DarkMarket
Page 17
In the world of cyber security, fifteen minutes from the detection of mischief to an officer arriving at the location of the mischief-making computer is more than impressive – it’s brilliant. ‘It was lucky for us that we had done such a good job,’ Hillar said, ‘because when the first big attack came at the end of April, we were well prepared.’
That ‘big attack’, two months after the election, marked another cyber ‘first’ for Estonia as it was subject to a sustained assault on its networks, which eventually forced it to close down its Internet links with the outside world. Some argue that this was the first-ever incidence of cyber warfare.
I had sought out Hillar a month after my visit to Google in Silicon Valley. My eastward journey led me to Tallinn, the picturesque capital of the most northerly Baltic state. The wall of the old town protects a rich mix of Scandinavian, Germanic and Slavic architectural styles. These reflect how the past imperial aspirations of Estonia’s neighbours to the north, the east and the west finally gave way to Estonia’s primary indigenous culture just over twenty years ago, after the collapse of communism (although Russians still make up just under a quarter of the population).
Sitting cheek by jowl with the Orthodox, Lutheran and Catholic churches are faux-bucolic restaurants for the tourists and, after a hearty meal, snappy nightclubs to round the evening off with some dancing. Estonia hosts fewer stag nights for drunken young Englishmen than neighbouring Latvia, but it, too, has a sleazy side. Amongst the clubs is the evocative Depeche Mode Baar, which only plays records by the eponymous 1980s band from Essex and is decked out as a shrine to the cultural legacy of Britain in the early days of Margaret Thatcher.
Tallinn’s strange but welcoming atmosphere was heightened because I arrived only a week before midsummer’s eve and the dawning of the fabled White Nights. Dark does not descend until just after midnight, and the light starts returning an hour and a half later. In a week’s time it would be light for twenty-four hours of the day.
This jumbled crossroads of imperial ambition, peculiar modern cultural icons and the dreamy nature of light form an ideal backdrop for the annual gathering of the Cooperative Cyber Defence Centre of Excellence (CCDOE), the NATO-backed complex that researches all aspects of cyber warfare. The characters at this conference live in a contemporary Wonderland where convention is oft disregarded – ponytails and wire-rimmed glasses earnestly exchange information with starched military uniforms about ‘SQL injection vulnerabilities’. Besuited civil servants are deep in conversation with young men in jeans and T-shirts detailing the iniquities of ‘man-in-the-middle attacks’.
To grasp even the very basics of cyber security in its rich variety, one must be prepared to learn countless new idioms that are being constantly added to or amended. Otherwise you can listen to a conversation that in basic vocabulary and syntax structure is unmistakably English, but is nonetheless completely meaningless to those unschooled in the arcane language. It is, of course, embarrassing continually having to ask people fluent in the tongue why a ‘buffer overload’ can have alarming consequences for the security of your network, but geeks are not a patronising clan and are generally happy to oblige.
Estonia may be small, but it is the most wired country in Europe and one of the leading digital powers in the world, from where – among other inventions – came Skype. Free wireless can be found in most places, as connectivity is considered a basic right, not a privilege. You won’t find hotels gouging your wallet for Internet access here.
However, I was talking to Hillar Aarelaid not about Estonia’s go-ahead approach, but about its fabled position in the now fast-growing history of international digital strife.
In early 2007 the Estonian government announced its intention to move the memorial to the fallen of the Red Army during the Great Patriotic War (as the Russians call the Second World War) from its position in the heart of Tallinn to the city’s main cemetery, which is frankly not far from the centre. Russia and its leadership perceived this to be an intolerable insult, even as proof of a resurgence of fascistic Estonian nationalism (all 750,000 of them) and a snub to those soldiers of the Red Army who had sacrificed their lives in liberating Estonia from the Nazi yoke.
The dispute over the bronze soldier escalated. The Russian media, both inside Estonia and across the border in Russia, stoked the genuine worries of Estonia’s Russian minority and before long matters had reached breaking point. On the afternoon of 27th April hundreds of young ethnic Russians, citizens of Estonia, gathered in the centre of Tallinn. The protest against the removal of the memorial remained peaceful and good-humoured until one group attempted to break through a police cordon protecting the statue. Violent clashes erupted and spread quickly – by the evening the old town, a UNESCO heritage site, was ablaze as cars were set on fire, shop windows were smashed and their contents looted.
As the disturbances threatened to spread, Moscow issued warnings citing Estonian police brutality, and the country that had gained its independence from the Soviet Union less than two decades earlier, was gripped by uncertainty and fear. It was highly unlikely that Russia would offer Estonia ‘fraternal assistance’, to use the Soviet euphemism for sending in tanks. After all, Estonia was by now a member of NATO and it seemed inconceivable that Russia would want to trigger NATO’s defence guarantee – all for one and one for all – because of a bloody statue!
Thankfully for all of us, the Kremlin indeed showed no inclination to render any fraternal assistance, but as Tallinn’s centre crackled and fizzed with rioters and flag-burners, hackers were opening up a new front in this peculiar conflict.
That evening the websites of Estonia’s President and several government ministries started receiving inordinate amounts of spam email, while the Prime Minister’s photo on his party’s website was defaced. Russian-language chat rooms began to exhort hackers to launch attacks on Estonian sites and were distributing the software to do so. According to sources quoted in a US Embassy telegram to Washington (c/o WikiLeaks), the initial attacks were technically unsophisticated and ‘seemed more like a cyber riot than a cyber war’.
Over the weekend, however, the attacks escalated from spam showers to DDoS attacks. Hackers had created dozens of those pesky botnets, suborning infected zombie computers around the world and forcing them to request Estonian websites. These were mighty assaults – the presidential website, ‘which normally has a two-million megabits-per-second capacity, was flooded with nearly 200 million Mbps of traffic’, according to the US Embassy cable. This was still manageable, but on 3rd May ‘the cyber attacks expanded beyond Government of Estonia sites and servers to private sites’.
At about ten o’clock that evening Jaan Priisalu received a call at his home on the outskirts of Tallinn. ‘They told me that the channels were all going down at work,’ he remembered. As the Chief of IT Security at Estonia’s biggest bank, Hansabank, Priisalu went into overdrive. ‘I then got an SMS, which informed me that our Internet banking service had gone down.’
It was action stations all round: tens of thousands of computers were swamping Hansabank’s systems with requests for information. Priisalu immediately started to delve into the frenetic electronic activity and soon discovered that Hansabank was under attack from a botnet comprising some 80,000 computers. Following the attacks back to their origin, Priisalu found they were coming from a server in Malaysia. Not that this amounted to evidence of anything at all, for beyond Malaysia the attackers had successfully masked their real origin. But he realised immediately that he was dealing with a very serious attack. ‘It was massive,’ he said. A botnet of 80,000 computers is a big monster that can completely paralyse a company’s entire system within a matter of minutes.
Thanks to Priisalu’s precautionary measures, Hansabank was well prepared with powerful servers. These were alternative websites that could mirror content (thus making it more difficult for DDoS attacks to succeed). However, even though Hansabank’s site remained online, the US Embassy’s key Estonian source reported that it cost the company ‘at least 10 million euros ($13.4 million)’.
The next targets were the Estonian media, including the daily paper with the most frequently visited news website. ‘Imagine, if you can, the psychological effect,’ said one observer, ‘when an Estonian tries to pay his bills but can’t, or tries to get the news online but can’t.’ The government was on high alert, deeply worried that the escalating attacks represented ‘a frightening threat to key economic and societal infrastructure’.
By this time Hillar Aarelaid and his team had fully mobilised. Estonia’s CERT responded by expanding the broadband ‘pipeline’ into the country with the assistance of its friends abroad, notably in Finland and Sweden. ‘We had been expecting that something like this might happen and we had been on alert,’ Hillar remembered. ‘This was where the Russians made a mistake. If you want to succeed with an attack like this, you need to know your enemy really well and you need to be close to your enemy,’ he said, explaining that the Russians had failed to anticipate the high level of Estonia’s preparedness. ‘Had they thought it through,’ he continued, ‘they would have known that our systems were on high alert because of the recent elections.’
Thanks to the coordination of the government, the police, the banks and CERT, the impact of the attacks on ordinary citizens was kept within reasonable boundaries. Hansabank maintained its online banking, but the other two largest banks were unable to. Instead people simply switched to using their branches. Mobile phones were interrupted and, once the government ordered the shutdown of Estonia’s links to the outside world, communication with the country was tricky for a few days. Contrary to initial reports, traffic lights in Tallinn did not stop working, but there was some interruption to the work of the government and the media.
The attacks continued at varying degrees of intensity for two weeks, culminating in a massive assault on 9th May, the date of the Red Army’s victory over the Nazis in Europe. At this point, exhausted by the relentless flood of DDoS attacks, the Estonian government decided to cut off the country’s Internet system from the rest of the world. The DDoS attacks declined to a dribble, eventually coming to an end on 19th May.
The implications of the Estonian events were grave. In political terms it was perfectly clear that the attacks came from Russia, but predictably the government in Moscow denied all responsibility for them. And it is perfectly possible that there was no official involvement. Researchers were unable to track down the precise origin of the attacks. Assuming that they did come from Russia, however, the government must have known about them because of their omniscient monitoring system, SORM-2. Having said that, there was so much extraordinary Internet activity going on in Russia at the time that maybe even the fabled SORM-2 was having a hard time keeping up with everything. Who can say? Because one thing that the attack on Estonia made quite clear was that you can make a very shrewd guess as to who has instigated events like these, but you cannot ever be certain.
Like all governments, the Russian government was evolving its own unique attitude towards the Internet, its function and the relationship between the state and the end user. Moscow recognised as early as the 1990s that the political and security importance of the Internet was such that it deserved the full attention of one of the country’s most enduring and successful institutions: the secret police. In short, the FSB (intimate successor to the KGB) developed the ability to monitor every packet of data zinging in, out and around the country. This system goes under the appropriately sinister acronym of SORM-2, the Система Оперативно-Розыскных Мероприятий, or the System for Operative-Investigative Activities.
SORM-2 is truly frightening. Should you request information over the Web from your computer in Vladivostok or Krasnodar, then when it reaches your Internet Service Provider, a duplicate package dutifully trots off to FSB central in Moscow, to be read, mulled over, laughed at and (who knows?) used in evidence against you, at the FSB’s pleasure. At the very least, it will be stored.
Not only does SORM-2 require that Russian ISPs feed all Internet activity through to the FSB’s headquarters, but it adds insult to injury by compelling the ISPs to purchase the required equipment (at a cost of more than $10,000) and to fund the running costs of the service. These costs are of course passed on to consumers, who thus end up paying quite directly for a mighty tool of oppression of which they are the principal victims.
The Russian state has the capacity to know who is doing what, when, to whom and, probably, why over the Web. Of course, a sneaky Russian computer-user might concoct a plan to circumvent the all-seeing SORM-2 by encrypting their data and Internet browsing. But remember – encryption is illegal in Russia and one file with a digital lock on it would be enough to buy you a one-way ticket to Siberia.
That does not imply that the Internet regimes of Western governments represent a model of free speech. On the contrary, as our dependency on the Internet increases, so the desire, ability and will of governments to control it strengthen. Despite habitual protests by civil servants and politicians that no such process is under way, the tortured and slow death of Internet privacy in the West, especially in the United Kingdom and the United States, is a sad – albeit visible – reality and is probably inevitable.
The response to 9/11, in the name of combating terrorism, severely curtailed our freedom from state interference on the Web. The main tool in the US was the Total Information Awareness (TIA) programme, although even the Bush administration, with its congenital tin ear, eventually realised that the name had so many Orwellian associations that it should be renamed the Terrorism Information Awareness programme.
The TIA afforded DARPA, the Pentagon’s research and detection wing, considerable access to data gleaned from private communications. Although the programme was eventually closed down, many of its powers were retained by government and distributed among different agencies in the United States.
Elsewhere, in a landmark case, the Supreme Court consented to the FBI deploying key-logger trojans onto the computers of suspects, although under court supervision. This enabled the FBI to log everything that the suspect would do on his computer, just as the cyber criminal does when he infects a third-party computer with a key logger. At the turn of the millennium the European Parliament confirmed the existence of Echelon, the United States’s global spy programme that is allegedly capable of homing in on digital communications anywhere in the world.
In a directive issued under the UK’s presidency of the European Union, Internet Service Providers in Europe were obliged to start storing all computer traffic (this applies to mobile phones as well) for between six months and two years – data that a variety of governmental agencies can access under national legislation. If these moves towards digital surveillance continue, Western governments (usually in the name of anti-terrorism strategies and law enforcement) will be in an ever better position to monitor the movements and habits of their citizens.
Researchers at the London School of Economics best described our chosen path. In June 2009 they asked the reader to imagine:
the government having a deaf security agent following every single person everywhere they go. The agent cannot hear the content of any interactions, but can otherwise observe every minute detail of someone’s life: the time they wake up, how they drive to work, who they talk to and for how long, and how their business is doing, their health, the people they meet in the street, their social activities, their political affiliations, the papers and specific articles they read, and their reaction to those, the food in their shopping basket, and whether they eat healthily, how well their marriage is going, the extra-marital affairs, their dates and intimate relations. Since most of these interactions are today mediated at some level by telecommunications services, or are facilitated by mobile devices, all of this information will now reside with our internet service providers, ready and waiting for government access.
At least in the West, we stand a fighting chance of resisting some of the more draconian powers that various branches of government are seeking to acquire over civil Internet activity.
Given the strength of the civil-liberties community in the West and the KGB’s comprehensive surveillance of the Internet, one might assume that Russia would represent an implacably hostile environment for cyber criminals. Yet the Russian Federation has become one of the great centres of global cybercrime. The strike rate of the police is lamentable, while the number of those convicted barely reaches double figures. The reason, while unspoken, is widely understood. Russian cyber criminals are free to clone as many credit cards, hack as many bank accounts and distribute as much spam as they wish, provided the targets of these attacks are located in Western Europe and the United States. A Russian hacker who started ripping off Russians would be bundled into the back of an unmarked vehicle before you could say KGB.
In exchange, of course, should the Russian state require the services of a hacker for launching a crippling cyber attack on a perceived enemy, then it is probably best for the hacker to cooperate.
2007 was the heyday of a loose organisation of companies based in St Petersburg known as the Russian Business Network, or RBN. This mysterious acronym offered to host websites for individuals and companies – it was known as the king of bulletproof hosters. Companies that offer this service are essentially letting their customers know that they are not interested in the content or function of a website and, in exchange for much higher fees, will resist any legal or digital attempts to bring down the sites.
Not all bulletproof hosting is intended as a way of circumventing the law, but criminals and pirates frequently avail themselves of such services. They are virtually indispensable for individuals and groups involved in the distribution of child pornography, for example, and the RBN was known to include such clients on its books, as several security companies’ research departments have identified.