DarkMarket: Cyberthieves, Cybercops and You
Estonia may be small, but it is the most wired country in Europe and one of the leading digital powers in the world, from where – among other inventions – came Skype. Free wireless can be found in most places, as connectivity is considered a basic right, not a privilege. You won’t find hotels gouging your wallet for Internet access here.
However, I was talking to Hillar Aarelaid not about Estonia’s go-ahead approach, but about its fabled position in the now fast-growing history of international digital strife.
In early 2007 the Estonian government announced its intention to move the memorial to the fallen of the Red Army during the Great Patriotic War (as the Russians call the Second World War) from its position in the heart of Tallinn to the city’s main cemetery, which is frankly not far from the centre. Russia and its leadership perceived this to be an intolerable insult, even as proof of a resurgence of fascistic Estonian nationalism (all 750,000 of them) and a snub to those soldiers of the Red Army who had sacrificed their lives in liberating Estonia from the Nazi yoke.
The dispute over the bronze soldier escalated. The Russian media, both inside Estonia and across the border in Russia, stoked the genuine worries of Estonia’s Russian minority and before long matters had reached breaking point. On the afternoon of 27th April hundreds of young ethnic Russians, citizens of Estonia, gathered in the centre of Tallinn. The protest against the removal of the memorial remained peaceful and good-humoured until one group attempted to break through a police cordon protecting the statue. Violent clashes erupted and spread quickly – by the evening the old town, a UNESCO heritage site, was ablaze as cars were set on fire, shop windows were smashed and their contents looted.
As the disturbances threatened to spread, Moscow issued warnings citing Estonian police brutality, and the country that had gained its independence from the Soviet Union less than two decades earlier was gripped by uncertainty and fear. It was highly unlikely that Russia would offer Estonia ‘fraternal assistance’, to use the Soviet euphemism for sending in tanks. After all, Estonia was by now a member of NATO and it seemed inconceivable that Russia would want to trigger NATO’s defence guarantee – all for one and one for all – because of a bloody statue!
Thankfully for all of us, the Kremlin indeed showed no inclination to render any fraternal assistance, but as Tallinn’s centre crackled and fizzed with rioters and flag-burners, hackers were opening up a new front in this peculiar conflict.
That evening the websites of Estonia’s President and several government ministries started receiving inordinate amounts of spam email, while the Prime Minister’s photo on his party’s website was defaced. Russian-language chat rooms began to exhort hackers to launch attacks on Estonian sites and were distributing the software to do so. According to sources quoted in a US Embassy telegram to Washington (c/o WikiLeaks), the initial attacks were technically unsophisticated and ‘seemed more like a cyber riot than a cyber war’.
Over the weekend, however, the attacks escalated from spam showers to DDoS attacks. Hackers had created dozens of those pesky botnets, suborning infected zombie computers around the world and forcing them to request Estonian websites. These were mighty assaults – the presidential website, ‘which normally has a two-million megabits-per-second capacity, was flooded with nearly 200 million Mbps of traffic’, according to the US Embassy cable. This was still manageable, but on 3rd May ‘the cyber attacks expanded beyond Government of Estonia sites and servers to private sites’.
At about ten o’clock that evening Jaan Priisalu received a call at his home on the outskirts of Tallinn. ‘They told me that the channels were all going down at work,’ he remembered. As the Chief of IT Security at Estonia’s biggest bank, Hansabank, Priisalu went into overdrive. ‘I then got an SMS, which informed me that our Internet banking service had gone down.’
It was action stations all round: tens of thousands of computers were swamping Hansabank’s systems with requests for information. Priisalu immediately started to delve into the frenetic electronic activity and soon discovered that Hansabank was under attack from a botnet comprising some 80,000 computers. Following the attacks back to their origin, Priisalu found they were coming from a server in Malaysia. Not that this amounted to evidence of anything at all, for beyond Malaysia the attackers had successfully masked their real origin. But he realised immediately that he was dealing with a very serious attack. ‘It was massive,’ he said. A botnet of 80,000 computers is a big monster that can completely paralyse a company’s entire system within a matter of minutes.
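The kind of triage Priisalu describes, sizing a flood by its request volume and by how many distinct machines it comes from, can be approximated from ordinary web-server logs. The script below is an added illustration, not code from the book or from Hansabank; the log format, the addresses and the thresholds are all constructed for the example. It flags windows whose request rate far exceeds the median while arriving from hundreds of different sources, which is what separates a botnet flood from a single misbehaving client that could simply be rate-limited.

```python
"""Volumetric-flood detection over simplified access logs.

Added example (not from the book or from Hansabank).  Log format, addresses
and thresholds are constructed for illustration.  Note that the source
addresses seen here are the zombies', not the operator's: as the text says,
they are evidence of the flood, not of who is behind it.
"""
from collections import defaultdict
from ipaddress import ip_address
from statistics import median


def build_sample_log():
    """Constructed log lines in a 'timestamp src_ip path' format: four seconds
    of ordinary traffic followed by two seconds of a flood from 400 distinct
    sources per second."""
    lines = []
    for sec in range(4):  # ordinary traffic: 3 requests/s from 3 known clients
        for i in range(3):
            lines.append(f"2007-05-03T22:00:0{sec} 203.0.113.{10 + i} /login")
    first_bot = int(ip_address("10.0.0.0"))  # placeholder bot address range
    for sec in (4, 5):  # flood: 400 requests/s, each from a different zombie
        for i in range(400):
            lines.append(f"2007-05-03T22:00:0{sec} {ip_address(first_bot + i)} /balance")
    return lines


def parse_line(line):
    """Split one log line into (timestamp, source address, request path)."""
    ts, src, path = line.split(maxsplit=2)
    return ts, src, path


def summarise_windows(lines):
    """Per-second (request count, distinct source count), keyed by timestamp."""
    reqs = defaultdict(int)
    sources = defaultdict(set)
    for line in lines:
        ts, src, _ = parse_line(line)
        reqs[ts] += 1
        sources[ts].add(src)
    return {ts: (reqs[ts], len(sources[ts])) for ts in sorted(reqs)}


def detect_floods(lines, rate_factor=10, min_distinct=100):
    """Return (timestamp, requests, distinct_sources) for windows whose request
    rate is at least rate_factor times the median window AND which come from
    at least min_distinct different addresses.  The second condition is what
    points at a botnet rather than one noisy client."""
    windows = summarise_windows(lines)
    baseline = median(count for count, _ in windows.values())
    return [
        (ts, count, distinct)
        for ts, (count, distinct) in windows.items()
        if count >= rate_factor * baseline and distinct >= min_distinct
    ]


if __name__ == "__main__":
    for ts, count, distinct in detect_floods(build_sample_log()):
        print(f"{ts}: {count} requests from {distinct} distinct sources")
```

On the constructed log this reports the two flood seconds only. Real deployments would compute the baseline over a longer quiet period and feed the flagged windows to upstream filtering or to the mirrored capacity the text describes, rather than treating the zombie addresses as the attacker.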
Thanks to Priisalu’s precautionary measures, Hansabank was well prepared with powerful servers. These were alternative websites that could mirror content (thus making it more difficult for DDoS attacks to succeed). However, even though Hansabank’s site remained online, the US Embassy’s key Estonian source reported that it cost the company ‘at least 10 million euros ($13.4 million)’.
The next targets were the Estonian media, including the daily paper with the most frequently visited news website. ‘Imagine, if you can, the psychological effect,’ said one observer, ‘when an Estonian tries to pay his bills but can’t, or tries to get the news online but can’t.’ The government was on high alert, deeply worried that the escalating attacks represented ‘a frightening threat to key economic and societal infrastructure’.
By this time Hillar Aarelaid and his team had fully mobilised. Estonia’s CERT responded by expanding the country’s broadband ‘pipeline’ into the country with the assistance of its friends abroad, notably in Finland and Sweden. ‘We had been expecting that something like this might happen and we had been on alert,’ Hillar remembered. ‘This was where the Russians made a mistake. If you want to succeed with an attack like this, you need to know your enemy really well and you need to be close to your enemy,’ he said, explaining that the Russians had failed to anticipate the high level of Estonia’s preparedness. ‘Had they thought it through,’ he continued, ‘they would have known that our systems were on high alert because of the recent elections.’
Thanks to the coordination of the government, the police, the banks and CERT, the impact of the attacks on ordinary citizens was kept within reasonable boundaries. Hansabank maintained its online banking, but the other two largest banks were unable to. Instead people simply switched to using their branches. Mobile phones were interrupted and, once the government ordered the shutdown of Estonia’s links to the outside world, communication with the country was tricky for a few days. Contrary to initial reports, traffic lights in Tallinn did not stop working, but there was some interruption to the work of the government and the media.
The attacks continued at varying degrees of intensity for two weeks, culminating in a massive assault on 9th May, the date of the Red Army’s victory over the Nazis in Europe. At this point, exhausted by the relentless flood of DDoS attacks, the Estonian government decided to cut off the country’s Internet system from the rest of the world. The DDoS attacks declined to a dribble, eventually coming to an end on 19th May.
The implications of the Estonian events were grave. In political terms it was perfectly clear that the attacks came from Russia, but predictably the government in Moscow denied all responsibility for them. And it is perfectly possible that there was no official involvement. Researchers were unable to track down the precise origin of the attacks. Assuming that they did come from Russia, however, the government must have known about them because of their omniscient monitoring system, SORM-2. Having said that, there was so much extraordinary Internet activity going on in Russia at the time that maybe even the fabled SORM-2 was having a hard time keeping up with everything. Who can say? Because one thing that the attack on Estonia made quite clear was that you can make a very shrewd guess as to who has instigated events like these, but you cannot ever be certain.
Like all governments, the Russian government was evolving its own unique attitude towards the Internet, its function and the relationship between the state and the end user. Moscow recognised as early as the 1990s that the political and security importance of the Internet was such that it deserved the full attention of one of the country’s most enduring and successful institutions: the secret police. In short, the FSB (intimate successor to the KGB) developed the ability to monitor every packet of data zinging in, out and around the country. This system goes under the appropriately sinister acronym of SORM-2, the Система Оперативно-Розыскных Мероприятий, or the System for Operative-Investigative Activities.
SORM-2 is truly frightening. Should you request information over the Web from your computer in Vladivostok or Krasnodar, then when it reaches your Internet Service Provider, a duplicate package dutifully trots off to FSB central in Moscow, to be read, mulled over, laughed at and (who knows?) used in evidence against you, at the FSB’s pleasure. At the very least, it will be stored.
Not only does SORM-2 require that Russian ISPs feed all Internet activity through to the FSB’s headquarters, but it adds insult to injury by compelling the ISPs to purchase the required equipment (at a cost of more than $10,000) and to fund the running costs of the service. These costs are of course passed on to consumers, who thus end up paying quite directly for a mighty tool of oppression of which they are the principal victims.
The Russian state has the capacity to know who is doing what, when, to whom and, probably, why over the Web. Of course, a sneaky Russian computer-user might concoct a plan to circumvent the all-seeing SORM-2 by encrypting their data and Internet browsing. But remember – encryption is illegal in Russia and one file with a digital lock on it would be enough to buy you a one-way ticket to Siberia.
That does not imply that the Internet regimes of Western governments represent a model of free speech. On the contrary, as our dependency on the Internet increases, so the desire, ability and will of governments to control it strengthen. Despite habitual protests by civil servants and politicians that no such process is under way, the tortured and slow death of Internet privacy in the West, especially in the United Kingdom and the United States, is a sad – albeit visible – reality and is probably inevitable.
The response to 9/11, in the name of combating terrorism, severely curtailed our freedom from state interference on the Web. The main tool in the US was the Total Information Awareness (TIA) programme, although even the Bush administration, with its congenital tin ear, eventually realised that the name had so many Orwellian associations that it should be renamed the Terrorism Information Awareness programme.
The TIA afforded DARPA, the Pentagon’s research and detection wing, considerable access to data gleaned from private communications. Although the programme was eventually closed down, many of its powers were retained by government and distributed among different agencies in the United States.
Elsewhere, in a landmark case, the Supreme Court consented to the FBI deploying key-logger trojans onto the computers of suspects, although under court supervision. This enabled the FBI to log everything that the suspect would do on his computer, just as the cyber criminal does when he infects a third-party computer with a key logger. At the turn of the millennium the European Parliament confirmed the existence of Echelon, the United States’s global spy programme that is allegedly capable of homing in on digital communications anywhere in the world.
In a directive issued under the UK’s presidency of the European Union, Internet Service Providers in Europe were obliged to start storing all computer traffic (this applies to mobile phones as well) for between six months and two years – data that a variety of governmental agencies can access under national legislation. If these moves towards digital surveillance continue, Western governments (usually in the name of anti-terrorism strategies and law enforcement) will be in an ever better position to monitor the movements and habits of their citizens.
Researchers at the London School of Economics best described our chosen path. In June 2009 they asked the reader to imagine:
the government having a deaf security agent following every single person everywhere they go. The agent cannot hear the content of any interactions, but can otherwise observe every minute detail of someone’s life: the time they wake up, how they drive to work, who they talk to and for how long, and how their business is doing, their health, the people they meet in the street, their social activities, their political affiliations, the papers and specific articles they read, and their reaction to those, the food in their shopping basket, and whether they eat healthily, how well their marriage is going, the extra-marital affairs, their dates and intimate relations. Since most of these interactions are today mediated at some level by telecommunications services, or are facilitated by mobile devices, all of this information will now reside with our internet service providers, ready and waiting for government access.
At least in the West, we stand a fighting chance of resisting some of the more draconian powers that various branches of government are seeking to acquire over civil Internet activity.
Given the strength of the civil-liberties community in the West and the KGB’s comprehensive surveillance of the Internet, one might assume that Russia would represent an implacably hostile environment for cyber criminals. Yet the Russian Federation has become one of the great centres of global cybercrime. The strike rate of the police is lamentable, while the number of those convicted barely reaches double figures. The reason, while unspoken, is widely understood. Russian cyber criminals are free to clone as many credit cards, hack as many bank accounts and distribute as much spam as they wish, provided the targets of these attacks are located in Western Europe and the United States. A Russian hacker who started ripping off Russians would be bundled into the back of an unmarked vehicle before you could say KGB.
In exchange, of course, should the Russian state require the services of a hacker for launching a crippling cyber attack on a perceived enemy, then it is probably best for the hacker to cooperate.
2007 was the heyday of a loose organisation of companies based in St Petersburg known as the Russian Business Network, or RBN. This mysterious acronym offered to host websites for individuals and companies – it was known as the king of bulletproof hosters. Companies that offer this service are essentially letting their customers know that they are not interested in the content or function of a website and, in exchange for much higher fees, will resist any legal or digital attempts to bring down the sites.
Not all bulletproof hosting is intended as a way of circumventing the law, but criminals and pirates frequently avail themselves of such services. They are virtually indispensable for individuals and groups involved in the distribution of child pornography, for example, and the RBN was known to include such clients on its books, as several security companies’ research departments have identified.
These hosts have also proved invaluable for people distributing spam email, as these operations require huge, secure capacity in order to spew forth their billions of dubious adverts and viruses. Nigerian 419 scams, counterfeit medicines, the now-fabled penis enlargers and many other products (real or imaginary) are dumped on the world from bulletproof hosts. Many spam messages conceal viruses or links to infected websites, which, if activated, may turn a computer into a single footsoldier in a botnet army.
As the Russian Business Network was booming in 2006 and 2007, Spamhaus, the secretive anti-spam operation in Cardiff, listed it as controlling 2,048 Internet addresses. It described the RBN as ‘among the world’s worst spammers’ and home to vast ‘child pornography, malware, phishing and cybercrime-hosting networks’.
The RBN’s primary significance lies in the profitability of such bulletproof hosting organisations, which are able to charge $600 or more a month. For legitimate websites, the cost would be one-tenth of this.
But its secondary role is, in many respects, the more interesting one. The attacks on Estonia began with millions of spam emails swooping down on the computer networks of the Estonian government. Subsequently François Paget, who works for the US computer-security giant McAfee, analysed the content of the spam to discover that they were identical to the standard RBN mailouts. Furthermore, Andy Auld, the head of cyber intelligence at Britain’s Serious Organised Crime Agency, reported that in their brief field-observation of the RBN in St Petersburg, British police were able to establish that the RBN could operate in part because it bribed local law enforcement and the judiciary.
It is possible that the RBN instigated the attacks on Estonia but highly unlikely. More probably it was either paid to launch them or the authorities leaned on them to participate in this act of patriotism. This connection between a complex of St Petersburg-based Internet Service Providers that specialised in criminal activity and the cyber attack on Estonia highlights one of the greatest conundrums at the heart of computer crime and computer security.
There are three main ‘threats’ on the Internet, each manifesting themselves in a variety of guises. First, there is cybercrime. In its most basic form, cybercrime consists of ‘carding’, the theft and cloning of credit-card data for financial gain. Beyond carding, there are all manner of other scams. One of the most lucrative, for example, is called ‘scareware’, which was perfected by a Ukrainian-based company called Innovative Marketing. IM employed dozens of young people in Kiev, the Ukrainian capital, most of whom believed they were involved in a start-up company that was selling legitimate security products. Except they weren’t.
The company was sending out rogue adware, which, once installed on an individual’s computer, would trigger a pop-up on the browser warning the user that their machine had been compromised by a virus. The only way, the advert explained, to rid their computer of the electronic critters now crawling all over their hard disk and RAM was to click on a link and purchase ‘Malware Destroyer 2009’, to name but one of their countless products.