Sandworm

Home > Other > Sandworm > Page 10
Sandworm Page 10

by Andy Greenberg


  The attackers’ goals shifted, evolving from mere denial-of-service attacks to defacements, replacing the content of websites with swastikas and pictures of the country’s prime minister with a Hitler mustache, all in a coordinated effort to paint Estonians as anti-Russian fascists. The target list, too, was growing to absurd proportions, hitting everything from banks to arbitrary e-commerce sites to the community forums of Tallinn’s apartment complexes. “Twenty, fifty, a hundred sites, it’s not possible anymore with those numbers to respond,” says Aarelaid. “By Sunday, we realized the normal response wasn’t going to work.”

  On Monday morning, Aarelaid held a meeting with administrators of key government and commercial target sites at the CERT office in central Tallinn. They agreed that it was time for a draconian new approach. Instead of trying to filter out known sources of malicious traffic, they would simply blacklist every web connection from outside Estonia.

  As Estonia’s web administrators put that blacklist into effect, one by one, the pressure on their servers was lifted: The small fraction of the attack traffic originating from inside Estonia itself was easily absorbed. But the strategy came at a certain cost: It severed the Estonian media from the rest of the world, preventing it from sharing its stories of riots and digital bombardment. The tiny country had successfully locked out its foreign attackers. But it had also locked itself in.

  * * *

  ■

  Over the days that followed that lockdown, Estonia’s CERT began the slow process of relieving the country’s internet isolation. Aarelaid and his colleagues worked with internet service providers around the world to painstakingly identify and filter out the malicious machines hosted by each of those global sources of traffic. The attacks were still growing, mutating, and changing their origins—until finally, a week after the attacks had started, they suddenly stopped.

  In the eerie lull that followed, however, Estonia’s defenders knew that the attackers would return. On May 9, Russia celebrates Victory Day, a holiday commemorating the Soviet defeat of Hitler after four years of immeasurable losses and sacrifice. Chatter on hacker forums made clear that the next wave of attacks was being saved for that symbolic day, rallying fellow digital protesters to the cause. “You do not agree with the policy of eSStonia???” asked one poster on a Russian forum, using the “SS” to emphasize Estonia’s supposed Nazi ties. “You may think you have no influence on the situation??? You CAN have it on the Internet!”

  “The action will be massive,” wrote another. “It’s planned to take Estonnet the fuck down:).”

  At almost exactly the stroke of midnight Moscow time on May 8, another barrage hit the Estonian web with close to a million computers conscripted into dozens of botnets, taking down fifty-eight sites simultaneously.

  All that night and through the days that followed, Aarelaid coordinated with the internet service providers he’d befriended to filter out new malicious traffic. But in the second wave of the attack, some of the hackers had also moved beyond mere brute-force flooding. He began to see more sophisticated attacks exploiting software vulnerabilities that allowed the hackers to briefly paralyze internet routers, taking down internet-reliant systems that included ATMs and credit card systems. “You go to the shop and want to pay for milk and bread,” Aarelaid says. “You cannot pay with a card in the shop. You cannot take cash from the ATM. So you go without milk and bread.”

  As the escalating attacks wore on, however, they also began to lose their shock-and-awe effect on Estonia’s webmasters and its population. As Aarelaid tells it, he and IT administrators around the country developed a typically Estonian stoicism about the attacks. They’d go to sleep each night, giving the attackers free rein to tear down their targets at will. Then the defenders would wake up the next morning and clean up the mess they found, filtering the new traffic and restarting routers to bring the country’s digital infrastructure back online before the start of the workday. Even the more sophisticated router attacks had only temporary effects, Aarelaid says, curable with a reboot.

  He compares this siege-defense routine to the Estonian ability to tolerate subzero temperatures in winters, with only a few hours of sun a day, collectively honed over thousands of years. “You go into work and it’s dark. You come home and it’s dark. For a long time, you don’t see any light at all, so you’re ready for these kinds of things,” Aarelaid says. “You prepare your firewood.”

  * * *

  ■

  The attacks ebbed and flowed for the rest of that May until, by the end of the month, they had finally dwindled and then disappeared. They left behind questions that, even a decade later, haven’t been answered with certainty: Who was behind the attacks? And what did they intend to achieve?

  Estonians who found themselves in the epicenter of the events, like Aarelaid and Ilves, believed from the first that Russia’s government—not merely its patriotic hackers—had a hand in planning and executing Estonia’s bombardment. After the initial, weak smatterings of malicious traffic, the attacks had come to seem too polished, too professional in their timing and techniques to be the work of rogue hacktivists. Who, after all, was coordinating between dozens of botnets, seemingly controlled by disparate Russian crime syndicates? An analysis by the security firm Arbor Networks also found that a telling subset of the traffic sources overlapped with earlier distributed denial-of-service attacks aimed at the website of Garry Kasparov, an opposition party presidential candidate and outspoken critic of the Kremlin.

  “It was a very organized thing, and who can organize this? Criminals? Nope,” says Aarelaid. “It was a government. And the Russian government wanted this most.”

  Other Estonians in the thick of the attacks saw them as a kind of partnership between nongovernment hackers and their government handlers—or in the case of the gangs like the Russian Business Network, cybercriminals directed by Kremlin patrons, in exchange for the country’s law enforcement turning a blind eye to their business operations. “It’s like feudalism. You can do some kind of business because some boss in your area allows you to, and you pay him some tribute,” says Jaan Priisalu, who at the time of the attacks was the head of IT security at Estonia’s largest bank, Hansabank. “If your boss is going to war, you’re also going to war.”

  And in early 2007, Russia’s boss was indeed going to war, or at least setting the thermostat for a new cold one. Two months before the Estonian attacks, Putin had taken the stage at the Munich Security Conference and given a harsh, history-making speech that excoriated the United States and NATO for creating what he saw as a dangerous imbalance in global geopolitics. He railed against the notion of a post–Cold War “unipolar” world in which no competing force could check the power of the United States and its allies.

  Putin clearly felt the direct threat of that rising, singular superpower conglomerate. After all, Estonia had joined NATO’s alliance three years earlier, along with the other Baltic states of Lithuania and Latvia, bringing the group for the first time to Russia’s doorstep, less than a hundred miles from St. Petersburg.

  “NATO has put its frontline forces on our borders,” Putin said in his Munich speech. The alliance’s expansion, he continued, represents “a serious provocation that reduces the level of mutual trust. And we have the right to ask: against whom is this expansion intended?” Putin’s unspoken answer to that question was, of course, Russia—and himself.

  When the cyberattacks in Estonia peaked in intensity three months later, Putin didn’t hide his approval, even as his government denied responsibility. In a May 9 Victory Day speech, he gave his implicit blessing to the hackers. “Those who desecrate monuments to the heroes of the war are insulting their own people and sowing discord and new distrust,” he told a crowd in Moscow’s Red Square.

  Still, NATO never treated the Estonian cyberattacks as an overt act of aggression by the Russian state against one of NATO’s own. Under Article 5 of the Washingt
on Treaty that lays out NATO’s rules, an attack against any NATO member is meant to be considered an attack against all of them, with a collective response in kind. But when President Ilves began speaking with his ambassadors in the first week of the cyberattacks, he was told that NATO members were unwilling to remotely consider an Article 5 response to the Russian provocations. This was, after all, a mere attack on the internet, not a life-threatening act of physical warfare.

  Ilves says he asked his diplomats to instead inquire about Article 4, which merely convenes NATO leaders for a “consultation” when a member’s security is threatened. The liaisons quickly brought back an answer: Even that milder step proved a nonstarter. How could they determine Russia was behind the provocations? After all, NATO’s diplomats and leaders hardly understood the mechanics of a distributed denial-of-service attack. The traffic’s source appeared to be Russian freelance hackers and criminals or, more confusing still to the lay observer, hijacked computers in countries around the world.

  Underlying all of that inaction, Ilves says, was another motivation: what he describes as a kind of fracture between western European NATO countries and eastern Europeans facing Russian threats. “There’s a sense that it’s ‘over there,’ that ‘they’re not like us,’ ” Ilves says, mocking what he describes as a “haughty, arrogant” tone of western European NATO members. “ ‘Oh, those eastern Europeans, they don’t like the Russians, so they have a failure and they blame it on Russia.’ ”

  In the end, NATO did essentially nothing to confront Russia in response to the Estonian attacks. Putin, it seemed, had tested a new method to bloody the nose of a NATO country with plausible deniability, using tools that were virtually impossible to trace to the Kremlin. And he’d correctly judged the lack of political will to defend NATO’s eastern European members from an innovative new form of mass sabotage.

  The events of those two months in Estonia would, in some circles, come to be seen as the first cyberwar, or, more creatively, “Web War I.” The cyberattacks were, in reality, hardly as catastrophic as any true war; the threat of an “electronic Pearl Harbor” still lay in the future. But the Russian government nonetheless appeared to have demonstrated an indiscriminate, unprecedented form of disruption of an adversary’s government and civil society alike. And it had gotten away with it.

  13

  FLASHBACK: GEORGIA

  It was a few hours after nightfall when Khatuna Mshvidobadze learned Russian tanks were rolling toward her location.

  Mshvidobadze was, on the night of August 11, 2008, working late in her office at the NATO Information Center in central Tbilisi, the capital of the former Soviet republic of Georgia. She held a position at the time as the deputy director of that organization, a part of Georgia’s Ministry of Defense devoted to lobbying for the small Caucasus country to become part of NATO’s alliance. Much of the group’s work consisted in hosting events and persuading media to make the case for Georgia to join forces with its Western neighbors across the Black Sea. But in the summer of 2008, the NATO Information Center found itself with a new, far more urgent focus: combating the Kremlin’s attempts to dominate the media narrative surrounding a Russian invasion.

  War had broken out days earlier. Russia had moved troops and artillery into two separatist regions within Georgia’s borders, Abkhazia and South Ossetia. In response, the Georgian forces launched a preemptive strike. On August 7, they shelled military targets in the South Ossetian town of Tskhinvali, trying to gain the initiative in what they saw as an inevitable conflict fueled by the Kremlin’s aggression. But their plan, by all appearances, hadn’t accounted for the overwhelming force of the Russian response.

  Proclaiming that it was protecting Abkhazia and South Ossetia from Georgian oppression, Russia flooded the small country with more than twenty-five thousand troops, twelve hundred artillery vehicles, two hundred planes, and forty helicopters. Those numbers dwarfed Georgia’s army of fewer than fifteen thousand soldiers and its bare-bones air force of eight planes and twenty-five helicopters. By the second day of the war, the Kremlin had unleashed its Black Sea fleet of warships for the first time since World War II, sending an armada across the water to blockade Georgia’s coastline. The country had, in mere days, been outgunned and surrounded.

  By August 11, Russian forces were moving out of the separatist regions and into the heart of Georgian territory, taking the city of Gori and splitting the invaded country in two. By that evening, Russian tanks were poised to close the forty-mile stretch from Gori to the capital.

  For Mshvidobadze, working in her downtown Tbilisi office, that night of August 11 was the most chaotic of her life. To start, her building’s internet was inexplicably down, making her job of combating Russian military propaganda—including false claims that Georgians had been massacring civilians in South Ossetia and Abkhazia—nearly impossible.

  In the midst of that rising sense of helplessness, she received a phone call from her boss, the NATO Information Center’s director. Days prior, the director had traveled to the South Ossetian front to cover the unfolding conflict as a journalist, leaving her deputy, Mshvidobadze, to run the organization in her absence. Now Mshvidobadze’s boss wanted to warn her that the Russians were coming for Tbilisi. Everyone needed to evacuate.

  In the hour that followed, Mshvidobadze and her staff prepared for a potential occupation, deleting sensitive files and destroying documents that they feared might fall into Russian hands. Then, in a final injection of chaos, the power across the city suddenly went out—perhaps the result of physical sabotage by the invading forces. It was around midnight when the staff finally hurried out of the blacked-out building and parted ways.

  The NATO Information Center was, at the time, housed in a glass structure on a side street of Tbilisi’s Vake District, a trendy neighborhood known during Georgia’s Soviet era as the home of the city’s intelligentsia. Mshvidobadze walked a block to a busier street nearby and found a scene of utter societal breakdown. The power outage had left the streetlights dark, so that only the headlights of cars illuminated sidewalks. Drivers were frantic, ignoring all traffic laws and plowing through intersections with dead traffic signals—preventing her from even crossing the street. As she tried in vain to flag a taxi, other desperate pedestrians ran past her, some screaming in fear or crying.

  Mshvidobadze was determined to get home to her younger sister, who lived with her in an apartment across the city. But she couldn’t reach her or call a cabdriver to pick her up: Cell phones were working only intermittently, as desperate Tbilisians’ phones swamped telecom networks.

  It would be half an hour before she could finally get through to a driver who could find her amid the pandemonium. Until then, she remained frozen at the intersection, watching the city panic. “It was a terrible, crazy situation. You have to be in a war zone to understand the feeling,” she says. “All these thoughts were running through my head. I thought of my sister, my family, myself. I thought of the future of my country.”

  * * *

  ■

  Jose Nazario had seen Georgia’s war coming, nearly a month earlier—not from the front lines of the Caucasus, but from his office in Michigan. Nazario, a security researcher for Arbor Networks, the cyberattack-tracking firm, had come into work that July morning at the company’s offices, a block from the south end of the University of Michigan’s campus in Ann Arbor, and started the day with his usual routine: checking the aftermath of the previous night’s botnet battles.

  To analyze the entire internet’s digital conflicts in real time, Arbor ran a system called BladeRunner, named for its bot-tracking purpose. It was part of a collection of millions of “honeypots”—virtual computers running on Arbor’s servers around the world, each of which was expressly designed to be hacked and conscripted into a botnet’s horde of enslaved PCs. Arbor used the computers as a kind of guinea-pig collective, harvesting them for malware samples and, more important
for the company’s business model, to monitor the instructions the bots received from botnets’ command-and-control servers. Those instructions would allow them to determine whom the hackers were targeting and with what sort of firepower.

  That morning, the results of Nazario’s BladeRunner review turned up something strange. A major botnet was training its toxic torrent of pings at the website for the Georgian president, Mikheil Saakashvili. The site had apparently been punished with enough malicious traffic to knock it off-line. And the queries that had overwhelmed the site’s server had included a strange set of characters, what appeared to be a message for its administrators: “win+love+in+Rusia.”

  That strange and slightly misspelled string immediately hinted to Nazario that the attack wasn’t the usual criminal extortion takedown but something with a political bent. It looked more like the work of the botnets that had barraged Estonia the year prior, which he and the rest of Arbor’s staff had tracked with fascination.

  “It probably sounds better in the original Russian,” Nazario says of the message. “But it was pretty unambiguous.” He called up one of his favorite contacts for discussing the web’s geopolitical conflicts: John Hultquist, then a young analyst at the State Department with a focus on cybersecurity and eastern Europe.

 

‹ Prev