Estonian 'Cyber Riot' Was Planned, But Mastermind Still A Mystery - InformationWeek

Because so much of Estonia's economy relies on the Internet, when the Internet was down, citizens couldn't perform the most basic functions, such as buying milk, bread, or gas.

Months after the cyberattacks launched against the Baltic nation of Estonia brought the country to its knees, the dangers of targeted cyberattacks and the consequences of heavy economic reliance on the Web have become clear -- even if the identity of the mastermind behind the attacks remains a mystery.

Estonia's emergency was a unique situation, since Internet connections into the entire country can be blocked, given how small it is -- about 45,000 square kilometers -- and how concentrated its Web users are. It was a "predicament of success," Gadi Evron, security evangelist for network security vendor Beyond Security, said Thursday during the Black Hat USA 2007 conference in Las Vegas.

Because so much of Estonia's economy relies on the Internet, when the Internet was down, citizens couldn't perform the most basic functions, such as buying milk, bread, or gas. In this regard, Estonia likewise redefined the national infrastructure to include Internet service providers, media Web sites, and home computers, since the loss of these deeply affected the country.

After the Soviet Union broke apart in 1991, Estonia built its infrastructure from scratch. A lot of it was dependent upon the Web, even the country's parliamentary election system. In fact, about 99% of Estonians bank online, said Evron, a former Israeli government Internet security operations manager and founder of Israel's computer emergency response, or CERT, program.

The attacks started on April 27, although the servers hosting most of the target government Web sites held up well. The attacks escalated as the day wore on, so the government moved the sites to new servers that could more easily be defended. Estonians were seeing up to 1,000 times the normal traffic to certain sites by that time.

The following day, the Estonians began to realize that these attacks were amounting to a "cyberriot" rather than simply being a spike in activity, Evron said. Indeed, the original attackers had begun to use Russian blogs to successfully enlist Russians in the assault, even instructing average computer users on how to attack Estonian Web sites. One blog comment solicited donations to a PayPal account to raise money for hiring botnets to use against Estonia. "The blogosphere was responding to what was happening in Estonia and how it was defending itself," he added. In this regard, the cyberattacks against Estonia resembled mob control or mass psychology with the Internet as the means of instigation.
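The two paragraphs above describe the defenders' problem in its simplest form: traffic to certain sites reached up to 1,000 times normal, and it took a day to recognise the surge as a distributed "cyberriot" rather than an ordinary spike. The script below is an added example written for this article, not code from Evron's talk or from Estonia's CERT. It parses constructed access-log lines (Apache common-log format, RFC 5737 documentation addresses, timestamps chosen to match the April 27 date in the story), learns a per-minute baseline from the first few minutes, flags any later minute whose request count exceeds a multiple of that baseline, and reports whether the surge comes from one source or from many, which is the signal that separates a single misbehaving client from a distributed attack. The thresholds (`multiplier`, `distributed_threshold`) are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache common-log format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def build_sample_log():
    """Constructed sample: five quiet minutes, then one minute of a distributed surge.

    The addresses are RFC 5737 documentation ranges and the traffic is invented;
    nothing here is real Estonian data.
    """
    lines = []
    for minute in range(5):  # baseline: 4 requests/min from two local clients
        for i in range(4):
            ip = f"192.0.2.{1 + i % 2}"
            lines.append(
                f'{ip} - - [27/Apr/2007:10:0{minute}:{i * 10:02d} +0300] '
                f'"GET /index.html HTTP/1.1" 200 512'
            )
    for i in range(400):  # surge: 400 requests/min from 100 distinct addresses
        ip = f"198.51.100.{i % 100}"
        lines.append(
            f'{ip} - - [27/Apr/2007:10:05:{i % 60:02d} +0300] "GET / HTTP/1.1" 503 0'
        )
    return lines


def parse_line(line):
    """Return (source ip, minute bucket as a timezone-aware datetime) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts.replace(second=0)


def per_minute_stats(lines):
    """Count requests and distinct source addresses for every minute seen in the log."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip rather than crash the detector
        ip, minute = parsed
        counts[minute] += 1
        sources[minute].add(ip)
    return counts, sources


def flag_surges(lines, baseline_minutes=5, multiplier=10, distributed_threshold=20):
    """Flag minutes whose request volume is at least `multiplier` times the baseline.

    The baseline is the mean request count of the first `baseline_minutes` minutes.
    Each alert notes whether the surge is distributed (many distinct sources) or
    single-source, since the two call for different responses.
    """
    counts, sources = per_minute_stats(lines)
    minutes = sorted(counts)
    if len(minutes) <= baseline_minutes:
        return []  # not enough history to judge anything
    baseline = sum(counts[m] for m in minutes[:baseline_minutes]) / baseline_minutes
    alerts = []
    for m in minutes[baseline_minutes:]:
        ratio = counts[m] / baseline if baseline else float("inf")
        if ratio >= multiplier:
            kind = "distributed" if len(sources[m]) >= distributed_threshold else "single-source"
            alerts.append({
                "minute": m.isoformat(),
                "requests": counts[m],
                "ratio": round(ratio, 1),
                "distinct_sources": len(sources[m]),
                "kind": kind,
            })
    return alerts


if __name__ == "__main__":
    for alert in flag_surges(build_sample_log()):
        print(alert)
```

On the constructed sample the detector reports one alert for the 10:05 minute: 400 requests, 100 times the baseline, from 100 distinct sources, classified as distributed. A fixed-window baseline like this is deliberately simple; a production detector would use a rolling baseline and per-site thresholds, but the distinct-source count is the part worth keeping, because it is what tells a responder whether a single client can be dropped or whether upstream mitigation (as the article later describes) is needed.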

Another element of the attack was botnets, all of which originated from outside Estonia. One attack in particular came from specially crafted bots planted in a number of computers, with the attack target hard coded into their source, Evron said. "They did not propagate and were not controlled centrally from a command and control center," he added. "This has been seen before, but is not very common. This shows there was some planning" performed in advance of the attack.

One security researcher, Postini senior manager Adam Swidler, believes there's a good chance that authors behind the Storm worm terrorizing the Web today were behind the Estonia attacks.

Estonia's CERT worked throughout the attack to get the country's systems back online. The incident response proved useful, Evron said. And when its resources were exceeded, Estonia's CERT sought help from CERT-Bund in Germany, CERT-FI in Finland, and SI-CERT in Slovenia.

One of Estonia's defenses was to add Cisco Guard distributed denial-of-service mitigation appliances, which gradually slowed the pace of the attacks from 4 Mbps to 1.2 Mbps to 150 Kbps. Four megabits-per-second isn't necessarily a large attack, but "it was the right size for Estonia," Evron said. "More important was the impact. The spam attack against the Estonian parliament resulted in two days of downtime." Two network routers also crashed.

While Russians were involved in the cyberattacks, the attacks were not launched by Russia itself. Evron was very clear that there are no answers regarding exactly who initiated the attack and how much of it was pre-planned. "No one can tell," he added. "The Internet is perfect for plausible deniability. In information warfare, you may know your opponents, rivals, and enemies, but you do not know who is actually attacking."
