Hackers Take Down the Most Wired Country in Europe
Defense minister Jaak Aaviksoo got help from NATO in the wake of the cyberattacks. Photo: Donald Milne
The minister of defense checked the Web page again — still nothing. He stared at the error message: For some reason, the site for Estonia’s leading newspaper, the Postimees, wasn’t responding. Jaak Aaviksoo attempted to pull up the sites of a couple of other papers. They were all down. The former director of the University of Tartu Institute of Experimental Physics and Technology had been the Estonian defense minister for only four weeks. He hadn’t even changed the art on the walls.
An aide rushed in with a report. It wasn’t just the newspapers. The leading bank was under siege. Government communications were going down. An enemy had invaded and was assaulting dozens of targets.
Outside, everything was quiet. The border guards had reported no incursions, and Estonian airspace had not been violated. The aide explained what was going on: They were under attack by a rogue computer network.
It is known as a botnet, and it had slipped into the country through its least protected border — the Internet. Ministers of defense develop strategies to combat the threat of missile attacks, naval bombardment, air raids, and tank advances. But a digital invasion? Estonia is a member of both NATO and the European Union. Should Aaviksoo invoke NATO Article 5, which states that an assault on one allied country obligates the alliance to attack the aggressor?
In the coming months, commentators around the world would look back at this moment and debate its significance. But for Aaviksoo, the meaning was clear. This was not the first botnet strike ever, nor was it the largest. But never before had an entire country been targeted on almost every digital front all at once, and never before had a government itself fought back. “The attacks were aimed at the essential electronic infrastructure of the Republic of Estonia,” Aaviksoo tells me later. “All major commercial banks, telcos, media outlets, and name servers — the phone books of the Internet — felt the impact, and this affected the majority of the Estonian population. This was the first time that a botnet threatened the national security of an entire nation.”
Welcome to Web War one.
The event that sparked this digital onslaught had occurred a few days earlier. Around dawn on April 27 — after an overnight meeting of the nation’s crisis commission — the Estonian government removed a 6-foot-tall bronze statue in downtown Tallinn, the capital of Estonia. The Soviets had built the monument in 1947 to commemorate their war dead after driving the Nazis out of the region at the end of World War II. But having rid the country of German occupation, the Russians decided to settle in. The Soviet secret police set up shop, and soon masses of Estonians were deported to Siberia. To many citizens, the statue was a symbol of an oppressive occupation. Now, after 16 years of independence, the Estonians had finally mustered the gumption to ignore the protests of the Russian government — which had warned ominously that the removal would be “disastrous for Estonians” — and uprooted the statue. Three days later, it was installed in a military cemetery in the suburbs.
Even before the removal, violence broke out in the streets of Tallinn. Rioters smashed shop windows, flipped over cars, and threw rocks at riot police. Most of the demonstrators were ethnic Russians, who make up a quarter of the nation’s population. But the fighting died down quickly; hundreds of people were arrested, the windows were repaired, and street sweepers had cleaned up everything by the morning of April 28.
But just as the unrest subsided, a different kind of aggression began to sweep the country. The head of IT at the Postimees watched it with alarm. Ago Väärsi had dealt with spikes in the newspaper’s Internet traffic before, but this was different. From his office at the top of one of Tallinn’s highest buildings, the 31-year-old had spent the past few years serving up a million pageviews a day, roughly comparable to the traffic at the Seattle Post-Intelligencer. But now his paper’s servers were being swamped with 2.3 million pageviews and had already crashed 20 times. A flat-panel monitor on the wall of his office displayed bandwidth consumption — the amount of traffic flowing to the newspaper from within Estonia and from around the world. Usually it hovered in the green zone — 20 to 30 percent of capacity unused. Now he watched as the numbers ticked down: 20 percent unused, 10 percent unused, 5 percent unused. If it reached zero, the site would become inaccessible.
Väärsi has the look of a ’70s rock promoter — he wears his hair long and his shirts open, and he sports rose-tinted, square sunglasses. He’s proof that the geeks have triumphed in this country of 1.3 million. Some 40 percent read a newspaper online daily, more than 90 percent of bank transactions are done over the Internet, and the government has embraced online voting. The country is saturated in free Wi-Fi, cell phones can be used to pay for parking or buy lunch, and Skype is taking over the international phone business from its headquarters on the outskirts of Tallinn. In other words, Estonia — or eStonia, as some citizens prefer — is like a window into the future. Someday, the rest of the world will be as wired as this tiny Baltic nation.
If so, the future was looking perilous. Väärsi watched as automated computer programs continued to spew posts onto the commentary pages of the Postimees Web site, creating a two-fold problem: The spam overloaded the server’s processors and hogged bandwidth. Väärsi turned off the comments feature. That saved bandwidth — the meter showed that there was still capacity — but what did get through tied the machines into knots and crashed them repeatedly. He discovered that the attackers were constantly tweaking their malicious server requests to evade the filters. Whoever was behind this was sophisticated, fast, and intelligent.
As the sun lit the Baltic Sea outside Väärsi’s window, he realized he was exhausted. He had been in the office writing filters and struggling to keep his servers up for days. Every time a server crashed, he received an automated alert on his cell phone: “Web site is critical.” The paper’s editors thought he was going to have a heart attack.
The attacks, among other things, crippled ATMs in Tallinn.
At the time, Väärsi couldn’t have known that this was just the beginning. On the morning of Wednesday, May 2, traffic again rose precipitously, driven largely by overseas visitors. So far, Väärsi had preserved enough bandwidth to keep the Postimees online by removing ads and pictures. The pages were a lighter load, but the capacity monitor was still hovering precariously close to zero. Väärsi initially thought the traffic spike was due simply to international interest in the statue controversy. But then he looked at where the traffic was coming from. The number one foreign country accessing the site: Egypt. Vietnam and Peru followed. He doubted that a sizable Estonian population had suddenly materialized in southeast Asia and South America.
Väärsi tried to pull up his competitors’ Web sites. They were down as well. He knew he had only one choice: to sever the international connection. He keyed in a few lines of code and pressed Enter — and all international requests to the paper were suddenly blocked. In the eyes of the world, the Postimees Web site disappeared.
Instantaneously, the bandwidth meter turned green. The site became accessible again within Estonia, but at a cost. Estonia’s leading news outlet could not tell the world what was going on in its own country. Though this was a 21st-century attack, Väärsi used the same defense Estonia had used against Russian invasions four centuries earlier: He had closed the gates, pulled up the ramparts, and settled in for a siege.
Four days after the siege began, Hillar Aarelaid was having dinner at , a high-end restaurant just outside the walls of the old city of Tallinn. He doesn’t look like the fine-dining type. His years working the streets as a beat cop have stuck with him: His face seems frozen into an expression that says “Don’t mess with me.” But he was here for a reason. Since his rookie years in the 1980s, he has moved up the ranks, and 10 years ago he began specializing in digital crime. Now he’s head of the Estonian computer emergency response team. Known by the acronym CERT, Aarelaid’s IT cops are the de facto Estonian Internet defense force, charged with coordinating the country’s response to the attacks. The problem was that IT managers nationwide, like Väärsi, had so far been able to use only the bluntest tool — they cut off Estonia from the rest of the world. Fighting the bots directly required a more modern defense. It required social networking.
Across the dinner table from Aarelaid sat Kurtis Lindqvist, the man in charge of running Stockholm-based Netnod, one of the world’s 13 root DNS servers, which direct global Internet traffic. That makes Lindqvist a sort of Olympian in the IT crowd. He is a handsome 32-year-old with a dimpled chin and close-cropped hair. By day, he wears a trench coat and shades, but the geek in him is just below the surface. He loves to play badminton and often programs late into the night. And, befitting the trench-coat-and-shades look, he belongs to a clandestine alliance of Internet elite with the power to cut off global Internet flows. He’s one of the so-called Vetted: the select few who are trusted by the world’s largest ISPs and can ask them to kick rogue computers off the network.
The Vetted constantly crisscross the globe to expand their network of trusted members, and by a stroke of luck, Lindqvist and some others were in Tallinn that week for what was referred to as a BOF — a birds-of-a-feather — meeting with European network operators. A mutual friend suggested that Lindqvist sit down with Aarelaid.
The cybercop explained what had happened: Web sites around Estonia had resorted to a siege defense by cutting off international traffic. To beat back the bots, he needed help tracing their origins. Then he needed to persuade ISPs around the world to blacklist the individual attacking computers that would otherwise overwhelm Estonia’s bandwidth. The problem was that most international ISPs had never heard of Hillar Aarelaid. For all they knew, he could be a hacker trying to cut off legitimate users. That’s where the Vetted would come in — they could make the calls on Aarelaid’s behalf.
By the end of dinner, Lindqvist was satisfied that Aarelaid was legit, and he agreed to join him at CERT headquarters whenever Aarelaid wanted. Patrik Fältström from Sweden and Bill Woodcock from the US — two more of the Vetted — would also go.
Aarelaid had his social network.
The cyberattacks on Estonia, like most other ambitious campaigns, unfolded across multiple fronts. The foot soldiers were called script kiddies — relatively unsophisticated troublemakers who copied programs line for line off hacker Web sites. Their primary weapon was the ping attack, a simple request for a response from a Web server, repeated hundreds of times per second. When deployed by masses of attackers, the pings could overwhelm a server.
The script kiddies were stoked into a fervor on Russian-language chat rooms. First they were goaded by overheated rhetoric about the April 27 removal of the statue. A week later, hundreds of posts called for a coordinated attack at the stroke of midnight on May 9, the day Russia celebrates its World War II victory. “You do not agree with the policy of eSStonia???” demanded a user named Victoris on a Russian online forum. “You may think you have no influence on the situation??? You CAN have it on the Internet!”
The post then laid out precise instructions on how to launch a ping attack on specific Estonian sites. It was the equivalent in the real world of an army recruitment pitch bundled with marching orders.
Then there was the air force: botnets. These giant squadrons were made up of hundreds of thousands of individual computers from around the world that had been hijacked previously by hackers. The computers, known as zombies, could be made to repeatedly flood designated Internet addresses with a variety of useless network-clogging data. It was the digital version of carpet bombing and is referred to as a distributed denial of service, or DDoS, attack.
Finally, there were the special forces — hackers who could infiltrate individual Web sites, delete legitimate content, and post their own messages. They used private chat rooms to communicate among themselves, but in public forums they hinted at their intentions. “DDoS is occurring even now but something more potent is on its way. :),” wrote a hacker named S1B. “On the 9th of May a mass attack is planned. The action will be massive — it’s planned to take Estonnet the fuck down :).”
The cyberattacks were sparked when Estonian officials decided to move a statue commemorating Russian war dead to the Tallinn suburbs.
At 10 pm on Tuesday, May 8, Lindqvist, Fältström, and Woodcock arrived at the downtown Tallinn office building that housed CERT headquarters. It was a geek dream team, with the attitude to match. Woodcock, who had spent years traveling through Europe, Africa, and Asia helping to set up Internet infrastructures, sauntered into the operations center wearing bison-skin boots handcrafted for him in Montana. Fältström, a pony-tailed former programmer for the Swedish Navy, now advised his government on Internet security. Lindqvist grabbed an Oreo off the counter, flipped open his PowerBook G4, and plugged in. Aarelaid would lead the charge — his team had to identify the addresses of the attackers and build the filters that would get distributed worldwide — but these guys were the ones with real battle experience.
Woodcock hoisted his laptop into the air. He called Aarelaid and Lindqvist over, took a picture with the built-in camera, and sent it out to the network to prove to the Vetted that Aarelaid was for real. Lindqvist grinned broadly. Aarelaid stared calmly at the camera. It was almost 11 pm in Tallinn — midnight Moscow time.
Everything looked normal on the networks. Traffic coming into Estonia was average for this time of night — about 20,000 packets per second. The first wave of attacks had died down over the previous two days. Maybe the online chatter about an attack that night was a hoax — maybe nothing would happen.
At exactly 11 pm, Estonia was slammed with traffic coming in at more than 4 million packets per second, a 200-fold surge. Globally, nearly 1 million computers suddenly navigated to a multitude of Estonian sites, ranging from the foreign ministry to the major banks. It was a larger-scale version of what had happened to the Postimees, except that the entire country’s bandwidth capacity was being squeezed.
Immediately, Aarelaid and his team started chasing the sources upstream. What they found was a botnet comprising mostly hijacked computers in the US. As Aarelaid identified a specific address, Woodcock and Lindqvist sent rapid-fire emails to network operators throughout the world asking for the IP to be blocked at the source. Their goal was to block traffic before it could enter Estonia’s major international connections. One by one, they picked off the bots, and by dawn they had deflected the attackers. Internet traffic into the country hovered just above normal. “I was very, very lucky that Kurtis, Patrik, and Bill were here,” Aarelaid says.
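The loop the CERT team ran that night, spotting the surge against the quiet baseline, picking out the sources responsible and handing their addresses upstream, can be sketched as code. What follows is an added, constructed illustration, not code from the article, from Estonia's CERT or from the Vetted: the flow-record format, the thresholds and the sample addresses (documentation ranges) are all assumptions, and the packet rates are the figures quoted above.

```python
"""Flood detection and upstream blocklist building over packet-flow records.
Added illustration (not the CERT's code): flag seconds whose inbound rate
jumps far above the quiet baseline, then isolate the sources responsible so
their addresses can be sent to upstream operators for filtering at origin."""
from collections import defaultdict

BASELINE_PPS = 20_000   # quiet-night inbound rate quoted in the article
SURGE_FACTOR = 50       # a second is a flood when rate > baseline * factor
SOURCE_FACTOR = 10      # a source is a bot when it sends 10x the busiest quiet source


def make_sample_flows():
    """Constructed (second, source_ip, packets) records: two quiet seconds
    at 20,000 pps from 20 readers, then two seconds in which 40 bots each
    add 100,000 pps on top of the same reader traffic (4,020,000 pps)."""
    flows = []
    for sec in range(4):
        for i in range(20):                       # ordinary readers
            flows.append((sec, f"203.0.113.{i + 1}", 1_000))
        if sec >= 2:                              # the flood starts at second 2
            for i in range(40):
                flows.append((sec, f"198.51.100.{i + 1}", 100_000))
    return flows


def rate_per_second(flows):
    """Total inbound packets per second: {second: packets}."""
    totals = defaultdict(int)
    for sec, _src, pkts in flows:
        totals[sec] += pkts
    return dict(totals)


def surge_seconds(flows, baseline=BASELINE_PPS, factor=SURGE_FACTOR):
    """Seconds whose inbound rate exceeds baseline * factor, in order."""
    return sorted(s for s, pps in rate_per_second(flows).items()
                  if pps > baseline * factor)


def per_source_rates(flows, seconds):
    """Peak per-second packet rate of every source within the given seconds."""
    per_sec = defaultdict(int)
    for sec, src, pkts in flows:
        if sec in seconds:
            per_sec[(sec, src)] += pkts
    peak = defaultdict(int)
    for (_sec, src), pkts in per_sec.items():
        peak[src] = max(peak[src], pkts)
    return dict(peak)


def build_blocklist(flows, factor=SOURCE_FACTOR):
    """Sources whose peak rate during the flood exceeds `factor` times the
    busiest source seen in quiet seconds; readers at their usual rate stay off."""
    flood = set(surge_seconds(flows))
    quiet = set(rate_per_second(flows)) - flood
    quiet_peak = max(per_source_rates(flows, quiet).values(), default=0)
    limit = max(quiet_peak * factor, 1)
    return sorted(src for src, pps in per_source_rates(flows, flood).items()
                  if pps > limit)


def residual_peak_pps(flows, blocklist):
    """Highest per-second rate left once the blocklist is filtered upstream;
    a value close to baseline means the list is complete."""
    blocked = set(blocklist)
    return max(rate_per_second(
        [f for f in flows if f[1] not in blocked]).values(), default=0)


if __name__ == "__main__":
    sample = make_sample_flows()
    block = build_blocklist(sample)
    print(f"flood seconds: {surge_seconds(sample)}; sources to block: {len(block)}")
    print(f"peak rate after blocking: {residual_peak_pps(sample, block)} pps")
```

The residual-rate check is the part worth keeping: a blocklist that still leaves the inbound rate far above baseline means the real sources have not been found yet.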
As the sun rose in Moscow that morning, Red Square was cordoned off. Soon, fighter jets streaked through the cloudy skies while 7,000 Russian soldiers marched past President Putin to celebrate Russia’s victory over Nazi Germany. “Those who are trying today to… desecrate memorials to war heroes are insulting their own people, sowing discord and new distrust between states and people,” Putin proclaimed to the troops.
This veiled threat came as yet another 58 separate botnet attacks rained down on Estonia over the course of the day. Aarelaid continued his blocking efforts even as the Russian government denied involvement in the offensive. True, some of the attacking computers were located in Russia, including, Estonian officials say, one in Putin’s presidential administration office, the equivalent of the West Wing. But those computers were most likely hijacked in the same way US machines had been taken over — when their users opened an infected attachment or visited a site that automatically installed malware. The appearance of Russian IP addresses nevertheless incensed the Estonians.
From the beginning, Urmas Paet, Estonia’s foreign minister, had been accusing Putin’s administration of direct involvement. “The European Union is under attack, because Russia is attacking Estonia,” he had said in a statement a week earlier. “The attacks are virtual, psychological, and real.”
It wasn’t the first time the Russian government had been accused of being involved in a large botnet campaign. In fact, just a few weeks earlier, a similar assault had been launched against an alliance of Russian opposition parties led by chess grandmaster Garry Kasparov. The attacks shut down the opposition Web sites just as government authorities announced a change in venue for an upcoming opposition rally. With his Web site down, Kasparov had difficulty informing his followers of the change, and when they massed at the originally announced location, he was arrested for leading an illegal rally.
Part of the botnet that attacked the opposition Web sites was soon redeployed to assault Estonia. (At Wired’s request, Arbor Networks, a security firm that tracks international DDoS attacks, was able to identify overlap between the networks involved in both attacks.) Denis Bilunov, the executive director of the United Civil Front, Kasparov’s party, wasn’t surprised. “There is a specific department within the FSB — the successor to the KGB — that specializes in coordinating Internet campaigns against those they consider a threat,” he says. “They have attacked Chechen rebel sites, us, and now it appears they have attacked Estonia.”
In mid-May, the major botnet attacks stopped as suddenly as they started. The bots appeared to have been set to run for exactly two weeks. After that, the infected computers abandoned the attacks and reverted to more traditional botnet pastimes, like spamming and extortion.
There was plenty of evidence suggesting a clear Russian agenda in the attacks: Russian-language bulletin boards exhorted readers to defend the motherland, and on at least one Estonian site, attackers replaced the homepage with the phrase “Hacked from Russian hackers.” But the Russian government showed little interest in tracking down the culprits.
So in late June I head to Moscow to find out what I can. I make an appointment to meet the vice directors of the Institute of Information Security Issues at Lomonosov Moscow State University. Alexey Salnikov and Valery Yashenko have recently hosted an international conference focusing in part on Internet security. Its first roundtable: counteracting cyberterrorism.
We sit down beneath a photo of Putin in Yashenko’s large office. Yashenko explains that the institute represents the Russian government on all scientific Internet issues and advises the Kremlin on matters of cyberterrorism. I ask him what he knows about the cyberattacks against Estonia. “I didn’t have any interest in it, nor do I have the slightest intention of studying it,” he says. “It is an unimportant example.”
He goes on to explain that no country can protect itself from cyberattacks on its own. There needs to be broader international cooperation. I ask if he has offered this support to Estonia. He responds that he was too busy with other projects.
I contact Hacker, a small Russian-language publication that claims to represent the hacker community, and ask to meet with its editor. He agrees, but when I show up at the restaurant on Bolshaya Lubyanka Street, I find instead a skinny, anxious 21-year-old named Emin Azizov. He isn’t with the magazine but says the editor has sent him to see me and explain exactly what happened to Estonia.
We walk to a nearby park and sit on a bench. Azizov begins by saying that he has closely followed the attacks against Estonia. He watched the hackers formulate their plans in public and private chat sessions and emphasizes that it was not coordinated by the government. These were simply hackers whose fathers and grandfathers had made huge sacrifices for Russia during World War II. The botnets involved — which are usually rented for criminal purposes — were in this case dispatched for free. It was not about money. It was about Russian pride.
If that is the case — if Azizov isn’t trying to cloud the issue — the implication is perhaps more troubling. It suggests that there is a group of Russian hackers who, on their own, can disrupt the routine functioning of commerce, media, and government any time they want. If so, these hackers represent a stateless power — a sort of private militia.
Azizov insists that he did not participate in the Estonian assault. Then he tells me that 80 percent of Estonian Web sites are vulnerable to attack and offers to show me how.
We move to a coffee shop so Azizov can plug in his Alienware laptop. It connects to the Internet via cellular card, and he navigates to R2.ee, an Estonian radio station. After a few keystrokes, he smiles and tilts the screen toward me. There is an error message. He has performed what is known as an SQL injection attack. With one more keystroke, he says, he could take over the site entirely.
“Why are you showing me this?” I ask.
He tells me that he has just started a new company that will help system administrators assess the vulnerability of their sites. He will identify weaknesses, as he just has with R2.ee, and offer to fix them — for a price.
“Did you offer to help fix R2.ee?” I ask.
He smiles awkwardly and says that he hasn’t. I ask him why anyone would trust him. After all, he seems to have a suspiciously intimate knowledge of the Estonian attacks. “Russian IT specialists are knowledgeable and experienced enough to destroy the key servers of whole states,” he says. “They’re the best in the world.”
The implication: Clearly you want them on your side, so why not hire them? Maybe Estonia was simply an advertising campaign.
Ene Ergma is a formidable woman — tough and smart. At 63, the speaker of the Estonian parliament looks like she’d be as comfortable driving a tank as playing with the grandkids. She has a PhD from Russia’s Institute of Space Research, where she wrote a dissertation titled “Unstable Thermonuclear Burning at Late Stages of Stellar Evolution.”
Today, she leans toward me in her gilded office in the parliament building and says that she suspects the attacks were a test. “Estonia is a NATO country,” she says. “Attacking us is one way of checking NATO’s defenses. They could examine the alliance’s readiness under the cover of the statue protest.”
An alliance, however, could not use the siege defense that Estonia initially employed — the NATO countries can’t all cut themselves off from the world. And they’d have a hard time fighting back: Since governments don’t control the Internet, they can’t effectively fight such a war on their own. They can’t raise an Internet army from scratch, because the key element in defending against botnets is a network of trust. The international community would have to rely on the already established community of the Vetted. In this new world of Internet warfare, armies will be replaced by badminton-loving geeks.
Ergma understands this. She spent years studying nuclear energy and watched the world transform as it wrapped itself around the advent of nuclear technology. For her, information warfare is a similar defining moment in world history. “When I look at a nuclear explosion and the explosion that happened in our country in May, I see the same thing,” she says. “Like nuclear radiation, cyberwar doesn’t make you bleed, but it can destroy everything.”
Contributing editor Joshua Davis (www.joshuadavis.net) wrote about Linux pioneer Hans Reiser in issue 15.07.