Security researcher Gadi Evron helped investigate massive
cyberattacks that sent the Web-dependent nation of Estonia
reeling last April. Even though plenty of questions remain as
to what happened and why, he's confident the culprit was not the
Russian government as many assumed from the outset.
Instead, this was a mob riot in the streets of cyberspace, sparked
by anger over the Estonian government's decision to move a revered
WW II memorial from the Soviet era, Evron, a security evangelist with
Beyond Security, told attendees at the Black Hat USA 2007 Briefings.
He said the good news is that Estonia's CERT (Computer Emergency Response
Team) and IT professionals from the private sector were
well-coordinated and the Baltic nation quickly bounced back
following the incident. The bad news is that cyber riots like this
will probably happen more in the future, engineered by people in
command of botnets and inspired by what happened in Estonia.
"The Estonians held the line, practiced online mob control and
focused on getting things back up and running," Evron said. "[But]
the concept of an online mob has proven itself and this will likely
receive more attention in the future."
While the attacks hardly broke records in terms of size or
sophistication, Evron said they still managed to cause serious
short-term disruptions in Estonia, a nation of 1.3 million people
that has become almost entirely dependent on the Internet. He noted
that the country built its infrastructure from scratch after the
collapse of the Soviet Union, with the Internet forming much of the
backbone. Almost 100% of its citizens conduct their banking online,
and everyone has an ID card with a PKI (public key infrastructure)
chip embedded inside. Elections also take place online, with voters
casting their ballots from home.
Soon after the attacks began Saturday, April 27, people were
unable to buy such essentials as gas and groceries, Evron said,
since credit card transactions couldn't be completed.
"Critical infrastructure proved to be [IT systems] in the
private and business sectors, not things like transportation and
energy," he said. "ISPs, banks and media Web sites became critical
items that had to be protected."
The attackers and defenders acted in an ad hoc manner, Evron
said. On the Estonian side, citizens volunteered to comb through
network activity logs. Conversely, one person enraged by the
relocation of the WW II statue made an online request for donations
to a PayPal account for the purpose of hiring a botnet to launch
attacks. In the same message thread, someone volunteered two of his
botnets. In the final analysis, Evron said, the attackers used
botnets the way rioters in the street might use rocks and
bottles.
And though the Estonians probably weren't as prepared as they
should have been, Evron pointed to the controlled, coordinated
response as an example from which other governments and private
sector entities can learn.
Rather than trying to respond to every individual attack, the
first responders made bringing systems back online their top
priority, focusing on the targets instead of the source of attack.
Technical analysis was limited to cases where a difference could be
made, Evron said.
He praised the Estonian CERT for staying on top of events and
coordinating well with the private sector. Of course, he added, in
a small, tightly knit nation, a successful comeback was easier than
it might have been had the attacks been directed at the United
States or another large country.
"Estonia is unique," Evron said. "Everyone knows each other and
the country's online presence is concentrated. There's a networking
of small groups with less bureaucracy, and it worked for them."
As noteworthy as the Estonian attacks were, Evron said their
significance has been overblown in the media, with more FUD than
warranted. He said he gets irritated when someone describes the
attacks as "the first Internet war."
He said, "What happened in Estonia has happened many times over.
The techniques were not new."