Was Twitter denial-of-service targeting anti-Russian blogger?

Today isn’t just the day after Twitter disappeared for a few hours. It’s also the first anniversary of Georgian troops moving into South Ossetia, an incident which lead to conflict between the Russian and Georgian armies last year.

Perhaps surprisingly, the two may not be disconnected.

The major DDoS campaign which brought Twitter to its knees yesterday (and mildly impacted the likes of Facebook, LiveJournal, Google’s Blogger and possibly YouTube service) may have actually set out to silence only one person – an anti-Russian blogger called Cyxymu from Tbilisi.

This raises the astonishing thought that a vendetta against a single user caused Twitter to crumble, forcing us to ask serious questions about the site’s fragility.

Sign up to our free newsletter.
Security news, advice, and tips.

Facebook’s Chief Security Officer Max Kelly told CNET News that a political blogger using the online name “Cyxymu” – who had accounts on Twitter, Facebook, LiveJournal and Google’s Blogger and YouTube services – was targeted in the co-ordinated denial of service attack.

According to Kelly, the pro-Georgian blogger’s accounts on the different sites were attacked simultaneously.

It’s not currently possible to access Cyxymu’s LiveJournal pages (although they can be read via a Google cache as you can see in the screengrab below. Click on the image for a larger version).

Cyxymu LiveJournal page. Click for larger version

Cyxymu’s LiveJournal page claims that he has been the victim of a “Joe Job” attack. It is claimed that a large number of emails have been spammed out, claiming to come from Cyxymu’s Gmail address, containing links to his various accounts (including, in the example below, his YouTube account):

Email claiming to come from Cyxymu

Now, imagine you received one of these emails. You would be pretty annoyed right? Most people’s natural instinct is to get angry about whoever sent you the unsolicited email promoting his blog or YouTube channel.

But if the emails weren’t actually sent by Cyxymu, but by someone else trying to muddy Cyxymu’s name and perhaps try and trick websites into erasing Cyxymu’s accounts for inappropriate behaviour, then your anger and frustration might be being vented at the wrong person.

In other words, Cyxymu may have been set up as a scapegoat by the spammer – with the intention of having their anti-Russian webpages removed.

Cyxymu himself claims on his LiveJournal page that he has been flooded with “out-of-office” replies from people the spam has been sent to, even though he claims not to have sent it himself.

Some media reports have suggested that the surge in internet traffic that crippled Twitter wasn’t the result of a distributed denial-of-service attack, but caused by spam recipient’s clicking on the links to Cyxymu’s webpages.

I don’t think that’s likely. Most people wouldn’t have bothered clicking on the link.

However, I think it is possible that the spam campaign was either run alongside the denial-of-service from compromised computers around the world, or that someone who wasn’t responsible for the Joe Job decided to wreak revenge on whoever they believed to have spammed them (and they might have imagined it was Cyxymu) by launching a DDoS from their botnet.

Meanwhile, Cyxymu’s YouTube channel is still available. It contains a number of videos, many related to skirmishes between Russians and Georgians:


Cyxymu’s Twitter page is also available for anyone to see:

Cyxymu Twitter page

Could these have been the webpages that the denial-of-service attack was trying to blast off the internet?

By the way, long term readers of the Clu-blog may recall that I have blogged about cyber warfare between Russia and Georgia before. Read “Conflict between Russia and Georgia turns to cyber warfare” and “Update on website attacks in Georgia and Russia” for instance.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.