Speaking to ZDNet.co.uk at the RSA Conference Europe 2007 in London, Mikhel Tammet, director of the Estonian communication and information technology department, said he believes forces within the Russian government may have initiated and sponsored attacks against his country's critical national infrastructure earlier this year.
In May this year the Estonian critical national infrastructure (CNI) came under sustained cyberattack from perpetrators whose identity remains unknown. However, Tammet said he suspected the forces behind the attacks to be linked to the Russian government.
"It was a political campaign induced by the Russians; a political campaign designed to destroy our security and destroy our society," said Tammet on Tuesday. "The attacks had hierarchy and co-ordination."
Tammet added that, while it was not possible to put a face to the attackers nor to prove any direct connection to the Russian authorities, all previous attacks with a political aim emanating from Russia had their roots in government action.
"It's been that way in Russia for centuries," said Tammet. "The attack was 50 percent emotions, 50 percent something else, but we can't define what that something is. There was an organisation behind it, but we can't [definitively] say if it's the government or criminals, or both."
The attack on Estonia began on 26 April after the Estonian government relocated the "Bronze Soldier", a war memorial commemorating an unknown Russian who died fighting the Nazis. The initial attack phase saw denial-of-service attacks against government sites by individuals and defacement attacks.
In contrast to Tammet's views, Alexey Podrezov, a Russian antivirus researcher for Finnish security company F-Secure, said he believes the attacks were not government-sanctioned and were probably the work of private individuals.
"From a Russian perspective, the Second World War is sacred: we won, we're great, we conquered the fascists. Then Estonia moved the monument, which caused offence. The government had nothing to do with it — the media hyped it up [so people attacked]," said Podrezov.
According to Tammet, at the height of the attacks, 20,000 networks of compromised computers were being linked and orchestrated, indicating that a powerful organisation was behind the barrage of network traffic.
"We had a lot of spam, with government websites targeted, and calls to attack Estonia on the internet, but we were not afraid in this phase," said Tammet.
The Estonians became uneasy during the second phase of the attack, between 30 April and 3 May, which saw a "gathering of botnets like a gathering of armies", according to Tammet. These botnets were used to launch attacks against the routers of ISPs hosting Estonian government sites, and their DNS (domain name system) servers, in an attempt to disable email.
"They were bandwidth-stealing, testing how much we could stand," said Tammet. "Those days were the most alarming."
The main attack phase saw distributed denial-of-service (DDoS) attacks against the two main banks in Estonia, Hansabank and SEB Eesti Ühispank. According to Tammet, Estonia "is 97 percent dependent on internet banking".
"If the main banks are out of order and there are no bank services, we're in deep trouble, because cash isn't common in Estonia," said Tammet.
The attacks peaked on 10 and 15 May, when some bank terminals were also out of order and foreign money transfers were knocked out. Government systems were also attacked on 15 May. The attacks abruptly ceased three weeks after they had begun.
Tammet said that the escalation of events during the attack had been hard to predict, and reaction times had to be short. There was no time for human-centred decision making. The attacks caused Estonia to realise that it needed tighter links with ISPs, thin structures to protect e-society, and to share decision making between humans and machines.