Estonia’s unsolved zombie insurgence

The origin of the attacks on Estonia’s Internet infrastructure may never be known. Hackers typically don’t sign their work with real names.

The denial-of-service attacks that began in April are linked, at least in a time sequence, to the removal of a statue honouring a Second World War Soviet soldier from a public park in the Estonian capital of Tallinn.

One in four Estonian citizens is of Russian descent and many take great pride in “liberating” Estonia from the Germans. Many ethnic Estonians hated the Soviets then, hate Russia now and are not particularly grateful to the Red Army, which departed only in 1994.

The removal of the statue triggered several days of street protests in Estonia by the Russian minority, which the authorities anticipated. They also anticipated Internet-based attacks, but not their scale or duration.

More than a month of attacks created chaos in the Estonian economy. The month-long assault against government Web sites, banks, media outlets and ISPs was neither unusual nor unexpected.

The New York Times hedged its bets by citing anonymous observers, calling it “what some describe as the first real war in cyberspace.” But “first,” “real” and “war” still scored a hat trick of untruths.

In fact, it is hardly the first online conflict. Japan, China and the Koreas probe each other’s networks all the time, and there are occasional assaults against the United States.

Palestinians and Arabs try to disrupt Israel’s communications. Nations created by the collapse of the “formers,” Yugoslavia and the Soviet Union, hack away at each other all the time, as do India and Pakistan.

The attacks against Estonia are also not “real” in the sense that there is no identifiable attacker. In the early days of the cyberstorm, Estonian government officials directly blamed official Russia. Prime Minister Andrus Ansip even claimed some of the attacking computers were in Russian President Vladimir Putin’s office.

The attacks also do not constitute a “war,” defined as a “state of armed conflict” or a “sustained contest” between rivals. Shutting down Internet access was not accompanied by physical raids or a coup d’etat. If the attackers had a goal, it was disruption, and they achieved it.

There is no comfort in believing that the attackers were not under the orders of a government. One plausible source of the attacks is Russian criminal gangs, exploiting their technological expertise and resources in what they might see as a patriotic cause.

If the attacks against Estonia were state-sponsored, by Russia or any other nation, then the attacking nation could quickly find itself in deeper trouble than it bargained for. The tools of retaliation are cheap, easy to use and freely available to all.

What happened in Estonia could be a mild example of fourth-generation warfare, broadly defined as combat in which one side refuses to “fight fair” and whose main aim is the chaos it creates.

Estonia is particularly susceptible to Internet-based attacks because much of its government, banking, commercial and communications infrastructure has been built on top of the Internet. There was no apparent attempt to target national critical infrastructure other than Internet resources, and no extortion demands were made.

Digital attacks are inexpensive and can wreak economic havoc far out of proportion to the investment. The basic techniques are clearly understood, and as the case of Estonia shows, the zombie networks are available. There is a global, instant, anonymous marketplace in attack technologies that are beyond the control of any government.

The attacks also punched big holes in the idea that the Internet is so universal and has so much inherent redundancy that it can heal itself, patching around damaged nodes and getting the data safely to its destination, despite any and all obstacles. At different points during the attacks, Estonia deliberately isolated itself from the rest of the Internet.

As John Robb says in his new book, Brave New War, “The threshold necessary for small groups to conduct warfare has finally been breached, and we are only starting to feel its effects,” and, “Nonstate actors in the form of terrorists, crime syndicates, gangs and networked tribes are stepping into the breach to lay claim to areas once in the sole control of states.”

If he is right, that means the attacks against Estonia may have been not only unsanctioned by the Russian government but completely beyond its control. For its part, Estonia has reportedly backed away from blaming the Russian government and is instead asking the European Union to classify the attacks as terrorism.

In the end, the impact of the attacks against a country or an organization is the same. The difference now is that groups beyond the control of any state can organize and use advanced weapons of cyberwar.

Richard Bray is an Ottawa-based freelance journalist specializing in high technology and security. He can be contacted at
