“One Technician Unplugged The Estonian Internet”

In all the hoo-ha about the Arab Revolutions, some interesting WikiLeaks cables seem to be slipping through the net. Like this one from 2008 about Estonia’s view of the cyberattack on Georgia. Estonia had learned some tough lessons from Russia’s cyberattack on its defenses the previous year, so it was quick to send cyber-defense experts to “help stave off cyber-attacks emanating in Russia”, according to the Baltic Times at the time.

The cable, dated Sept 22, 2008, reports on meetings with Estonian officials, covering both the lessons from Estonia’s own experience and some candid commentary on Georgia’s preparedness and response. Here are some of the points:

  • Russia’s attack on Georgia was a combination of physical and Internet attack. “[Hillar] Aarelaid [Director of CERT-Estonia] recapped the profile of the cyber attacks on Georgia: the country’s internet satellite or microwave links which could not be shut down (inside Russia) were simply bombed (in southern Georgia).”
  • Russia seemed to have learned some lessons from the Estonia attack, suggesting that Estonia was a sort of dry-run: “the attacks on Georgia were more sophisticated than those against Estonia, and did not repeat the same mistakes. For example, in 2007, the ‘zombie-bots’ flooded Estonian cyberspace with identical messages that were more easily filtered. The August 2008 attacks on Georgia did not carry such a message.”
  • That said, Georgia itself learned some lessons, Aarelaid was quoted as saying. While it failed to keep “archives of collected network flow data, which would have provided material for forensic analysis of the attacks,” the country “wisely did not waste time defending GOG (Government of Georgia) websites, he said, but simply hosted them on Estonian, U.S. and public-domain websites until the attack was over.” This “could not have been taken without the lessons learned from the 2007 attacks against Estonia.”
  • Estonia felt it got off lightly, in that an attacker would have done more damage by trying to trigger a bank run. (The cable is not as clear on this as it could be.) “Aarelaid felt that another cyber attack on Estonia ‘…won’t happen again the same way…’ but could be triggered by nothing more than rumors. For example, what could have turned into a run on the banks in Estonia during the brief November 2007 panic over a rumored currency devaluation was averted by luck. Money transfers into dollars spiked, he explained, but since most Estonians bank online, these transfers did not deplete banks’ actual cash reserves.” I take this to mean that if people had actually demanded cash, rather than merely transferred their money into another currency online, then it could have had far more damaging effects on the Estonian banking system.
  • Finally, the debate within Estonia focused on clarifying “who has the authority, for example, to unplug Estonia from the internet. In the case of the 2007 attacks, XXXXXXXXXXXX noted, it was simply one technician who decided on his own this was the best response to the growing volume of attacks.”
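Two of the cable’s technical points above are easy to illustrate: a flood of identical messages (the 2007 pattern) can be filtered on the message itself, a varied flood (the 2008 pattern) needs a per-source rate check instead, and neither kind can be reconstructed afterwards unless flow records were archived. The script below is an added example written for this post; it is not code from the cable, from CERT-Estonia or from the blog, and every address, timestamp and request line in it is constructed sample data.

```python
"""
Added illustration (not from the cable or the blog post) of filtering an
identical-message flood versus a varied one, and of what archived flow
records make possible afterwards.  All records are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    """One archived request record (constructed format, not real NetFlow)."""
    ts: int        # seconds since the start of the capture
    src: str       # source address
    dst: str       # destination address
    payload: str   # normalised request line


def _constructed_sample():
    flows = []
    target = "198.51.100.10"  # constructed address for the defended web server
    # 2007-style flood: five bots repeat exactly the same request four times each
    for i in range(1, 6):
        for t in range(4):
            flows.append(FlowRecord(t, f"10.0.0.{i}", target, "GET /index.html"))
    # 2008-style flood: three bots whose every request carries a different query
    for i in range(1, 4):
        for t in range(5):
            flows.append(FlowRecord(10 + t, f"10.0.1.{i}", target, f"GET /?q={i}-{t}"))
    # a little legitimate traffic from one ordinary visitor
    flows.append(FlowRecord(5, "192.0.2.10", target, "GET /news.html"))
    flows.append(FlowRecord(12, "192.0.2.10", target, "GET /contact.html"))
    return flows


SAMPLE_FLOWS = _constructed_sample()


def repeated_payloads(flows, threshold):
    """Payloads seen at least `threshold` times: the identical-message
    signature that made the 2007 flood 'more easily filtered'."""
    counts = Counter(f.payload for f in flows)
    return {p for p, c in counts.items() if c >= threshold}


def sources_over_rate(flows, window, max_per_window):
    """Sources sending more than `max_per_window` requests in any window of
    `window` seconds.  This catches a varied-payload flood that a payload
    signature never sees."""
    per_bucket = Counter((f.src, f.ts // window) for f in flows)
    return {src for (src, _bucket), n in per_bucket.items() if n > max_per_window}


def suspicious_sources(flows, threshold=10, window=5, max_per_window=3):
    """Union of both detections: signature hits plus rate hits."""
    sigs = repeated_payloads(flows, threshold)
    by_signature = {f.src for f in flows if f.payload in sigs}
    return by_signature | sources_over_rate(flows, window, max_per_window)


def forensic_timeline(flows, sources):
    """First-seen, last-seen and request count per source, reconstructed from
    the archive.  Without retained flow records this question cannot be
    answered after the fact, which is the gap the cable notes for Georgia."""
    first, last, count = {}, {}, Counter()
    for f in flows:
        if f.src in sources:
            first[f.src] = min(first.get(f.src, f.ts), f.ts)
            last[f.src] = max(last.get(f.src, f.ts), f.ts)
            count[f.src] += 1
    return {s: (first[s], last[s], count[s]) for s in sources if s in count}


if __name__ == "__main__":
    bad = suspicious_sources(SAMPLE_FLOWS)
    for src, (start, end, n) in sorted(forensic_timeline(SAMPLE_FLOWS, bad).items()):
        print(f"{src:12} {n:3} requests, t={start}..{end}")
```

On the constructed sample the payload signature flags only the 2007-style bots, the rate check flags both floods, and the legitimate visitor is flagged by neither; the timeline function only works because the sample keeps every record, which is the point about archiving flow data.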

25. February 2011 by jeremy
Categories: datawars, Security