Some experts are dismissing speculation earlier this week that hackers sponsored by the Russian government were behind a series of blistering distributed denial-of-service (DDoS) attacks in the Baltic country of Estonia.
The attacks left Web sites for Estonia's prime minister, banks and schools in disarray and some observers pointed fingers at Russia, given its apparent anger over Estonia's decision to remove a bronze statue of a Soviet-era soldier that was part of a World War II memorial.
But information security experts now say it's very unlikely this was a case of one government launching a coordinated cyberattack against another. It was more likely the work of smaller organized groups in control of hijacked computers from around the world, they said.
"Attributing a distributed denial-of-service attack like this to a government is hard," Johannes Ullrich, chief research officer of the Bethesda, Md.-based SANS Internet Storm Center (ISC), said in an email exchange. "It may as well be a group of bot herders showing 'patriotism,' kind of like what we had with Web defacements during the US-China spy-plane crisis [in 2001]."
Hillar Aarelaid, chief security officer for Estonia's Computer Emergency Response Team (CERT), said in published reports Thursday that most of the affected Web sites have been restored to normal service. He also expressed skepticism that the attacks were from the Russian government, noting that Estonians were also divided on whether it was right to remove the statue. And since the attacks began, investigators have found evidence that while Russian hackers may be involved, malicious activity also originated from computers in the U.S., Brazil, Canada and Vietnam.
"I think it is extremely unlikely that the attacks are being sponsored by the Russian government," Graham Cluley, senior technology consultant for UK-based security software company Sophos, said in an email exchange. "The fact that DDoS attacks may be coming from Russian authority computers does not necessarily mean that the Russian authorities have endorsed the attacks. Indeed, it's quite possible that these are PCs which have been taken over by remote hackers."
There have been many instances in the past where hackers have gained access to poorly-defended government and military computers in order to cause mischief, Cluley added.
"If you were the Russian government and wanted to launch an attack against Estonian authority Web sites -- knowing that the world would take a keen interest -- would you really use your own PCs to do it?" Cluley said. "It is quite possible that this is a small group of politically motivated hackers who have a grievance against the Estonian authorities who have taken remote control of PCs to attack Estonian Web sites."
While that may be the case, industry experts said the incident is yet another example of what can happen if governments don't do more to secure their IT infrastructure. The U.S., for example, has come under scrutiny for not doing more to harden its systems.
When a White House ID theft task force released recommendations to better protect people from online fraud last month, for example, the Cyber Security Industry Alliance (CSIA) said the document was short on guidelines to help federal agencies address their own security shortcomings.
The U.S. government learned how vulnerable its systems can be two years ago when it learned of ongoing attacks that were eventually dubbed Titan Rain. In those attacks, Chinese Web sites targeted computer networks in the Defense Department and other U.S. agencies, compromising hundreds of unclassified networks. Though classified information wasn't taken, officials worried that even small, seemingly insignificant bits of information can paint a valuable picture of an adversary's strengths and weaknesses when pulled together.
Ullrich doesn't believe government networks are being defended well enough, given the steady stream of news reports about compromised networks. But, he added, defending against the kind of attack Estonia suffered is no easy task.
"Defending against a DDoS is very hard if you are running a large government network across globally-shared media," he said. "The best defense against a DDoS is a contingency plan. [Governments] have to plan for widespread network disruption. Once the attack is under way, critical records such as phone lists may no longer be reachable." Any good disaster recovery plan should cover these scenarios, he said.
John LaCour, a CISSP and director of product management for San Francisco-based security firm MarkMonitor Inc., said it's equally important for private enterprises to prepare for these kinds of attacks. After all, he said, companies remain a bigger target than government systems.
"Virtually all American businesses are connected to the Internet so there's an endless opportunity to go after private companies," he said. "But while the government is on the Internet, classified systems are more restricted and guarded. Often, cyberattacks are initiated by political groups who are not necessarily state sponsored. As part of their method of operation, it's about targeting the commercial interests."
Should there be escalating cyberattacks against first-world countries, he said, attacks against commercial entities will also be more prevalent. Therefore, enterprises need to have a response plan.
"Often, organizations won't be able to defend against it on their own so they should have a coordinated battle plan with their ISPs and others," LaCour said. "The big problem with DDoS attacks is the potential for collateral damage beyond the prime target."