Tuesday, May 29, 2007
CYBER-WAR: Can speech be interrupted by massive hacking?
POSTED: Monday, May 28, 2007
In Estonia, what may be the first war in cyberspace
By Mark Landler and John Markoff
TALLINN, Estonia: When the Estonian authorities began removing a bronze
statue of a World War II-era Soviet soldier from a park in this Baltic
seaport last month, they expected violent street protests by Estonians of
They also knew from experience that "if there are fights on the street,
there are going to be fights on the Internet," said Hillar Aarelaid, the
director of Estonia's Computer Emergency Response Team. After all, for
people here the Internet is almost as vital as running water, used
routinely to vote, file their taxes, and, with their cellphones, to shop
or pay for parking.
What followed was what some here describe as the first war in cyberspace,
a three-week battle that forced the Estonian authorities to defend their
small country from a data flood they say was set off by orders from Russia
or ethnic Russian sources in retaliation for the removal of the statue.
There are still minor disruptions.
"This may well turn out to be a watershed in terms of widespread awareness
of the vulnerability of modern society," said Linton Wells 2nd, the
principal U.S. deputy assistant secretary of defense for networks and
information integration at the Pentagon. "It has gotten the attention of a
lot of people."
The Estonians note that an Internet address involved in the attacks
belonged to an official who works in the administration of Russia's
president, Vladimir Putin.
The Russian government has denied any involvement in the attacks, which
came close to shutting down the country's digital infrastructure, clogging
the Web sites of the president, the prime minister, Parliament and other
government agencies, staggering the biggest Estonian bank and overwhelming
the sites of several daily newspapers.
"It turned out to be a national security situation," Estonia's defense
minister, Jaak Aaviksoo, said during an interview. "It can effectively be
compared to when your ports are shut to the sea."
Computer security experts from NATO, the European Union, the United States
and Israel have since converged on Tallinn to offer help and to learn what
they can about cyberwar in the digital age.
When the first digital intruders slipped into Estonian cyberspace at 10
p.m. on April 26, Aarelaid figured he was ready. He had erected firewalls
around government Web sites, set up extra computer servers and put his
staff on call for a busy week.
By April 29, Tallinn's streets were calm again after two nights of riots,
but Estonia's electronic Maginot Line was crumbling. In one of the first
strikes, a flood of junk messages was thrown at the e-mail server of the
Parliament, shutting it down. In another, hackers broke into the Web site
of the Reform Party, posting a fake letter of apology from the prime
minister, Andrus Ansip, for ordering the removal of the highly symbolic
At that point, Aarelaid, a former police officer, gathered security
experts from Estonia's Internet service providers, banks, government
agencies and the police. He also drew on contacts in Finland, Germany,
Slovenia and other countries to help him track down and block suspicious
Internet addresses and halt traffic from computers as far away as Peru and
The bulk of the cyberassaults used a technique known as a distributed
denial of service attack. By bombarding the country's Web sites with data,
attackers can clog not only the country's servers, but also its routers
and switches, the specialized devices that direct traffic on the network.
To magnify the assault, the hackers infiltrated computers around the world
with software known as bots, banding them together in networks to perform
these incursions. The computers become unwitting foot soldiers in a
cyberattack, or "zombies." In one case, the attackers sent a single huge
burst of data to measure the capacity of the network. Then, hours later,
data from multiple sources flowed into the system, rapidly reaching the
upper limit of the routers and switches.
By the end of the first week, the Estonians, with the help of the
authorities in other countries, had become reasonably adept at filtering
out malicious data. Still, Aarelaid knew the worst was yet to come. May 9
was Victory Day, the Russian holiday that marks the Soviet Union's defeat
of Nazi Germany and honors fallen Red Army soldiers. The Internet was rife
with plans to mark the occasion by taking down Estonia's network.
The attackers used a giant network of bots - perhaps as many as one
million computers in places as far-flung as the United States and Vietnam
- to amplify the impact of their assault. In a sign of their financial
resources, there is evidence they rented time on other so-called botnets.
"When you combine very, very large packets of information with thousands
of machines, you've got the recipe for very damaging denial of service
attacks," said Jose Nazario, an expert on bots at Arbor Networks, an
Internet security firm in Ann Arbor, Michigan.
In the early hours of May 9, traffic spiked to thousands of times the
normal flow. May 10 was heavier still, forcing the biggest bank in Estonia
to shut down its online service for more than an hour. Even now, the bank,
Hansabank, is under assault and continues to block access to 300 suspect
Internet addresses. It has held losses to about $1 million.
Finally, on the afternoon of May 10, the attackers' time on the rented
servers expired, and the botnet attacks fell off abruptly. All told, Arbor
Networks measured dozens of attacks. The 10 largest assaults blasted
streams of 90 megabits of data a second at Estonia's networks, lasting up
to 10 hours each. That is a data load equivalent to downloading the entire
Windows XP operating system every six seconds for 10 hours.
While the last major wave of attacks was May 18, banks continued to
experience a diminished level of interruptions.
"Hillar and his guys are good," said Bill Woodcock, a U.S. Internet
security expert who was also on hand to observe the response. "There
aren't a lot of other countries that could combat that on his level of
Linnar Viik, a computer science professor and leader in the
high-technology industry in Estonia, said that the episode would serve as
a learning experience. The use of botnets, for example, illustrates how a
cyberattack on a single country can ensnare many other countries.
In recent years, cyberattacks have been associated with Middle East and
Serbian-Croatian conflicts. But U.S. computer systems at the Pentagon, the
U.S. space agency, universities and research labs have been compromised in
the past. Scientists and researchers convened by the U.S. National Academy
of Sciences this year heard testimony from military strategy experts
indicating that both China and Russia have offensive information-warfare
programs. The United States is also said to have begun a cyberwarfare
Though Estonia cannot be sure of the attackers' identities, their plans
were posted on the Internet even before the attack began. On
Russian-language forums and chat groups, the investigators found detailed
instructions on how to send disruptive messages, and which Estonian Web
sites to use as targets.
For NATO, the attack may lead to a discussion of whether it needs to
modify its commitment to collective defense. Aarelaid said NATO's Internet
security experts said little but took copious notes during their visit.
Because of the murkiness of the Internet - where attackers can mask their
identities by using the Internet addresses of others, or remotely program
distant computers to send data without their owners even knowing it -
several experts said that the attackers would probably never be caught.
U.S. government officials said the nature of the attacks suggested they
were initiated by "hacktivists," technical experts who act independently
"At the present time, we are not able to prove direct state links,"
Aaviksoo, Estonia's defense minister, said. "All we can say is that a
server in our president's office got a query from an IP address in the
Russian administration. It is a fact that we have on our logs," he added,
using the abbreviation for Internet protocol. Moscow has offered no help
in tracking down people who the Estonian government believe may be
A spokesman for the Kremlin, Dmitri Peskov, denied Russian state
involvement in the attacks and added, "The Estonia side has to be
extremely careful when making accusations."
Police here arrested and then released a 19-year-old Estonian man of
Russian descent whom they suspect of helping to organize the attacks.
Meanwhile, Estonia's Foreign Ministry has circulated a document that lists
several Internet addresses inside the Russian government that it says took
part in the attacks.
"I don't think it was Russia, but who can tell?" said Gadi Evron, a
computer security expert from Israel who spent four days last week in
Tallinn writing a postmortem on the response for the Estonians. "The
Internet is perfect for plausible deniability."
Now that the attacks on Estonia's systems have ebbed, Aarelaid is mopping
up. "I'm a simple IT guy," he said, gazing at a flickering computer
screen. "I know a lot about bits and packets of data; I don't know about
the bigger questions. But somebody orchestrated this thing."
John Markoff reported from San Francisco. Steven Lee Myers contributed
reporting from Moscow.
Copyright © 2007 The International Herald Tribune | www.iht.com
The article above is copyrighted material, the use of which may not have specifically authorized by the copyright owner. The material is made available in an effort to advance understanding of political, economic, democracy, First Amendment, technology, journalism, community and justice issues, etc. We believe this constitutes a 'fair use' as provided by Section 107 of U.S. Copyright Law. In accordance with Title 17 U.S.C. Chapter 1, Section 107, the material above is distributed without profit to those who have expressed a prior interest in receiving the included information for research and educational purposes. If you wish to use copyrighted material from this blog for purposes beyond fair use, you must obtain permission from the copyright owner.