Cyberattacks on Estonia 2007

Beginning on 27 April 2007, a series of cyberattacks targeted websites of Estonian organizations, including the Estonian parliament, banks, ministries, newspapers and broadcasters, amid the country's disagreement with Russia about the relocation of the Bronze Soldier of Tallinn, an elaborate Soviet-era grave marker, as well as war graves in Tallinn. Most of the attacks that had any influence on the general public were distributed denial of service type attacks, ranging from single individuals using various methods like ping floods to expensive rentals of botnets usually used for spam distribution. Spamming of bigger news portals' commentaries and defacements, including that of the Estonian Reform Party website, also occurred. Research has also shown that large conflicts took place to edit the English-language version of the Bronze Soldier's Wikipedia page.

Some observers reckoned that the onslaught on Estonia was of a sophistication not seen before. The case is studied intensively by many countries and military planners as, at the time it occurred, it may have been the second-largest instance of state-sponsored cyberwarfare, following Titan Rain.

As of January 2008, one ethnic-Russian Estonian national had been charged and convicted. During a panel discussion on cyber warfare, Sergei Markov of the Russian State Duma stated that his unnamed aide was responsible for orchestrating the cyber attacks. Markov alleged the aide acted on his own while residing in an unrecognised republic of the former Soviet Union, possibly Transnistria. On 10 March 2009, Konstantin Goloskokov, a "commissar" of the Kremlin-backed youth group Nashi, claimed responsibility for the attack. Experts are critical of these varying claims of responsibility. The direct result of the cyberattacks was the creation of the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia.


Estonia's response

The Estonian government was quick to blame the Kremlin, accusing it of being directly involved in the attacks. It was later revealed that the allegations were not completely correct when Estonia's defense minister, Jaak Aaviksoo, admitted that he had no evidence linking the cyber-attacks to the Kremlin. "Of course, at the moment, I cannot state for certain that the cyber-attacks were managed by the Kremlin, or other Russian government agencies," he said in an interview on Estonia's Kanal 2 TV channel. "Again, it is not possible to say without doubt that orders came from the Kremlin, or that, indeed, a wish was expressed for such a thing there." Russia called the accusations of its involvement "unfounded", and neither NATO nor European Commission experts were able to find any proof of official Russian government participation. Since the attack, Estonia has advocated for increased cybersecurity protection and response protocol.


NATO's response

In response to such attacks, NATO conducted an internal assessment of its cyber security and infrastructure defenses. The assessment resulted in a report issued to the allied defense ministers in October 2007. It further developed into the creation of a cyber defense policy and the creation of the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in May 2008. Due to the attacks, the ''Tallinn Manual on the International Law Applicable to Cyber Warfare'' was also developed. This report outlined international laws which are considered applicable to the cyber realm. The manual includes a total of ninety-five "black-letter rules" addressing cyber conflicts. The Tallinn Manual has worked to provide a global norm in cyber space by applying existing international law to cyber warfare. The manual suggests that states do not have sovereignty over the Internet, but that they do have sovereignty over components of the Internet in their territory.


Legalities

On 2 May 2007, a criminal investigation was opened into the attacks under a section of the Estonian Penal Code criminalising ''computer sabotage'' and ''interference with the working of a computer network'', felonies punishable by imprisonment of up to three years. As a number of attackers turned out to be within the jurisdiction of the Russian Federation, on 10 May 2007 the Estonian Public Prosecutor's Office made a formal investigation assistance request to the Russian Federation's Supreme Procurature under a Mutual Legal Assistance Treaty (MLAT) existing between Estonia and Russia. A Russian State Duma delegation visiting Estonia in early May regarding the situation surrounding the Bronze Soldier of Tallinn had promised that Russia would aid such an investigation in every way available. On 28 June, the Russian Supreme Procurature refused assistance, claiming that the proposed investigative processes were not covered by the applicable MLAT. Piret Seeman, the Estonian Public Prosecutor's Office's PR officer, criticized this decision, pointing out that all the requested processes are actually enumerated in the MLAT.

On 24 January 2008, Dmitri Galushkevich, a student living in Tallinn, was found guilty of participating in the attacks. He was fined 17,500 kroons (approximately US$1,640) for attacking the website of the Estonian Reform Party. As of 13 December 2008, Russian authorities had been consistently denying Estonian law enforcement any investigative cooperation, thus effectively eliminating chances that those of the perpetrators who fall within Russian jurisdiction will be brought to trial.


Opinions of experts

Critical systems whose network addresses would not be generally known were targeted, including those serving telephony and financial transaction processing. Although not all of the computer crackers behind the cyberwarfare have been unveiled, some experts believed that such efforts exceed the skills of individual activists or even organised crime, as they require the co-operation of a state and a large telecom company.

A well-known Russian hacker, Sp0Raw, believes that the most efficient online attacks on Estonia could not have been carried out without the blessing of the Russian authorities and that the hackers apparently acted under "recommendations" from parties in higher positions. At the same time, he called the claims of Estonians regarding direct involvement of the Russian government in the attacks "empty words, not supported by technical data".

Mike Witt, deputy director of the United States Computer Emergency Readiness Team (CERT), believes that the attacks were DDoS attacks. The attackers used botnets, global networks of compromised computers, often owned by careless individuals. "The size of the cyber attack, while it was certainly significant to the Estonian government, from a technical standpoint is not something we would consider significant in scale," Witt said.

Professor James Hendler, former chief scientist at The Pentagon's Defense Advanced Research Projects Agency (DARPA), characterised the attacks as "more like a cyber riot than a military attack."

"We don't have directly visible info about sources so we can't confirm or deny that the attacks are coming from the Russian government," Jose Nazario, software and security engineer at Arbor Networks, told ''internetnews.com''. Arbor Networks operated the ''ATLAS'' threat analysis network, which, the company claimed, could "see" 80% of Internet traffic. Nazario suspected that different groups operating separate distributed botnets were involved in the attack.

Experts interviewed by IT security resource SearchSecurity.com "say it's very unlikely this was a case of one government launching a coordinated cyberattack against another": Johannes Ullrich, chief research officer of the Bethesda said "Attributing a distributed denial-of-service attack like this to a government is hard." "It may as well be a group of bot herders showing 'patriotism,' kind of like what we had with Web defacements during the US-China spy-plane crisis [in 2001]." Hillar Aarelaid, manager of Estonia's Computer Emergency Response Team, "expressed skepticism that the attacks were from the Russian government, noting that Estonians were also divided on whether it was right to remove the statue".

"Today security analysts widely believe that the attacks were condoned by the Kremlin, if not actively coordinated by its leaders," wrote Andy Greenberg, author of the WIRED Guide to Cyberwar (23 August 2019, ''wired.com''). He noted that the next year, 2008, similar attacks on Georgia were accompanied by a Russian physical invasion.

Clarke and Knake report that upon the Estonian authorities informing Russian officials they had traced systems controlling the attack to Russia, there was some indication in response that incensed patriotic Russians might have acted on their own. Regardless of conjectures over official involvement, the decision of Russian authorities not to pursue individuals responsible (a treaty obligation), together with expert opinion that Russian security services could readily track down the culprits should they so desire, leads Russia observers to conclude the attacks served Russian interests.

On May 23, 2012, the Atlantic Council convened a retrospective conference, "Building a Secure Cyber Future: Attack on Estonia, Five Years On", in which cyber-experts who had been involved in the conflict discussed lessons learned and how the field of cyber-conflict was changed by the Estonian attack and the following year's attack on Georgia. The conference was organized by Jason Healey, director of the Atlantic Council's Cyber Statecraft Initiative, and featured talks by Jaan Priisalu, Director General of Estonia's Information System Authority; Bill Woodcock, an American cybersecurity expert who assisted in the defense; Jonatan Vseviov, then Minister of Defense and subsequently Ambassador to the United States; Heli Tiirmaa-Klaar, Estonian Ambassador-at-Large for Cybersecurity; and others. Priisalu discussed the attack's impact on the Estonian financial system, while Woodcock described the methods the Estonian CERT used to coordinate defensive actions with network operators and their counterparts in neighboring countries, and Vseviov talked about the broader societal implications of the attack, and NATO's Article 5 obligations.


Claiming responsibility for the attacks

A Commissar of the Nashi pro-Kremlin youth movement in Moldova and Transnistria, Konstantin Goloskokov (Goloskov in some sources), admitted organizing cyberattacks against Estonian government sites. Goloskokov stressed, however, that he was not carrying out an order from Nashi's leadership and said that a lot of his fellow Nashi members criticized his response as being too harsh.

Like most countries, Estonia does not recognise Transnistria, a secessionist region of Moldova. As an unrecognised nation, Transnistria does not belong to Interpol. Accordingly, no Mutual Legal Assistance Treaty applies. If residents of Transnistria were responsible, the investigation may be severely hampered, and even if the investigation succeeds in finding likely suspects, the legal recourse of Estonian authorities may be limited to issuing all-EU arrest warrants for these suspects. Such an act would be largely symbolic.

The head of the Russian Military Forecasting Center, Colonel Anatoly Tsyganok, confirmed Russia's ability to conduct such an attack when he stated: ''"These attacks have been quite successful, and today the alliance had nothing to oppose Russia's virtual attacks"'', additionally noting that these attacks did not violate any international agreement.


Influence on international military doctrines

The attacks triggered a number of military organizations around the world to reconsider the importance of network security to modern military doctrine. On 14 June 2007, defence ministers of NATO members held a meeting in Brussels, issuing a joint communiqué promising action by the autumn of 2007. NATO's Cooperative Cyber Defence Centre of Excellence (CCDCOE) was established in Tallinn on 14 May 2008.

On 25 June 2007, Estonian president Toomas Hendrik Ilves met with US president George W. Bush. Among the topics discussed were the attacks on Estonian infrastructure.

The events have been reflected in a NATO Department of Public Diplomacy short movie, ''War in Cyberspace''.


See also

* Bronze Night
* Cyberattacks during the 2008 South Ossetia war
* ''Fatal System Error''
* Russian influence operations in Estonia


External links


* Cyber War I: Estonia Attacked from Russia, by Kertu Ruus, European Affairs: Volume number 9, Issue number 1–2 in the Winter/Spring of 2008.
* Estonian attacks were a cyber riot, not warfare, by Bill Brenner, 6 August 2007.
* by Gadi Evron, 26 Jul 2007.
* Massive DDoS attacks target Estonia; Russia accused (https://arstechnica.com/news.ars/post/20070514-massive-ddos-attacks-target-estonia-russia-accused.html)
* Cyberattack on Estonia stirs fear of 'virtual war'
* Virtual harassment, but for real
* EU urged to deepen cooperation after Estonia cyber-attacks
* The cyber pirates hitting Estonia
* Estonia hit by 'Moscow cyber war'
* Analysis: Who cyber smacked Estonia?, by Shaun Waterman, ''UPI''
* Hackers take down the most wired country in Europe, by Joshua Davis, ''Wired'', 2007-08-21.
* Georgetown Journal of International Affairs report – Battling Botnets and Online Mobs, by Gadi Evron, who wrote the postmortem analysis of the attacks for the Estonian CERT