Summation:
The attacks entailed a broad array of techniques, starting with mere spam posts and progressing to well-coordinated DDoS attacks against the government’s IT systems. The cyber attacks were coordinated in Russian over the internet from computer networks and servers in Russia. Detailed instructions on how to act covered the nature and execution of attacks, as well as potential targets and attack timing.
Very basic instructions were disseminated on websites, in forums, and in chat spaces, precluding the user’s need for any knowledge or skills. The first attack took place on 27 April following the first night of rioting and was fairly simple. The portrait of the Prime Minister on the home page of the Reform Party was defaced (the PM with Hitler’s mustache), and initial DDoS attacks were launched against Estonian government organizations. Some were successful, but normal operations were quickly restored.
Dmitri’s Role:
On the 28th, however, forum members living in Estonia were being urged, from the addresses http://2ch.ru and http://forum.xaker.ru, to carry out serious attacks against Estonian web pages. Discussions were also taking place about how to finance the rental of server farms and botnets for a massive attack, as well as a Trojan horse application needed to hijack computers. More than 1,500 users logged onto their chat lines and awaited instructions from the botnet. It is widely believed that a Russian criminal gang rented the botnet in order to launch these attacks against Estonia.
Simultaneous orders to attack were being disseminated via the internet. Although the vast majority were primitive, they were effective for the purposes of creating chaos and confusion. The attacks were also discussed and coordinated in IRC environments. Consequently, there was a large incremental increase in spontaneous attacks carried out by individuals. On the 30th a number of very complex and sophisticated attacks were launched.
The attackers were able to dedicate substantial resources, indicative of a well-organized and financed enemy. By this time, the Estonian authorities had blocked the majority of internet traffic from ‘dot RU’ IP address extensions, as well as from many other foreign IPs. Somewhat later in the day the brunt of the attack shifted to the DNS system. Now seemingly human-friendly website names were utilized with the obvious intent of putting the entire DNS system out of commission and crippling Estonia’s internet.
During the first week of May, some of these attacks were able to achieve temporary success against telecommunications companies providing internet services and Estonian media publications. The attackers covered their tracks by using global bot networks (not all located in Russia), proxy servers in third countries, and by distorting their IP addresses.