The purpose of this essay is to compare and contrast the cyber-attacks on Estonia, Georgia, and Ukraine, including their tactics, techniques, procedures, and effects. The paper argues that none of these models is likely to be repeated. The thesis is that cyber-attacks will change as technology changes. In other words, past cyber-attack operations, particularly those in Estonia, Georgia, and Ukraine, are not good predictors of future cyber-attack activity.
Copyright © 2021 Donald L. Buresh, Ph.D., JD, LL.M.
The authors have declared that no competing interests exist.
This paper aims to look at the cyber-attacks on Estonia, Georgia, and Ukraine in light of future attacks. The issue is whether cyber-attacks in years to come will resemble the attacks that occurred in Estonia, Georgia, and Ukraine, or whether future attacks will be based on new technologies that are currently emerging or in development. The cyber-attacks on Estonia, Georgia, and Ukraine are discussed in detail from the perspective of what occurred and what was learned. The thesis presented herein is that cyber-attacks will change and evolve as technology becomes more and more pervasive in everyday life. It is proposed that the cyber-attacks in Estonia, Georgia, and Ukraine are relatively poor predictors of future cyber-attacks.
The Russian cyber-attacks that are discussed include the Estonian, Georgian, and Ukrainian cyber-attacks. Each attack is analyzed in terms of its tactics, techniques, procedures, and effects. The measures taken to counter the cyber-attacks and lessons learned from the cyber-attacks are also highlighted in some detail.
The Estonian cyber-attack began on Friday, April 27, 2007, and ended on Friday, May 18, 2007. The attack lasted for three weeks.1 The attack was precipitated by the Estonian government’s decision to move a Soviet World War II memorial, a bronze statue of a soldier two meters high, from central Tallinn, the capital city of Estonia, to a military cemetery.2 During World War II-related holidays, individuals commemorated their losses by placing flowers at the Tallinn site.3 However, over time, these events increasingly provoked hostile actions against the Estonian government.4 The relocation of the statue met intense opposition from the Russian government and Russian media; protests in the streets quickly devolved into riots, the Estonian embassy came under siege, and the Estonian ambassador to Russia was physically harassed.5
There was almost universal access to the Internet in Estonia, where the government had promoted information technology to improve communication between Estonian citizens and their administration and had become virtually paperless in 2001.6 The cyber attackers employed several methods against the Estonian government and Estonian institutions. The attacks consisted of Denial of Service (DoS) attacks, Distributed Denial of Service (DDoS) attacks, website defacement, attacks against Domain Name System (DNS) servers, and mass email comment spam.7 The attacks of April 27 through April 29 consisted of defacing government websites using the straightforward ping command.8 However, as time went by, malformed web queries were employed against the sites of the government and media outlets.9
In the second phase of the attack, the first wave began on May 04 and involved intense and precise attacks against websites and DNS servers using botnets, with the attacks routed through proxy servers in other countries.10 The second wave lasted from May 09 through May 11; it should be remembered that in Russia, May 09 is the national holiday, Victory Day, marking the defeat of Nazi Germany in World War II.11 DDoS attacks against government websites increased by 150 percent during the second phase, lasting from May 09 to May 10.12 Although the Estonian government was the primary victim of the attack, Hansapank, the largest Estonian bank, was also affected by the DDoS attacks.13
The third wave involved the hijacking of 85,000 Estonian computers and took place from noon until midnight on May 15.14 The website of SEB Eesti Ühispank, Estonia’s second-largest commercial bank, was unavailable for about 1.5 hours for Estonian customers and for longer for customers outside the country.15 In the fourth wave, on May 18, both government and banking websites experienced DDoS attacks.16 The source of the attacks was traced to computers in 178 different countries.17 The attacks were politically motivated and carried out by individuals who were following instructions posted on Russian-language websites.18 The second phase of the attack appears to have been centrally controlled.19 Only a few individuals took credit for the attacks.20 The Russian government denied involvement in the cyber-attacks.21
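The paragraphs above describe floods from a single source (ping and DoS), floods spread over botnets and proxies in many countries (DDoS), and malformed web queries. The following is an added example, not code from the essay or from any of the responders it describes: it runs a sliding time window over combined-format web-server log lines and separates a single noisy source from a distributed flood, while also noting which sources sent malformed request lines. All IP addresses, timestamps, and thresholds are constructed for illustration.

```python
"""Rate-based flood triage over constructed web-server access-log lines."""
from collections import Counter
from datetime import datetime, timedelta, timezone
import re

# Combined log format: ip - - [timestamp] "METHOD path HTTP/x.y" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+$'
)
REQ_RE = re.compile(r"^(?:GET|POST|HEAD) \S+ HTTP/\d\.\d$")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, malformed) for a combined-format line, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    malformed = REQ_RE.match(m.group("req")) is None  # request line is not well-formed
    return m.group("ip"), ts, malformed


def triage(lines, window=timedelta(seconds=10), per_ip_limit=50,
           total_limit=100, min_sources=20):
    """Slide a time window over the log and classify the flood pattern.

    dos:  a single source alone exceeds per_ip_limit requests inside one window
    ddos: the window total exceeds total_limit, spread over >= min_sources
          sources, none of which is individually above per_ip_limit
    """
    events, malformed = [], set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # blank or truncated line: skip rather than abort triage
        ip, ts, bad = parsed
        events.append((ts, ip))
        if bad:
            malformed.add(ip)
    events.sort()

    dos_sources, distributed = set(), False
    active, left = Counter(), 0
    for right, (ts, ip) in enumerate(events):
        active[ip] += 1
        while ts - events[left][0] > window:  # evict events older than the window
            old_ip = events[left][1]
            active[old_ip] -= 1
            if active[old_ip] == 0:
                del active[old_ip]
            left += 1
        total = right - left + 1
        top_ip, top_n = active.most_common(1)[0]
        if top_n > per_ip_limit:
            dos_sources.add(top_ip)
        elif total > total_limit and len(active) >= min_sources:
            distributed = True

    verdict = "dos" if dos_sources else ("ddos" if distributed else "normal")
    return {"verdict": verdict, "dos_sources": dos_sources,
            "malformed_sources": malformed, "requests": len(events)}


def _line(ip, ts, req="GET /index.html HTTP/1.1", status=200):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{req}" {status} 512'


def constructed_sample(kind):
    """Constructed log lines for three traffic patterns (illustrative, not real data)."""
    t0 = datetime(2007, 4, 27, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    if kind == "normal":
        lines = [_line("10.0.0.5", t0 + timedelta(seconds=i)) for i in range(5)]
    elif kind == "dos":
        # one source, 60 requests in six seconds: far above per_ip_limit
        lines = [_line("10.0.0.9", t0 + timedelta(milliseconds=100 * i)) for i in range(60)]
    elif kind == "ddos":
        # 30 sources x 5 requests inside one ten-second window; none is individually noisy
        for n in range(30):
            for i in range(5):
                lines.append(_line(f"192.0.2.{n + 1}", t0 + timedelta(seconds=2 * i)))
        # one member of the flood sends a request line without an HTTP version
        lines.append(_line("192.0.2.7", t0 + timedelta(seconds=3), req="GET /index.html"))
    return lines


if __name__ == "__main__":
    for kind in ("normal", "dos", "ddos"):
        print(kind, triage(constructed_sample(kind)))
```

The thresholds are deliberately low so the constructed samples trip them; on a real server they would be tuned from a baseline of normal traffic, and the distributed verdict is the one that tells a defender that per-source blocking alone will not help.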
The cyber-attack had a noticeable effect on the Estonian economy, affecting the commerce, industry, and governance that relied on information and communications technology (ICT) infrastructure.22 Banks, media companies, government institutions, and small to medium businesses were all affected.23 The societal effect was that communication with public administration was significantly hampered, along with the information flow to other countries.24 A side effect was that legitimate Internet traffic was clogged.25 A substantial technical response was mounted, with international cooperation from the European Union (EU) and the North Atlantic Treaty Organization (NATO).26 Public awareness also increased as Estonia worked with other countries to bring cybercriminals to justice.27
The lessons learned are manifold. The Estonian cyber-attack raised international awareness that cyber-attacks were a new form of criminal activity in an information society.28 The attacks accentuated the need for mutual criminal assistance on an international level.29 The challenge was to appreciate that cyber-attacks have international implications, affecting not just one country but a global region or even the whole planet.30
The Georgian cyber-attack began on Friday, August 08, 2008, and ended on Thursday, August 28, 2008; the attack lasted for three weeks.31 The attack was precipitated by an armed conflict between the Russian Federation and the country of Georgia over South Ossetia.32 In 2008, the Internet had a low penetration rate of 7 percent of the population.33 At the time, Georgia was not heavily dependent on IT infrastructure, but there were few land routes for connecting to the Internet, and the connections that did exist depended heavily on Russia.34
Several methods were employed in the Georgian cyber-attack. DoS and DDoS attacks were involved, including the distribution of malicious MS batch scripts whose instructions exploited Structured Query Language (SQL) vulnerabilities.35 Websites were also defaced, and email was used for targeted spamming attacks.36 The targets were the President of Georgia, the Georgian Parliament, Ministries, and the local government of Abkhazia. Financial institutions such as banks were also affected by the attacks.37 Although there was little or no evidence linking the Russian government or state organizations to the attacks, it was thought that Russian hackers were the culprits.38 In essence, there is no conclusive proof as to who was behind the DDoS or defacement attacks.
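The paragraph above names SQL vulnerabilities as the weakness the distributed scripts exploited. As an added example, not code from the essay or from any Georgian site, the block below puts a query assembled by string formatting beside its parameterized form and runs both against an in-memory SQLite table of constructed rows, so the difference in how the same input is treated can be seen directly. The table, the `pages` schema, and the slug-format check are assumptions made for this illustration.

```python
"""Vulnerable versus parameterized lookup against constructed SQLite rows."""
import re
import sqlite3

SLUG_RE = re.compile(r"[a-z0-9-]{1,64}")  # assumed allow-list for a page identifier


def make_db():
    """Constructed table: two published pages and one unpublished draft."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, slug TEXT, published INTEGER)")
    conn.executemany("INSERT INTO pages (slug, published) VALUES (?, ?)",
                     [("about", 1), ("contact", 1), ("draft-budget", 0)])
    return conn


def vulnerable_lookup(conn, slug):
    """BAD: the caller's input becomes part of the SQL text itself."""
    sql = f"SELECT slug FROM pages WHERE slug = '{slug}' AND published = 1"
    return sorted(row[0] for row in conn.execute(sql))


def safe_lookup(conn, slug):
    """GOOD: the placeholder keeps the input a value, never SQL syntax."""
    sql = "SELECT slug FROM pages WHERE slug = ? AND published = 1"
    return sorted(row[0] for row in conn.execute(sql, (slug,)))


def validated_lookup(conn, slug):
    """Defence in depth: reject input that is not even shaped like a slug."""
    if SLUG_RE.fullmatch(slug) is None:
        raise ValueError("slug rejected by allow-list")
    return safe_lookup(conn, slug)


def demo():
    """Run the same input through both paths and report what each returned."""
    conn = make_db()
    # constructed input that turns the rest of the WHERE clause into a comment
    crafted = "x' OR 1=1 --"
    try:
        validated = validated_lookup(conn, crafted)
    except ValueError as exc:
        validated = str(exc)
    return {
        "vulnerable": vulnerable_lookup(conn, crafted),  # leaks the unpublished draft
        "safe": safe_lookup(conn, crafted),              # matches no row
        "validated": validated,
        "legit": validated_lookup(conn, "about"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point for a defender is that the parameterized path needs no knowledge of what the attacker might send; the allow-list on shape is a second, independent layer that also gives a clean log entry when something malformed arrives.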
The effects of the Georgian attacks were limited because of the kinetic military conflict between Russia and Georgia.39 Because of the lack of communication technology in Georgia at the time, the transmission of information to the outside world was constrained, particularly at the beginning of the conflict.40 Primary communications were severely affected because most of the Georgian communications lines passed through Russia.41 Internet services had to be relocated to servers outside the country.42 Assistance from national Computer Emergency Response Teams (CERTs) came from other countries to help alleviate the interruption of Internet service.43 The Georgian academic CERT mitigated the attack by assuming the role of the Georgian national CERT for the duration of the attack.44 The state mandated the blocking of Russian websites to control the flow of information and free up bandwidth, and services were relocated to servers in other countries.45 The national CERTs of other countries were thus involved in helping Georgia overcome the cyber-attack.46
One of the significant lessons learned from the Georgian cyber-attacks concerned the applicability of the Law of Armed Conflict (LOAC).47 The right of a country to employ force against another state depends on the actions of the other state.48 The remedy must be proportionate to the threat and the harm incurred.49 The problem with the Georgian cyber-attack was that it was difficult to estimate the direct effects of the attacks.50 Because the Georgian population was not highly dependent on Internet services, the cyber-attacks were not sufficiently serious to result in severe economic damage or human suffering.51 Thus, the application of the LOAC to the Georgian cyber-attacks seems problematic at best and irrelevant and immaterial at worst.52 The challenges are that new approaches are needed to provide effective legal remedies, and that national information and communication technologies remain essential.53
On December 23, 2015, Prykarpattyaoblenergo, a Ukrainian regional electricity distribution company, stated that the service outages experienced by its customers were caused by a third party’s illegal entry into the company’s computer and supervisory control and data acquisition (SCADA) systems.54 The outage began at 3:35 PM local time.55 Seven 110 kilovolt (kV) and twenty-three 35 kV substations were disconnected from the Ukrainian power grid for three hours.56 The cyber-attack affected other portions of the distribution grid, forcing the company to switch to manual operation.57
Ukrainian news agencies conducted interviews and concluded that a foreign government had remotely controlled the SCADA electrical distribution system.58 It was originally estimated that the outage affected only 80,000 customers.59 However, it was later discovered that the electrical distribution grids of Chernivtsioblenergo and Kyivoblenergo were also affected.60 In total, approximately 225,000 customers lost power due to the attack.61 These cyber-attacks in Ukraine were the first attacks publicly acknowledged to have resulted in power outages.62
A variety of capabilities were demonstrated in the Ukrainian attacks, including spear-phishing emails, variations on the BlackEnergy 3 malware, and Microsoft Office documents altered to carry the malware.63 The attackers harvested credentials and information to gain access to the Ukrainian ICT environment.64 The attackers used two SCADA hijack approaches: a custom hijack and an agnostic hijack.65 They were successful in employing them across different types of SCADA/DMS implementations.66 The attackers showed a desire to target field devices at substations, write custom malicious firmware, and render specific devices inoperable.67
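The paragraph above identifies spear-phishing emails carrying altered Microsoft Office documents as the initial access path. As an added example, not code from the essay, from Lee et al., or from any oblenergo, the block below shows the kind of attachment check a mail gateway or incident responder can apply: it opens an Office Open XML package in memory and reports whether it carries a VBA project, whether its declared content types say so, and whether macro content hides behind a non-macro extension; a legacy OLE container is reported separately because its macros cannot be excluded by filename alone. The packages it inspects are constructed in the block itself with a placeholder `vbaProject.bin`, so nothing here is a real malicious document.

```python
"""Triage of Office attachments for embedded macro content (constructed samples)."""
import io
import zipfile

MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
MACRO_CTYPE = "application/vnd.ms-office.vbaProject"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc/.xls container header
NON_MACRO_EXT = ("docx", "xlsx", "pptx")


def inspect_attachment(name, data):
    """Return a list of findings for one attachment; an empty list means no macro indicator."""
    findings = []
    if data.startswith(OLE_MAGIC):
        findings.append("legacy OLE container: macro presence cannot be excluded by name")
        return findings
    if not data.startswith(b"PK"):
        return findings  # not an OOXML zip package; out of scope for this check
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings.append("Office extension but not a valid OOXML package")
        return findings
    names = set(zf.namelist())
    if any(part in names for part in MACRO_PARTS):
        findings.append("embedded VBA project part (vbaProject.bin)")
    ctypes = ""
    if "[Content_Types].xml" in names:
        ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    if MACRO_CTYPE in ctypes:
        findings.append("content types declare a VBA project")
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if findings and ext in NON_MACRO_EXT:
        findings.append(f"macro content behind a non-macro extension .{ext}")
    return findings


def build_package(with_macro):
    """Construct a minimal OOXML package in memory, optionally with a placeholder VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        ct += '<Default Extension="xml" ContentType="application/xml"/>'
        if with_macro:
            ct += f'<Override PartName="/word/vbaProject.bin" ContentType="{MACRO_CTYPE}"/>'
            zf.writestr("word/vbaProject.bin", b"\x00constructed-placeholder-not-a-real-project")
        ct += "</Types>"
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def triage_mailbox():
    """Constructed attachments as a mail gateway might see them."""
    samples = {
        "invoice.docx": build_package(with_macro=True),   # macro hidden behind .docx
        "memo.docx": build_package(with_macro=False),     # clean package
        "report.doc": OLE_MAGIC + b"\x00" * 24,           # legacy container stub
        "notes.txt": b"plain text, nothing to inspect",
    }
    return {name: inspect_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in triage_mailbox().items():
        print(name, "->", findings or "no macro indicators")
```

The check is a pre-filter, not a verdict: a positive finding is the cue to detonate the file in a sandbox or strip the attachment, and a negative one says only that this particular indicator is absent.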
It is not clear why these three oblenergos were targeted. Lee et al. listed the following possible decision factors:68
Standard systems and configurations;
Impact duration estimates;
Existing capabilities would achieve the desired results;
Risk-level was reasonable; and
Access to act within the environment.
The lessons learned are legion. Because the spear-phishing employed social engineering techniques to target the Ukrainian oblenergos, organizations need to safelist extensively, identifying the users that are granted each specific privilege, service, mobility, access, or recognition.69 Because BlackEnergy 3 was used, user passwords should be changed periodically, monitoring for data exfiltration and controlling access are critical, and two-factor authentication with user tokens should be applied.70
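The controls listed above (an explicit safelist of who holds SCADA access, periodic password change, token-based two-factor authentication, and watching for data exfiltration) are ordinary enough to be checked automatically. The block below is an added example, not code from the essay or from any oblenergo: it audits constructed account records against those three account-level controls and flags hosts whose daily outbound volume departs sharply from their own baseline. The account names, hosts, dates, byte counts, the 90-day rotation limit, and the three-sigma threshold are all constructed assumptions.

```python
"""Control checks drawn from the Ukraine lessons learned, over constructed records."""
from datetime import date
from statistics import mean, pstdev

SAFELIST = {"ops-dispatch", "scada-eng-1"}  # constructed: accounts approved for SCADA/DMS access
ROTATION_DAYS = 90                          # assumed password rotation limit
EXFIL_SIGMA = 3.0                           # assumed anomaly threshold in standard deviations

ACCOUNTS = [  # constructed account records
    {"user": "ops-dispatch", "scada": True,  "mfa": "token", "pw_set": date(2015, 11, 1)},
    {"user": "scada-eng-1",  "scada": True,  "mfa": "none",  "pw_set": date(2015, 12, 1)},
    {"user": "contractor-7", "scada": True,  "mfa": "token", "pw_set": date(2015, 6, 1)},
    {"user": "hr-clerk",     "scada": False, "mfa": "none",  "pw_set": date(2015, 1, 1)},
]

OUTBOUND_MB = {  # constructed: thirteen baseline days of outbound MB per host, then today's figure
    "hmi-01":    ([12, 11, 13, 12, 10, 14, 12, 11, 13, 12, 12, 11, 13], 12),
    "eng-ws-04": ([40, 42, 38, 41, 39, 43, 40, 42, 41, 39, 40, 42, 41], 950),
}


def audit_accounts(accounts, today, safelist=SAFELIST, rotation_days=ROTATION_DAYS):
    """Return (user, problem) pairs for every SCADA-capable account that breaks a control."""
    findings = []
    for a in accounts:
        if not a["scada"]:
            continue  # only accounts that can reach the control environment are in scope
        if a["user"] not in safelist:
            findings.append((a["user"], "not on SCADA safelist"))
        if a["mfa"] != "token":
            findings.append((a["user"], "no token-based 2FA"))
        if (today - a["pw_set"]).days > rotation_days:
            findings.append((a["user"], "password older than rotation limit"))
    return findings


def exfil_suspects(outbound, sigma=EXFIL_SIGMA):
    """Map host -> z-score for hosts whose outbound volume today is far above their baseline."""
    suspects = {}
    for host, (baseline, today_mb) in outbound.items():
        mu, sd = mean(baseline), pstdev(baseline)
        if sd > 0:
            z = (today_mb - mu) / sd
        else:
            # a perfectly flat baseline has no spread; treat a doubling as the practical trigger
            z = float("inf") if today_mb > 2 * mu else 0.0
        if z > sigma:
            suspects[host] = round(z, 1)
    return suspects


def run_audit(today):
    """Combine both checks into one report for the given audit date."""
    return {"accounts": audit_accounts(ACCOUNTS, today),
            "exfil": exfil_suspects(OUTBOUND_MB)}


if __name__ == "__main__":
    report = run_audit(date(2015, 12, 23))
    for user, problem in report["accounts"]:
        print(f"{user}: {problem}")
    for host, z in report["exfil"].items():
        print(f"{host}: outbound volume {z} sigma above baseline")
```

Per-host baselines matter more than a global threshold here: an engineering workstation that normally moves 40 MB a day and suddenly moves 950 MB stands out, while the same 950 MB from a backup server would not.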
Attacks Most Likely to Occur in the Future
The purpose of this section of the essay is to discuss the likelihood that the Estonian, Georgian, and Ukrainian cyber-attacks will serve as models for future attacks. The paper points out that the Estonian and Georgian cyber-attacks share a familiar modus operandi, whereas the Ukrainian cyber-attack is either a special attack, a test attack, or possibly an attack by non-government actors. The reason is that the Estonian and Georgian cyber-attacks lasted for approximately three weeks, while the Ukrainian cyber-attack lasted merely three hours. The difference in duration could point to an alternative explanation.
Estonian and Georgian Cyber-Attacks
The Estonian and Georgian cyber-attacks share several common characteristics. Both used DoS and DDoS attacks, defacement of websites, and attacks on DNS.71 Both lasted for approximately three weeks.72 The attacks occurred within 16 months of each other, and both were precipitated by the remembrance of a past war or by an actual war.73 At the time, Estonia had a highly developed Internet infrastructure, whereas the opposite was true of Georgia.74
The problem with using these two cyber-attacks as models for future attacks is that the technology employed is ten or more years old. Cell phones were present in the 2007-08 timeframe, but their sophistication at the time was a far cry from current technology.75 The Internet-of-Things (IoT) was in its infancy.76 The machines that carried out the cyber-attacks were likely either desktop towers or notebooks. Sophisticated Internet-connected computers inside automobiles, televisions, refrigerators, microwaves, and the gas and electric meters outside a home were virtually unknown a decade ago.77 All of these devices are now candidates for bots to be used in future cyber-attacks.78 Thus, based on the evidence above, the cyber-attacks of the future will probably not resemble the cyber-attacks that occurred in Estonia and Georgia.79,80,81
As an example of future cyber-attacks, the December 2015 cyber-attack in Ukraine has serious credibility issues. First, the Euromaidan Revolution of February 2014 occurred nearly two years before the Ukrainian cyber-attack.82 The parties to the revolution that overthrew the existing government included the Euromaidan protestors, the Euromaidan militants (Sotnia), and the Right Sector, a Ukrainian neo-Nazi group.83 At the time, the revolution appeared to be a neo-Nazi revolution, thrusting the Right Sector into political power.84 The Russian people were adamantly against the new Ukrainian government because 20 Soviet citizens had died during World War II defeating Nazi Germany.85 The citizens of Crimea voted overwhelmingly to secede from Ukraine86 in fear that the new government would institute the ethnic cleansing of Russians on the peninsula.87 The Eastern regions of Donbas and Luhansk also seceded from Ukraine because most of their citizens were either Russians or of Russian descent.88 The government of Ukraine held that the citizens of Crimea, Donbas, and Luhansk had illegally seceded from the country and that Russia had instigated the secession.89 Thus, when the opportunity arose, it is reasonable to suggest that blaming Russia for the power outage was a way to cast aspersions on the country’s northern neighbor.
Second, the electrical outage lasted for only three hours.90 In the United States, it is not uncommon for power outages to last for three hours or more, particularly when any of a variety of events causes an equipment failure.91 This author experienced a power outage for four days while living in Massachusetts after an ice storm.92 In other words, a three-hour power outage could have had a variety of causes, including equipment failure or incompetence, not merely a cyber-attack by the Russian Federation. This is not to say that the Russian government or Russian citizens did not engage in a cyber-attack against Ukraine. The power outage could have been a testbed for future cyber-attacks.93 Rather, this alternative explanation is mentioned to point out that other reasons are possible and perhaps even probable.
Third, although it is unlikely, there is a possibility that the revolutionary Ukrainian government caused the power outage. On February 27, 1933, the German Reichstag burned to the ground because of arson.94 One month earlier, Hitler had been made Chancellor by von Hindenburg.95 The fire was blamed on Marinus van der Lubbe, an unemployed Dutch construction worker whom the police arrested because he was outside the building in possession of firelighters.96 He was also panting and sweating.97 Van der Lubbe was tried for the arson and executed.98 Hitler used the burning of the building as an excuse to pass the Enabling Act of 1933, assigning all legislative power to Hitler and his ministers and thereby permitting Hitler to control the German political process.99 Hitler then proceeded to eliminate the Communists from German politics.100
In contrast, Hett argued that Hitler and the German Nazis could themselves have caused the burning of the Reichstag to gain political power.101 Hett observed that in the previous election, the Nazis had lost seats in the Reichstag.102 To secure more power, Hitler may have used the arson to abandon the constitution of the Weimar Republic.103 With the embers of the Reichstag not yet extinguished, Hitler arrested 5,000 people, primarily communists.104 The result was the 12-year reign of the Third Reich.105
The Right Sector, a Ukrainian political party, is a neo-Nazi group with Third Reich roots.106 There is a possibility that the Ukrainian government used the power outage as an excuse to blame the Russian Federation for a cyber-attack, thereby garnering international support for the new Ukrainian government.107 What is peculiar about the power outage is that it lasted only three hours.108 If it were indeed a Russian cyber-attack, the attack would probably have continued for more than a mere few hours; then again, the attacks could have been an effort by the Russian government, even if a somewhat lackluster one, to prevent Ukraine from joining the European Union.109 Western media have claimed that the power outage was a cyber test conducted by the Russian Federation.110 If so, that account would have to explain the short duration of the power outage. One possibility is that the Ukrainian cyber-attack was conducted by Russian hackers who were not affiliated with the Russian government.111 It is also possible that Right Sector hackers attacked the Ukrainian government facilities while spoofing their attacking addresses to make it appear that the Russian government was involved in the cyber-attack, but there is seemingly no proof of this theory.
It is indeed far more likely that Estonia and Georgia were attacked by the Russian Federation, even though the Russian government denied any involvement in the attacks.112 After all, the Estonian and Georgian attacks lasted for three weeks.113 There are several alternative explanations, and Ukraine and the Western powers have too many political axes to grind, to conclude positively that the power outage was a Russian Federation cyber-attack.114 The Russian Federation may have had little to nothing to gain by instigating a three-hour cyber-attack against the three oblenergos, except collecting the data from a cyber-test.115 However, considering the potential adverse effects on world opinion, Russia had a lot to lose if it were determined to be the perpetrator of the attacks.116 Thus, the short-lived cyber-attacks on the oblenergos may not have originated in Russia and are probably not a good model for future international cyber-attacks.117 It appears that a cyber-test of this magnitude, if it was indeed a test, need only be conducted once and not repeated.118
A Glimpse into the Future
The short answer to whether the three cyber-attack models discussed above are likely to be repeated in the future is none of the above.119 The reason is that the answer depends on the date and time of the attack and the technology employed by the attack.120 For example, if a cyber-attack were to occur now, there would be little or no change in technology.121 The attack would probably very closely resemble past attacks because it would use existing available technology, such as fax machines, printers, video conference systems, security cameras, door access systems, and heating, ventilation, and cooling systems.122 There would be almost no change in the availability of the IoT and its controlling computer systems.123 Thus, a cyber-attack could resemble the Estonian, Georgian, or Ukrainian attacks, depending on the existing hardware and software employed by the attackers and available at the target site.
However, if we move forward five, ten, or 20 years, the situation dramatically changes. The technology in this future period will probably be entirely different from the technology around us today.124,125 First, there is the IoT. Smart devices are being marketed and sold to consumers at a rapid pace.126 IoT will pervasively dominate our economy in the next five to ten years.127 These devices will probably possess less than adequate security features because security will likely be brushed aside in a rush to market, while cybercriminals will note this situation and probably exploit it.128
Stuxnet and its variations will probably play a dramatic role in future cyber-attacks.129 When the United States government used Stuxnet a decade ago to disrupt Iranian centrifuges, a physical machine was involved that stopped working correctly.130 The child or grandchild of Stuxnet could be employed to modify the actions of physical devices such as automobiles, televisions, refrigerators, or microwave ovens.131 These devices could be programmed by malware to stop functioning or even to explode.132 A car is potentially the most dangerous of the machines mentioned because it is large, heavy, and moves quickly.133 With sophisticated computers inside controlling the operation of an automobile, cars could be employed to run people over or even explode in crowded areas.134 A Stuxnet-like virus that infected a vehicle could be programmed to affect specific vehicles in order to injure or kill particular individuals, whether the attack occurs in an automobile assembly plant or while driving.135 When this type of cyber-attack occurs, a kinetic response of some sort may be entirely appropriate under certain conditions, much as happened when Archduke Ferdinand, the heir at the time to the Austro-Hungarian Empire, was assassinated on June 28, 1914.136
When looking 20 years into the future, it is quite likely that human beings will be physically connected to the Internet via nanotechnology implanted into their bodies.137 This technology could interact with human DNA, causing numerous issues.138 For example, a cyber-attack could involve programming humans to perform actions that they normally would not do. A cyber-attack could circumvent human free will.139 If the attack were sufficiently malicious, it might be possible to program humans to attack others or to do nothing when a defensive response would be appropriate. In this case, society could easily come to resemble that of Brave New World or 1984.140,141
Thus, a future cyber-attack depends on the date and time that the attack occurs and the technology involved. Without this information, it is probably impossible to predict what a future cyber-attack will resemble with any precision or accuracy. However, with this information, the only impediment to a precise and accurate prediction is the imagination of a sage or prophet. A prospective attacker will have no such limitation. They are already well aware that the future belongs to them.