This is a follow-up to my previous post on Cybersecurity and the White House. It illustrates an actual cyberwarfare attack against Estonia in 2007 and how it can be a legitimate national security issue.

Study of a cyberwarfare attack

Estonia is one of the most wired countries in eastern Europe. In spite of its status of being a former Soviet republic, it relies on the internet for a substantial portion of everyday life—communications, financial transactions, news, shopping and restaurant reservations all use the Internet. Indeed, in 2000, the Estonian government declared Internet access a basic human right. It is this growing depending on the Internet that left Estonia particularly vulnerable to a large-scale cyberattack in April 2007.

The cyberattack is thought to have coincided with an event in downtown Tallinn. During the night of April 26-27, 2007, government workers took down and moved a Soviet-era monument commemorating World War II called the Bronze Soldier, as well as war graves in Talinn. This sparked protests of 500 ethnic Russian Estonians. For the Kremlin—and Russians in general—such a move in a former Soviet republic was considered a grave nationalistic insult.

This was the kind emotional flash point that could spark a “nationalistic” or “rally-around-the-flag” movement in cyberspace. By 10 p.m. local time on April 26, 2007, digital intruders began probing Estonian Internet networks, looking for weak points and marshaling resources for an all-out assault. Most of the attacks that had any influence on the general public were distributed denial of service type attacks ranging from single individuals using various low-tech methods like ping floods to expensive rentals of botnets usually used for spam distribution. Spamming of bigger news portals commentaries and defacements including that of the Estonian Reform Party website also occurred. Once they gained control of the sites, hackers posted a fake letter from Estonian Prime Minister Andrus Ansip apologizing for ordering the removal of the World War II monument.

This was a concerted cyberwarfare attack on Estonia. Some observers reckoned that the onslaught on Estonia was of a sophistication not seen before. The case was studied intensively by many countries and military planners and, at the time it occurred, it may have been the second-largest instance of state-sponsored cyberwarfare.

A couple of days later, networks and routers were being pressed to their limits. Not all servers were taken offline but functionality of the Internet in Estonia was limited because so many resources were dedicated to protecting itself. Security specialists erected firewalls and barriers but as time passed, these barriers started to break down. The government eventually started taking down sites and making them available only to users within Estonia, but this was only seen as a temporary fix. It works for a country as small as Estonia but not for larger nations where the traffic is much more international.

The cyberwar on Estonia intensified two weeks later. On May 9, the day Russia celebrates victory over Germany, the size of the attacks increased. More than 50 Web sites and servers may have been disabled at once, with a data stream crippling many other parts of the system. This continued until late in the evening of May 10, perhaps when the rented time on the botnets and cybermercenaries’ contracts expired. After May 10, the attacks slowly decreased as Estonia managed to take the botnets offline by working with phone companies and Internet service providers to trace back the IP addresses of attacking computers and shut down their Internet service connections.

During the defense of Estonia’s Internet system, many of the computers used in the attacks were traced back to computers in Russian government offices. At the time of the attacks, Estonian Foreign Minister Urmas Paet accused the Kremlin of direct involvement in the cyberattacks. A few months later in September 2007, Estonia’s defense minister admitted he had no evidence linking cyber attacks to Russian authorities. What could not be directly determined was whether these computers were simply “zombies” hijacked by bots and were not under the control of the Russian government or whether they were actively being used by government personnel.

At the time, Dmitry Peskov, the Kremlin’s chief spokesman, told the BBC’s Russian Service there was “no way the [Russian] state [could] be involved in cyber terrorism”. Two years later, On March 10, 2009 Konstantin Goloskokov, a “commissar” of Kremlin-backed youth group Nashi has claimed responsibility for the attack. Whether or not they are is up for debate, as another Russian politician claimed his assistant was responsible for it.

Estonia was particularly vulnerable to this type of attack, but the lesson is clear for the broader developed world. A concerted effort made by either a government (?) or a group of people trying to teach another country a lesson can wreak serious havoc on a country’s economy. Such an attack is a national security issue and a case can be made that it falls within the realm of government oversight.

Sources:
• You will want to check out Stratfor’s very good summary on the issue, available at this link (no subscription required).
• Wikipedia has a good summary available here.
• The BBC reported on this event two years ago. Summary is similar to the above articles.