Virtual harassment, but for real
By Miska Rantanen
Russia's aggressive displays towards Estonia of late, in the wake of the moving of the "Bronze Soldier" Soviet war memorial, have not been confined to rioting by nationalists on the streets of Tallinn or the blockading of the Estonian Embassy in Moscow.
Estonian government websites and others have been the victims of denial-of-service attacks since Friday of last week [April 27th, the day the statue was moved, following a night of rioting that left one man dead].
The first WWW target to be hit was apparently that of the Foreign Minister Urmas Paet's free market liberal Reform Party, the home page of which was given a makeover by the intruding crackers. The pages were nevertheless restored in short order.
This past week, the attacks have been stepped up.
Among the targets have been all the Estonian ministries, with the exception of Culture and Agriculture.
From Friday onwards, the black hats have expanded their cracking operations to include Estonian companies' sites, on which anti-Estonian slogans have been pasted up (see photo).
The Estonian web administrators have not been completely helpless against the assaults. For instance, the portal operated by the Estonian Parliament, the Riigikogu, has kept going on a wing and a prayer thanks to new protection methods. Many sites have since instituted bans on all net users with foreign IP addresses.
According to Mikko Hyppönen, Chief Research Officer at the anti-virus and computer security firm F-Secure, cracking a site and spreading disinformation are effective weapons in the net attacker's arsenal.
"By hacking into a server it is possible to get access to data that you can change as you see fit. If someone gets into, say, the President's pages and puts up something filthy or libellous, the vandalism will get spotted straightaway. But making subtle adjustments to the content of a press release or the form of words used is more effective as it may only get noticed after quite some time", says Hyppönen.
In the case of the Estonian ministerial sites, they have not been under assault from break-ins or wilful damage so much as through denial-of-service (DoS, or DDoS, for distributed denial-of-service) attacks.
In these instances, a website is deliberately "swamped" or saturated with external communications requests, such that the victim site is rendered unavailable to its intended, legitimate users.
The phenomenon is not especially unusual, and it can also occur unintentionally, with no intent to cripple the target, rather in the same way that the body can sometimes produce hormones that would arouse the interest of anti-drug agencies.
To take one classic example, at the time of the attacks on the World Trade Center in New York in September 2001, the pages operated by CNN could only be read in text format, as the bandwidth was insufficient for the sudden spike of millions of news-hungry people logging in to browse the latest developments.
"An artificial flood can be generated with a relatively small number of machines by instructing them to access certain pages. Just a few machines can be sufficient to max out a server, if they are programmed correctly", explains Hyppönen.
Nowadays, crises in the real world become visible in cyberspace almost immediately.
To take but one example, on the day that the war in Iraq began in March 2003, there were thousands of DoS attacks perpetrated on US, British, and Arab servers, seen as virtual enemies by the attackers.
The servers came tumbling down, too, at the height of the furore over the Danish Muhammad cartoons. Another new Internet battleground at such moments is the online open-source encyclopedia Wikipedia: in a dispute, whether transnational or personal, encyclopedia entries are changed rapidly to suit the views of the opposing sides, or are subjected to vandalism.
A denial-of-service attack is not some one-man crusade masterminded from an Internet café. Such an incursion would be easy to rebuff by filtering or banning all traffic from a given IP address or a country.
But throwing up the defences becomes an overwhelming task when there are tens of thousands of machines doing the attacking, from locations all over the world.
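As an added illustration, not part of the article, here is a small Python model of the defensive point just made: a per-source rate limit stops a flood from one address, but not one spread over thousands of compromised machines, while the blunt "ban all foreign addresses" filter the Estonian sites resorted to does stop it, at the cost of every legitimate user outside the allowed range. The traffic, server capacity, limits and address ranges are constructed assumptions.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample traffic for one measurement window: (source_ip, path).
# 192.0.2.0/24 and 203.0.113.0/24 are documentation ranges; 10.0.0.0/8 stands
# in for thousands of unrelated machines around the world (a botnet).
LEGIT = [(f"192.0.2.{i % 250 + 1}", "/news") for i in range(200)]
SINGLE_SOURCE_FLOOD = [("203.0.113.7", "/") for _ in range(5000)]
DISTRIBUTED_FLOOD = [(str(ip_address("10.0.0.0") + i), "/") for i in range(5000)]

SERVER_CAPACITY = 1000   # requests the server can serve per window (assumed)
PER_SOURCE_LIMIT = 100   # requests one source may make per window (assumed)


def per_source_admit(requests, limit=PER_SOURCE_LIMIT):
    """Per-IP rate limiting: a source that exceeds `limit` in the window is
    dropped. Returns (admitted_request_count, set_of_blocked_sources)."""
    counts = Counter()
    admitted, blocked = 0, set()
    for src, _path in requests:
        counts[src] += 1
        if counts[src] > limit:
            blocked.add(src)
        else:
            admitted += 1
    return admitted, blocked


def allowlist_admit(requests, allowed_nets):
    """Prefix-based filtering (the 'ban all foreign IPs' approach): only
    sources inside `allowed_nets` are served. Returns the admitted count."""
    nets = [ip_network(n) for n in allowed_nets]
    return sum(1 for src, _ in requests if any(ip_address(src) in n for n in nets))


def survives(admitted, capacity=SERVER_CAPACITY):
    """True if the admitted load still fits within what the server can serve."""
    return admitted <= capacity


if __name__ == "__main__":
    a1, b1 = per_source_admit(LEGIT + SINGLE_SOURCE_FLOOD)
    print("single source:    admitted", a1, "blocked", b1, "up?", survives(a1))
    a2, b2 = per_source_admit(LEGIT + DISTRIBUTED_FLOOD)
    print("distributed:      admitted", a2, "blocked", len(b2), "up?", survives(a2))
    a3 = allowlist_admit(LEGIT + DISTRIBUTED_FLOOD, ["192.0.2.0/24"])
    print("prefix allowlist: admitted", a3, "up?", survives(a3))
```

The per-source limit leaves the single-address flood harmless but admits all 5000 distributed requests, which is exactly why the article's "tens of thousands of machines" overwhelm a filter built around individual addresses.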
In an interview on Estonian TV last week, the country's Minister of Justice Rein Lang claimed that the attacks against Estonian government servers on April 29th and 30th could be traced back to Moscow IP addresses owned by the Russian presidential administration and government.
Hyppönen has got hold of Lang's original press release, but he does not find the claims altogether credible.
"In practice there is just one IP address that leads to a government computer. It is of course possible that an attack was launched from there, too, but the person behind it could be anyone, from the son of some ministerial janitor upwards."
Hyppönen takes the view that if the Russian Federation had really wanted to attack in earnest, the Estonian servers would have gone down en masse, and they would have stayed that way for a good long while.
So where have the attacks originated, and who is behind them?
According to Hyppönen, the incursions have made use of botnets, the term used in the trade for a motley collection of compromised computers around the world; machines that have previously been maliciously taken over by worms or "trojan horses", and which are under common command and control systems.
The same technique is used to spread illegal spam via e-mail.
"Computers that have been assimilated into a botnet can be ordered simultaneously to send a lot of traffic to a given Internet address. It is very difficult to defend against this kind of attack."
Another, equally significant network attack task force is made up of those individual enthusiasts who launch attacks from their own PCs and in their own names.
"They are Russians and ethnic-Russian Estonians who want to be a part of the anti-Estonian movement, but who live too far away to meaningfully take to the streets. They are stirred into action through an array of message boards and discussion groups, which provide comprehensive how-to guides on ways of harnessing one's computer to bomb certain websites."
The boards also offer up the e-mail addresses of ministerial civil servants so that they can be blasted with spam. Other potential targets on the lists have included foreign banks operating in Estonia, including Nordea and Sampo.
However, it is by no means certain that all the attackers are kids sitting at home in their bedrooms looking for excitement.
One of the most active agitators on the Russian-language message boards has been someone calling himself alexbest. In recent days he has been exhorting forum members to take part in a massive net assault on Wednesday, May 9th, celebrated as Victory Day in Russia.
According to some Estonian sources, the log-in name alexbest is believed to have connections with the FSB or Federal Security Service, the state security agency of the Russian Federation.
Helsingin Sanomat / First published in print 6.5.2007
Foreign bank addresses in Estonia listed on a Russian message board site. Zyklonteam.org also appears to be involved in some way in the cracking job on the siilimaja.ee site shown in the photo.
Denial of Service attacks (Wikipedia)
Russia begins cyber attacks against Estonian government (Jamestown Foundation)
F-Secure weblog (28th April, 2007)