Estonian 'Cyber Riot' Was Planned, But Mastermind Still A Mystery - InformationWeek


Because so much of Estonia's economy relies on the Internet, when the Internet was down, citizens couldn't perform the most basic functions, such as buying milk, bread, or gas.

Months after the cyberattacks launched against the Baltic nation of Estonia brought the country to its knees, the dangers of targeted cyberattacks and the consequences of heavy economic reliance on the Web have become clear -- even if the identity of the mastermind behind the attacks remains a mystery.

Estonia's emergency was a unique situation, since Internet connections into the entire country can be blocked, given how small it is -- about 45,000 square kilometers -- and how concentrated its Web users are. It was a "predicament of success," Gadi Evron, security evangelist for network security vendor Beyond Security, said Thursday during the Black Hat USA 2007 conference in Las Vegas.

Because so much of Estonia's economy relies on the Internet, when the Internet was down, citizens couldn't perform the most basic functions, such as buying milk, bread, or gas. In this regard, Estonia likewise redefined the national infrastructure to include Internet service providers, media Web sites, and home computers, since the loss of these deeply affected the country.

After the Soviet Union broke apart in 1991, Estonia built its infrastructure from scratch. A lot of it was dependent upon the Web, even the country's parliamentary election system. In fact, about 99% of Estonians bank online, said Evron, a former Israeli government Internet security operations manager and founder of Israel's computer emergency response team, or CERT, program.

The attacks started on April 27, although the servers hosting most of the target government Web sites held up well. The attacks escalated as the day wore on, so the government moved the sites to new servers that could more easily be defended. Estonians were seeing up to 1,000 times the normal traffic to certain sites by that time.

The following day, the Estonians began to realize that these attacks were amounting to a "cyberriot" rather than simply being a spike in activity, Evron said. Indeed, the original attackers had begun to use Russian blogs to successfully enlist Russians in the assault, even instructing average computer users on how to attack Estonian Web sites. One blog comment solicited donations to a PayPal account to raise money for hiring botnets to use against Estonia. "The blogosphere was responding to what was happening in Estonia and how it was defending itself," he added. In this regard, the cyberattacks against Estonia resembled mob control or mass psychology with the Internet as the means of instigation.

Another element of the attack was botnets, all of which originated from outside Estonia. One attack in particular came from specially crafted bots planted in a number of computers, with the attack target hard coded into their source, Evron said. "They did not propagate and were not controlled centrally from a command and control center," he added. "This has been seen before, but is not very common. This shows there was some planning" performed in advance of the attack.

One security researcher, Postini senior manager Adam Swidler, believes there's a good chance that the authors behind the Storm worm terrorizing the Web today were behind the Estonia attacks.

Estonia's CERT worked throughout the attack to get the country's systems back online. The incident response proved useful, Evron said. And when its resources were exceeded, Estonia CERT sought help from CERT-Bund in Germany, CERT-FI in Finland, and SI-CERT in Slovenia.

One of Estonia's defenses was to add Cisco Guard distributed denial-of-service mitigation appliances, which gradually slowed the pace of the attacks from 4 Mbps to 1.2 Mbps to 150 Kbps. Four megabits-per-second isn't necessarily a large attack, but "it was the right size for Estonia," Evron said. "More important was the impact. The spam attack against the Estonian parliament resulted in two days of downtime." Two network routers also crashed.

While Russians were involved in the cyberattacks, the attacks were not launched by Russia itself. Evron was very clear that there are no answers regarding exactly who initiated the attack and how much of it was pre-planned. "No one can tell," he added. "The Internet is perfect for plausible deniability. In information warfare, you may know your opponents, rivals, and enemies, but you do not know who is actually attacking."
