2007 cyberattacks on Estonia
This article needs to be updated.July 2018)(
The 2007 cyberattacks on Estonia (Estonian: 2007. aasta küberrünnakud Eesti vastu) were a series of cyberattacks which began on 27 April 2007 and targeted websites of Estonian organizations, including Estonian parliament, banks, ministries, newspapers and broadcasters, amid the country's disagreement with Russia about the relocation of the Bronze Soldier of Tallinn, an elaborate Soviet-era grave marker, as well as war graves in Tallinn. Most of the attacks that had any influence on the general public were distributed denial of service type attacks ranging from single individuals using various methods like ping floods to expensive rentals of botnets usually used for spam distribution. Spamming of bigger news portals commentaries and defacements including that of the Estonian Reform Party website also occurred. Research has also shown that large conflicts took place to edit the English-language version of the Bronze Soldier's Wikipedia page.
Some observers reckoned that the onslaught on Estonia was of a sophistication not seen before. The case is studied intensively by many countries and military planners as, at the time it occurred, it may have been the second-largest instance of state-sponsored cyberwarfare, following Titan Rain.
During a panel discussion on cyber warfare, Sergei Markov of the Russian State Duma has stated his unnamed aide was responsible in orchestrating the cyber attacks. Markov alleged the aide acted on his own while residing in an unrecognised republic of the former Soviet Union, possibly Transnistria. On 10 March 2009 Konstantin Goloskokov, a "commissar" of the Kremlin-backed youth group Nashi, has claimed responsibility for the attack. Experts are critical of these varying claims of responsibility. The direct result of the cyberattacks was the creation of the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia.
The Estonian government was quick to blame the Kremlin, accusing it of being directly involved in the attacks. It was later revealed that the allegations were not completely correct when Estonia's defense minister, Jaak Aaviksoo, admitted that he had no evidence linking the cyber-attacks to the Kremlin. "Of course, at the moment, I cannot state for certain that the cyber-attacks were managed by the Kremlin, or other Russian government agencies," Jaak Aaviksoo said in interview on Estonia's Kanal 2 TV channel. "Again, it is not possible to say without doubt that orders came from the Kremlin, or that, indeed, a wish was expressed for such a thing there," said Aaviksoo. Russia called accusations of its involvement "unfounded", and neither NATO nor European Commission experts were able to find any proof of official Russian government participation. Since the attack, Estonia has advocated for increased cybersecurity protection and response protocol.
In response to such attacks, NATO conducted an internal assessment of their cyber security and infrastructure defenses. The assessment resulted in a report issued to the allied defense ministers in October 2007. It further developed into the creation of a cyber defense policy and the creation of the NATO Cooperative Cyber Defence Center of Excellence (CCDCOE) in May 2008.
Due to the attacks, the Tallinn Manual on the International Law Applicable to Cyber Warfare was also developed. This report outlined international laws which are considered applicable to the cyber realm. The manual includes a total of ninety-five "black-letter rules" addressing cyber conflicts. The Tallinn Manual has worked to provide a global norm in cyber space by applying existing international law to cyber warfare. The manual suggests that states do not have sovereignty over the Internet, but that they do have sovereignty over components of the Internet in their territory.
On 2 May 2007, a criminal investigation was opened into the attacks under a section of the Estonian Penal Code criminalising computer sabotage and interference with the working of a computer network, felonies punishable by imprisonment of up to three years. As a number of attackers turned out to be within the jurisdiction of the Russian Federation, on 10 May 2007, Estonian Public Prosecutor's Office made a formal investigation assistance request to the Russian Federation's Supreme Procurature under a Mutual Legal Assistance Treaty (MLAT) existing between Estonia and Russia. A Russian State Duma delegation visiting Estonia in early May in regards the situation surrounding the Bronze Soldier of Tallinn had promised that Russia would aid such investigation in every way available. On 28 June, Russian Supreme Procurature refused assistance, claiming that the proposed investigative processes are not covered by the applicable MLAT. Piret Seeman, the Estonian Public Prosecutor's Office's PR officer, criticized this decision, pointing out that all the requested processes are actually enumerated in the MLAT.
On 24 January 2008, Dmitri Galushkevich, a student living in Tallinn, was found guilty of participating in the attacks. He was fined 17,500 kroons (approximately US$1,640) for attacking the website of the Estonian Reform Party.
As of 13 December 2008, Russian authorities have been consistently denying Estonian law enforcement any investigative cooperation, thus effectively eliminating chances that those of the perpetrators that fall within Russian jurisdiction will be brought to trial.
Opinions of experts
Critical systems whose network addresses would not be generally known were targeted, including those serving telephony and financial transaction processing. Although not all of the computer crackers behind the cyberwarfare have been unveiled, some experts believed that such efforts exceed the skills of individual activists or even organised crime as they require a co-operation of a state and a large telecom company.
A well known Russian hacker Sp0Raw believes that the most efficient online attacks on Estonia could not have been carried out without the blessing of the Russian authorities and that the hackers apparently acted under "recommendations" from parties in higher positions.  At the same time he called claims of Estonians regarding direct involvement of Russian government in the attacks "empty words, not supported by technical data".
Mike Witt, deputy director of the United States Computer Emergency Readiness Team (CERT) believes that the attacks were DDoS attacks. The attackers used botnets—global networks of compromised computers, often owned by careless individuals. "The size of the cyber attack, while it was certainly significant to the Estonian government, from a technical standpoint is not something we would consider significant in scale," Witt said.
"We don't have directly visible info about sources so we can't confirm or deny that the attacks are coming from the Russian government," Jose Nazario, software and security engineer at Arbor Networks, told internetnews.com. Arbor Networks operated ATLAS threat analysis network, which, the company claimed, could "see" 80% of Internet traffic. Nazario suspected that different groups operating separate distributed botnets were involved in the attack.
Experts interviewed by IT security resource SearchSecurity.com "say it's very unlikely this was a case of one government launching a coordinated cyberattack against another": Johannes Ullrich, chief research officer of the Bethesda said "Attributing a distributed denial-of-service attack like this to a government is hard." "It may as well be a group of bot herders showing 'patriotism,' kind of like what we had with Web defacements during the US-China spy-plane crisis [in 2001]." Hillar Aarelaid, manager of Estonia's Computer Emergency Response Team "expressed skepticism that the attacks were from the Russian government, noting that Estonians were also divided on whether it was right to remove the statue".
"Today security analysts widely believe that the attacks were condoned by the Kremlin, if not actively coordinated by its leaders." Andy Greenberg, author of the WIRED Guide to Cyberwar 23 August 2019. He noted that the next year, 2008, similar attacks on Georgia were accompanied by a Russian physical invasion. wired.com.
Clarke and Knake report that upon the Estonian authorities informing Russian officials they had traced systems controlling the attack to Russia, there was some indication in response that incensed patriotic Russians might have acted on their own. Regardless of conjectures over official involvement, the decision of Russian authorities not to pursue individuals responsible—a treaty obligation—together with expert opinion that Russian security services could readily track down the culprits should they so desire, leads Russia observers to conclude the attacks served Russian interests.
Claiming responsibility for the attacks
A Commissar of the Nashi pro-Kremlin youth movement in Moldova and Transnistria, Konstantin Goloskokov (Goloskov in some sources), admitted organizing cyberattacks against Estonian government sites. Goloskokov stressed, however, that he was not carrying out an order from Nashi's leadership and said that a lot of his fellow Nashi members criticized his response as being too harsh.
Like most countries, Estonia does not recognise Transnistria, a secessionist region of Moldova. As an unrecognised nation, Transnistria does not belong to Interpol. Accordingly, no Mutual Legal Assistance Treaty applies. If residents of Transnistria were responsible, the investigation may be severely hampered, and even if the investigation succeeds finding likely suspects, the legal recourse of Estonian authorities may be limited to issuing all-EU arrest warrants for these suspects. Such an act would be largely symbolic.
Head of Russian Military Forecasting Center, Colonel Anatoly Tsyganok confirmed Russia's ability to conduct such an attack when he stated: "These attacks have been quite successful, and today the alliance had nothing to oppose Russia's virtual attacks", additionally noting that these attacks did not violate any international agreement.
Influence on international military doctrines
The attacks triggered a number of military organizations around the world to reconsider the importance of network security to modern military doctrine. On 14 June 2007, defence ministers of NATO members held a meeting in Brussels, issuing a joint communiqué promising immediate action. First public results were estimated to arrive by autumn 2007.
On 25 June 2007, Estonian president Toomas Hendrik Ilves met with US president, George W. Bush. Among the topics discussed were the attacks on Estonian infrastructure.  NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) operates out of Tallinn, Estonia, since August 2008
The events have been reflected in a NATO Department of Public Diplomacy short movie War in Cyberspace.
- Bronze Night
- Cyberattacks during the 2008 South Ossetia war
- Fatal System Error
- Russian influence operations in Estonia
- The Guardian 17 May 2007: Russia accused of unleashing cyberwar to disable Estonia by Ian Traynor
- "War in the fifth domain. Are the mouse and keyboard the new weapons of conflict?". The Economist. 1 July 2010. Retrieved 2 July 2010.
Important thinking about the tactical and legal concepts of cyber-warfare is taking place in a former Soviet barracks in Estonia, now home to NATO's "centre of excellence" for cyber-defence. It was established in response to what has become known as "Web War 1", a concerted denial-of-service attack on Estonian government, media and bank web servers that was precipitated by the decision to move a Soviet-era war memorial in central Tallinn in 2007.
- "Estonia fines man for 'cyber war'". BBC. 25 January 2008. Retrieved 23 February 2008.
- Graham, Mark; Zook, Matthew; Boulton, Andrew (10 August 2012). "Augmented reality in urban places: contested content and the duplicity of code". Transactions of the Institute of British Geographers. 38 (3): 464–479. doi:10.1111/j.1475-5661.2012.00539.x. ISSN 0020-2754.
- The Economist 24 May 2007: Cyberwarfare is becoming scarier
- "Estonia fines man for 'cyber war'". BBC News. 25 January 2008. Retrieved 22 April 2010.
- Radio Free Europe 6 March 2009: Behind The Estonia Cyberattacks by Robert Coalson
- Kremlin-backed group behind Estonia cyber blitz Financial Times 11 March 2009
- Authoritatively, Who Was Behind The Estonian Attacks?[dead link] DarkReading 17 March 2009
- Bright, Arthur. "Estonia accuses Russia of "cyberattack"". csmonitor.com. Retrieved 10 May 2017.
- Shackelford, Scott (2009). "Estonia Two-and-a-Half Years Later". Cite journal requires
- Herzog, Stephen (2011). "Revisiting the Estonian Cyber Attacks: Digital threats and Multinational Responses". Journal of Strategic Security. 4 (2): 49–60. doi:10.5038/1944-0418.104.22.168.
- Postimees 6 July 2007: Venemaa jätab Eesti küberrünnakute uurimisel õigusabita Archived 8 July 2007 at the Wayback Machine
- Eesti Päevaleht 6 July 2007: Venemaa keeldus koostööst küberrünnakute uurimisel
- Leyden, John (24 January 2008). "Estonia fines man for DDoS attacks". The Register. Retrieved 22 February 2008.
- ERR 13 December 2008 16:43: Venemaa keeldub endiselt koostööst küberrünnakute uurimisel
- Clarke, R.A., Knake, R.K. Cyber War: The Next Threat To National Security And What To Do About It. Harper Collins. 2010.
- Swiss Baltic Chamber of Commerce in Lithuania/Baltic News Service 2 June 2007: Commissar of Nashi says he waged cyber attack on Estonian government sites Archived 10 October 2007 at the Wayback Machine
- (in Russian) Электронная бомба. Кто стоит за кибервойной России с Эстонией Archived 9 October 2007 at the Wayback Machine
- Times Online: Urmas Paet, the Estonian Foreign Minister, accused the Kremlin of direct involvement
- United Press International: Analysis: Who cyber smacked Estonia?
- Internetnews.com: Estonia Under Russian Cyber Attack?
- Experts doubt Russian government launched DDoS attacks, by Bill Brenner, 18 May 2007. SearchSecurity.com
- wired.com: The WIRED Guide to Cyberwar
- Monument dispute with Estonia gets dirty
- Tiraspol Times 9 June 2007: Ministry of Internal Affairs lists PMR's 10 most wanted
- Руководитель российского Центра военного прогнозирования полковник Анатолий Цыганок считает, что кибератаки против Эстонии не нарушали никаких международных договоренностей, потому что таковых просто нет. "Эти атаки были вполне успешными, и сегодня альянсу нечего противопоставить российским виртуальным атакам, – заявил Цыганок в интервью "Газете". – В принципе потери вооружений НАТО могут быть огромными, если в результате таких атак вывести из строя компьютерное военное управление".
- Eesti Päevaleht 15 June 2007: NATO andis rohelise tule Eesti küberkaitse kavale Archived 4 June 2008 at the Wayback Machine by Ahto Lobjakas
- White House 4 May 2007: President Bush to Welcome President Toomas Ilves of Estonia
- Yahoo/AFP 25 June 2007: Bush, Ilves eye tougher tack on cybercrime[dead link]
- "NATO to set up cyber warfare center". Archived from the original on 23 July 2008. Retrieved 23 July 2008.
- Postimees 28 March 2009 14:02: NATO tegi filmi Eesti "kübersõjast"
- Cyber War I: Estonia Attacked from Russia, by Kertu Ruus, European Affairs: Volume number 9, Issue number 1–2 in the Winter/Spring of 2008.
- Black Hat 2007: Lessons of the Estonian attacks, by Bill Brenner, 26 Jul 2007.
- Estonia urges firm EU, NATO response to new form of warfare: cyber-attacks
- Massive DDoS attacks target Estonia; Russia accused
- Cyberattack on Estonia stirs fear of 'virtual war'
- Estonia accuses Russia of 'cyberattack'
- Virtual harassment, but for real
- Digital Fears Emerge After Data Siege in Estonia
- EU urged to deepen cooperation after Estonia cyber-attacks
- The cyber pirates hitting Estonia
- Estonia hit by 'Moscow cyber war'
- Analysis: Who cyber smacked Estonia? by Shaun Waterman, UPI
- Hackers take down the most wired country in Europe by Joshua Davis, Wired, 2007-08-21.
- Georgetown Journal of International Affairs report – Battling Botnets and Online Mobs[dead link] by Gadi Evron who wrote the postmortem analysis of the attacks for the Estonian CERT