebook but didn't knock it offline, is larger.
"We're still looking at which botnet it was that did this," Marcus said.
So is Don Jackson, director of threat intelligence for SecureWorks and a noted DDoS expert, who last year at this time investigated Russian "cybermilitia" attacks against Georgia, the former Soviet republic that was then battling Russian military forces over a territorial dispute. "We don't have indication that it's part of a known botnet," Jackson said today.
"For such a high-volume, high-profile DDoS [attack], there's a conspicuous lack of evidence."
Jackson and other researchers at SecureWorks haven't seen the usual chatter in known hacker and "hacktivist" forums, been able to locate any botnet command-and-control servers showing evidence of having ordered the DDoS attack, or found any clues that the usual commercial DDoS suspects, who make a living renting out bots for such attacks, were involved.