Csec 620 Individual Assignment 2

Submitted By NYCNative1968
Estonia Banks Targeted
University of Maryland University College
CSEC 620
Individual assignment # 2

Table of Contents
Introduction
Estonia under attack
Types of attacks
Threats actors and their motives
Who were responsible for the attacks
Strategic Shifts in Response to attacks
Conclusions

Introduction
The Baltic state of Estonia was attacked by hackers in April of 2007. Scores of government and private sector websites were shut down. Estonians’ daily activities, such as pumping gas or making withdrawals from ATM machines, were severely impacted. The architecture of the Internet allowed networks of bots, called botnets, to direct millions of packets to the servers of the Estonian targets, overloading them and rendering them inaccessible to visitors. Digital traffic from servers as far away as Peru, Vietnam and the United States overwhelmed Estonian websites, overloading their buffers with superfluous data. At the apex of this DDoS flooding, government websites that had been receiving 1,000 visits each day were suddenly inundated with 2,000 per second (Crouch, pg 1). No overt financial motivations were discovered as the driver of these attacks; the principal motivation was political and retaliatory against the government of Estonia. The likely threat actors belonged to the Russian diaspora, who were incited by the Estonian government’s decision to relocate a Russian war memorial, although forensics never definitively proved it. Hackers were actively recruited and provided with step-by-step instructions online on how to carry out the attacks, which would ultimately lead to the transformation of collective Eastern European cybersecurity collaboration.

Estonia under attack
Types of attacks
The cyber-war that was waged against Estonia was carried out in several different forms. They ranged from simple denial of service (DoS) and distributed denial of service (DDoS) attacks, such as ping flooding, to more sophisticated use of botnets. The hackers also employed web defacements and great volumes of email and comment spam.
DoS and DDoS attacks:
This type of attack was the major cyber-assault weapon used against Estonia. These attacks were effective because the internet depends on bandwidth, and they can block the targeted servers, which effectively clogs the internet. The execution of a DDoS attack is not a complicated undertaking. Simply put, if a targeted email server or website is flooded with emails or requests over a short period, the bandwidth will eventually be unable to cope with the high volume of inbound data and will jam ("Infosec Institute," 2013).
Ping-flooding:
This was widely used in the first phase of the Estonia attack. It is a simple denial of service attack in which the victim is overwhelmed with Internet Control Message Protocol (ICMP) echo request (ping) packets from the attacker. The flood option of ping makes it more effective, in that it sends ICMP packets very quickly without waiting for replies. When coordinated, the automated ping requests could cause considerable damage to an intended target ("Infosec Institute," 2013).
Botnets:
A botnet is a network of slave computers that is controlled by an individual intending to do wrong. This wrongdoer can direct the bots from his master computer to forward spam and viruses to other computers on the internet. The owners of these compromised computers are oftentimes unaware that their computers have been hijacked.
The use of botnets in the attacks on Estonia’s information infrastructure brought this cyber-warfare to another level. This advanced DDoS attack utilized a huge network of botnets, which was made up of thousands of infected computers. There was also evidence that the hackers rented time on a number of botnets, which showed the great resources that were available to these perpetrators ("Infosec Institute," 2013). Data collected by the Arbor Networks Active Threat Level Analysis System (ATLAS), an internet traffic monitoring organization, revealed the following:
* During the three weeks of attacks, DoS attacks were used to target IP addresses within Estonia. Most of these attacks were ICMP ping floods that targeted the entire system and not just one specific port or service within the server.
* There were 128 unique DoS attacks: 115 ICMP floods, 4 TCP SYN floods, and 9 generic floods. Several botnets were used in the onslaught, which made it difficult to locate the perpetrators ("Infosec Institute," 2013).
The DDoS attacks were intense and, according to some specialists’ estimates, some of the botnets used in the attacks chained together more than 100,000 zombie PCs. The relentless waves of DDoS attacks were meant to bring down websites of government and the private sector. The attackers carefully selected the critical information infrastructure (e.g. DNS) as targets. At the peak of the attack, surges of incoming internet traffic were 400 times higher than normal ("Infosec Institute," 2013).
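An added example, not part of the original essay or its sources: a defender-side sketch in Python that sorts traffic surges into the three flood categories used in the ATLAS figures above (ICMP, TCP SYN, generic). The record format, thresholds and addresses are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

def build_sample():
    """Constructed packet summaries: (second, dst_ip, protocol, flag)."""
    web, dns = "192.0.2.10", "192.0.2.53"   # documentation addresses
    recs = [(100, web, "tcp", "ACK")] * 5 + [(100, web, "icmp", "echo-request")]
    # Second 101: almost nothing but ICMP echo requests hits the web server.
    recs += [(101, web, "icmp", "echo-request")] * 900 + [(101, web, "tcp", "ACK")] * 5
    # Second 102: half-open connection attempts against the DNS host.
    recs += [(102, dns, "tcp", "SYN")] * 700 + [(102, dns, "tcp", "ACK")] * 20
    # Second 103: a mixed surge with no single dominant packet type.
    recs += [(103, web, "udp", "")] * 300 + [(103, web, "tcp", "ACK")] * 300
    recs += [(103, web, "icmp", "echo-request")] * 200
    return recs

def classify_windows(records, baseline_pps, surge_factor=50, dominant=0.8):
    """Label each (second, dst) window whose packet count exceeds
    baseline_pps * surge_factor. Both thresholds are assumed values
    that a real deployment would tune against its own traffic."""
    windows = defaultdict(Counter)
    for ts, dst, proto, flag in records:
        if proto == "icmp" and flag == "echo-request":
            kind = "icmp-echo"
        elif proto == "tcp" and flag == "SYN":
            kind = "tcp-syn"
        else:
            kind = "other"
        windows[(ts, dst)][kind] += 1

    alerts = {}
    for key, counts in sorted(windows.items()):
        total = sum(counts.values())
        if total < baseline_pps * surge_factor:
            continue                      # within normal range, no alert
        kind, n = counts.most_common(1)[0]
        share = n / total
        if kind == "icmp-echo" and share >= dominant:
            alerts[key] = "ICMP flood"
        elif kind == "tcp-syn" and share >= dominant:
            alerts[key] = "TCP SYN flood"
        else:
            alerts[key] = "generic flood"
    return alerts

if __name__ == "__main__":
    for (ts, dst), label in classify_windows(build_sample(), baseline_pps=6).items():
        print(f"t={ts} dst={dst}: {label}")
```

Per-destination windows matter here because, as the ATLAS data notes, most of the floods hit the whole host rather than one port or service.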
Threat actors and their motives
The attacks on Estonia in general and the banks in particular were strictly political. The actors were not interested in stealing any information or in benefiting financially from their actions. Their main purpose was to make a political statement to the government of Estonia.
There is a long history of tension between this Baltic state and its Russian neighbor, and the problem between these ethnic populations in Estonia also dates back many years. During the cold war, when Estonia was part of the Soviet Union, many Russians were relocated to Estonia by the Kremlin. After the collapse of the Soviet Union, the Estonian government implemented policies designed to curtail the Russian influence on their culture. As a result, the Russian minority began to feel marginalized in their own country. This led to a slow but steady buildup of ethnic tension over the years (Herzog, 2011). The cyber-attacks on Estonia took place in a climate of ethnic tension between Estonians and the Russian minority. On April 30, 2007 a Bronze Soldier memorial was relocated from Tonismagi Park in central Tallinn to the Tallinn military cemetery. This Bronze Soldier memorialized the Soviet liberation of Estonia from the Nazis. This decision did not sit well with the Russian-speaking minority and it caused a riot. In addition to the rioting, cyberattacks were launched against the country of Estonia (Herzog, 2011).
Who was responsible for the attack?
No one is certain whether the Russian government officially sanctioned the cyber-attacks, but what is undisputed is that Russians were responsible. Russian-language websites, online forums and some blogs were busy with discussion about the removal of the war memorial and the cyber-attacks (Evron, 2008).
Some analysts concluded that the attackers acted on their own to protest against the government of Estonia. As it turned out, some of these “hacktivists” were experienced hackers who had their own botnets out on contract for the cause, some were capable of writing their own destructive scripts, and some were “script kiddies”. Script kiddies are the least experienced of the hackers. They are novice hackers who carried out their attacks by following instructions found on several Russian hacker websites. With so many individuals involved from the Russian diaspora, and the disparate nature of each individual, it was extremely difficult to track them. However, in January of 2008, the government of Estonia traced and successfully prosecuted one of the perpetrators ("International Affairs Review").

Strategic Shifts in Response to Attacks
Prior to the 2007 cyberattacks, the majority of Estonian banks were foreign owned, predominantly by Sweden. This ownership structure enabled Estonian banks to integrate their institutions in synchronization with the Swedish banks, while hosting servers on Swedish territory. As a result of the 2007 attacks, having Estonian banks’ servers on Estonian soil became critical to the banks’ ability to secure their networks and quickly recover from an attack. Additionally, the Estonian government instituted regulations on where the servers of banks and other critical businesses are hosted, as well as data storage requirements. The compromise of Estonian banking firms by the cyber attacks provided the government with the impetus to increase network security (Borland, 2011).
Lacking official cyber-defense procedures in 2007, Estonian site managers first tried the "whack-a-mole" approach, trying to defeat each wave of traffic separately. As the cyber-attack ramped up, and the origins of the traffic came from a varied set of servers spanning the globe, administrators shut off all inflow from abroad. The option to disable all foreign traffic is one the U.S. does not possess; restricting access could have major repercussions on the global economy. Estonia has consciously enhanced its partnership with the FBI and it played a central role in standing up the NATO Cooperative Cyber Defense Centre of Excellence in Tallinn, which simulates attack scenarios and encourages members to share best practices (Dumbacher, pg 2).
Czosseck, Ottis and Taliharm outline Estonia’s most impactful policy changes in a 2011 paper released by the Cooperative Cyber Defense Center of Excellence (CCDCOE). Three of the most salient are the creation of a Cyber Security Strategy, the CCDCOE, and the Cyber Defense League (Czosseck, 2011). The 2008 Cyber Security Strategy identified five strategic objectives: developing and implementing a system of security measures, increasing competence in information security, developing a legal framework for cyber security, developing international cooperation, and raising cyber security awareness (Estonia MOD, 2013). Previous attacks on NATO websites and email accounts during the Kosovo War were a large impetus for the formation of the Cyber Defense Programme. This eventually led to the formation of the Computer Incident Response Capability to prevent, detect and respond to cyber threats. In the same year, NATO created the Rapid Reaction Teams to react to cyber-attacks immediately.
Cyber defense has now been implemented into NATO’s smart defense initiative, as a part of international “burden sharing”. This initiative helps countries coordinate in developing and sustaining capabilities that would be impossible to budget for alone, while focusing on each nation’s key strengths in the overall cyberdefense strategy (NATO, pg 5). North Atlantic Treaty Articles 4 and 5 direct political consultations if an ally feels its security is threatened, and a multi-national response in case of armed aggression against an ally. Anders Fogh Rasmussen, former NATO Secretary General, elaborated on the advantages of collective cybersecurity by saying “We are all closely connected. So an attack on one ally, if not dealt with quickly and effectively, can affect us all. Cyber-defense is only as effective as the weakest link in the chain. By working together, we strengthen the chain.” (Pernik).
The fact that there have not been any significant computer network breaches reported in Estonia since the 2007 attacks is a good indicator that these cyber-policies are achieving their intentions. The Estonian Information System’s Authority website lists only the 2007 attacks when noting the incidents it has addressed. Neighboring nations, such as the United Kingdom, Germany, the Netherlands, and France have followed suit with national cyber security strategies. The overall consensus is that it is in a nation’s best interest to develop a comprehensive strategy to secure information networks. Estonia has been on the “tip of the spear” in leading European nations to adopt such a strategy, and continues to serve as a cyber-policy leader (Pommereau, 2011).

Conclusions

The cyber-attacks on NATO, beginning with the Serbian forces in 1999, transformed the focus of NATO’s security policy. The impact of cyber security gained more prominence when NATO member Estonia’s telecommunication, banking, and energy infrastructure was attacked in 2007.
The cyber-attacks on Estonia were likely initiated as a result of opposition to the Russian government by former Soviet satellites, yet there is no definitive proof that the Russian government was involved in the cyber-attacks. As a result of the impact of these cyberattacks on Estonia, and other former Soviet satellite nations aligned with the West, NATO has implemented new strategies on cyber defense. Despite significant progress in addressing the ongoing threat from cyberattacks, NATO’s cyber security policy and defenses are not without vulnerabilities. NATO’s strategy towards cyber security policy implements the concept of burden sharing and smart defense amongst member nations, with particular reliance on Estonia’s specialization in cyber security. The forces that continue to drive these policy implementations have been an intertwining of: a nation’s reliance on information technology; the existing governmental and private support for implementation of these policies, in both the public and industry; and a comprehensive vision and motivation originating within the Estonian government.

References
John Borland, “Perspective: Estonia Sets Shining Wi-Fi Example,” CNET, 1 November 2005. At http://news.cnet.com/Estonia-sets-shining-Wi-Fi-example/2010-7351_3-5924673.html
Crouch, E & McKee, L Jr. (2011). CyberSecurity: What have we learned? Retrieved from http://www.nsci-va.org/WhitePapers/2011-10-09-Cyber%20Lessons%20Learned-Crouch-McKee.pdf
Czosseck, C., Ottis, R., and Taliharm, Anna-Maria “Estonia After the 2007 Cyber Attacks: Legal, Strategic and Organizational Changes in Cyber Security.” Cooperative Cyber Defense Center of Excellence Website, 2011. http://www.ccdcoe.org/articles/2011/Czosseck_Ottis_Taliharm_Estonia_After_the_2007_Cyber_Attacks.PDF.
Denial-of-service: The Estonian cyberwar and its implications for U.S. national security. (). Retrieved from http://www.iar-gwu.org/node/65
Dumbacher, E. D. (2011). Lesson from Estonia: Preparing for a major cyberattack. Retrieved from http://www.nextgov.com/cybersecurity/2011/07/lessons-from-estonia-preparing-for-a-major-cyberattack/49352/
Estonian Ministry of Defense. Cyber Security Strategy, 2008. Retrieved from http://www.mod.gov.ee/files/kmin/img/files/Kuberjulgeoleku_strateegia_2008-2013_ENG.pdf , p. 3-5.
Estonia: To black out an entire country-part one. (2013). Retrieved from http://resources.infosecinstitute.com/estonia-to-black-out-an-entire-country-part-one/
Evron, G. (2008). Battling botnets and online mobs. Retrieved from http://www.legacy.ciaonet.org/journals/gjia/v9i1/0000699.pdf
Evron, G (2008). An Account of the Estonian Internet War by Gadi Evron, where the Internet is going to go, and Estonian Cyberdefense strategy. Retrieved from http://jaanus.com/an-account-of-the-estonian-internet-war-by-gadi-evron-where-the-internet-is-going-to-go-and-estonian-cyberdefense-strategy/
Herzog, S. (2011). Revisiting the Estonia Cyber Attacks: Digital Threats and Multinational Responses. Journal of Strategic Security, 4, 49-60. http://dx.doi.org/10.5038/1944-0472.4.2.3
Joubert, V (2012, May). Five Years after Estonia’s Cyber Attacks: lessons learned for NATO. Retrieved from www.ndc.nato.int/research/series.php?icode=1
Pernik, Improving Cyber Security: NATO and EU, page: 8-9. Retrieved from www.nato.int, Defending Against Cyber Attacks
Pommereau, I. (2011). “Why Estonia May be Europe’s Model Country.” Christian Science Monitor. 18 May 2011, http://www.csmonitor.com/World/Europe/2011/0518/Why-Estonia-may-be-Europe-s-model-country.
