On April 27, 2007, various Internet resources from the Republic of Estonia came under a series of DDOS or distributed denial of service attacks. According to claims by Estonian government officials and media, the attacks originated in Russia and followed a dispute between the government and ethnic Russians over the relocation of a Soviet war memorial from the Estonian capital of Tallinn. The attacks targeted websites belonging to government ministries, banks, media, political parties and businesses.
Though DDOS attacks against various networks have taken place on numerous occasions in the past, the particularly interesting aspect of these attacks was that they appear to be politically motivated and may fall under the concept of cyber-warfare. The term “cyber-warfare” refers to a branch of information warfare that uses computers and the network infrastructure to carry out targeted attacks and warfare for military, political, and strategic objectives. There are various active and passive methods of cyber-warfare including vandalism and website defacement, denial-of-service attacks, propaganda, information theft and disruption of services.
The attacks against Estonia appeared to be only the third known instance of a well funded and organized campaign of cyber-warfare between two countries. The other two instances were alleged attacks against the United States from China and Russia referred to as Titan Rain and Moonlight Maze. The source of computer network attacks is typically near impossible to attribute and would be particularly difficult when involving state sponsored network warfare. It is also possible that obfuscation of source that causes intentional political or public strife may be one of the core objectives. False flag operations or other forms of subterfuge could represent another reason for source obfuscation and misrepresentation.
On May 17, 2007, Jose Nazario of Arbor SERT reported seeing 128 distinct DDOS attacks against websites from Estonia. The data from Arbor also suggests that the number of attacks consistently increased and peaked on May 9, 2007. The length of the attacks ranged anywhere from less than one minute to more than 10 hours. Arbor also measured bandwidth of the attacks which reached upwards of 90 Mbps in some cases. The prolonged nature and persistence of the attacks combined with the enormous number of packets sent to the targets suggests that a large botnet was targeting the victims.
In response to the attacks, NATO sent experts to help Estonia investigate the attacks and improve network security. The government of Estonia responded to the attacks by blocking access to the targeted resources from sources that were outside the country, and also asked NATO to develop a strategy to combat ‘cyber-terrorists’. Allegations by the Estonian government and the release of a list of attacking source IP addresses from Russia led to a diplomatic row between the countries. It is unclear as to how the Estonian government reached the conclusion that the Russian government was behind the attacks as the source of an attack can be easily misrepresented by attackers. The question also arises as to whether an attacking state would be naïve enough to launch a sophisticated targeted attack using their networks, and thus be open to accusations with ease. Though considering the vast budgets available to military and defense organizations, one would expect a cyber war-fighting group run by a nation-state to be well funded, and staffed with some of the best technical analysts in the world. Such a group would be more than capable of effectively obfuscating the apparent origins of real attack traffic.
suggest that the attacks were not orchestrated by a single organization or government as it was previously thought. They seem to have been carried out by a group of attackers from around the world. The questions still remain as to why Estonia of all countries was targeted and why the attacks followed the specific political row. It is possible that these attacks were part of a growing trend of politically-motivated targeted attacks and may represent the beginning of an era of cyber-warfare. It is also very likely this was a one-time event that was misinterpreted and blown out of proportion.