Perimeter
3/17/2009
05:18 PM
Gadi Evron
Commentary

Authoritatively, Who Was Behind The Estonian Attacks?

In the past couple of weeks the press has been humoring a couple of rumors about who was behind the 2007 cyberattacks against Estonia [PDF]. During these attacks, Estonia's infrastructure, which relies heavily on the Internet, nearly collapsed.

This is not the first time such baseless attributions were made.

I was in Estonia when the attacks occurred. I wrote the post-mortem analysis and recommendations for the Estonian CERT, and I am going to authoritatively show you why these claims are baseless. I will list these accusations and responsibility claims, and show you why they should be ridiculed.

Background

In April 2007, a large-scale Internet attack was launched against Estonia in what can best be described as a politically motivated cyber-riot. Estonian society is online to an extent unimaginable in other countries; banking and voting are Internet-based, making the country reliant on the Internet. As such, any attack is a frightening proposition, the potential impact being Estonian citizens unable to buy basic groceries or gasoline.

The question of who was behind the attack has been reverberating for two years, with many fingers pointed at the Kremlin.

Here's what happened. On the eve of April 26, 2007, the online Russian-speaking population was excited: Multiple posts appeared all over the Russian blogosphere with simple instructions anyone could follow "to get back at Estonia" for moving the Russian World War II memorial of the unknown soldier from the center of the Estonian capital Tallinn to its outskirts.

Russian-speaking netizens felt empowered, and an online mob formed. The easy-to-use instructions were significant. Attacking Estonia became a fast-spreading meme or epidemic -- encouraging participation by the masses. That included hackers using advanced tools such as botnets.

While the technologies used are of little consequence to this text, they were relatively sophisticated: Botnets changed tactics, an advanced new virus was deployed, and specific network routers were targeted for attack. More important were the periodic updates in the Russian-language blogosphere directly responding to the Estonian defenders, as well as a near-simultaneous riot in the streets of Tallinn.

Whether this organization was an ad-hoc loose coupling of individuals or a planned assault, we cannot tell. We can pinpoint attackers, but not who manipulated the blogosphere -- the Heinleinian puppet masters.

The size of the attack is also of little consequence; its impact is. The Estonians, being quick to mobilize, mounted a successful defensive response, which is why they are still online in cyberspace.

Let's put all of these recent and ridiculous attributions of blame (or responsibility if you like) in order, skipping the original accusation against Russia.

Who was blamed so far?

Last week Sergei Markov, a State Duma Deputy from the pro-Kremlin Unified Russia, made what I assume to be a joke: "About the cyberattack on Estonia...don't worry, that attack was carried out by my assistant. I won't tell you his name, because then he might not be able to get visas."

This was taken very seriously around the world, which was worrisome by itself. What people fail to realize is this is what Russian humor looks like. Pretty funny, too. It did get Markov some fame, though. Good for him!

This admission is especially interesting, even if I still take it as a joke, because this week Nashi (the Kremlin-backed Putin Youth movement) member Konstantin Goloskov took credit for launching attacks, mentioning it was done on the group's own initiative.

This story was also carried in an Estonian publication (Google translation here).

But, wait. Back in 2007 the same Konstantin Goloskov stated openly that he took part in attacking Estonia, apparently as another pawn with the rest of the online mob, which did so from the comfort of their homes. Another knob in the machine:

Konstantin Goloskov, a Nashi activist, told the Rosbalt news agency on May 2 that he personally took part in cyber-attacks on Estonian websites. But he denied that Moscow state offices were used. The hacking, he said, was done from the breakaway Moldovan region of Transdniester.

Another story shows they had taken responsibility for participating back in 2007 (translated from Estonian by Google).

My assumption here was that he changed his story, but a friend of mine, Dr. Dorothy Denning, enlightened me. He may not have. The word "launch" can have different meanings, and it's possible that what I take as "initiate" means just to "participate as well." Whether he claimed to be yet another attacker or the organizer matters little. But if we are to suspend disbelief for a moment, and say he did -- he certainly did not control them.

A theory from January 2008 was that an Estonian student masterminded it, which isn't factual to say the least, given the large amount of coordinated effort behind the attacks.

The Estonian student used a botnet (an army of compromised computers controlled by hackers) to attack computers inside Estonia. He wasn't the only Estonian to do so -- every country has extremists -- but he was caught and convicted. The headlines reviving the Estonian story with these claims were misinformed at best.

This story became a legend because of a misleading story headline stating that he was behind the attacks, all by himself. Here is Slashdot carrying the headline "DoS Attacks on Estonia Were Launched by Student." Until this day a large part of the industry is convinced a student was behind the attacks just because of the headline, because Slashdot carried it, and because the latter was followed by Bruce Schneier, who still claims that was the case to this day.

There was another student arrested for the same crime of participating in the attack, but we can skip that story as he was never blamed for "launching the attacks."

A year ago a Russian general was quoted in a Russian newspaper as saying "Russia did it." He was a war college professor, so I am unsure as to how reliable his comments were, and I took that statement in stride as well. I believe that news article was pulled shortly after, but language issues may have stopped me from finding it after it disappeared.

In Perspective

Living in Israel I have seen many groups take "responsibility" for terrorist bombings at the same time, or none at all. Unless they can be somehow identified by unrelated evidence, such as forensics or intelligence, things are never clear.

What I can say is that the Estonian attacks, while simple in nature, were immense in scale. The mob that mobilized was beyond any one group's control.

While it is certainly possible that the Nashi members initiated and/or participated in these attacks, we simply can't know for sure. But that is the same as saying the tooth fairy exists just because we have no evidence that it doesn't. A common logical fallacy.

I look at this new declaration as interesting, but not much beyond that.

On a final note, you may want to check this old Russian language news story to see another, although quite different, declaration from Russian officials about the attacks, claiming the Web sites were simply not well-maintained. (Here is a Google translation from Russian.)

What We Can Say For Sure

We know and have evidence to show (see PDF article linked above) that the attacks were organized; whether it was in an ad-hoc fashion of people getting together or as a planned assault, we can't tell.

We can show how Estonia was almost cyber-bombed back to the stone age.

We can't, and probably never will be able to, tell who was behind the attacks based on the technical information in our possession. Any future claim will be suspect and treated skeptically unless new, unbelievable evidence (more unbelievable than the claim) becomes available.

As you can see, theories abound. Who was actually behind the attacks is simply not that interesting. The attacks themselves were fascinating, but after two years, perhaps it is time to move on.

If I am to joke, my personal and completely unfounded conspiracy theory is that the KGB (which doesn't exist under that name anymore) was behind the attacks. I am going to stick to my unfounded opinion. What's yours?

Follow Gadi Evron on Twitter: http://twitter.com/gadievron

Gadi Evron is an independent security strategist based in Israel. Special to Dark Reading.
