Cyberwarfare 101: Case Study of a Textbook Attack, part 2

This post continues on from my previous post on the cyberattack on Estonia in 2007.

During the first wave of the assault, network security specialists attempted to erect barriers and firewalls to protect primary targets. As the attacks increased in frequency and force, these barriers began to crumble.

Seeking reinforcements, Hillar Aarelaid, chief security officer for Estonia’s Computer Emergency Response Team, began calling on contacts from Finland, Germany, Slovenia and other countries to assemble a team of hackers and computer experts to defend the country. Over the next several days, many government ministry and political party Web sites were attacked, resulting either in misinformation being spread or the sites being made partially or completely inaccessible.

After hitting the government and political infrastructure, hackers took aim at other critical institutions. Several denial-of-service attacks forced two major banks to suspend operations and resulted in the loss of millions of dollars (90 percent of all banking transactions in Estonia occur via the Internet). To amplify the disruption caused by the initial operation, hackers turned toward media outlets and began denying reader and viewer access to roughly half the major news organizations in the country. This not only complicated life for Estonians but also denied information to the rest of the world about the ongoing cyberwar. By now, Aarelaid and his team had gradually managed to block access to many of the hackers’ targets and restored a degree of stability within the networks.

Then on May 9, the day Russia celebrates victory over Nazi Germany, the cyberwar on Estonia intensified. Many times the size of the previous days’ incursions, the attacks may have involved newly recruited cybermercenaries and their bot armies. More than 50 Web sites and servers may have been disabled at once, with the flood of traffic crippling many other parts of the system. This continued until late in the evening of May 10, perhaps when the rented time on the botnets and the cybermercenaries’ contracts expired. After May 10, the attacks slowly decreased as Aarelaid managed to take the botnets offline by working with phone companies and Internet service providers to trace back the IP addresses of the attacking computers and shut down their Internet service connections.

During the defense of Estonia’s Internet system, many of the computers used in the attacks were traced back to computers in Russian government offices. What could not be determined was whether these computers were simply “zombies” hijacked by bots and were not under the control of the Russian government or whether they were actively being used by government personnel.

Although Estonia was uniquely vulnerable to a cyberwarfare attack, the campaign in April and May of 2007 should be understood more as a sign of things to come in the broader developed world. The lessons learned were significant and universal. Any country that relies on the Internet to support many critical as well as mundane day-to-day functions can be severely disrupted by a well-orchestrated attack. Estonia, for one, is unlikely ever to reduce its reliance on the Internet, but it will undoubtedly try to develop safeguards to better protect itself (such as filters that restrict traffic to domestic sources in a crisis and deny anyone in another country access to domestic servers). Meanwhile, the hacker community will work diligently to figure out a way around the safeguards.

One thing is certain: Cyberattacks like the 2007 assault on Estonia will become more common in an increasingly networked world, which will have to learn — no doubt the hard way — how to reduce vulnerability and more effectively respond to such attacks. Perhaps most significant is the reminder Estonia provides that cyberspace definitely favors offensive operations.