LAS VEGAS -- Security researcher Gadi Evron helped investigate massive cyberattacks that sent the Web-dependent nation of Estonia reeling last April. While plenty of questions remain as to what happened and why, he's confident the culprit was not the Russian government as many assumed from the outset.
Instead, he said, it was a mob riot in the streets of cyberspace, sparked by anger over the Estonian government's decision to relocate a revered Soviet-era World War II memorial. Evron, a security evangelist with McLean, Va.-based Beyond Security, spoke to attendees at the Black Hat USA 2007 Briefings on Thursday.
He said the good news is that Estonia's CERT (Computer Emergency Response Team) and IT professionals from the private sector were well coordinated, and the Baltic nation bounced back quickly from the incident. The bad news is that cyber riots like this will probably become more common, staged by people who control botnets and are inspired by what happened in Estonia.
While the attacks hardly broke records in size or sophistication, Evron said they still caused serious short-term disruption in Estonia, a nation of 1.3 million people that has become almost entirely dependent on the Internet. He noted that the country rebuilt its infrastructure from scratch after the collapse of the Soviet Union, with the Internet forming much of the backbone. Almost all of its citizens bank online, and every citizen carries an ID card with an embedded PKI (public key infrastructure) chip. Elections also offer online voting, with voters casting their ballots from home.
Soon after the attacks began on April 27, people were unable to buy essentials such as gas and groceries, Evron said, because credit card transactions could not be completed.
"Critical infrastructure proved to be [IT systems] in the private and business sectors, not things like transportation and energy," he said. "ISPs, banks and media Web sites became critical items that had to be protected."
Both attackers and defenders acted in an ad hoc manner, Evron said. On the Estonian side, citizens volunteered to comb through network activity logs. On the attackers' side, one person enraged by the relocation of the WW II statue posted an online request for donations to a PayPal account in order to hire a botnet to launch attacks; in the same message thread, someone else volunteered two of his own botnets. In the final analysis, Evron said, the attackers used botnets the way rioters in the street use rocks and bottles.
And though the Estonians probably weren't as prepared as they should have been, Evron pointed to the controlled, coordinated response as an example from which other governments and private sector entities can learn.
Rather than trying to respond to every individual attack, the first responders made bringing systems back online their top priority, focusing on the targets rather than the sources of the attacks. Technical analysis was limited to cases where it could make a difference, Evron said.
"Estonia is unique," Evron said. "Everyone knows each other and the country's online presence is concentrated. There's a networking of small groups with less bureaucracy, and it worked for them."
As noteworthy as the Estonian attacks were, Evron said their significance has been overblown in the media, with more FUD than the facts warrant. He said it irritates him when someone describes the attacks as "the first Internet war."
He said, "What happened in Estonia has happened many times over. The techniques were not new."