The Estonia Cyberwar

Remember the "cyberwar" in Estonia last year? When asked about it, I generally say that it's unclear that it wasn't just kids playing politics.

The reality is even more mundane:

...the attacker convicted today isn't a member of the Russian military, nor is he an embittered cyber warrior in Putin's secret service. He doesn't even live in Russia. He's a [20-year-old] ethnic Russian who lives in Estonia, who was pissed off over that whole statue thing.

The court fined him 17,500 kroons, or $1,620 dollars, and sent him on his way.

So much for all of that hype.

Posted on January 28, 2008 at 12:36 PM • 22 Comments

Comments

Mike B • January 28, 2008 1:55 PM

As much as I know you hate "movie plot" threat scenarios, I would like to point out that cyber (or classic) terrorists attacking one nation-state under the guise of another nation-state either to provoke a larger incident or simply cover their own tracks has been the subject of numerous television and movie plots.

Anonymous • January 28, 2008 2:15 PM

Could it be true that the Russian military no longer has the drive or technology?

Estonian • January 28, 2008 2:31 PM

Bruce, the "hype" was all very real here in Estonia last spring. Many important websites, like the Ministry of Foreign Affairs and most read newspapers were inaccessible, and their access from outside Estonia was cut off temporarily because of that.

This local Estonian youngster is responsible for one attack against the government's website. He admitted his part. He has been convicted and fined. I think that this is very much what he deserved.

But how does it prove that the other attacks were a hype? I am sure the Estonian CERT has logs that prove very much otherwise. My personal experience trying to access Estonian websites that time proves otherwise. Unfortunately, those criminals are yet out of reach for Estonian police. That they are not identified does not serve as proof that they do not exist.

asn • January 28, 2008 2:50 PM

I agree with Estonian. Where is the forensic analysis that verifies that this is true and that he is the only one to blame? I am a little bit sceptical about this.

Analogy Guy • January 28, 2008 3:13 PM

On the other hand, what a strange coincidence that this kid would take it upon himself to do only what he was convicted of in the midst of a much greater incident.

If all he did was what he was convicted of, then his part amounts to little more than using a hair blow-dryer in the middle of a tornado.

Mait • January 28, 2008 3:20 PM

Analogy Guy:

He had no choice - he was convicted for what he had admitted to doing before his arrest took place.

If you break the law, don't blog about it.

s • January 28, 2008 3:36 PM

Seems to me you decided ahead of time this was the case, then when you read this, automatically validated it.

Old Shatterhand • January 28, 2008 4:14 PM

"Et tu Bruce". What we are seeing here is a serious case of the old "Chinese whispers" effect – http://en.wikipedia.org/wiki/Telephone_(game) .

I've been following these blog posts about "capturing the mastermind behind the Estonian 04/07 attacks" for a few days now, and it is clear, that the actual news has been "lost in translation" a while back.

This lad did not mastermind anything, and it is safe to assume that he did not single-handedly organize a wide scale DDoS attack against the Estonian infrastructure.

Most likely this is one of the many youngsters that took part in the "cyber riots" that took place at the time of the DDoS attacks and the rioting on the streets. I think this guy was actually charged with attempting to pingflood a party website :) For his part in the "riots" (the riots mainly consisting of threats on the forums, basic attacks using ready-made tools, simple defacements etc.) he got a slap on the wrist and a reasonably small fine.

So, this was not "the attacker" behind the 04/07 events in Estonia, this was "a kiddie" behind a marginal effort.

One should always try to take these news with a grain of salt :)

Analogy Guy • January 28, 2008 4:15 PM

@Mait

You misunderstand my point. It is simply that if this guy's actions were so trivial why did he even bother in the first place? Like watering the lawn during a rainstorm.

It seems reasonable to assume that since he was caught attacking one website during the big event, he was probably responsible for attacks on a lot more than just one website - the authorities just couldn't prove it.

Victor Wagner • January 28, 2008 4:34 PM

They really should hire him rather than fire him. It is a big problem with all ex-USSR states - governments don't understand the value of professionals. They prefer cheap labor to qualified labor. And many businesses do too.

PHB • January 28, 2008 4:43 PM

I don't think we should dismiss this as unimportant for several reasons.

First, there is a real fear in diplomatic circles that an incident of this type could cause a crisis to escalate. This happened in 2001 when there was a minor incident between the US and China. Hacker groups on both sides took potshots using modified versions of Code Red.

Second, the Russian government has been busy with all manner of lawless activities of late. Murder of spies with plutonium-laced teapots, denial of service attacks against sites critical of the Putin regime, including the London Telegraph.

Third, the fact that it is possible to take out other sites using an attack that has been documented for ten years kinda points to the fact that we have not been taking Internet security a tenth as seriously as we claim.

Anonymous • January 28, 2008 10:19 PM

@ old Shatterhand

I may have missed your point, but I'm getting the impression that you're suggesting there needed to be some organized body behind the DDoS attacks. There didn't.

DDoS is easy, it's braindead simple. Remember mafiaboy? That was 8 years ago. The tools will only have gotten better since then.

Old Shatterhand • January 29, 2008 1:31 AM

@Anonymous

No, I am not suggesting there was an organized body or a "mastermind" behind the attacks.

My opinion is that the 04/07 attacks were mostly emotional, spontaneous acts conducted by individuals and loosely tied groups of people. There might have been "professionals" involved at some level, but we will never know.

Most likely there were hundreds if not thousands of guys like this kid, acting out not because of an "order" given to them, but because they felt they had to react to the political situation and got their motive when Estonia moved a WW II memorial.

Aleksejs • January 29, 2008 1:33 AM

@ Victor Wagner
You do not hire people to protect country who think that this country should not exist in the first place.

From neighboring Latvia

MartinsK • January 29, 2008 6:26 AM

Some more comments from neighbors. What happened cannot be called a hype. I don't think that network isolation is a hype. For example, I remember some problems with wire transfers in neighboring Latvia, and I think it was because some of the banks host their servers in Estonia. And I hardly believe that this attack was organized within Estonia, so prosecuting is harder, and they are prosecuting everybody who participated in and/or organized this attack within their jurisdiction (using what they can prove). I think most of these "attackers" were quite young and quite fast, and they got the idea from message boards and acted without thinking a lot about possible consequences (and it worked).

About this one case - this is only the first (Latvian media reports that others will follow), so this should be the reason for the escalated media attention; AFAIR there are other trials already in process or about to begin.

Anonymous • January 29, 2008 11:09 AM

@Mike B
It's called a "false flag" operation, and it has been carried out by several countries many times in our history. The US has done so frequently (some of the most "famous" ones include the Spanish-American war, Pearl Harbor, the US invasion of Iraq, etc.)

Estonian2 • January 29, 2008 12:08 PM

@Estonian

Estonians provoked the DDoS themselves simply by massively going to delfi and other pages. People who usually do not read news on the net rushed there all together, so even when everybody from abroad was blocked, all these pages were still down.

MartinsK • January 29, 2008 12:09 PM

@Anonymous

This is not the case. It all started after a monument was moved. Please read the whole story, it is a little bit more complicated.

Karl Siil • February 15, 2008 1:56 PM

@Bruce,

Reading the comments on the Wired article indicates that the truth is likely not as black and white as the author indicated. The comments suggest that one hacker was caught, tried, and convicted, not that the whole "cyberwar" thing was due to that person. Your blurb in your newsletter implicitly agrees with Wired's position. IMO, Wired's position is at worst biased and at least incomplete. While I agree that people shouldn't be screaming electronic Pearl Harbor every time two unwanted packets show up from a foreign source, I think you dismiss too readily everything that went down in Estonia. While I'm not screaming conspiracy, I don't write it off to simple script-kiddying either.

Karl (an Estonian American)
