Estonia, six years later
In April 2007, the Estonian government decided to relocate the Bronze Warrior, a Soviet World War II memorial located in Tallinn, as well as the remains of some Soviet WWII soldiers buried nearby.
This decision caused great offense in Russia, starting at the top. Russian president Vladimir Putin said, “I find that this is an absolutely short-sighted policy, extremist-nationalist, which does not take into consideration the history connected with the fight against Nazism or today’s reality.”
Russia’s foreign minister Sergei Lavrov said Estonia had a “blasphemous attitude towards the memory of those who struggled against fascism.”
Within weeks, the country of Estonia was offline, taken down by a botnet-fueled distributed denial of service (DDoS) attack. This attack impacted both the government and the private sector.
The attacks begin…
Within days of the Estonian government decision, a series of sustained DDoS attacks against Estonian Web properties began.
Estonia’s defense minister at the time, Jaak Aaviksoo, told Wired Magazine:
“The attacks were aimed at the essential electronic infrastructure of the Republic of Estonia,” Aaviksoo tells me later. “All major commercial banks, telcos, media outlets, and name servers — the phone books of the Internet — felt the impact, and this affected the majority of the Estonian population. This was the first time that a botnet threatened the national security of an entire nation.”
Two weeks into the attack, Jose Nazario, then a senior security researcher at Arbor Networks, posted a detailed analysis on our blog, writing,
“All in all, someone is very, very deliberate in putting the hurt on Estonia, and this kind of thing is only going to get more severe in the coming years.”
Within the first two weeks, our Internet-wide threat monitoring system, ATLAS, saw at least 128 separate attacks on nine different Web sites in the country, including 35 attacks against the Estonian police, another 35 against the Ministry of Finance and 36 against the Estonian parliament, the Prime Minister and other general government Web properties.
- Attack bandwidths ranged from under 10 Mbps to 95 Mbps, with the majority in the 10-30 Mbps range
- 75 percent lasted no longer than one hour, and 5.5 percent lasted more than 10 hours
So does the speculation…
A high profile disagreement between leaders of Estonia and Russia, followed immediately by a cyber-attack against Estonian Web sites? Well, that can only mean one thing, CYBERWAR!!!
Headlines from May 2007
- Estonia: Ground Zero for World’s First Cyber War?
- Estonia hit by ‘Moscow cyber war’
- Russia accused of unleashing cyberwar to disable Estonia
Slippery Slopes: Attribution and Semantics
One thing that certainly has not changed since the Estonia incident is that hurried analysis, and attempts at instant attribution, are very rarely accurate.
While the headlines said “cyberwar,” the data we saw at the time said something else: digital attribution, regardless of motive, can be extremely difficult. These attacks, like many before and since, were widely distributed around the world. In fact, many of the attacks originated from the United States and elsewhere. There was significant chatter and sharing of attack tools on Russian-language Web sites.
Arbor’s ATLAS system and subsequent analysis showed signs of Russian nationalism at work, but no Russian government connection. The sources we analyzed from around the world did not show a clear line from Moscow to Tallinn; instead, it was from everywhere around the world to Estonia. Additionally, we noted at the time that targets were high-profile Web properties, not critical national infrastructure.
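To make the attribution point concrete, here is an added example (my own code, not the original post's and not Arbor's ATLAS code) that summarises constructed attack records the way the post summarises its telemetry: attacks per target, bandwidth and duration buckets, and how widely the sources are spread. Every target label and source count below is constructed for illustration.

```python
# Added example: summarise constructed DDoS records; not ATLAS data or code.
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class Attack:
    target: str           # hypothetical target label
    peak_mbps: float      # peak attack bandwidth
    duration_h: float     # attack duration in hours
    sources: dict = field(default_factory=dict)  # country -> distinct sources seen

# Constructed records; counts and countries are illustrative only.
ATTACKS = [
    Attack("police", 12, 0.5, {"US": 40, "RU": 10, "BR": 25, "DE": 15}),
    Attack("police", 25, 0.8, {"US": 30, "CN": 20, "RU": 5, "TR": 10}),
    Attack("finance", 8, 0.3, {"KR": 20, "US": 15, "RU": 8}),
    Attack("finance", 95, 12.0, {"US": 50, "RU": 20, "BR": 30, "IN": 25, "DE": 10}),
    Attack("parliament", 18, 1.0, {"US": 20, "RU": 12, "FR": 8}),
    Attack("parliament", 30, 2.5, {"US": 25, "CN": 30, "RU": 10}),
    Attack("pm", 45, 0.9, {"US": 35, "BR": 20, "RU": 15, "EG": 10}),
    Attack("police", 15, 0.25, {"US": 10, "RU": 5, "PL": 5}),
]

def attacks_per_target(attacks):
    """Number of separate attacks seen against each target."""
    return dict(Counter(a.target for a in attacks))

def bandwidth_bins(attacks):
    """Bucket peak bandwidth into the ranges the post reports."""
    bins = Counter()
    for a in attacks:
        label = "<10 Mbps" if a.peak_mbps < 10 else "10-30 Mbps" if a.peak_mbps <= 30 else ">30 Mbps"
        bins[label] += 1
    return dict(bins)

def duration_shares(attacks):
    """Percent of attacks lasting at most one hour, and more than ten hours."""
    n = len(attacks)
    short = sum(a.duration_h <= 1 for a in attacks)
    long_ = sum(a.duration_h > 10 for a in attacks)
    return round(100 * short / n, 1), round(100 * long_ / n, 1)

def source_spread(attacks):
    """Top source country, its share of all sources, and number of countries.
    A low top share is the 'from everywhere' pattern: it shows where the bots
    sit, not who directed them, so it is not attribution on its own."""
    total = Counter()
    for a in attacks:
        total.update(a.sources)
    country, count = total.most_common(1)[0]
    return country, round(count / sum(total.values()), 2), len(total)
```

On these constructed records the top source country holds well under half of all sources and eleven countries appear, which is the kind of spread that made a line "from Moscow to Tallinn" impossible to draw from the traffic alone.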
As so often happens, after the flurry of initial speculation, the facts settle and the truth comes out, and usually with more than a little snark.
Estonia ‘Cyberwar’ Wasn’t
Sadly, this dashes THREAT LEVEL’s hopes of seeing our own made up infowar term on a CNN graphic. Since we put it out a week ago, a few more hyperbolic cyberterror gems have surfaced in the coverage of the Estonia packet floods — The First War in Cyberspace!, The Future Of Warfare! (exclamation points added) — but the only writer to adopt our Cybarmageddon! was Bruce Sterling. We’ll let you know if it turns up in his next novel.
There is also a lot of confusion around the term “cyberwar.” What does that mean exactly? One country attacking another seems obvious, but in what respects, what targets, and to what degree? What about when a country leverages experts in the field, as it would with defense contractors, to develop tools and capabilities? Just as there is collaboration between the government and the private sector to develop traditional defense systems and hardware, we must by now realize that the same type of public-private collaboration is happening around the world with regard to cyber capabilities, both defensive and offensive.
I’ll leave the question of what defines a “cyberwar” for others with more patience than I to wax intellectual. What I do know is that geopolitics absolutely shapes the threat landscape and the Internet as we know it today.
Regardless of terminology, we have seen some high profile stories since Estonia. Here are but a few examples that we know about:
April 27, 2007: Attacks on Estonia begin
Week of June 15, 2008: Ukraine put under DDoS attack due to NATO protests
August 5, 2008: Three days before Georgia launched its invasion of South Ossetia, the Web sites for OSInform News Agency and OSRadio were hacked. Arbor estimates these attacks were in the 814 Mbps range, significantly (at that time) larger than the Estonian DDoS attacks the year before.
December 2008 – January 2009: Israel launched an attack named Operation Cast Lead against the Palestine National Authority. The fighting between the Israeli Defense Forces and Hamas included cyber-attacks against government Web sites and media outlets and involved both state and non-state actors.
December 2009 – April 2010: In the months of unrest leading up to Kyrgyzstan’s second Tulip revolution, the technical unit of Kyrgyzstan intelligence cracked the email account of Gennady Pavlyuk, a leading dissident journalist, to obtain specific data on a project of his, then lured him to Kazakhstan under the pretense of meeting angel investors and killed him.
June 2010: Iran was the victim of a cyber attack when its nuclear facility in Natanz was infiltrated by the now very well-known cyber-worm ‘Stuxnet’.
November 2, 2010: Burma was the victim of a cyber-attack caused by a rapidly escalating, large-scale DDoS attack targeting Burma’s main Internet provider, the Ministry of Post and Telecommunication (MPT), disrupting most network traffic in and out of the country.
January 2011: Tunisia’s Jasmine Revolution, which resulted in the overthrow of a corrupt government, included violent protests and the hacking of user names and passwords for the entire online population of Tunisia by AMMAR, the country’s government-run Internet Services Provider (ISP).
January-February 2011: Egypt and Libya are taken offline entirely by their governments.
June 2011: Chinese and Vietnamese attackers started a cyber war over the territorial dispute on the ownership of the Spratly Islands in the South China Sea. 200 Vietnamese Web sites were attacked in June, and 10 percent of those Web sites were managed by government agencies; the attack disabled all the links on these Web sites and placed China’s flag at the center of the page.
March 20, 2013: South Korea is targeted by North Korea in a series of cyberattacks impacting 48,000 computers and servers and hampering banks for two to five days.
April 21, 2013: The U.S. military is increasing its budget for cyber warfare and expanding its offensive capabilities, including the ability to blind an enemy’s radar or shut down its command systems in the event of war, according to two defense officials.
May 2013: A new wave of attacks targeting U.S. energy companies begins, rumored to be driven out of the Middle East. Unlike typical cyberattacks that attempt to obtain confidential information, steal trade secrets and gain competitive advantage, these new attacks seek to destroy data or to manipulate industrial machinery and take over or shut down the networks that deliver energy or run industrial processes.
Again, I’ll leave it to others to debate the semantics of cyberwar. What I do know is that cyberspace is a legitimate battle space. The ongoing attacks against global financial services firms are a great example of how this impacts our business and day-to-day lives. Those attacks have been sustained for over six months, with no end in sight. They are being funded at some level, by someone or some group with very serious motivation that would be difficult to keep going with what we know of traditional hacktivism. We can speculate all day long about who might be behind these attacks, but I’d suggest we leave that to others and focus on learning lessons and building better defenses. In this changing, geopolitically driven environment, understanding the ‘who’ can be near impossible with only digital attribution, but attempting to understand the potential motivation behind attacks can help to better gauge the risk to your organization. What has really changed since Estonia? The fact that this type of attack today wouldn’t be nearly as surprising as it was in 2007.