Cyberwarfare Case Study

Editor's note: This is part of a series of analyses on the emergence of cyberspace as battlespace. During the night of April 26-27, 2007, in downtown Tallinn, Estonia, government workers took down and moved a Soviet-era monument commemorating World War II called the Bronze Soldier, despite the protests of some 500 ethnic Russian Estonians. For the Kremlin — and Russians in general — such a move in a former Soviet republic was blasphemy. It was also just the kind emotional flash point that could spark a "nationalistic" or "rally-around-the-flag" movement in cyberspace. By 10 p.m. local time on April 26, 2007, digital intruders began probing Estonian Internet networks, looking for weak points and marshaling resources for an all-out assault. Bursts of data were sent to important nodes and servers to determine their maximum capacity — a capacity that the attackers would later exceed with floods of data, crashing servers and clogging connections. A concerted cyberwarfare attack on Estonia was under way, one that would eventually bring the functioning of government, banks, media and other institutions to a virtual standstill and ultimately involve more than a million computers from some 75 countries (including some of Estonia's NATO allies). Estonia was a uniquely vulnerable target. Extremely wired, despite its recent status as a Soviet republic, Estonian society had grown dependent on the Internet for virtually all the administrative workings of everyday life — communications, financial transactions, news, shopping, restaurant reservations, theater tickets and bill paying. Even parliamentary votes were conducted online. When Estonia's independence from the Soviet Union was restored in 1991, not even telephone connections were reliable or widely available. Today, more than 60 percent of the population owns a cell phone, and Internet usage is already on par with Western European nations. In 2000, Estonia's parliament declared Internet access a basic human right. Some of the first targets of the attack were the Estonian parliament's e-mail servers and networks. A flood of junk e-mails, messages and data caused the servers to crash, along with several important Web sites. After disabling this primary line of communications among Estonian politicians, some of the hackers hijacked Web sites of the Reform Party, along with sites belonging to several other political groups. Once they gained control of the sites, hackers posted a fake letter from Estonian Prime Minister Andrus Ansip apologizing for ordering the removal of the World War II monument. By April 29, 2007, massive data surges were pressing the networks and rapidly approaching the limits of routers and switches across the country. Even though not all individual servers were taken completely offline, the entire Internet system in Estonia became so preoccupied with protecting itself that it could scarcely function. During the first wave of the assault, network security specialists attempted to erect barriers and firewalls to protect primary targets. As the attacks increased in frequency and force, these barriers began to crumble. Seeking reinforcements, Hillar Aarelaid, chief security officer for Estonia's Computer Emergency Response Team, began calling on contacts from Finland, Germany, Slovenia and other countries to assemble a team of hackers and computer experts to defend the country. Over the next several days, many government ministry and political party Web sites were attacked, resulting either in misinformation being spread or the sites being made partially or completely inaccessible. After hitting the government and political infrastructure, hackers took aim at other critical institutions. Several denial-of-service attacks forced two major banks to suspend operations and resulted in the loss of millions of dollars (90 percent of all banking transactions in Estonia occur via the Internet). To amplify the disruption caused by the initial operation, hackers turned toward media outlets and began denying reader and viewer access to roughly half the major news organizations in the country. This not only complicated life for Estonians but also denied information to the rest of the world about the ongoing cyberwar. By now, Aarelaid and his team had gradually managed to block access to many of the hackers' targets and restored a degree of stability within the networks. Then on May 9, the day Russia celebrates victory over Nazi Germany, the cyberwar on Estonia intensified. Many times the size of the previous days' incursions, the attacks may have involved newly recruited cybermercenaries and their bot armies. More than 50 Web sites and servers may have been disabled at once, with a data stream crippling many other parts of the system. This continued until late in the evening of May 10, perhaps when the rented time on the botnets and cybermercenaries' contracts expired. After May 10, the attacks slowly decreased as Aarelaid managed to take the botnets offline by working with phone companies and Internet service providers to trace back the IP addresses of attacking computers and shut down their Internet service connections. During the defense of Estonia's Internet system, many of the computers used in the attacks were traced back to computers in Russian government offices. What could not be determined was whether these computers were simply "zombies" hijacked by bots and were not under the control of the Russian government or whether they were actively being used by government personnel. Although Estonia was uniquely vulnerable to a cyberwarfare attack, the campaign in April and May of 2007 should be understood more as a sign of things to come in the broader developed world. The lessons learned were significant and universal. Any country that relies on the Internet to support many critical, as well as mundane day-to-day, functions can be severely disrupted by a well-orchestrated attack. Estonia, for one, is unlikely ever to reduce its reliance on the Internet, but it will undoubtedly try to develop safeguards to better protect itself (such as filters that restrict internal traffic in a crisis and deny anyone in another country access to domestic servers). Meanwhile, the hacker community will work diligently to figure out a way around the safeguards. One thing is certain: Cyberattacks like the 2007 assault on Estonia will become more common in an increasingly networked world, which will have to learn — no doubt the hard way — how to reduce vulnerability and more effectively respond to such attacks. Perhaps most significant is the reminder Estonia provides that cyberspace definitely favors offensive operations. Next:U.S.: Strengthening Cybersecurity

Cyberwar Case Study: Georgia 2008

by David Hollis

Download The Full Article:Cyberwar Case Study: Georgia 2008

The Russian-Georgian War in August of 2008 represented a long history of geostrategic conflict between the two nations and was based on many complex factors: ¬geopolitical, legal, cultural, and economic. The 1992 South Ossetia War and the 1993 Abkhazian War resulted in the loss of the regions from Georgia to internationally unrecognized, pro-Russian local governments. Tensions had been building in the region for several years prior-to the initiation of conflict in August 2008. The war officially started on 7 August 2008 after several weeks of growing arguments over the future of the South Ossetian territory. Georgian troops initiated a military attack against South Ossetia and began a massive shelling of the town of Tskhinvali in response to alleged Russian provocation. Russia deployed additional combat troops to South Ossetia and retaliated with bombing raids into Georgian territory. Russia deployed naval forces to formally blockade Georgia and landed naval infantry (marines) on Abkhaz coast (near Georgia). The decisive ground combat operation of the campaign resulted in mechanized Russian military and Ossetian militia forces defeating the more lightly armed Georgian military forces in the only large-scale major ground combat of the war (battle for the town of Tskhinvali). Georgian tactical military defeat at the battle of Tskhinvali, operational defeat via Russian uncontested invasion of the western part of Georgia, unchallenged naval blockade of Georgia, and Georgian difficulty getting their media message out to the world, led to Georgia's strategic defeat in the war. The conflict forced approximately 25,000 Georgian residents to flee from ground combat as refugees into internal displacement. The two countries signed a ceasefire agreement a week later but tensions remain high to this day. Russia has failed to implement some of the terms of the ceasefire agreement, resulting in further loss of Georgian territory to Russian occupation.

As wars historically go, it wasn't very big, did not involve vast amounts of military forces, nor did it last long. One might argue that it was more of a typical battle or campaign framed in an on-going long term geopolitical cold war between the combatants, a cold war punctuated with occasional outbreaks of small to large scale violence. On the surface, it represents one of many cold wars (with periodic renewals of formal national-level military conflict) fought every day on the "near abroad" of the Russian periphery. A conflict which may not end for a very, very long time. But while much of that is true, a deeper analysis of the cyberspace domain operations conducted by both sides in this conflict indicate that image is illusory and incomplete. The Russian-Georgian war was quite historic and precedent setting for several reasons.

Download The Full Article:Cyberwar Case Study: Georgia 2008

David M. Hollis is a Senior Policy Analyst with the Office of the Undersecretary of Defense for Intelligence (OUSD(I)). He has spent a total of four years on the OSD staff with three as Cyberspace Security Division Chief for the ASD NII/DoD CIO's office prior to working at OUSD(I). He is also a drilling USAR officer with US Cyberspace Command (USCYBERCOM); currently the senior USAR officer responsible for 25 USAR personnel supporting a wide range of USCYBERCOM J-codes and projects, and was previously a Joint Plans Officer with the USCYBERCOM J5. He was with the Army's 1st Information Operations Command from 2000 to 2006 as Red Team Chief, S2/Director of the Army's CyberIntelligence Center, and Senior Operations Planner. He has previously published cyberwarfare articles in the Joint Forces Quarterly and Armed Forces Journal magazines.

  • Share this Post

About the Author(s)


David M. Hollis

David M. Hollis is a GG-15 Senior Policy Analyst/Planner with the Office of the Undersecretary of Defense for Intelligence’s (USD(I)) Cyberspace, Warfighter Integration, and Strategic Engagement Division (CWISE).  Prior to this position, he was the Chief of the Cyberspace Security Division for the Office of the Assistant Secretary of Defense for Network & Information Integration /DoD Chief Information Officer (ASD NII/DoD CIO).  Lieutenant Colonel David M.


Leave a Reply

Your email address will not be published. Required fields are marked *