Cyberwarfare 101: Case Study of a Textbook Attack

MEMBERS-ONLY PODCAST Interactive Cyberwarfare Timeline Editor's note: This is part of a series of analyses on the emergence of cyberspace as battlespace. During the night of April 26-27, 2007, in downtown Tallinn, Estonia, government workers took down and moved a Soviet-era monument commemorating World War II called the Bronze Soldier, despite the protests of some 500 ethnic Russian Estonians. For the Kremlin — and Russians in general — such a move in a former Soviet republic was blasphemy. It was also just the kind emotional flash point that could spark a "nationalistic" or "rally-around-the-flag" movement in cyberspace. By 10 p.m. local time on April 26, 2007, digital intruders began probing Estonian Internet networks, looking for weak points and marshaling resources for an all-out assault. Bursts of data were sent to important nodes and servers to determine their maximum capacity — a capacity that the attackers would later exceed with floods of data, crashing servers and clogging connections. A concerted cyberwarfare attack on Estonia was under way, one that would eventually bring the functioning of government, banks, media and other institutions to a virtual standstill and ultimately involve more than a million computers from some 75 countries (including some of Estonia's NATO allies). Estonia was a uniquely vulnerable target. Extremely wired, despite its recent status as a Soviet republic, Estonian society had grown dependent on the Internet for virtually all the administrative workings of everyday life — communications, financial transactions, news, shopping, restaurant reservations, theater tickets and bill paying. Even parliamentary votes were conducted online. When Estonia's independence from the Soviet Union was restored in 1991, not even telephone connections were reliable or widely available. Today, more than 60 percent of the population owns a cell phone, and Internet usage is already on par with Western European nations. In 2000, Estonia's parliament declared Internet access a basic human right. Some of the first targets of the attack were the Estonian parliament's e-mail servers and networks. A flood of junk e-mails, messages and data caused the servers to crash, along with several important Web sites. After disabling this primary line of communications among Estonian politicians, some of the hackers hijacked Web sites of the Reform Party, along with sites belonging to several other political groups. Once they gained control of the sites, hackers posted a fake letter from Estonian Prime Minister Andrus Ansip apologizing for ordering the removal of the World War II monument. By April 29, 2007, massive data surges were pressing the networks and rapidly approaching the limits of routers and switches across the country. Even though not all individual servers were taken completely offline, the entire Internet system in Estonia became so preoccupied with protecting itself that it could scarcely function. During the first wave of the assault, network security specialists attempted to erect barriers and firewalls to protect primary targets. As the attacks increased in frequency and force, these barriers began to crumble. Seeking reinforcements, Hillar Aarelaid, chief security officer for Estonia's Computer Emergency Response Team, began calling on contacts from Finland, Germany, Slovenia and other countries to assemble a team of hackers and computer experts to defend the country. Over the next several days, many government ministry and political party Web sites were attacked, resulting either in misinformation being spread or the sites being made partially or completely inaccessible. After hitting the government and political infrastructure, hackers took aim at other critical institutions. Several denial-of-service attacks forced two major banks to suspend operations and resulted in the loss of millions of dollars (90 percent of all banking transactions in Estonia occur via the Internet). To amplify the disruption caused by the initial operation, hackers turned toward media outlets and began denying reader and viewer access to roughly half the major news organizations in the country. This not only complicated life for Estonians but also denied information to the rest of the world about the ongoing cyberwar. By now, Aarelaid and his team had gradually managed to block access to many of the hackers' targets and restored a degree of stability within the networks. Then on May 9, the day Russia celebrates victory over Nazi Germany, the cyberwar on Estonia intensified. Many times the size of the previous days' incursions, the attacks may have involved newly recruited cybermercenaries and their bot armies. More than 50 Web sites and servers may have been disabled at once, with a data stream crippling many other parts of the system. This continued until late in the evening of May 10, perhaps when the rented time on the botnets and cybermercenaries' contracts expired. After May 10, the attacks slowly decreased as Aarelaid managed to take the botnets offline by working with phone companies and Internet service providers to trace back the IP addresses of attacking computers and shut down their Internet service connections. During the defense of Estonia's Internet system, many of the computers used in the attacks were traced back to computers in Russian government offices. What could not be determined was whether these computers were simply "zombies" hijacked by bots and were not under the control of the Russian government or whether they were actively being used by government personnel. Although Estonia was uniquely vulnerable to a cyberwarfare attack, the campaign in April and May of 2007 should be understood more as a sign of things to come in the broader developed world. The lessons learned were significant and universal. Any country that relies on the Internet to support many critical, as well as mundane day-to-day, functions can be severely disrupted by a well-orchestrated attack. Estonia, for one, is unlikely ever to reduce its reliance on the Internet, but it will undoubtedly try to develop safeguards to better protect itself (such as filters that restrict internal traffic in a crisis and deny anyone in another country access to domestic servers). Meanwhile, the hacker community will work diligently to figure out a way around the safeguards. One thing is certain: Cyberattacks like the 2007 assault on Estonia will become more common in an increasingly networked world, which will have to learn — no doubt the hard way — how to reduce vulnerability and more effectively respond to such attacks. Perhaps most significant is the reminder Estonia provides that cyberspace definitely favors offensive operations. Next: U.S.: Strengthening Cybersecurity