By Aviram Jenik
Did a member of your family help launch a cyber attack that brought an entire nation to its knees? No, seriously, don't laugh. In April 2007, communications in the Baltic state of Estonia were crippled through a coordinated attack that relied on the computers of millions of innocent users around the world, just like you and your kin. The strike was notable in fully demonstrating how cyber war had moved from idea to reality. And it all started with the movements of a single soldier.
The Bronze Soldier is a two-meter statue which formerly stood in a small square in Tallinn, the Estonian capital, above the burial site of Soviet soldiers lost in the Second World War. The memorial has long divided the population of the country, with native Estonians considering it a symbol of Soviet (and formerly Nazi) occupation and a large minority population (around 25% of the total) of ethnic Russian immigrants seeing it as an emblem of Soviet victory over the Nazis and Russian claims over Estonia. When the country's newly appointed Ansip government initiated plans to relocate the statue and the remains as part of a 2007 electoral mandate, the move sparked the worst riots the country had ever seen - and a startling cyber attack from Russia.
On April 27, as two days of rioting shook the country and the Estonian embassy in Moscow found itself under siege, a massive distributed denial-of-service (DDoS) attack overwhelmed most of Estonia's internet infrastructure, bringing online activity almost to a standstill. The targets were not military websites but civilian sites belonging to organizations such as banks, newspapers, internet service providers (ISPs), and even home users. Much of the onslaught came from hackers using ISP addresses in Russia, but the most devastating element in the attack was a botnet which co-opted millions of previously virus-infected computers around the globe to pummel the Estonian infrastructure.
Anatomy of a Cyber Attack
The botnet fooled Estonian network routers into continuously resending useless packets of information to one another, rapidly flooding the infrastructure used to conduct all online business in the country. The attack centered mainly on small websites which were easy to knock out, but nevertheless was devastatingly effective. Bank websites became unreachable, paralyzing most of Estonia's financial activity. Press sites also came under attack, in an attempt to disable news sources. And ISPs were overwhelmed, blacking out internet access for significant portions of the population.
While the Estonian government was expecting there to be an online backlash to its decision to move the statue, it was completely unprepared for the scale of the cyber attack. Estonia's defense minister went on record to declare the attack "a national security situation", adding "it can effectively be compared to when your ports are shut to the sea."(1)
Once it became clear that most of the country's online business infrastructure was being affected, the Computer Emergency Response Team for Estonia (CERT-EE) issued a plea for help from IT security specialists worldwide and an ad-hoc digital rescue team was assembled, which included people from my own firm, Beyond Security. It took us a few days to get to the bottom of the threat and begin setting up frontline defenses, which mainly involved implementing BCP 38 network ingress filtering techniques across affected routers to prevent source address spoofing of internet traffic. The attack waned quickly once we started taking defensive measures. But in the days it took to fight off the attack, it is likely that the country lost billions of Euros in reduced productivity and business downtime.
Cyber War in the Middle East
The Estonian incident will go down in history as the first major (and hopefully biggest ever) example of full-blown cyber warfare. However, there is one place on earth where cyber war has become part of the day-to-day online landscape - and it is still ongoing.
In the Middle East, the Arab-Israeli conflict has a significant online element, with thousands of attacks and counter-attacks a year. This has been the situation since the collapse of peace talks in the region and was preceded by a spontaneous wide-scale cyber war between Arab and Israeli hackers in 1999 and 2000. Arab sympathizers from many nations are involved. A group of Moroccan hackers have been defacing Israeli web sites for the last six years or so, and recently Israel's military radio station was infiltrated by an Iraqi hacker.
Unlike the blitzkrieg-like strike in Estonia, this protracted warfare is not intended to paralyze critical enemy functions but more to sap morale, drain resources and hamper the economy. The targets are typically low-hanging fruit in internet terms: small transactional, informational and even homespun web sites whose security can easily be compromised. Taking over and defacing these sites is a way of intimidating the opposition - creating a feeling of 'if they are here, where else might they be?' - and leads to significant loss of data, profits and trust for the site owners.
Cyber War Spreads
If the Estonia and Middle East examples were our only experiences of cyber warfare then it might be tempting to put them down to local factors and therefore not of concern to the wider security community. Sadly, however, these instances are simply part of a much larger trend towards causing disruption on digital communications platforms. In January this year, for example, two of Kyrgyzstan's four ISPs were knocked out by a major DDoS hit whose authors remain unknown.(2) Although details are sketchy, the attack is said to have disabled as much as 80% of all internet traffic between the former Soviet Union republic and the west.
The strike appeared to have originated from Russian networks which are thought to have had links to criminal activity in the past, and probably the only thing preventing widespread disruption in this instance was the fact that Kyrgyzstan's online services, unlike those in Estonia, are poor at the best of times. It was apparently not the first such attack in the country, either.(3) It is claimed there was a politically-motivated DDoS in the country's 2005 presidential elections, allegedly attributed to a Kyrgyz journalist sympathizing with the opposition party.
China has also engaged in cyber warfare in recent years, albeit on a smaller scale. Hackers from within the country are said to have penetrated the laptop of the US defense secretary, sensitive French networks, US and German government computers, New Zealand networks and Taiwan's police, defense, election and central bank computer systems.
In a similar fashion, in 2003 cyber pests hacked into the UK Labour Party's official website and posted up a picture of US President George Bush carrying his dog - with the head of Tony Blair, the Prime Minister of the UK at the time, superimposed on it.(4) The incident drew attention to government sites' lax approach to security, although in this particular event it was reported that hackers had exploited the fact that monitoring equipment used by the site hosting company had not been working properly. And as long ago as 2001, animal rights activists were resorting to hacking as a way of protesting against the fur trade, defacing luxury brand Chanel's website with images of slaughtered animals.(5)
The Case for the Defense
What do all these incidents mean for policy makers worldwide? Both the Estonian and Middle Eastern experiences show clearly that cyber war is a reality and the former, in particular, demonstrates its devastating potential. In fairness, Estonia was in some ways the perfect target for a cyber strike. Emerging from Russian sovereignty in the early 1990s with little legacy communications infrastructure, the nation was able to leapfrog the developments of western European countries and establish an economy firmly based on online services, such as banking, commerce and e-government. At the same time, the small size of the country - it is one of the least populous in the European Union - meant that most of its web sites were similarly minor and could be easily overwhelmed in the event of an attack. Last but not least, at the time of the Estonian incident, nothing on a similar scale had been experienced before.
It is safe to say that other nations will now not be caught out so easily. In fact, if anything, what happened in Estonia will have demonstrated to the rest of the world that cyber weapons can be highly effective, and so should be considered a priority for military and defense planning.
What might make cyber warfare the tactic of choice for a belligerent state? There are at least five good reasons. The first is that it is 'clean'. It can knock out a target nation's entire economy without damaging any of the underlying infrastructure.
The second is that it is an almost completely painless form of engagement for the aggressor: an attack can be launched at the press of a button without the need to commit a single soldier.
The third reason is cost-effectiveness. A 21,000-machine botnet can be acquired for 'just a few thousand dollars', a fraction of the cost of a conventional weapon, and yet can cause damage and disruption easily worth hundreds of times that.(6)
The fourth is that it is particularly difficult for national administrations to police and protect their online borders. A DDoS attack may be prevented simply by installing better firewalls around a web site (for example), but no nation currently has the power to tell its ISPs, telecommunications companies and other online businesses that they should do this, which leaves the country wide open to cyber strikes.
The last but by no means least reason is plausible deniability. In none of the cyber war attacks seen so far has it been possible to link the strike with a government authority, and in fact it would be almost impossible to do so. In the case of the Chinese hack attacks, for instance, the authorities have provided a defense which amounts to saying: 'There are probably a billion hackers on our soil and if it was us we would have to be stupid to do it from a Chinese IP address.'
A similar logic potentially provides absolution to the Russian administration in the case of Estonia: if it is so cheap and easy to get a botnet to mount a DDoS attack, why would the Russians bother mounting hack attacks from their own ISPs? And in the Kyrgyz attack, although the source of the DDoS clearly points to a Russian hand, the motives for Russia's involvement remain hazy, leading to a suggestion that it may have been caused by Kyrgyzstan's own incumbent party, acting with hired cyber criminals from Russia.
Tactics For Protection
With all these advantages, it is unlikely that any military power worth its salt is by this stage still ignoring the potential of cyber warfare. In fact, since the Estonia incident it is even possible that the incidence of cyber warfare has increased, and we are simply not aware of the fact because the defensive capabilities of the sparring nations have increased. After all, another important lesson from Estonia is that it is possible to mount a defense against cyber attacks. There is no single solution, no silver bullet, but a range of measures can be taken to deal with the kinds of DDoS issues faced by Estonia and the kinds of hacker attacks still going on in the Middle East.
For DDoS strike avoidance, there are four types of defense:
• Blocking SYN floods, which are caused when the attacker (for example) spoofs the source address of connection requests so that the server, on trying to acknowledge them, gets no reply and is left holding half-open connections.
• Implementing BCP 38 network ingress filtering techniques to guard against forged information packets, as employed successfully in Estonia.
• Zombie Zappers, which are free, open source tools that can tell a device (or 'zombie') which is flooding a system to stop doing so.
• Low-bandwidth web sites, which prevent primitive DDoS attacks simply by not having enough capacity to help propagate the flood.
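The BCP 38 ingress filtering mentioned above and in the account of the Estonian response is, at its core, a simple decision: a packet arriving from a customer-facing interface is permitted only if its source address lies in a prefix assigned to that customer. The following added example (not code from the article or from Beyond Security) models that decision in Python over constructed sample packets; the prefixes, interface name and packet tuples are all assumptions.

```python
"""BCP 38 ingress filtering modelled as a decision function.

Added example, not the article's or Beyond Security's code. Assumes an edge
router with one customer-facing interface whose legitimately assigned source
prefixes are known; traffic arriving there with any other source address is
forged and is dropped before it can reach the wider internet.
"""
import ipaddress
from typing import Callable, Iterable, List, Tuple

Packet = Tuple[str, str]  # (source address, destination address)

# Constructed sample: prefixes assigned to the downstream customer network.
# These are documentation ranges (RFC 5737), not real allocations.
CUSTOMER_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]


def build_ingress_filter(prefixes: Iterable[ipaddress.IPv4Network]) -> Callable[[str], bool]:
    """Return a predicate that permits a source address only if it falls
    inside one of the prefixes assigned to the interface's customer."""
    nets = list(prefixes)

    def permit(src: str) -> bool:
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            return False  # unparsable source: treat as forged
        return any(addr in net for net in nets)

    return permit


def filter_packets(packets: Iterable[Packet],
                   permit: Callable[[str], bool]) -> Tuple[List[Packet], List[Packet]]:
    """Split packets into (accepted, dropped) according to the ingress rule."""
    accepted: List[Packet] = []
    dropped: List[Packet] = []
    for src, dst in packets:
        (accepted if permit(src) else dropped).append((src, dst))
    return accepted, dropped


# Constructed sample traffic seen on the customer-facing interface.
SAMPLE_PACKETS: List[Packet] = [
    ("192.0.2.10", "203.0.113.5"),      # genuine customer host
    ("198.51.100.7", "203.0.113.5"),    # genuine customer host
    ("203.0.113.200", "203.0.113.5"),   # source outside customer prefixes: forged
    ("198.51.100.200", "203.0.113.5"),  # outside the /25 (hosts .0-.127): forged
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE_PACKETS, build_ingress_filter(CUSTOMER_PREFIXES))
    print(f"accepted={len(ok)} dropped={len(bad)}")
```

The same rule is what a router applies with a unicast reverse-path check or an explicit source-prefix access list; the example only makes the decision visible.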
For hacker attacks such as those seen in the Middle East, meanwhile, there are three main types of defense:
• Scanning for known vulnerabilities in the system.
• Checking for web application holes.
• Testing the entire network to detect the weakest link and plug any potential entry points.
A Doomsday Scenario?
All the above are useful defensive tactics, but what about strategic actions? First and foremost, the Estonian experience showed that it is important for the local CERT to have priority in the event of an attack, in order to ensure that things can return to normal as soon as possible.
Authorities can also, as far as possible, check national infrastructures for DoS and DDoS weaknesses, and finally, national CERTs can scan all the networks they are responsible for - something the Belgian CERT has already started doing. Given the openness of the internet and the differing challenges and interests of those operating on it, these measures will of course only provide partial protection. But it is hoped they would be enough to prevent another Estonia incident. Or would they?
There is, unfortunately, another type of cyber war strike which we have yet to see and which could be several times more devastating than what happened in Estonia. Rather than trying to hack into web sites just to deface them - a time-consuming effort with relatively little payback - this tactic would involve placing 'time bombs' in the web systems concerned. These could be set to lie dormant until triggered by a specific time and date or a particular event, such as a given headline in the national news feed. They would then activate and shut down their host web site, either using an internal DoS or some other mechanism.
The code bombs could lie dormant for long enough for a malicious agency to crack and infect most or all of the major web sites of a country. And in today's networked world, this is no longer about simply causing inconvenience. Think of the number of essential services, from telephone networks to healthcare systems, which now rely on internet platforms. Knocking all these out in one go could have a truly overwhelming impact on a nation's defensive capabilities, without the need for an aggressor to send a single soldier into combat.
The means to create such an attack definitely exist. So do the means to defeat it. What has happened in Estonia and the Middle East shows we now need to consider cyber warfare as a very real threat. What could happen if we fail to guard against it really does not bear thinking about.
1. Mark Landler and John Markoff: 'Digital fears emerge after data siege in Estonia'. New York Times, 29 May 2007.
2. Danny Bradbury: 'The fog of cyberwar'. The Guardian, 5 February 2009.
4. 'Labour website hacked'. BBC News, 16 June 2003.
5. 'The fur flies'. Wired, 23 January 2001.
6. Spencer Kelly: 'Buying a botnet'. BBC World News, 12 March 2009.
Aviram Jenik is the CEO of Beyond Security, which has developed tools that uncover security problems in servers and web sites, discover vulnerabilities in corporate networks, check computer systems for vulnerability to hostile external attack and audit vendor products for security risks.