CYBERWAR

Cyberwar in Estonia
and the Middle East
Aviram Jenik, chief executive officer, Beyond Security
Aviram Jenik
Recent cyber attacks in the Middle East and particularly Estonia, where the
country was practically brought to a standstill, have illustrated that cyber- overwhelmed, blacking out internet
warfare has now moved firmly from the realms of possibility to reality. access for significant portions of the
Government and military bodies worldwide will doubtless have learned valuable population.
lessons from these recent incidents, but the possibility still exists for major
disruption. In essence, IT-based attacks may have become the weapon of choice
“The attack centred mainly on
for any nation seeking to cause disruption to another and yet maintain a level of
plausible deniability.
small websites which were easy
to knock out, but nevertheless
was devastatingly effective”
Did a member of your family help mandate, the move sparked the worst
launch a cyber attack that brought riots the country had ever seen – and While the Estonian government was
an entire nation to its knees? No, a startling cyber attack from Russia. expecting there to be an online backlash
seriously, don’t laugh. In April 2007, On April 27, as two days of rioting to its decision to move the statue, it
communications in the Baltic state shook the country and the Estonian was completely unprepared for the scale
of Estonia were crippled through a embassy in Moscow found itself under of the cyber attack. Estonia’s defence
coordinated attack that relied on the siege, a massive distributed denial-of- minister went on record to declare the
computers of millions of innocent users service (DDoS) attack overwhelmed attack “a national security situation”,
around the world, just like you and most of Estonia’s internet infrastructure, adding “it can effectively be compared to
your kin. The strike was notable in bringing online activity almost to a when your ports are shut to the sea.”1
fully demonstrating how cyber war had standstill. The targets were not military Once it became clear that most of the
moved from idea to reality. And it all websites but civilian sites belonging to country’s online business infrastructure
started with the movements of a single organisations such as banks, newspapers, was being affected, the Computer
soldier. internet service providers (ISPs), and Emergency Response Team for Estonia
even home users. Much of the onslaught (CERT-EE) issued a plea for help
“Bank websites became came from hackers using ISP addresses from IT security specialists worldwide
unreachable, paralysing most of in Russia, but the most devastating and an ad-hoc digital rescue team was
Estonia’s financial activity” element in the attack was a botnet which assembled, which included people
co-opted millions of previously virus- from my own firm, Beyond Security.
infected computers around the globe to It took us a few days to get to the
The Bronze Soldier is a two-metre pummel the Estonian infrastructure. bottom of the threat and begin setting
statue which formerly stood in a up frontline defences, which mainly
small square in Tallinn, the Estonian Anatomy of a cyber involved implementing BCP 38 network
capital, above the burial site of Soviet ingress filtering techniques across
soldiers lost in the Second World attack affected routers to prevent source address
War. The memorial has long divided The botnet fooled Estonian network spoofing of internet traffic.
the population of the country, with routers into continuously resending The attack waned quickly once we
native Estonians considering it a useless packets of information to started taking defensive measures. But in
symbol of Soviet (and formerly Nazi) one another, rapidly flooding the the days it took to fight off the attack,
occupation and a large minority infrastructure used to conduct all online it is likely that the country lost billions
population (around 25% of the total) business in the country. The attack of euros in reduced productivity and
of ethnic Russian immigrants seeing centred mainly on small websites which business downtime.
it as an emblem of Soviet victory over were easy to knock out, but nevertheless
the Nazis and Russian claims over was devastatingly effective. Bank websites Cyber war in the Middle
Estonia. When the country’s newly became unreachable, paralysing most
appointed Ansip government initiated of Estonia’s financial activity. Press sites East
plans to relocate the statue and the also came under attack, in an attempt The Estonian incident will go down in
remains as part of a 2007 electoral to disable news sources. And ISPs were history as the first major (and hopefully

4
Network Security April 2009

biggest ever) example of full-blown cyber
warfare. However, there is one place on
earth where cyber war has become part
of the day-to-day online landscape – and
it is still ongoing.
In the Middle East, the Arab-
Israeli conflict has a significant online
element, with thousands of attacks and
counter-attacks a year. This has been
the situation since the collapse of peace
talks in the region and was preceded
by a spontaneous wide-scale cyber war
between Arab and Israeli hackers in
1999 and 2000. Arab sympathisers from
many nations are involved. A group of
Moroccan hackers have been defacing
Israeli web sites for the last six years or
so, and recently Israel’s military radio
station was infiltrated by an Iraqi hacker.
Unlike the blitzkrieg-like strike in
Estonia, this protracted warfare is not
intended to paralyse critical enemy
functions but more to sap morale, drain
resources and hamper the economy. The
targets are typically low-hanging fruit
in internet terms: small transactional,
informational and even homespun
web sites whose security can easily be
compromised. Taking over and defacing
these sites is a way of intimidating the
opposition – creating a feeling of ‘if
they are here, where else might they be?’
– and leads to significant loss of data,
profits and trust for the site owners.
Cyber war spreads
If the Estonia and Middle East examples
were our only experiences of cyber
warfare then it might be tempting to
put them down to local factors and
therefore not of concern to the wider
security community. Sadly, however,
these instances are simply part of a much
larger trend towards causing disruption
on digital communications platforms.
In January this year, for example, two
of Kyrgyzstan’s four ISPs were knocked
out by a major DDoS hit whose authors
remain unknown.2 Although details
are sketchy, the attack is said to have
disabled as much as 80% of all internet
traffic between the former Soviet Union
republic and the west.
The strike appeared to have originated
from Russian networks which are
April 2009
thought to have had links to criminal
activity in the past, and probably the
only thing preventing widespread
disruption in this instance was the fact
that Kyrgyzstan’s online services, unlike
those in Estonia, are poor at the best
of times. It was apparently not the first
such attack in the country, either.3 It is
claimed there was a politically-motivated
DDoS in the country’s 2005 presidential
elections, allegedly attributed to a
Kyrgyz journalist sympathising with the
opposition party.
“The strike appeared to have
originated from Russian
networks which are thought
to have had links to criminal
activity in the past”
China has also engaged in cyber
warfare in recent years, albeit on a
smaller scale. Hackers from within the
country are said to have penetrated
the laptop of the US defence secretary,
sensitive French networks, US and
German government computers, New
Zealand networks and Taiwan’s police,
defence, election and central bank
computer systems.
In a similar fashion, in 2003 cyber
pests hacked into the UK Labour Party’s
official website and posted up a picture
of then US President George Bush
carrying his dog – with the head of Tony
Blair, the Prime Minister of the UK
at the time, superimposed on it.4 The
incident drew attention to government
sites’ lax approach to security although
in this particular event it was reported
that hackers had exploited the fact that
monitoring equipment used by the site
hosting company had not been working
properly. And as long ago as 2001,
animal rights activists were resorting
to hacking as a way of protesting
against the fur trade, defacing luxury
brand Chanel’s website with images of
slaughtered animals.5
The case for the defence
What do all these incidents mean
for policy makers worldwide? Both
the Estonian and Middle Eastern
experiences show clearly that cyber war
CYBERWAR
FEATURE
is a reality and the former, in particular,
demonstrates its devastating potential.
In fairness, Estonia was in some ways
the perfect target for a cyber strike.
Emerging from Russian sovereignty
in the early 1990s with little legacy
communications infrastructure,
the nation was able to leapfrog the
developments of western European
countries and establish an economy
firmly based on online services, such as
banking, commerce and e-government.
At the same time, the small size of the
country – it is one of the least populous
in the European Union – meant that
most of its web sites were similarly
minor and could be easily overwhelmed
in the event of an attack. Last but
not least, at the time of the Estonian
incident, nothing on a similar scale had
been experienced before.
It is safe to say that other nations will
now not be caught out so easily. In fact,
if anything, what happened in Estonia
will have demonstrated to the rest of the
world that cyber weapons can be highly
effective, and so should be considered
a priority for military and defence
planning.
“A 21 000-machine botnet can
be acquired for ‘just a few
thousand dollars’, a fraction
of the cost of a conventional
weapon”
What might make cyber warfare the
tactic of choice for a belligerent state?
There are at least five good reasons. The
first is that it is ‘clean’. It can knock
out a target nation’s entire economy
without damaging any of the underlying
infrastructure.
The second is that it is an almost
completely painless form of engagement
for the aggressor: an attack can be
launched at the press of a button
without the need to commit a single
soldier.
The third reason is cost-effectiveness.
A 21 000-machine botnet can be
acquired for ‘just a few thousand dollars’,
a fraction of the cost of a conventional
weapon, and yet can cause damage and
disruption easily worth hundreds of
times that.6
5
Network Security
 CYBERWAR
The fourth is that it is particularly
difficult for national administrations to
police and protect their online borders.
A DDoS attack may be prevented simply
by installing better firewalls around a
web site (for example), but no nation
issues faced by Estonia and the kinds
of hacker attacks still going on in the
Middle East.
For DDoS strike avoidance, there are
four types of defence:
would be enough to prevent another
Estonia incident. Or would they?
There is, unfortunately, another type
of cyber war strike which we have yet
to see and which could be several times
more devastating that what happened
currently has the power to tell its ISPs,
telecommunications companies and
other online businesses that they should
do this, which leaves the country wide
open to cyber strikes.
The last but by no means least reason
is plausible deniability. In none of the
cyber war attacks seen so far has it
been possible to link the strike with a
government authority, and in fact it
s "LOCKING39.FLOODSWHICHARECAUSED in Estonia. Rather than trying to hack
when the attacker (for example) spoofs
the return address of a client machine
so that a server receiving a connection
message from it is left hanging when
it attempts to acknowledge receipt.
s )MPLEMENTING "#0  NETWORK
ingress filtering techniques to guard
against forged information packets, as
employed successfully in Estonia.
into web sites just to deface them – a
time-consuming effort with relatively
little payback – this tactic would involve
placing ‘time bombs’ in the web systems
concerned. These could be set to lay
dormant until triggered by a specific
time and date or a particular event, such
as a given headline in the national news
feed. They would then activate and shut
would be almost impossible to do so. In
the case of the Chinese hack attacks, for
instance, the authorities have provided
a defence which amounts to saying:
‘There are probably a billion hackers on
s :OMBIE:APPERSWHICHAREFREEOPEN down their host web site, either using an
source tools that can tell a device (or internal DoS or some other mechanism.
‘zombie’) which is flooding a system The code bombs could lay dormant
to stop doing so. for long enough for a malicious agency to
s ,OW
BANDWIDTH WEB SITES WHICH crack and infect most or all of the major
our soil and if it was us we would have
to be stupid to do it from a Chinese IP
address.’
A similar logic potentially provides
absolution to the Russian administration
in the case of Estonia: if it is so cheap
and easy to get a botnet to mount a
DDoS attack, why would the Russians
bother mounting hack attacks from their
own ISPs? And in the Kyrgyz attack,
although the source of the DDoS clearly
points to a Russian hand, the motives
for Russia’s involvement remain hazy,
leading to a suggestion that it may
have been caused by Kyrgyzstan’s own
incumbent party, acting with hired cyber
criminals from Russia.
Tactics for protection
With all these advantages, it is unlikely
that any military power worth its
salt is by this stage still ignoring the
potential of cyber warfare. In fact, since
the Estonia incident it is even possible
that the incidence of cyber warfare
has increased, and we are simply not
aware of the fact because the defensive
capabilities of the sparring nations have
increased. After all, another important
lesson from Estonia is that it is possible
to mount a defence against cyber attacks.
There is no single solution, no silver
bullet, but a range of measures can be
taken to deal with the kinds of DDoS
6
Network Security
prevent primitive DDoS attacks
simply by not having enough capacity
to help propagate the flood.
For hacker attacks such as those seen in
the Middle East, meanwhile, there are
three main types of defence:
s 3CANNINGFORKNOWNVULNERABILITIESIN From page 6
the system.
s #HECKINGFORWEBAPPLICATIONHOLES
s 4ESTING THE ENTIRE NETWORK TO DETECT soldier into combat.
the weakest link and plug any potential
entry points.
A doomsday scenario?
All the above are useful defensive tactics,
but what about strategic actions? First
and foremost, the Estonian experience
showed that it is important for the local
CERT to have priority in the event of an
attack, in order to ensure that things can
return to normal as soon as possible.
Authorities can also as far as possible
check national infrastructures for DoS
and DDoS weaknesses,, and finally,
national CERTs can scan all the
networks they are responsible for –
something the Belgian CERT has already
started doing. Given the openness of the
internet and the differing challenges and
interests of those operating on it, these
measures will of course only provide
partial protection. But it is hoped they
web sites of a country. And in today’s
networked world, this is no longer about
simply causing inconvenience. Think of
the number of essential services, from
telephone networks to healthcare systems,
which now rely on internet platforms.
Knocking all these out in one go could
have a truly overwhelming impact on a
nation’s defensive capabilities, without
the need for an aggressor to send a single
The means to create such an attack
definitely exist. So do the means to defeat
it. What has happened in Estonia and
the Middle East shows we now need to
consider cyber warfare as a very real threat.
What could happen if we fail to guard
against it really does not bear thinking
about.
References
1. Mark Landler and John Markoff:
‘Digital fears emerge after data siege
in Estonia’. New York Times, 29 May
2007.
2. Danny Bradbury: ‘The fog of cyberwar’.
The Guardian, 5 February 2009.
3. Ibid.
4. ‘Labour website hacked’. BBC News,
16 June 2003.
5. ‘The fur flies’. Wired, 23 January 2001.
6. Spencer Kelly: ‘Buying a botnet’. BBC
World News, 12 March 2009.
April 2009