Estonian 'Cyber Riot' Was Planned, But Mastermind Still A Mystery

Because so much of Estonia's economy relies on the Internet, when the Internet was down, citizens couldn't perform the most basic functions, such buying milk, bread, or gas.

Months after the cyberattacks launched against the Baltic nation of Estonia brought the country to its knees, the dangers of targeted cyberattacks and the consequences of heavy economic reliance on the Web have become clear -- even if the identity of the mastermind behind the attacks remains a mystery.

Estonia's emergency was a unique situation, since Internet connections can be blocked into the entire country, given how small it is -- about 45,000 square kilometers -- and how concentrated its Web users are. It was a "predicament of success," Gadi Evron, security evangelist for network security vendor Beyond Security, said Thursday during the Black Hat USA 2007 conference in Las Vegas.

Because so much of Estonia's economy relies on the Internet, when the Internet was down, citizens couldn't perform the most basic functions, such buying milk, bread, or gas. In this regard, Estonia likewise redefined the national infrastructure to include Internet service providers, media Web sites, and home computers, since the loss of these deeply affected the country.

After the Soviet Union broke apart in 1991, Estonia built its infrastructure from scratch. A lot of it was dependent upon the Web, even the company's parliamentary election system. In fact, about 99% of Estonians bank online, said Evron, a former Israeli government Internet security operations manager and founder of Israel's computer emergency response, or CERT, program.

The attacks started on April 27, although the servers hosting most of the target government Web sites held up well. The attacks escalated as the day wore on, so the government moved the sites to new servers that could more easily be defended. Estonians were seeing up to 1,000 times the normal traffic to certain sites by that time.

The following day, the Estonians began to realize that these attacks were amounting to a "cyberriot" rather than simply being a spike in activity, Evron said. Indeed, the original attackers had begun to use Russian blogs to successfully enlist Russians in the assault, even instructing average computer users on how to attack Estonian Web sites. One blog comment solicited donations to a PayPal account to raise money for hiring botnets to use against Estonia. "The blogosphere was responding to what was happening in Estonia and how it was defending itself," he added. In this regard, the cyberattacks against Estonia resembled mob control or mass psychology with the Internet as the means of instigation.

Another element of the attack was botnets, all of which originated from outside Estonia. One attack in particular came from specially crafted bots planted in a number of computers, with the attack target hard coded into their source, Evron said. "They did not propagate and were not controlled centrally from a command and control center," he added. "This has been seen before, but is not very common. This shows there was some planning" performed in advance of the attack.

One security researcher, Postini senior manager Adam Swidler, believes there's a good chance that authors behind the Storm worm terrorizing the Web today were behind the Estonia attacks.

Estonia's CERT worked throughout the attack to get the country's systems back online. The incident response proved useful, Evron said. And when its resources were exceeded, Estonia CERT sought help from CERT-Bund in Germany, CERT-FI in Finland, and SI-CERT in Slovania.

One of Estonia's defenses was to add Cisco Guard distributed denial-of-service mitigation appliances, which gradually slowed the pace of the attacks from 4 Mbps to 1.2 Mbps to 150 Kbps. Four megabits-per-second isn't necessarily a large attack, but "it was the right size for Estonia," Evron said. "More important was the impact. The spam attack against the Estonian parliament resulted in two days of downtime." Two network routers also crashed.

While Russians were involved in the cyberattacks, the attacks were not launched by Russia itself. Evron was very clear that there are no answers regarding exactly who initiated the attack and how much of it was pre-planned. "No one can tell," he added. "The Internet is perfect for plausible deniability. In information warfare, you may know your opponents, rivals, and enemies, but you do not know who is actually attacking."

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Email This  | 
Print  | 
More Insights
Copyright © 2021 UBM Electronics, A UBM company, All rights reserved. Privacy Policy | Terms of Service