NATO flew two of its top cyberterrorism experts into the Estonian capital of Tallinn as the country’s security agencies moved to defend sites against the attacks, and questions were raised in meetings between European and Russian leaders in Samara, Russia, on Friday. Ultimately, Estonia had to stop access to all these sites from IP addresses outside the country.

Unofficially, most suspicion has fallen on Russia, which is in the throes of a heated dispute with Estonia after the latter removed an important memorial to Russian victory in the Second World War from downtown Tallinn. Certainly the IP addresses of some of the first machines responsible for the attacks were in Russia, and there is a backdrop of the Bear throwing its weight around of late, whether over gas suppliers to the Ukraine or statues in Estonia. There’s a particularly nasty trade dispute with Poland, which is upset at a Russian ban on meat imports and is forcing a delay in talks between Russia and the EU on improved cooperation.

In any case, what the Estonian situation has revealed is how, the more a country invests in e-government (and Estonia is a poster child for online public administration), the more vulnerable it is, at least potentially, to concerted efforts to disrupt and even destroy its critical information infrastructure.

This is not, in reality, the first example of such cyberaggression: it has raged between India and Pakistan in the past, and there have been attacks from China that attempted to break into US government sites. When Japan hosted the G8 summit in Okinawa a couple of years ago, it raised the issue of cyberterrorism after several of its sites had been defaced by hackers. However, the Estonian case is perhaps the first in which a small country has so clearly been targeted by what appears to have been such a large neighbour.

Darren Rennick, CEO of Prolexic, a company that provides DDoS mitigation as a service, said that when the company was founded four years ago it was selling primarily into adult and gaming sites, which were the object of extortion as criminals demanded money not to mount DDoS attacks on them. Even now, the people running botnets are of course mainly commercially motivated, he went on. However, we do see activists involved too, such as customers of ours in Saudi, whose sites that talk about democracy are frequently being attacked. There is also competitive intelligence, whereby a Chinese company will seek to take down the site of a US competitor in the hope of driving business in its direction.

That said, he went on, we foresaw from the outset that a time would come when there would be big attacks not for extortion but actually to damage the economy and, potentially, to destroy the defense system of a country. He recalled the recent attack on the routers managing the DNS system for the internet, which, while it was small-scale, did cause disruption.

Will the events in Estonia provoke additional spending by governments on DDoS mitigation? Robert Shaw, head of the ICT applications and cybersecurity division at the International Telecommunication Union in Geneva, believes they will. Shaw said his organization is currently looking at the development of a botnet mitigation toolkit, based on the Australian Internet Security Initiative. They created databases of infected computers and worked with the leading ISPs to shut them down, he began, adding that the idea is to draw on that experience for a generic toolkit approach.

Of particular concern, he went on, is the development of what managed security services provider MessageLabs is calling Spam-Thru Botnets, which, as peer-to-peer networks, mean there is no absolute master controller as in normal botnets. Any machine can be the controller, and they even have some software built on the Kaspersky AV technology that actually removes other botnet software from a machine before installing themselves, said Shaw.