Read the book Russian Cyber Operations - Scott Jasper - Page 27

2007 Estonia Assault


During the months of April and May 2007, Estonia suffered through a blistering cyber onslaught. The incident began with rioting and looting in the streets over the relocation of a Soviet war memorial, and the remains of Soviet soldiers buried beneath it, from the center of Tallinn to a war cemetery on the outskirts of the capital. The six-foot-tall bronze statue of a soldier wearing a uniform of the Red Army signified the supreme sacrifice of eleven million comrades made during the “Great Patriotic War,” the Russian term for World War II.50 Yet for a country no longer under Soviet occupation, the monument, located at a busy intersection, had become to many Estonians a symbol of suppression of independence. A beleaguered Russian minority begged to differ and protested as the date for dismantling the monument approached. The initially calm protests escalated into violence with looting. Estonian police arrested hundreds, and one fatality occurred. The Kremlin vocally expressed displeasure at this perceived violation of Russian rights, although instead of military action, Russia imposed retaliatory economic measures and severed passenger services between Tallinn and Saint Petersburg.

Estonian leaders were fully aware of the potential for an ensuing “cyberriot,” a catchy term coined by The Economist magazine.51 The Estonian director of computer emergency response said, “If there are fights on the streets, there are going to be fights on the Internet.”52 The danger was clear, for Estonia had evolved since the mid-1990s into an e-state with Internet-based service solutions. Hence, the Internet in Estonia had become a daily feature of life for many citizens. For instance, some 40 percent read a newspaper online daily, and 97 percent of banking transactions took place electronically over the Internet. Estonians used Internet connections to pay for street parking and bus tickets, to vote, and to pay taxes.53 By 2007, 98 percent of the territory in Estonia had Internet access, either fixed line or mobile wireless.54 Despite nearly ubiquitous Internet access and usage, Estonia was not ready for a cyber onslaught of the scale, intensity, and duration that it experienced in 2007.

The rioting in cyberspace started on the evening of April 27 against political institutions and news portals. Over roughly four weeks, waves of DDoS attacks swamped the websites of banks, ministries, newspapers, and broadcasters. Botnets deluged sites with bogus requests for information. At its peak more than one million computers created data-request traffic equivalent to five thousand clicks per second on targets.55 Jaak Aaviksoo, the Estonian defense minister, remarked, “The attacks were aimed at the essential infrastructure of the Republic of Estonia. . . . This was the first time that a botnet threatened the national security of an entire nation.”56 Internet traffic that exceeded average-day peak loads by a factor of ten shut down the Estonian governmental website and those of numerous ministries, some for hours and others for days. Many sites were also defaced. The Estonian prime minister and other politicians were spammed, and the Estonian parliament’s email system was taken off-line. In addition, the Estonian news outlet Postimees Online closed foreign access to its networks after attacks on its servers.57

Map 2.1. Estonia

Source: Central Intelligence Agency, “Europe: Estonia,” The World Factbook, https://www.cia.gov/library/publications/resources/the-world-factbook/geos/en.html.

The second phase commenced on April 30 with four waves against mostly governmental websites and financial services. It delegated attack coordination to the command-and-control servers of botnets while the short first phase depended on forum communication and synchronized human actions.58 Initially, Russian-language Internet forums posted calls and instructions for patriotic hackers to launch ping commands, which check the availability of targeted computers. The instructions did not require advanced technical knowledge to follow—just a computer with an Internet connection. Later, executable files were made available to copy onto computers and launch automated ping requests. When coordinated across many users, the pings were effective but easily mitigated.59 The main attack in the second phase continued use of forum calls to schedule attacks at specific times to generate simultaneous large volumes against targets. However, the first wave on May 4 showed intensification and precision, which indicated the use of botnets.60

The DDoS attacks increased on May 8 (in conjunction with Victory Day in Russia, commemorating the defeat of Germany in World War II).61 On May 9, up to fifty-eight sites were shut down at once.62 The attackers used a giant network of enslaved computers, as far away as North America and the Far East, to amplify the impact.63 Banks were hit hard, especially Hansabank, the largest in Estonia, which suffered customer outages for hours. The third wave, on May 15, saw strong DDoS attacks via a botnet of eighty-five thousand hijacked computers.64 The Web portal of SEB Eesti Ühispank, the second-largest bank, went off-line for an hour and a half.65 In addition, hackers infiltrated and defaced individual websites while posting their own messages.66 The final wave struck on May 18, with diminished interruptions afterward.67 Over the course of the assault, at least three major Internet-service providers, three of the six largest news organizations or portals, and three mobile network operators in Estonia were disrupted to some extent.68 While the DDoS attacks definitely achieved effects on public and private targets, they did not achieve their larger goal, for after all the disruptions finally ended, the bronze statue remained in the tranquility of the cemetery.

The origin of the attacks was mainly, although not exclusively, from sources outside of Estonia. Furthermore, the source was worldwide, by compromised computers from 178 countries, indicative of a global botnet. A substantial number of the attackers were “crowds affected by nationalistic/political emotions” that carried out the attacks according to Russian hacker sites and Internet forums that appeared on April 28.69 Some were identifiable by their Internet Protocol (IP) addresses, and many were Russian, including some Russian state institutions and the presidential administration. However, Russian authorities denied any involvement.70 The first time anyone claimed responsibility was in March 2009, when Konstantin Goloskokov, a commissar of the Kremlin-backed Russian youth group Nashi, said that “he and some associates had launched the attack.”71 The Nashi claim added to assumptions concerning involvement by the Russian government. Besides the IP locations, there is also evidence that the Russian government rented time on botnets from transnational criminal syndicates at the peak of the assault. The editor of Postimees, Merit Kopli, said bluntly, “The cyber-attacks are from Russia. There is no question. It is political.”72 The timing and effects of the cyber assault did fit nicely into Russia’s overall foreign policy strategy of preserving its influence and safeguarding Russian minority populations in its neighboring countries.73

Madis Mikko, a spokesman for the Estonian defense ministry, said, “If a bank or an airport is hit by a missile, it is easy to say that is an act of war” and then asked, “But if the same result is caused by a cyber attack, what do you call that?”74 The “same result” charge of lasting physical damage is debatable, especially since the 2007 cyber operations against Estonia, which were widely referred to as “cyber war,” were not publicly characterized by “the international community as an armed attack.”75 The International Group of Experts, the author of the original Tallinn Manual, “agreed with this assessment on the basis that the scale and effects threshold was not reached.”76 Although the cyber operations caused no deaths, injuries, or physical damage, they did fundamentally affect the operation of the entire Estonian society. The effects were immediate and direct upon governmental services, the economy, and daily life. The consequences were more than mere inconvenience or irritation, albeit difficult to quantify since most involved denial of service rather than destruction or damage.77

Overall the cyber operations intentionally frustrated governmental and economic functions. Thus, Michael Schmitt concludes that “taken together as a single ‘cyber operation,’ the incidents arguably reached the use of force threshold. Had Russia been responsible for them under international law, it is likely that the international community would (or should) have treated them as a use of force in violation of the UN Charter and customary international law.”78 The attribution to Russia is lacking due to “no definitive evidence that the hacktivists involved in the cyber operations against Estonia in 2007 operated pursuant to instructions from any State, nor did any State endorse and adopt the conduct.”79 The most likely employment of proxies in the form of patriotic hackers confounds the second condition of “attributable to the State under international law” that is required to firmly establish the existence of an internationally wrongful act. Indisputable facts of this relationship do not exist, only indications that Russia was involved, although arguments are bolstered because the Russian Federation refused to cooperate with the Estonian Public Prosecutor’s Office in identifying the hacktivists behind the attacks.80 According to the prosecutor’s office, earlier similarly phrased requests under the Agreement on Mutual Legal Assistance had been met, but in the cyber operations case, the Russian Prosecutor’s Office conveniently took a different interpretation.81
