Perimeter
3/17/2009
05:18 PM
Gadi Evron
Gadi Evron
Commentary
50%
50%

Authoritatively, Who Was Behind The Estonian Attacks?

In the past couple of weeks the press has been humoring a couple of rumors about who was behind the 2007 cyberattacks against Estonia [PDF]. During these attacks, Estonia's infrastructure, which relies heavily on the Internet, nearly collapsed.

In the past couple of weeks the press has been humoring a couple of rumors about who was behind the 2007 cyberattacks against Estonia [PDF]. During these attacks, Estonia's infrastructure, which relies heavily on the Internet, nearly collapsed.This is not the first time such baseless attributions were made.

I was in Estonia when the attacks occurred. I wrote the post-mortem analysis and recommendations for the Estonian CERT, and I am going to authoritatively show you why these claims are baseless. I will list these accusations and responsibility claims, and show you why they should be ridiculed.

Background In April 2007, a large-scale Internet attack was launched against Estonia in what can best be described as a politically motivated cyber-riot. Estonian society is online to an extent unimaginable in other countries; banking and voting are Internet-based, making the country reliant on the Internet. As such, any attack is a frightening proposition, the potential impact being Estonian citizens unable to buy basic groceries or gasoline.

The question of who was behind the attack has been reverberating for two years, with many fingers pointed at the Kremlin.

Here's what happened. On the eve of April 26, 2007, the online Russian-speaking population was excited: Multiple posts appeared all over the Russian blogosphere with simple instructions anyone could follow "to get back at Estonia" for moving the Russian World War II memorial of the unknown soldier from the center of the Estonian capital Tallinn to its outskirts.

Russian-speaking netizens felt empowered, and an online mob formed. The easy-to-use instructions were significant. Attacking Estonia became a fast-spreading meme or epidemic -- encouraging participation by the masses. That included hackers using advanced tools such as botnets.

While the technologies used are of little consequence to this text, they were relatively sophisticated: Botnets changed tactics, an advanced new virus was deployed, and specific network routers were targeted for attack. More important were the periodic updates in the Russian-language blogosphere directly responding to the Estonian defenders, as well as a near-simulteanous riot in the streets of Tallinn.

Whether this organization was an ad-hoc loose coupling of individuals or a planned assault, we cannot tell. We can pinpoint attackers, but not who manipulated the blogosphere -- the Heinleinian puppet masters.

The size of the attack is also of little consequence; its impact is. The Estonians, being quick to mobilize, mounted a successful defensive response, which is why they are still online in cyberspace.

Let's put all of these recent and ridiculous attributions of blame (or responsibility if you like) in order, skipping the original accusation against Russia.

Who was blamed so far? Last week Sergei Markov, a State Duma Deputy from the pro-Kremlin Unified Russia made what I assume to be a joke: "About the cyberattack on Estonia...don't worry, that attack was carried out by my assistant. I won't tell you his name, because then he might not be able to get visas."

This was taken very seriously around the world, which was worrisome by itself. What people fail to realize is this is what Russian humor looks like. Pretty funny, too. It did get Markov some fame, though. Good for him!

This admission is especially interesting, even if I still take it as a joke, because this week Nashi (the Kremlin-backed Putin Youth movement) member Konstantin Goloskov took credit for launching attacks, mentioning it was done on the group's own initiative.

This story was also carried in an Estonian publication (Google translation here).

But, wait. Back in 2007 the same Konstantin Goloskov stated openly, that he took part in attacking Estonia, apparently as another pawn with the rest of the online mob, which did so from the comfort of their homes. Another knob in the machine:

Konstantin Goloskov, a Nashi activist, told the Rosbalt news agency on May 2 that he personally took part in cyber-attacks on Estonian websites. But he denied that Moscow state offices were used. The hacking, he said, was done from the breakaway Moldovan region of Transdniester.

Another story shows they had taken responsibility for participating back in 2007 (translated from Estonian by Google).

My assumption here was that he changed his story, but a friend of mine, Dr. Dorothy Denning, enlightened me. He may not have. The word "launch" can have different meanings, and it's possible that what I take as "initiate" means just to "participate as well." Whether he claimed to be yet another attacker or the organizer matters little. But if we are to suspend disbelief for a moment, and say he did -- he certainly did not control them.

A theory from January 2008 was that an Estonian student masterminded it, which isn't factual to say the least, given the large amount of coordinated effort behind the attacks.

The Estonian student used a botnet (an army of compromised computers controlled by hackers) to attack computers inside Estonia. He wasn't the only Estonian to do so -- every country has extremists -- but he was caught and convicted. The headlines reviving the Estonian story with these claims were misinformed at best.

This story became a legend because of a misleading story headline stating that he was behind the attacks, all by himself. Here is Slashdot carrying the headline "DoS Attacks on Estonia Were Launched by Student." Until this day a large part of the industry is convinced a student was behind the attacks just because of the headline, because Slashdot carried it, and because the latter was followed by Bruce Schneier, who still claims that was the case to this day.

There was another student arrested for the same crime of participating in the attack, but we can skip that story as he was never blamed for "launching the attacks."

A year ago a Russian general was quoted in a Russian newspaper as saying "Russia did it." He was a war college professor, so I am unsure as to how reliable his comments were, and I took that statement in stride as well. I believe that news article was pulled shortly after, but language issues may have stopped me from finding it after it disappeared.

In Perspective Living in Israel I have seen many groups take "responsibility" for terrorist bombings at the same time, or none at all. Unless they can be somehow identified by unrelated evidence, such as forensics or intelligence, things are never clear.

What I can say is that the Estonian attacks, while simple in nature, were immense in scale. The mob that mobilized was beyond any one group's control.

While it is certainly possible that the Nashi members initiated and/or participated in these attacks, we simply can't know for sure. But that is the same as saying the tooth fairy exists just because we have no evidence that it doesn't. A common logical fallacy.

I look at this new declaration as interesting, but not much beyond that.

On a final note, you may want to check this old Russian language news story to see another, although quite different, declaration from Russian officials about the attacks, claiming the Web sites were simply not well-maintained. (Here is a Google translation from Russian.)

What We Can Say For Sure We know and have evidence to show (see PDF article linked above) that the attacks were organized; whether it was in an ad-hoc fashion of people getting together or as a planned assault, we can't tell.

We can show how Estonia was almost cyber-bombed back to the stone age.

We can't, and probably never will be able to, tell who was behind the attacks based on the technical information in our possession. Any future claim will be suspect and treated skeptically unless new, unbelievable evidence (more unbelievable than the claim) becomes available.

As you can see, theories abound. Who was actually behind the attacks is simply not that interesting. The attacks themselves were fascinating, but after two years, perhaps it is time to move on.

If I am to joke, my personal and completely unfounded conspiracy theory is that the KGB (which doesn't exist under that name anymore) was behind the attacks. I am going to stick to my unfounded opinion. What's yours?

Follow Gadi Evron on Twitter: http://twitter.com/gadievron

Gadi Evron is an independent security strategist based in Israel. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3580
Published: 2014-12-18
The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-4801
Published: 2014-12-18
Cross-site scripting (XSS) vulnerability in IBM Rational Quality Manager 2.x through 2.0.1.1, 3.x before 3.0.1.6 iFix 4, 4.x before 4.0.7 iFix 2, and 5.x before 5.0.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

CVE-2014-6076
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allow remote attackers to conduct clickjacking attacks via a crafted web site.

CVE-2014-6077
Published: 2014-12-18
Cross-site request forgery (CSRF) vulnerability in IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.

CVE-2014-6078
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 do not have a lockout period after invalid login attempts, which makes it easier for remote attackers to obtain admin access via a brute-force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.