[nsp-sec] [stratfor] Cyberwarfare 101: Case Study of a Textbook Attack
Jose Nazario
jose at arbor.net
Fri Apr 18 10:00:14 EDT 2008
This just landed in my inbox ... I have not heard the podcast.
-- jose
Strategic Forecasting, Inc.
---------------------------
CYBERWARFARE 101: CASE STUDY OF A TEXTBOOK ATTACK
Summary
One of the most mature instances of a cyberwarfare attack was an assault on
Internet networks in Estonia in late April and early May of 2007. The Russian
government was suspected of participating in -- if not instigating -- the
attack, which featured some of the key characteristics of cyberwarfare,
including decentralization and anonymity.
Analysis
Editor's note: This is part of a series of analyses on the emergence of
cyberspace as battlespace.
During the night of April 26-27, 2007, in downtown Tallinn, Estonia, government
workers took down and moved a Soviet-era monument commemorating World War II
called the Bronze Soldier, despite the protests of some 500 ethnic Russian
Estonians. For the Kremlin -- and Russians in general -- such a move in a
former Soviet republic was blasphemy.
It was also just the kind of emotional flash point that could spark a
"nationalistic" or "rally-around-the-flag" movement in cyberspace. By 10 p.m.
local time on April 26, 2007, digital intruders began probing Estonian Internet
networks, looking for weak points and marshaling resources for an all-out
assault. Bursts of data were sent to important nodes and servers to determine
their maximum capacity -- a capacity that the attackers would later exceed with
floods of data, crashing servers and clogging connections.
A concerted cyberwarfare attack on Estonia was under way, one that would
eventually bring the functioning of government, banks, media and other
institutions to a virtual standstill and ultimately involve more than a million
computers from some 75 countries (including some of Estonia's NATO allies).
Estonia was a uniquely vulnerable target. Extremely wired, despite its recent
status as a Soviet republic, Estonian society had grown dependent on the
Internet for virtually all the administrative workings of everyday life --
communications, financial transactions, news, shopping, restaurant
reservations, theater tickets and bill paying. Even parliamentary votes were
conducted online. When Estonia's independence from the Soviet Union was
restored in 1991, not even telephone connections were reliable or widely
available. Today, more than 60 percent of the population owns a cell phone, and
Internet usage is already on par with Western European nations. In 2000,
Estonia's parliament declared Internet access a basic human right.
Some of the first targets of the attack were the Estonian parliament's e-mail
servers and networks. A flood of junk e-mails, messages and data caused the
servers to crash, along with several important Web sites. After disabling this
primary line of communications among Estonian politicians, some of the hackers
hijacked Web sites of the Reform Party, along with sites belonging to several
other political groups. Once they gained control of the sites, hackers posted a
fake letter from Estonian Prime Minister Andrus Ansip apologizing for ordering
the removal of the World War II monument.
By April 29, 2007, massive data surges were pressing the networks and rapidly
approaching the limits of routers and switches across the country. Even though
not all individual servers were taken completely offline, the entire Internet
system in Estonia became so preoccupied with protecting itself that it could
scarcely function.
During the first wave of the assault, network security specialists attempted to
erect barriers and firewalls to protect primary targets. As the attacks
increased in frequency and force, these barriers began to crumble.
Seeking reinforcements, Hillar Aarelaid, chief security officer for Estonia's
Computer Emergency Response Team, began calling on contacts from Finland,
Germany, Slovenia and other countries to assemble a team of hackers and
computer experts to defend the country. Over the next several days, many
government ministry and political party Web sites were attacked, resulting
either in misinformation being spread or the sites being made partially or
completely inaccessible.
After hitting the government and political infrastructure, hackers took aim at
other critical institutions. Several denial-of-service attacks forced two major
banks to suspend operations and resulted in the loss of millions of dollars (90
percent of all banking transactions in Estonia occur via the Internet). To
amplify the disruption caused by the initial operation, hackers turned toward
media outlets and began denying reader and viewer access to roughly half the
major news organizations in the country. This not only complicated life for
Estonians but also denied information to the rest of the world about the
ongoing cyberwar. By now, Aarelaid and his team had gradually managed to block
access to many of the hackers' targets and restored a degree of stability
within the networks.
Then on May 9, the day Russia celebrates victory over Nazi Germany, the
cyberwar on Estonia intensified. Many times the size of the previous days'
incursions, the attacks may have involved newly recruited cybermercenaries and
their bot armies. More than 50 Web sites and servers may have been disabled at
once, with a data stream crippling many other parts of the system. This
continued until late in the evening of May 10, perhaps when the rented time on
the botnets and cybermercenaries' contracts expired. After May 10, the attacks
slowly decreased as Aarelaid managed to take the botnets offline by working
with phone companies and Internet service providers to trace back the IP
addresses of attacking computers and shut down their Internet service
connections.
During the defense of Estonia's Internet system, many of the computers used in
the attacks were traced back to computers in Russian government offices. What
could not be determined was whether these computers were simply "zombies"
hijacked by bots and were not under the control of the Russian government or
whether they were actively being used by government personnel.
Although Estonia was uniquely vulnerable to a cyberwarfare attack, the campaign
in April and May of 2007 should be understood more as a sign of things to come
in the broader developed world. The lessons learned were significant and
universal. Any country that relies on the Internet to support many critical, as
well as mundane day-to-day, functions can be severely disrupted by a
well-orchestrated attack. Estonia, for one, is unlikely ever to reduce its
reliance on the Internet, but it will undoubtedly try to develop safeguards to
better protect itself (such as filters that restrict internal traffic in a
crisis and deny anyone in another country access to domestic servers).
Meanwhile, the hacker community will work diligently to figure out a way around
the safeguards.
One thing is certain: Cyberattacks like the 2007 assault on Estonia will become
more common in an increasingly networked world, which will have to learn -- no
doubt the hard way -- how to reduce vulnerability and more effectively respond
to such attacks. Perhaps most significant is the reminder Estonia provides that
cyberspace definitely favors offensive operations.
Copyright 2008 Strategic Forecasting, Inc.