[ISN] After Computer Siege in Estonia, War Fears Turn to Cyberspace

From: InfoSec News (alerts@private)
Date: Mon May 28 2007 - 23:01:15 PDT


http://www.nytimes.com/2007/05/29/technology/29estonia.html

By Mark Landler and John Markoff
The New York Times
May 29, 2007

TALLINN, Estonia, May 24 When Estonian authorities began removing a 
bronze statue of a World War II-era Soviet soldier from a park in this 
bustling Baltic seaport last month, they expected violent street 
protests by Estonians of Russian descent.

They also knew from experience that if there are fights on the street, 
there are going to be fights on the Internet, said Hillar Aarelaid, the 
director of Estonias Computer Emergency Response Team. After all, for 
people here the Internet is almost as vital as running water; it is used 
routinely to vote, file their taxes, and, with their cellphones, to shop 
or pay for parking.

What followed was what some here describe as the first war in 
cyberspace, a monthlong campaign that has forced Estonian authorities to 
defend their pint-size Baltic nation from a data flood that they say was 
set off by orders from Russia or ethnic Russian sources in retaliation 
for the removal of the statue.

The Estonians assert that an Internet address involved in the attacks 
belonged to an official who works in the administration of Russias 
president, Vladimir V. Putin.

The Russian government has denied any involvement in the attacks, which 
came close to shutting down the countrys digital infrastructure, 
clogging the Web sites of the president, the prime minister, Parliament 
and other government agencies, staggering Estonias biggest bank and 
overwhelming the sites of several daily newspapers.

It turned out to be a national security situation, Estonias defense 
minister, Jaak Aaviksoo, said in an interview. It can effectively be 
compared to when your ports are shut to the sea.

Computer security experts from NATO, the European Union, the United 
States and Israel have since converged on Tallinn to offer help and to 
learn what they can about cyberwar in the digital age.

This may well turn out to be a watershed in terms of widespread 
awareness of the vulnerability of modern society, said Linton Wells II, 
the principal deputy assistant secretary of defense for networks and 
information integration at the Pentagon. It has gotten the attention of 
a lot of people.

The authorities anticipated there would be a backlash to the removal of 
the statue, which had become a rallying point for Estonias large 
Russian-speaking minority, particularly as it was removed to a less 
accessible military graveyard.

When the first digital intruders slipped into Estonian cyberspace at 10 
p.m. on April 26, Mr. Aarelaid figured he was ready. He had erected 
firewalls around government Web sites, set up extra computer servers and 
put his staff on call for a busy week.

By April 29, Tallinns streets were calm again after two nights of riots 
caused by the statues removal, but Estonias electronic Maginot Line was 
crumbling. In one of the first strikes, a flood of junk messages was 
thrown at the e-mail server of the Parliament, shutting it down. In 
another, hackers broke into the Web site of the Reform Party, posting a 
fake letter of apology from the prime minister, Andrus Ansip, for 
ordering the removal of the highly symbolic statue.

At that point, Mr. Aarelaid, a former police officer, gathered security 
experts from Estonias Internet service providers, banks, government 
agencies and the police. He also drew on contacts in Finland, Germany, 
Slovenia and other countries to help him track down and block suspicious 
Internet addresses and halt traffic from computers as far away as Peru 
and China.

The bulk of the cyberassaults used a technique known as a distributed 
denial-of-service attack. By bombarding the countrys Web sites with 
data, attackers can clog not only the countrys servers, but also its 
routers and switches, the specialized devices that direct traffic on the 
network.

To magnify the assault, the hackers infiltrated computers around the 
world with software known as bots, and banded them together in networks 
to perform these incursions. The computers become unwitting foot 
soldiers, or zombies, in a cyberattack.

In one case, the attackers sent a single huge burst of data to measure 
the capacity of the network. Then, hours later, data from multiple 
sources flowed into the system, rapidly reaching the upper limit of the 
routers and switches.

By the end of the first week, the Estonians, with the help of 
authorities in other countries, had become reasonably adept at filtering 
out malicious data. Still, Mr. Aarelaid knew the worst was yet to come. 
May 9 was Victory Day, the Russian holiday that marks the Soviet Unions 
defeat of Nazi Germany and honors fallen Red Army soldiers. The Internet 
was rife with plans to mark the occasion by taking down Estonias 
network.

Mr. Aarelaid huddled with security chiefs at the banks, urging them to 
keep their services running. He was also under orders to protect an 
important government briefing site. Other sites, like that of the 
Estonian president, were sacrificed as low priorities.

The attackers used a giant network of bots perhaps as many as one 
million computers in places as far away as the United States and Vietnam 
to amplify the impact of their assault. In a sign of their financial 
resources, there is evidence that they rented time on other so-called 
botnets.

When you combine very, very large packets of information with thousands 
of machines, youve got the recipe for very damaging denial-of-service 
attacks, said Jose Nazario, an expert on bots at Arbor Networks, an 
Internet security firm in Ann Arbor, Mich.

In the early hours of May 9, traffic spiked to thousands of times the 
normal flow. May 10 was heavier still, forcing Estonias biggest bank to 
shut down its online service for more than an hour. Even now, the bank, 
Hansabank, is under assault and continues to block access to 300 suspect 
Internet addresses. It has had losses of at least $1 million.

Finally, on the afternoon of May 10, the attackers time on the rented 
servers expired, and the botnet attacks fell off abruptly.

All told, Arbor Networks measured dozens of attacks. The 10 largest 
assaults blasted streams of 90 megabits of data a second at Estonias 
networks, lasting up to 10 hours each. That is a data load equivalent to 
downloading the entire Windows XP operating system every six seconds for 
10 hours.

Hillar and his guys are good, said Bill Woodcock, an American Internet 
security expert who was also on hand to observe the response. There 
arent a lot of other countries that could combat that on his level of 
calm professionalism.

Estonias defense was not flawless. To block hostile data, it had to 
close off large parts of its network to people outside the country.

It is really a shame that an Estonian businessman traveling abroad does 
not have access to his bank account, said Linnar Viik, a computer 
science professor and leader in Estonias high-tech industry. For members 
of the Estonian Parliament, it meant four days without e-mail.

Still, Mr. Viik said the episode would serve as a learning experience. 
The use of botnets, for example, illustrates how a cyberattack on a 
single country can ensnare many other countries.

In recent years, cyberattacks have been associated with Middle East and 
Serbian-Croatian conflicts. But computer systems at the Pentagon, NASA, 
universities and research labs have been compromised in the past.

Scientists and researchers convened by the National Academy of Sciences 
this year heard testimony from military strategy experts indicating that 
both China and Russia have offensive information-warfare programs. The 
United States is also said to have begun a cyberwarfare effort.

Though Estonia cannot be sure of the attackers identities, their plans 
were posted on the Internet even before the attack began. On 
Russian-language forums and chat groups, the investigators found 
detailed instructions on how to send disruptive messages, and which 
Estonian Web sites to use as targets.

We were watching them being set up in real time, said Mr. Aarelaid, who 
weeks later could find several examples using Google.

For NATO, the attack may lead to a discussion of whether it needs to 
modify its commitment to collective defense, enshrined in Article V of 
the North Atlantic Treaty. Mr. Aarelaid said NATOs Internet security 
experts said little but took copious notes during their visit.

Because of the murkiness of the Internet where attackers can mask their 
identities by using the Internet addresses of others, or remotely 
program distant computers to send data without their owners even knowing 
it several experts said that the attackers would probably never be 
caught. American government officials said that the nature of the 
attacks suggested they were initiated by hacktivists, technical experts 
who act independently from governments.

At the present time, we are not able to prove direct state links, Mr. 
Aaviksoo, Estonias defense minister, said. All we can say is that a 
server in our presidents office got a query from an I.P. address in the 
Russian administration, he added, using the abbreviation for Internet 
protocol. Moscow had offered no help in tracking down people who the 
Estonian government believes may be involved.

A spokesman for the Kremlin, Dmitri S. Peskov, denied Russian state 
involvement in the attacks and added, The Estonia side has to be 
extremely careful when making accusations.

The police here arrested and then released a 19-year-old Estonian man of 
Russian descent whom they suspected of helping to organize the attacks. 
Meanwhile, Estonias foreign ministry has circulated a document that 
lists several Internet addresses inside the Russian government that it 
said took part in the attacks.

I dont think it was Russia, but who can tell? said Gadi Evron, a 
computer security expert from Israel who spent four days in Tallinn 
writing a post-mortem on the response for the Estonians. The Internet is 
perfect for plausible deniability.

Mr. Evron, an executive at an Internet security firm called Beyond 
Security, is a veteran of this kind of warfare. He set up the Computer 
Emergency Response Team, or CERT, in Israel. Web sites in Israel are 
regularly subjected to attacks by Palestinians or others sympathetic to 
their cause.

Whenever there is political tension, there is a cyber aftermath, Mr. 
Evron said, noting that sites in Denmark became targets after a 
newspaper there published satirical cartoons depicting the prophet 
Muhammad.

The attacks on Estonias systems are not over, but they have dropped in 
volume and intensity, and are aimed mainly at banks. The last major wave 
of attacks was on May 18.

Now that the onslaught has ebbed, Mr. Aarelaid is mopping up. A few days 
ago, he managed to get to the sauna with Jaan Priisalu, the head of 
computer security at Hansabank, and other friends from Estonias Internet 
security fraternity.

Im a simple I.T. guy, he said, gazing at a flickering computer screen. I 
know a lot about bits and packets of data; I dont know about the bigger 
questions. But somebody orchestrated this thing.

-=-

Mark Landler reported from Tallinn and John Markoff from San Francisco. 
Steven Lee Myers contributed reporting from Moscow.

Copyright 2007 The New York Times Company


_____________________________________________________
Attend Black Hat USA, July 28-August 2 in Las Vegas, 
the world's premier technical event for ICT security 
experts. Featuring 30 hands-on training courses and 
90 Briefings presentations with lots of new content 
and new tools. Network with 4,000 delegates from 
70 nations.   Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on 
June 1 so register today. http://www.blackhat.com



This archive was generated by hypermail 2.1.3 : Mon May 28 2007 - 23:07:10 PDT