Home » Security » Virtual War in Estonia

Virtual War in Estonia

June 1, 2007


Since the Internet first became popular, users have suffered at the hands of those seeking to cause mischief, commit fraud, or profit by jamming email boxes with spam. There has also been transnational brinksmanship with nations trying to learn other nations’ secrets by hacking into sensitive networks. Last year, for example, the U.S. Naval War College had to take its computer system offline after its security system was breached, apparently by someone in China. The Chinese also apparently caused the U.S. Department of Commerce to take its computers offline (see my post on that incident). A new chapter has now been written in the book of cyber skirmishes and the storyline comes from the small Baltic nation of Estonia [“Digital Fears Emerge After Data Siege in Estonia,” by Mark Landler and John Markoff, New York Times, 29 May 2007]. The problem started when the Estonians decided it was time to shed the last vestiges of their Cold War occupation by the Soviets.

“When Estonian authorities began removing a bronze statue of a World War II-era Soviet soldier from a park in this bustling Baltic seaport last month, they expected violent street protests by Estonians of Russian descent. They also knew from experience that ‘if there are fights on the street, there are going to be fights on the Internet,’ said Hillar Aarelaid, the director of Estonia’s Computer Emergency Response Team.”

As I noted in a recent post [On Becoming a Tiger], Estonia has become one of the world’s developmental hot spots and it ranks first on the World Liberty Index. It has become a model nation for others. Estonia’s booming economy, however, rests in large measure on its ability to connect — to each other and to the rest of the world. Landler and Markoff write:

“For people here the Internet is almost as vital as running water; it is used routinely to vote, file their taxes, and, with their cellphones, to shop or pay for parking.”

That’s what made Estonia’s connectivity a target. What happened next, according to Landler and Markoff, is what some in Estonia describe as the first “war” in cyberspace.

“A monthlong campaign … has forced Estonian authorities to defend their pint-size Baltic nation from a data flood that they say was set off by orders from Russia or ethnic Russian sources in retaliation for the removal of the statue. The Estonians assert that an Internet address involved in the attacks belonged to an official who works in the administration of Russia’s president, Vladimir V. Putin. The Russian government has denied any involvement in the attacks, which came close to shutting down the country’s digital infrastructure, clogging the Web sites of the president, the prime minister, Parliament and other government agencies, staggering Estonia’s biggest bank and overwhelming the sites of several daily newspapers. ‘It turned out to be a national security situation,’ Estonia’s defense minister, Jaak Aaviksoo, said in an interview. ‘It can effectively be compared to when your ports are shut to the sea.’ Computer security experts from NATO, the European Union, the United States and Israel have since converged on Tallinn to offer help and to learn what they can about cyberwar in the digital age.”

A port blockade is usually considered an act of war. That is why the Estonians are treating this cyber attack so seriously. Others are also taking notice.

“This may well turn out to be a watershed in terms of widespread awareness of the vulnerability of modern society,” said Linton Wells II, the principal deputy assistant secretary of defense for networks and information integration at the Pentagon. “It has gotten the attention of a lot of people.”

Landler and Markoff provide the details of the attack:

“When the first digital intruders slipped into Estonian cyberspace at 10 p.m. on April 26, Mr. Aarelaid figured he was ready. He had erected firewalls around government Web sites, set up extra computer servers and put his staff on call for a busy week. By April 29, Tallinn’s streets were calm again after two nights of riots caused by the statue’s removal, but Estonia’s electronic Maginot Line was crumbling. In one of the first strikes, a flood of junk messages was thrown at the e-mail server of the Parliament, shutting it down. In another, hackers broke into the Web site of the Reform Party, posting a fake letter of apology from the prime minister, Andrus Ansip, for ordering the removal of the highly symbolic statue. At that point, Mr. Aarelaid, a former police officer, gathered security experts from Estonia’s Internet service providers, banks, government agencies and the police. He also drew on contacts in Finland, Germany, Slovenia and other countries to help him track down and block suspicious Internet addresses and halt traffic from computers as far away as Peru and China.

“The bulk of the cyberassaults used a technique known as a distributed denial-of-service attack. By bombarding the country’s Web sites with data, attackers can clog not only the country’s servers, but also its routers and switches, the specialized devices that direct traffic on the network. To magnify the assault, the hackers infiltrated computers around the world with software known as bots, and banded them together in networks to perform these incursions. The computers become unwitting foot soldiers, or ‘zombies,’ in a cyberattack. In one case, the attackers sent a single huge burst of data to measure the capacity of the network. Then, hours later, data from multiple sources flowed into the system, rapidly reaching the upper limit of the routers and switches. By the end of the first week, the Estonians, with the help of authorities in other countries, had become reasonably adept at filtering out malicious data. Still, Mr. Aarelaid knew the worst was yet to come. May 9 was Victory Day, the Russian holiday that marks the Soviet Union’s defeat of Nazi Germany and honors fallen Red Army soldiers. The Internet was rife with plans to mark the occasion by taking down Estonia’s network. Mr. Aarelaid huddled with security chiefs at the banks, urging them to keep their services running. He was also under orders to protect an important government briefing site. Other sites, like that of the Estonian president, were sacrificed as low priorities.”

The tool that permitted the attacks to be so persistent, however, were bots [read my earlier posts on bots and botnets Bots and Network Security and Zombie Computer Threat Increasing]. Back to Estonia:

“The attackers used a giant network of bots — perhaps as many as one million computers in places as far away as the United States and Vietnam — to amplify the impact of their assault. In a sign of their financial resources, there is evidence that they rented time on other so-called botnets. … In the early hours of May 9, traffic spiked to thousands of times the normal flow. May 10 was heavier still, forcing Estonia’s biggest bank to shut down its online service for more than an hour. Even now, the bank, Hansabank, is under assault and continues to block access to 300 suspect Internet addresses. It has had losses of at least $1 million. Finally, on the afternoon of May 10, the attackers’ time on the rented servers expired, and the botnet attacks fell off abruptly. All told, Arbor Networks measured dozens of attacks. The 10 largest assaults blasted streams of 90 megabits of data a second at Estonia’s networks, lasting up to 10 hours each. That is a data load equivalent to downloading the entire Windows XP operating system every six seconds for 10 hours.”

The authors note that Estonia’s defense was good, but not flawless. Few other countries, however, could have mounted a better overall battle. One of the most interesting fall-outs of the incident is that NATO is rethinking its mission.

“For NATO, the attack may lead to a discussion of whether it needs to modify its commitment to collective defense, enshrined in Article V of the North Atlantic Treaty. Mr. Aarelaid said NATO’s Internet security experts said little but took copious notes during their visit. Because of the murkiness of the Internet — where attackers can mask their identities by using the Internet addresses of others, or remotely program distant computers to send data without their owners even knowing it — several experts said that the attackers would probably never be caught. American government officials said that the nature of the attacks suggested they were initiated by “hacktivists,” technical experts who act independently from governments.”

It used to seem laughable for people to talk about cyber attacks in the same way they talked about missiles, bombs, and tanks. That is no longer the case. Cyber attacks can have serious national security consequences. The Estonian incident will provide a case study that those concerned about cyber security will ponder for years.

Related Posts: