
Estonia: To Blackout an Entire Country – Part 2

October 8, 2013 by Dimitar Kostadinov

IV. Attack Targets & Impact

The main targets appear to have been information distribution channels owned either by the Estonian government or by private-sector and business web portals, in particular those of banks. Notably, the functioning of critical databases, registers and systems remained almost unaffected throughout the entire Baltic cyber crisis. Somewhat surprisingly, the classic critical infrastructure objects, the information systems that keep the transport and energy systems working, were left untouched by the attackers.

On the other hand, the national internet infrastructure was hit hard. For a while the national emergency number 112 was disabled, and citizens seeking emergency help were practically left on their own.


To summarize, the 2007 cyber attacks against Estonia fell mainly into four target groups:

  • Servers of organizations and institutions that are the backbone of the Estonian online infrastructure
  • Government and other targets of political significance
  • Services, such as internet services, owned by the private sector
  • Personal or random targets (Tikk, Kaska, & Vihul, 2010)

    How did Estonia overcome the attack?

    Measures of Political & Institutional Character

    • Estonia's Computer Emergency Response Team (CERT) operated as a coordination unit, shielding Estonia's most vital resources. On May 10th, the country was on its way to a total digital collapse that would have created a wave of widespread social disruption. Fortunately, CERT prevailed and Estonia succeeded in avoiding the worst-case scenario (Shackelford, 2009).

    • Estonia is a NATO and EU member state, and IT specialists from these institutions came to the rescue of the Estonian authorities struggling with the incoming DDoS attacks (Schreier, 2011). For NATO, the episode may force a reconsideration of its foundational policies on the collective defence of member states (Janczewski & Colarik, 2008).

    • Germany, Italy, Spain, Latvia, Lithuania and Slovakia funded and supported CERT, the hub in Tallinn, so that Estonia could restore its IT infrastructure.

    • The President of Estonia offered up his own website as a decoy, accepting the blow as a kind of bulletproof vest so that more critical online infrastructure would be spared.

    • Estonia organized an international tech summit in 2008 on combating computer-based attacks.

    • In the wake of the Baltic cyber barrage, NATO established the Cooperative Cyber Defence Centre of Excellence (CCD COE), headquartered in Tallinn. Its staff of thirty specialists had the main task of advancing cyber defence and setting up a flexible policy for assisting allies during cross-jurisdictional attacks. In addition, the Centre organizes training courses for representatives of alliance member states (Schreier, 2011).


    Technical Measures

    • Local websites under attack were deliberately cut off from foreign Internet addresses and left accessible to domestic users only.

    • They filtered out 99% of the bogus traffic coming from outside Estonia. Institutions and private companies were forced to block all traffic, malicious or not, originating from other countries, so that their systems could be restored later. That decision was dictated by the fact that the DDoS attacks sowing informational havoc across Estonia were being launched from infected and hijacked PCs throughout the world, and therefore carried foreign IP addresses. By blocking incoming foreign traffic, the local authorities managed to keep their systems running and relatively intact; however, all legitimate users from outside the country were blocked as well. Meanwhile, security experts made a great effort to trace the bots, that is, the compromised computers, and notified the responsible ISPs so they could be blocked, thereby breaking the chain of overwhelming traffic (http://software-engineer-training.com/the-cyber-attacks-in-estonia-august-2007/, 2007).

    • Online "diversion" tactics were used to steer attackers toward websites that had already been compromised.

    • Advanced filters were installed to sift the traffic; subsequently, Cisco Guard was deployed to reduce the malicious traffic.

    • Bots were located and blocked at the root DNS servers. The following passage, recounted by a journalist who got a look behind the scenes, bears witness to the step-by-step effort that this involved:

    Immediately, Aarelaid and his team started chasing the sources upstream. What they found was a botnet comprising mostly of hijacked computers in the US. As Aarelaid identified a specific address, Woodcock and Lindqvist sent rapid-fire emails to network operators throughout the world, asking for the IPs to be blocked at the source. Their goal was to block traffic before it could enter Estonia's major international connections. One by one, they picked off the bots, and by dawn they had deflected the attackers.
    (Davis, 2007, p. 8)

    • CERT convinced ISPs around the world to compile a blacklist of the attacking computers that were swamping Estonia's bandwidth.

    • One of the measures relied on blocking the entire .ru domain. Nevertheless, the botnet attack consisted of about a million zombie computers, traced to countries as dissimilar as the United States, Peru, Vietnam, China and Egypt (Toth, 2007-2008).

    • CERT attempted to examine server data and logs in order to uncover the perpetrators' identities.

    • Among the unofficial actions reported were a couple of Russian websites defaced with the notices "Proud to be Estonian!" and "Estonia forever!" (Toth, 2007-2008).
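The technical measures above describe two very different responses to the flood: the blunt "block everything foreign" filter, which also locked out legitimate users abroad, and the targeted work of tracing individual bots and asking their upstream operators to block them at the source. The script below is an added illustration of that triage, not code from the article or from Estonia's CERT. It works on constructed access-log lines and a constructed prefix-to-operator table (the operator names, abuse addresses and the `parse`, `flood_sources`, `compare_policies` and `notification_lists` functions are all hypothetical): it flags sources whose request rate exceeds a threshold within a sliding window, measures the collateral damage of a country-wide block versus per-bot blocking, and groups the flagged bots by the network that can stop them upstream.

```python
"""Triage of a request flood against one web front end (added example, constructed data):
find the flooding sources, compare a country-wide block with targeted per-bot blocking,
and group the bots by upstream operator so each can be notified."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed access-log lines: "<epoch seconds> <src_ip> <country> <bytes>".
# Three hijacked hosts send one request per second; a few ordinary visitors are mixed in.
LOG_LINES = (
    [f"{1178740000 + i} 203.0.113.7 US 512" for i in range(300)]
    + [f"{1178740000 + i} 198.51.100.23 PE 512" for i in range(250)]
    + [f"{1178740000 + i} 192.0.2.99 VN 512" for i in range(220)]
    + ["1178740010 192.0.2.5 EE 4096", "1178740020 192.0.2.6 EE 4096",
       "1178740030 203.0.113.50 US 4096", "1178740040 198.51.100.8 DE 4096"]
)

# Constructed prefix -> (operator, abuse contact) table; stands in for whois/RIR lookups.
UPSTREAMS = {
    ip_network("203.0.113.0/24"): ("ExampleNet-US", "abuse@example-us.invalid"),
    ip_network("198.51.100.0/24"): ("ExampleTel-PE", "abuse@example-pe.invalid"),
    ip_network("192.0.2.64/26"): ("ExampleISP-VN", "abuse@example-vn.invalid"),
    ip_network("192.0.2.0/26"): ("ExampleISP-EE", "abuse@example-ee.invalid"),
}


def parse(lines):
    """Turn raw log lines into (timestamp, ip, country, bytes) tuples."""
    records = []
    for line in lines:
        ts, ip, cc, nbytes = line.split()
        records.append((int(ts), ip_address(ip), cc, int(nbytes)))
    return records


def flood_sources(records, window_s=60, threshold=50):
    """Return {ip: peak requests in any window_s-second window} for IPs at or above threshold."""
    by_ip = defaultdict(list)
    for ts, ip, _, _ in records:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):
            # Slide the window start forward until it covers at most window_s seconds.
            while t - stamps[start] >= window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def compare_policies(records, bots, home_cc="EE"):
    """Collateral damage of 'block all foreign traffic' versus 'block only the flagged bots'."""
    bot_ips = set(bots)
    legit = {ip for _, ip, _, _ in records if ip not in bot_ips}
    foreign = {ip for _, ip, cc, _ in records if cc != home_cc}
    return {
        "geo_block": {"bots_stopped": len(bot_ips & foreign),
                      "legit_users_lost": len(legit & foreign)},
        "targeted": {"bots_stopped": len(bot_ips), "legit_users_lost": 0},
    }


def notification_lists(bots):
    """Group flagged bots by the upstream operator that can block them at the source."""
    per_operator = defaultdict(list)
    for ip in bots:
        for prefix, owner in UPSTREAMS.items():
            if ip in prefix:
                per_operator[owner].append(str(ip))
                break
        else:  # no covering prefix known: still worth listing for manual follow-up
            per_operator[("UNKNOWN", None)].append(str(ip))
    return {owner: sorted(ips) for owner, ips in per_operator.items()}


if __name__ == "__main__":
    recs = parse(LOG_LINES)
    bots = flood_sources(recs)
    print("flagged sources:", {str(ip): peak for ip, peak in bots.items()})
    print("policy comparison:", compare_policies(recs, bots))
    for (operator, contact), ips in notification_lists(bots).items():
        print(f"notify {operator} <{contact}>: {', '.join(ips)}")
```

On the constructed data the country-wide block stops all three bots but also drops the two legitimate foreign visitors, while the targeted list stops the same three bots with no collateral loss; the per-operator lists are what the upstream e-mails described in the Davis passage would carry.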


    V. Succinct Legal Commentary

    What happened in Estonia in spring 2007 raised many disputes about the legal side of those cyber attacks. Several questions are frequently asked with respect to their legality:

    • Which legal provision(s) is (are) violated?

    • What kind of legal repercussions await the perpetrator?

    • What types of response are considered just?

    This article does not aim to disentangle these complex questions, but it may give a rough idea.

    De jure, the most important question as far as the law is concerned is who the perpetrator is. If it is a person or a group of individuals not connected in any way to a state, the matter is largely a criminal one. Conversely, if suspicion falls on state involvement, and is duly proven...

    First, regarding the Estonia 2007 cyber attacks, one could invoke a long line of legal norms: Articles 2(4), 41 and 51 of the UN Charter; Article 5 of the North Atlantic Treaty; Articles 51 and 52(2) of Additional Protocol I; Article 35 of the ITU; and Article 19 of UNCLOS. That list is by no means complete. Secondly, in the typical case the legal repercussions are those laid down in the relevant provision. In practice, financial and economic sanctions are often applied in the less grave forms of interstate conflict. Third, responses also vary according to the law, but legally permissible unilateral military action is restricted to only one case: the right of self-defense envisaged in Article 51 of the UN Charter.

    To close the subject: judging by how institutions like NATO and the UN Security Council reacted during and after the Estonia case, there seemed to be neither firm policy nor legal certainty for these organizations to lean on. If the excuse is that the case was without precedent, well, that excuse is no longer available.

    VI. Why Does Suspicion Fall on the Eastern Neighbour?

    Estonia – Russia affairs in terms of recent history

    For many foreign observers, the sudden cyber flooding of April 2007, orchestrated to clog the heart and veins of Estonia's IT infrastructure, was somewhat incomprehensible. Questions deluged the media, such as "who's behind it?" or "why does Estonia appear out of nowhere under such severe DDoS attacks?" They spread like the Greek fire used by the Saracens to repel the Crusaders in the thirteenth century. To answer questions of identity and motive, one should look at the whole story in a multidisciplinary context (historical, political and technological).


    To make a long story short, there are many ethnic Russians living in Estonia who had originally moved there voluntarily, as far back as the time when the country was part of the Soviet Union. After Perestroika and the fall of the Berlin Wall, the Estonian authorities did not manage to unify the disparate, though similar, ethnic groups. For instance, while the two Baltic neighbours, Latvia and Lithuania, granted universal citizenship to all people residing within their borders, Estonia refused to do so. The alternative route to citizenship is naturalization, which is a long journey (Richards, 2009).

    As a result, inter alia, many ethnic Russians came to feel disillusioned and disaffected; hence, over time, alienation between the different ethnicities within Estonian society became firmly rooted. That state of division created an unstable political situation that could easily be manipulated by foreign countries such as Russia (Richards, 2009). It should also be emphasized that some of the most brutal and inhumane conflicts in the history of mankind occurred where strong ethnic hatred had smouldered below the surface for a long time (e.g., the Bosnian war, Rwanda, the Holocaust during World War II).

    A situation like that is combustible, and the Estonian Parliament's decision to remove the Bronze Soldier memorial from a central square in Tallinn, the main precipitating event, gave ignition (Richards, 2009).

    The memorial removal and its aftermath

    On the one hand, Estonians regard the statue as a symbol of an obnoxious foreign occupation; on the other hand, Russians viewed its relocation as an act of desecration and were undoubtedly infuriated (Shackelford, 2009). In no time at all, ethnic Russians organized massive public protests, which for one reason or another quickly mutated into street riots, with over a thousand people arrested and one killed. The Estonian embassy in Moscow was besieged and, on top of that, the Estonian ambassador was attacked. Moreover, the Russian government imposed economic sanctions on Estonia, and a Russian delegation was sent to Tallinn to try to talk the local government round (Michael, 2010).

    What followed was a series of cyber attacks against Estonian information assets (April-May 2007), which you can read about in the first two articles dedicated to the Estonian cyber saga.

    The funny moment in this story, if there is one, came when the street riots were so heated and almost out of control that the government was preoccupied with them as an "immediate and visible concern", and all of a sudden "some geek (is) coming and saying 'do you know we are under cyber attack as well?'" (Michael, 2010, p. 13).

    Other Probable Arguments:

    Origin of the Attacks

    The technical data on the attackers' location was not very helpful here: the bots that pushed the crushing volume of data toward Estonia's information nodes were spread across a great variety of locations (Tikk, Kaska, Runnimeri, Kert, Taliharm, & Vihul, 2008).

    Distribution of Instructions and Malicious Software

    A downloadable script for generating ping floods against Estonian websites (listed by DNS name and IP address) was shared among users of several Russian-language message boards (Tikk, Kaska, Runnimeri, Kert, Taliharm, & Vihul, 2008). The package also included the exact times of the coordinated DDoS attacks.

    The most severe attacks coincided chronologically with Victory Day

    Perhaps it is more than pure coincidence that the biggest surge of the three-week cyber siege fell on День Победы (Victory Day, 09 May).

    Putin's speech during the Victory Day parade at Red Square on May 9th, 2007

    During the May 9th parade, Putin publicly announced that "those who are trying today to…desecrate memorials to war heroes are insulting their own people, sowing discord and new distrust between states and people" (Davis, 2007, p. 9). Nevertheless, any direct connection between that speech and the information crisis in Estonia remains speculative.

    The use of expensive botnets

    During that period, the Russian government was accused of involvement in another huge botnet campaign, against chess grandmaster Garry Kasparov, who is also a leader of an alliance of opposition parties in Russia. The internet security firm Arbor Networks found an overlap between the networks involved in that case and the Estonia cyber war (Davis, 2007).

    The Verdict

    A month after the attacks, the U.S. Government, along with several private contractors, assessed that "the cyber attacks were most likely carried out by politically motivated gangs (such as Nashi su), not by Russian security agencies directly" (Shackelford, 2009, p. 17). The participation of many young people who rushed to attack a country by computer means is also notable.

    eStonia: the Internet country


    Estonia is considered the "most connected European state," and its government and society rely on online services all the time. The popular communication software Skype was created there, and by 2005 the country was saturated with free Wi-Fi, with about 60% of citizens connected, allowing them to carry out more than 90% of their banking online, along with other routine payments such as street parking fees (Richards, 2009). Estonia is also renowned for its electronic government services: people can vote, file their taxes, file complaints or contact the government via the Internet.

    That is the bright side of immense connectivity. The other side has more to do with the question of how to protect that heavy dependence. While Estonia allocates substantial sums to research and development for Internet-based services and telecommunications, it does little to develop quality defensive protocols against eventual cyber threats (Richards, 2009). As a general rule, in a country where "the Internet is almost as vital as running water" (Giussani, 2007, par. 1), such neglect is impermissible, because heavy dependence frequently leads to a concomitant heavy loss: "that is what made the cyber attacks against Estonia all the more effective" (Shackelford, 2009, p. 3).

    Conclusion. Importance

    Surprisingly, many foreign publications mentioned the digital assault on the tiny Baltic nation only briefly, almost dismissing the subject as much ado about nothing. What they fail to appreciate is the importance of the event: the genesis of a new, digital form of interstate warfare. The Estonia case highlights how severe and incapacitating effects cyber attacks can have at minimal cost. Moreover, this trial run of a new mode of warfare advertises its most prominent features to others: such attacks are difficult to attribute, relatively precise, bloodless (so far), and ubiquitous.

    In that regard, the Estonia experience raised earnest questions about how governments can ward off cyber attacks without assuming full control over the internet. Never before had an entire country been attacked on virtually every digital line at once, in such a prolonged and public campaign. The lack of a coherent cyber doctrine and a uniform cyber strategy prevents monolithic international institutions like NATO from responding effectively to cyber attacks, as was the case with Estonia in 2007. Taking all of this into account, drawing the proper conclusions matters so that history does not repeat itself…or worse.

    Reference List

    Charvat, J. (2010). Cyber Terrorism: A New Dimension in Battlespace. Retrieved on 07/09/2013 from http://www.ccdcoe.org/publications/virtualbattlefield/05_CHARVAT_Cyber%20Terrorism.pdf

    Davis, J. (2007). Web War I. Retrieved on 07/09/2013 from http://www.wired.com/images/press/pdf/webwarone.pdf

    Estonia Cyber Attacks 2007. Retrieved on 07/09/2013 from http://meeting.afrinic.net/afrinic-11/slides/aaf/Estonia_cyber_attacks_2007_latest.pdf

    Giussani, B. (2007). Estonia under cyberattack: the first electronic war. Retrieved on 07/09/2013 from http://www.lunchoverip.com/2007/05/estonia_under_c.html

    Janczewski, L. & Colarik A. (Eds.). (2008). Cyber Warfare and Cyber Terrorism. Hershey, USA: IGI Global.

    Michael, A. (2010). Cyber Probing: the Politicisation of Virtual Attack. Retrieved on 07/09/2013 from http://www.conflictstudies.org.uk/files/Cyber_Probing.pdf

    Richards, J. (2009). Denial-of-Service: The Estonian Cyberwar and Its Implications for U.S. National Security. Retrieved on 07/09/2013 from http://www.iar-gwu.org/node/65

    Saleem, M. & Hassan, J. (2009). "Cyber warfare", the truth in a real case. Retrieved on 07/09/2013 from http://www.ida.liu.se/~TDDD17/oldprojects/2009/projects/007.pdf

    Shackelford, J. (2009). From Nuclear War to Net War: Analogizing Cyber Attacks in International Law. Retrieved on 07/09/2013 from http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1396375

    Schreier, F. (2011). On Cyberwarfare. Retrieved on 07/09/2013 from www.dcaf.ch/content/download/67316/1025687/file/

    Tikk, E., Kaska, K. & Vihul, L. (2010). International Cyber Incidents: Legal Considerations. Retrieved on 07/09/2013 from http://www.ccdcoe.org/publications/books/legalconsiderations.pdf

    Tikk, E., Kaska, K., Rünnimeri, K., Kert, M., Talihärm, A. & Vihul, L. (2008). Cyber Attacks Against Georgia: Legal Lessons Identified. Retrieved on 07/09/2013 from http://www.carlisle.army.mil/DIME/documents/Georgia%201%200.pdf

    Toth, B. (2007-2008). Estonia under cyber attack. Retrieved on 07/09/2013 from http://www.cert.hu/sites/default/files/Estonia_attack2.pdf

    http://software-engineer-training.com/the-cyber-attacks-in-estonia-august-2007/, 2012

    Dimitar Kostadinov

    Dimitar Kostadinov applied for a 6-year Master's program in Bulgarian and European Law at the University of Ruse, and was enrolled in 2002 following high school. He obtained a Master's degree in 2009. From 2008 to 2012, Dimitar worked in data entry and research for the American company Law Seminars International and its Bulgarian-Slovenian business partner DATA LAB. In 2011, he was admitted to the Law and Politics of International Security programme at Vrije Universiteit Amsterdam, the Netherlands, graduating in August 2012. Dimitar also holds an LL.M. diploma in Intellectual Property Rights & ICT Law from KU Leuven (Brussels, Belgium). Besides legal studies, he is particularly interested in the Internet of Things, Big Data, privacy and data protection, electronic contracts, electronic business, electronic media, telecoms, and cybercrime. Dimitar attended the 6th Annual Internet of Things European Summit organized by Forum Europe in Brussels.