Estonian 'Cyber Riot' Was Planned, But Mastermind Still A Mystery - InformationWeek


Because so much of Estonia's economy relies on the Internet, when the Internet was down, citizens couldn't perform the most basic functions, such as buying milk, bread, or gas.

Months after the cyberattacks launched against the Baltic nation of Estonia brought the country to its knees, the dangers of targeted cyberattacks and the consequences of heavy economic reliance on the Web have become clear -- even if the identity of the mastermind behind the attacks remains a mystery.

Estonia's emergency was a unique situation, since Internet connections into the entire country can be blocked, given how small it is -- about 45,000 square kilometers -- and how concentrated its Web users are. It was a "predicament of success," Gadi Evron, security evangelist for network security vendor Beyond Security, said Thursday during the Black Hat USA 2007 conference in Las Vegas.

Because so much of Estonia's economy relies on the Internet, when the Internet was down, citizens couldn't perform the most basic functions, such as buying milk, bread, or gas. For this reason, Estonia has redefined its national infrastructure to include Internet service providers, media Web sites, and home computers, since the loss of these deeply affected the country.

After the Soviet Union broke apart in 1991, Estonia built its infrastructure from scratch. A lot of it was dependent upon the Web, even the country's parliamentary election system. In fact, about 99% of Estonians bank online, said Evron, a former Israeli government Internet security operations manager and founder of Israel's computer emergency response team, or CERT, program.

The attacks started on April 27, although the servers hosting most of the target government Web sites held up well. The attacks escalated as the day wore on, so the government moved the sites to new servers that could more easily be defended. Estonians were seeing up to 1,000 times the normal traffic to certain sites by that time.

The following day, the Estonians began to realize that these attacks were amounting to a "cyberriot" rather than simply being a spike in activity, Evron said. Indeed, the original attackers had begun to use Russian blogs to successfully enlist Russians in the assault, even instructing average computer users on how to attack Estonian Web sites. One blog comment solicited donations to a PayPal account to raise money for hiring botnets to use against Estonia. "The blogosphere was responding to what was happening in Estonia and how it was defending itself," he added. In this regard, the cyberattacks against Estonia resembled mob control or mass psychology with the Internet as the means of instigation.

Another element of the attack was botnets, all of which originated from outside Estonia. One attack in particular came from specially crafted bots planted in a number of computers, with the attack target hard-coded into their source, Evron said. "They did not propagate and were not controlled centrally from a command and control center," he added. "This has been seen before, but is not very common. This shows there was some planning" performed in advance of the attack.

One security researcher, Postini senior manager Adam Swidler, believes there's a good chance that authors behind the Storm worm terrorizing the Web today were behind the Estonia attacks.

Estonia's CERT worked throughout the attack to get the country's systems back online. The incident response proved useful, Evron said. And when its resources were exceeded, Estonia's CERT sought help from CERT-Bund in Germany, CERT-FI in Finland, and SI-CERT in Slovenia.

One of Estonia's defenses was to add Cisco Guard distributed denial-of-service mitigation appliances, which gradually slowed the pace of the attacks from 4 Mbps to 1.2 Mbps to 150 Kbps. Four megabits per second isn't necessarily a large attack, but "it was the right size for Estonia," Evron said. "More important was the impact. The spam attack against the Estonian parliament resulted in two days of downtime." Two network routers also crashed.

While Russians were involved in the cyberattacks, the attacks were not launched by Russia itself. Evron was very clear that there are no answers regarding exactly who initiated the attack and how much of it was pre-planned. "No one can tell," he added. "The Internet is perfect for plausible deniability. In information warfare, you may know your opponents, rivals, and enemies, but you do not know who is actually attacking."
