Case Study: The 2007 Cyber Attacks on Estonia
The former Soviet satellite nation of Estonia is home to many ethnic Russians, amounting to an estimated 26 percent of the population. In the spring of 2007, the Estonian government ordered that a statue [commemorating the Soviet liberation of Estonia from Nazi occupation] be removed from Tonismagi Park, in Tallinn. Tensions between ethnic Russians and Estonians, already at a boiling point, spilled over into the streets and onto the web. As a result, pro-Russian hackers and cyber warriors coordinated one of the most damaging cyber-attacks since the early history of cyber warfare.
Through various distributed denial of service [DDoS] attacks, pro-Russian hackers targeted servers and websites of government and financial institutions in Estonia. DDoS attacks are designed to overload and crash servers and websites through repeated and simultaneous requests for information, typically carried out with the use of botnets. Botnets are literally hundreds, maybe thousands, of machines that are under the command and control of a group or individual. The machines are then instructed to simultaneously send out repeated requests for information on a massive scale toward targeted servers and websites, thereby overloading and crashing them. Repeated requests for information typically include mass log-in attempts.
In the case of the DDoS attacks on Estonia, hackers shut down “the websites of all government ministries, two major banks, and several political parties. At one point, hackers even disabled the parliamentary email server” (Herzog 2011). Although Estonia’s government and financial institutions eventually recovered from the attack, there were numerous multinational responses that followed, which led to the development of NATO’s current policy on cyber defense, and the creation of Estonia’s Cyber Defence League.
However, the international community largely blamed the Russian Federation for the cyber-attack, asserting that it had been part of a wider plan to promote Russian interests, instigate and empower ethnic Russians, and destabilize a member nation of NATO.
Similar to most modernized governments around the world, Estonia relies on the internet to maintain an infrastructure and conduct business. In April of 2007, hacker groups coalesced to launch crippling DDoS attacks, aimed specifically at Estonia’s government, infrastructure, and financial institutions. International suspicion of foul play on behalf of the Russian government is perhaps more well-founded than the Russian government’s statements of denial. The level of sophistication adds depth to the argument that the Russian government participated in the cyber-attack to promote its own interests, or to retaliate against Estonia for joining the EU and NATO three years earlier (Wlodarska 2011). Certainly, it would be more plausible to believe that loosely organized hackers would be less capable of such sophisticated and widespread attacks, and that they would be more inclined to carry out actions more along the lines of website defacement. Stephen Herzog details the level of sophistication:
“In the case of Estonia, the cyber-terrorist attacks occurred through the use of globally dispersed and virtually un-attributable botnets of ‘zombie’ computers. The hackers hijacked computers — including many home PCs — in places like Egypt, Russia, and the United States and used them in a ‘swarming’ DDoS strategy. Government and bank websites that normally received 1,000 visits a day crashed after receiving upwards to 2,000 hits a second” (Herzog 2011).
The size and duration of the attacks seem to support state-sponsorship or participation from the Russian Federation. Similarly, the fact that some IP addresses were traced all the way to Egypt and the United States also seems to promote the notion that these pro-Russian hackers had either been operating together for years, or they were receiving help from the Russian Federation. Toomas Ilves states, “Estonia cannot ignore that [it is] located next to Russia, which uses aggressive rhetoric, is constantly developing its cyber-attack capabilities, and for whom activities directed against other states in cyberspace are merely an instrument to increase its influence and accomplish its objectives” (Ilves 2016).
Regardless, the Russian Federation had obvious interests in stirring up the emotions of ethnic Russians in Estonia, as can be gathered from official statements by senior officials in the Kremlin. Yet, the Russian Federation officially denies any involvement, despite having had multiple IP addresses traced back to various locations inside Russian borders. Oliver Fitton claims that the Russian Federation was running a ‘gray zone’ operation in Estonia, designed to instill Russian nationalism among ethnic Russian Estonians, and to destabilize the Estonian government and financial sectors (Fitton 2016). Herzog explains that, “when combined with satellite television, the wide availability of Russian-language publications, and a plethora of internet forums, these elements of globalization have enabled the Russian ethnic identity to transcend geopolitical borders” (Herzog 2011). In this light, it is easy to see how the Russian Federation would be able to capitalize on the opportunity to exploit pro-Russian/anti-Estonian sentiments, thereby prompting outrage, and resulting in the massive DDoS attacks. Another indicator of Russian instigation can be found in the fact that the Kremlin refused to participate in any attempts to catch the perpetrators, especially ones located inside Russia (Wlodarska 2011).
The attacks that occurred over a period of three weeks were intended to erode relations between the Russian Federation and the newly inducted NATO member Estonia. Whether or not the international community can officially prove that the Russian Federation had been involved, the attack certainly destabilized the Estonian government [and therefore a portion of NATO’s eastern flank]. In this manner, the Russian Federation benefitted from a weakened member of NATO, and from a boost in Russian nationalistic pride both inside and outside of Russia. The latter also bolstered Russian-language [state-controlled] media and propaganda outlets. NATO’s response indicated that it had indeed been destabilized, at least to some extent. It should be noted that it took NATO four years to formulate and implement an official policy decision and response to the 2007 attacks. That means that from 2007–2011, NATO went without any significant cyber defense programs (Kouremetis 2015). As such, member nations were forced to draft and implement their own cyber defense programs, and ultimately fend for themselves. Because of this, the perpetrators of the 2007 DDoS attacks on Estonia essentially disappeared into the shadows, due to a lack and inadequacy of any official international investigation.
In sum, the three-week cyber-attacks on Estonia’s government and financial sectors demonstrated the complexities of cyber warfare. The international community widely suspected the Russian Federation of exploiting Russian nationalism in Estonia to carry out the cyber-attack, which was designed to empower ethnic Russians spread out across the globe, and also to destabilize a member nation of NATO. Much of the evidence surrounding the attacks points toward Russian participation or sponsorship. Motives for the attacks can be easily recognized, and official responses by the Russian Federation seem to hold little weight. However, the international community’s failure to properly investigate the attacks, formulate any substantial or effective policy decisions and responses, and implement any advanced cooperative cyber defense programs ultimately led to an inability to accurately uncover the identities of the true perpetrators. As such, it is easy to assume that similar attacks will become more frequent in the future, given the level of anonymity and ambiguity, and the level of impact in DDoS and other forms of cyber-attacks. If NATO and the international community are to be successful in the pursuit of their political, military, economic, and security objectives, they must come together to establish and implement effective cyber defense policies and programs. Otherwise, the nightmare in Estonia in 2007 will most likely be re-lived, and perhaps on a larger scale.
References:
Donner, Marc. “Cyberassault on Estonia,” IEEE Security and Privacy (2007): 4. Accessed 28 January 2018. http://ieeexplore.ieee.org.ezproxy2.apus.edu/stamp/stamp.jsp?tp=&arnumber=4288034.
Fitton, Oliver. “Cyber Operations and Gray Zones: Challenges for NATO,” Connections: The Quarterly Journal 15, no. 2 (2016): 109–119. Accessed 28 January 2018. https://search-proquest-com.ezproxy1.apus.edu/docview/1784582251?pq-origsite=summon&accountid=8289.
Herzog, Stephen. “Revisiting the Estonian Cyber Attacks: Digital Threats and Multinational Responses,” Journal of Strategic Security 4, no. 2 (2011): 49–60. Accessed 16 July 2017. https://search-proquest-com.ezproxy1.apus.edu/docview/1618841861?pq-origsite=summon&accountid=8289.
Ilves, Toomas Hendrik. “The Consequences of Cyber Attacks,” Journal of International Affairs 70, no. 1 (2016): 175–178. Accessed 16 July 2017. https://search-proquest-com.ezproxy1.apus.edu/docview/1855796600?pq-origsite=summon&accountid=8289.
Kouremetis, Michael. “An Analysis of Estonia’s Cyber Security Strategy, Policy, and Capabilities,” European Conference on Cyber Warfare and Security (2015): 404–412. Accessed 16 July 2017. https://search-proquest-com.ezproxy2.apus.edu/docview/1859442804?pq-origsite=summon&accountid=8289.
Wlodarska, Agata. “Russian-Estonian Relations After 2007: Current Status and Development Prospects,” International Studies 13, no. 1 (2011). Accessed 16 July 2017. https://search-proquest-com.ezproxy1.apus.edu/docview/1322379886?pq-origsite=summon&accountid=8289.