Looking back at the cyberwar against Estonia

August 21, 2007

It began in mid-April, when the Estonian government ruled to remove a monument dedicated to Soviet soldiers who died in WWII as Estonia was being liberated from one of Tallinn's central squares.1

Unveiled in 1947 by the returning Soviet occupiers, who had been kicked out by the Nazis, the Bronze Soldier was met with mixed feelings by ethnic Estonians, who were then subjected to half a century of Russian rule, under which a tenth of the population was deported to the gulag.4

Many ethnic Estonians hated the Soviets then, hate Russia now and are not particularly grateful to the Red Army, which departed in 1994 only.5

This decision by Estonia to remove the monument was met with great protest from Russia and led to an exacerbation of the political ties between the two countries.1

With a tiny population of 1.4 million, Estonia is almost entirely run on computers. The land that helped develop the free VOIP and instant messenger program Skype hosts wireless zones not just on cafe-lined streets, but in gas stations and remote national parks. Estonians bank, vote and pay their taxes online through digital identity cards that are scanned by easy insertion into slots in their laptops, devices that the country's "paperless" government uses to conduct cabinet meetings and draft legislation. Indeed, so proud was Estonia of its commitment to broadband efficiency—and the web's concomitant freedom of information—that its parliament passed a law in 2000 declaring Internet access a basic human right.4

On April 27, immediately after the Estonian police broke up a demonstration in Tallinn that had gathered in protest at the removal of the monument, the Estonian websites of the president, the prime minister, the Estonian parliament, police, and a number of ministries were overloaded with an enormous number of requests from thousands of computers located around the world.1

According to studies conducted by the experts at Finland-based F-Secure, the following websites were completely inaccessible on April 28:

* www.peaminister.ee (Website of the prime minister): unreachable
* www.mkm.ee (Ministry of Economic Affairs and Communications): unreachable
* www.sisemin.gov.ee (Ministry of Internal Affairs): unreachable
* www.vm.ee (Ministry of Foreign Affairs): unreachable
* www.valitsus.ee (Estonian Government): unreachable
* www.riigikogu.ee (Estonian Parliament): unreachable1

The first attack lasted roughly until May 4. During this DDoS attack, over ten Estonian sites took a lashing. In the course of two weeks, they recorded 128 individual DDoS attacks, of which 115 utilized a typical ICMP-flood, 4 used SYN, and the remaining 9 were different variants of attacks meant to increase traffic.1 Botnets flooded Estonian addresses with traffic anywhere from 100 to 1000 times ordinary levels.3

The method and organization of the attacks suggest that the perpetrators had national paralysis in mind. 4

How did the Estonian authorities respond? Estonian politicians broke an unspoken rule when they accused the Russian special service of orchestrating the attacks - and for the first time, the word "cyberwar" was used at this level. This was the first time in history that one government accused another of launching a cyber attack. This never happened during the conflict between India and Pakistan, when the hackers of these two countries engaged in a virtual battle with one another on the Internet in the late nineties.1

The computer community is now playing with the words "cyberwar" and "cyber terrorism" and labeling Russia as the first country to use the "digital bomb".1

The Estonians, and much of the world press, initially characterized this as the first true information war. Fingers were pointed towards the Russian government, largely on the basis of IP addresses (probably spoofed) traced to government facilities. For their part, Russian officials hotly denied any involvement.3

In Russia's defense, while it is true that the "zombies," or infiltrated computers used to clog Estonian websites were traced to places like Canada, Brazil and Vietnam, a number also led straight into the offices of Kremlin and other Russian agencies—not easy silicon curtains to penetrate, even for the most enterprising hacker. Russian officials refused to comply with early requests to help trace IP addresses of any cyber-blitzers who might have been piggybacking off Russian servers.4

Later, Yaak Aaviksoo, the Estonian Minister of Defense, proposed declaring that the cyber attacks were a form of military action. "At present, NATO does not view cyber attacks as military action. That means that the NATO countries which have fallen victim to these attacks are automatically not included under the fifth article of the NATO agreement on military protection. None of the NATO Ministers of Defense today would recognize a cyber attack as military action. This issue must be resolved soon."1

One of the current issues for decision-makers in NATO countries is whether to respond to such attacks with "cyber retaliation," or with retaliatory actions in the physical world (i.e. military force), or both. 7

NATO eventually rushed a cyber-warfare team to the country to assist the Estonian government, and the nation's justice minister requested that the European Union classify the attacks as acts of terrorism.2

But nothing could be established by the NATO experts. Basically, the accusations that the Russian government was involved were based on the single, isolated fact that the Estonian president’s website had been visited from an IP address that "belongs to an employee of the Russian presidential administration."1

Experts from around the world poured into Estonia - from the US, Europe and Israel. Some came to help counter the threat, while others arrived to gain invaluable experience by observing the conflict and learning from it so that they might contribute to the security of their own countries.1

"I don’t think it was Russia, but how do you prove that?" asked Gadi Evron, an IT security expert from Israel. Evron traveled to Tallinn for 4 days and conducted, so to speak, a post-mortem examination of the Estonian system. "The Internet is ideally suited for plausibly refuting anything, really."1

After the attacks against Estonia stopped, experts have returned to their home countries, manufacturers of network equipment have entered into numerous new contracts, journalists have written dozens of articles about what happened, and in the end the statue was put in a new place, and the remains of Soviet soldiers were reburied.1

One positive result of the attacks against Estonia has been greater global attention to the cyber-warfare threat. Dr. Linton Wells II, a former principal deputy to the assistant secretary of defense for networks and information integration, has suggested that the Estonia attacks "may well turn out to be a watershed in terms of widespread awareness of the vulnerability of modern society."2

So who was ultimately behind the attacks? Portions of the attacks looked suspiciously like there was some central coordination happening; but it's as yet impossible to trace anything back to the government. 3

Russian speaking bloggers urged people to attack Estonian web sites. They provided URLs and instructions on how to ping the sites over and over by repeatedly striking keys, creating an online mob. "It's brilliant," Evron said. "You get other people to do your work for you." 6

The irony is that nations like the United States and its NATO Allies, that have the capacity to excel in cyber war as an adjunct to military operations - and can achieve information dominance over the battlefield - are also those most vulnerable to unrestricted cyber war.7

In a 2003 Military Review article addressing the proliferation of cyber attacks—particularly as it has been waged in the past between Israeli and Palestinian hackers—authors Patrick D. Allen and Chris C. Demchak shrewdly compared the phenomenon to the Spanish Civil War. In both instances, far-flung civilian volunteers were called into action—or "horizontally escalated"—through the use of targeted propaganda (as mentioned, Russian language instructions explaining how and when to infiltrate Estonian systems were posted all over the web in the days leading up to the first sortie.) State sponsorship was plausibly deniable: If the Comintern could control the Abraham Lincoln Brigade, what's to stop a government from either openly or covertly corralling citizen "hacktivists" to do its dirty work? Most ominous of all, the event may be taken as a prelude to a later and more devastating assault, involving a greater number of players.4

Modern network attacks almost always favours the aggressor. 7

The threshold necessary for small groups to conduct warfare has finally been breached, and we are only starting to feel its effects. Nonstate actors in the form of terrorists, crime syndicates, gangs and networked tribes are stepping into the breach to lay claim to areas once in the sole control of states.5

Traditional lines between war and peace are becoming blurred. This development was presaged by the Cold War, but is even more obvious in the war against terrorism in the wake of the 11 September attacks on the World Trade Center and the Pentagon. It suggests that the computerised information systems of NATO member states are likely to be the continuing target of attacks by a non-traditional enemy, whose main goal is physical destruction and disruption and who is likely to exploit vulnerabilities wherever they are to be found.7

1. "Malware Evolution: April - June 2007", Kaspersky Lab, August 7, 2007

2. "The cyberwar against the United States", The Boston Globe, August 19, 2007

3. "Estonia's lesson for cyberwar fighters: Learn digital crowd control", Wired, August 10, 2007

4. "Here Come the Cyber Wars", Reason Magazine, August 17, 2007

5. "Estonia's unsolved zombie insurgence", CIO Government Review, July 23, 2007

6. "How an Online Mob Crippled a Nation", Baseline Security, August 03, 2007

7. "Countering cyber war", NATO, January 11, 2002