Malware Evolution: April - June 2007
by Alexander Gostev - Senior Virus Analyst at Kaspersky Lab - Wednesday, 15 August 2007.
The attacks also targeted Russian media outlets, such as the Ekho Moskvy radio station and the Kommersant newspaper. In some cases the victims of these attacks did not even make the connection between the events in Estonia and the attacks on their sites. Estonian hackers were likely party to the attacks against the sites of their direct opponents on Russian soil. On May 9, the website of the protectors of the monument was hacked. The homepage no longer featured the "Night Watch" organization's information; it was replaced with a banner that read "Proud to be Estonian", an Estonian flag and the words "Estonia Forever!" Furthermore, the hackers also attacked at least one other site. This was a direct exchange of virtual blows, as you can see from these screenshots:

(c) F-Secure

How did the Estonian authorities respond? First, the country's Central Criminal Police arrested a 19-year-old resident of Tallinn named Dmitri, who happened to have a higher technical education, as a suspect in the cyber attacks against government websites. The next developments, however, were completely unexpected. Estonian politicians broke an unspoken rule when they accused the Russian special services of orchestrating the attacks, and for the first time the word "cyberwar" was used at this level.

It is no secret to anyone that the most prominent government special services have departments dedicated to the security of a country's electronic resources and to taking appropriate measures to protect them. We call this "e-reconnaissance". There are similar divisions in the US army, and their members have even taken part in some hacker competitions to penetrate electronic resources, although without much success.

Yet this was the first time in history that one government accused another of launching a cyber attack. This never happened during the conflict between India and Pakistan, when the hackers of these two countries engaged in a virtual battle with one another on the Internet in the late nineties. That was, by the way, when the Lentin (Yaha) worm was created, one of the most destructive email worms of the last decade. Nor did it happen at the time of NATO's intervention in the Yugoslavia conflict and the bombing of Serbia, when Serbian hackers formed an alliance with hackers from other countries and attacked US and NATO web resources. Such accusations were not voiced during the many complications in relations between China and Japan, when DoS attacks targeted Japanese government websites.

Nothing of the sort happened when American government departments and agencies were (and still are) the target of Chinese hacker groups, which often gain access to secret information. This time, however, although the nature of the attacks was clearly vandalism aimed against Estonian sites, it must have been beneficial for someone to bring the conflict to a new level. At first Urmas Paet, the Estonian Minister of Foreign Affairs, stated that the hackers were acting on behalf of Russia, including from computers located in government institutions. Later, Jaak Aaviksoo, the Estonian Minister of Defense, proposed declaring that the cyber attacks were a form of military action: "At present, NATO does not view cyber attacks as military action. That means that the NATO countries which have fallen victim to these attacks are automatically not included under the fifth article of the NATO agreement on military protection. None of the NATO Ministers of Defense today would recognize a cyber attack as military action. This issue must be resolved soon."

Ultimately, Estonia wanted military protection against threats from the Internet; this was getting serious. Statements of this kind would generally require, at the very least, irrefutable evidence of the Russian government's participation in the attacks. For months after the attacks began, Estonia was unable to present any such evidence. Nothing could be established by the NATO experts who had rushed to Tallinn in early May to "save their ally." Basically, the accusation that the Russian government was involved rested on the single, isolated fact that the Estonian president's website had been visited from an IP address that "belongs to an employee of the Russian presidential administration." The completeness of the Estonian services' knowledge of the owners of all Russian IP addresses is amazing, as is their knowledge of just how "difficult" it is to spoof such an address.

