In the spring of 2007, government computer systems in Estonia experienced a sustained cyberattack that has been labeled by various observers as cyberwarfare, or cyberterror, or cybercrime. On April 27, officials in Estonia moved a Soviet-era war memorial commemorating an unknown Russian who died fighting the Nazis. The move stirred emotions and led to rioting by ethnic Russians and the blockading of the Estonian Embassy in Moscow. The event also marked the beginning of a series of large and sustained distributed denial-of-service (DDoS) attacks launched against several Estonian national websites, including government ministries and the prime minister’s Reform Party.
In the early days of the cyberattack, government websites that normally receive around 1,000 visits a day reportedly were receiving 2,000 visits every second. This caused the repeated shutdown of some websites for several hours at a time or longer, according to Estonian officials. The attacks, which flooded computers and servers and blocked legitimate users, were described as crippling, owing to Estonia’s high dependence on information technology combined with its limited resources for managing that infrastructure. Security experts say that the cyberattacks against Estonia were unusual because the rate of the packet attack was very high, and the series of attacks lasted weeks, rather than the hours or days more commonly seen for a denial-of-service attack. Eventually, NATO and the United States sent computer security experts to Estonia to help recover from the attacks, to analyze the methods used, and to attempt to determine the source of the attacks.
Initially, the Russian government was blamed by Estonian officials for the cyberattacks, and there were charges of cyberwarfare. Other observers argued that the cyberattack involved collusion between the Russian government and transnational cybercriminals who made their large botnets available for short-term rent, either to individuals or to larger groups. They argued that as the rented time expired, the intensity of the persistent cyberattacks against Estonia also began to fall off. However, not all security experts agree, and it remains unclear whether the cyberattacks were sanctioned or initiated by the Russian government, or if a criminal botnet was actually involved.
After some investigation, network analysts concluded that the cyberattacks targeting Estonia were not a concerted attack, but instead were the product of spontaneous anger from a loose federation of separate attackers. Technical data showed that sources of the attack were worldwide rather than concentrated in a few locations. The computer code that caused the DDoS attack was posted and shared in many Russian-language chat rooms, where the moving of the war memorial was a very emotional topic for discussion. These analysts state that although access to various Estonian government agencies was blocked by the malicious code, there was no apparent attempt to target national critical infrastructure other than internet resources, and no extortion demands were made. Their analysis has thus far concluded that there was no Russian government connection to the attacks against Estonia.
In January 2008, a court in Estonia convicted and fined a local man for bringing down a government website, as part of the extended cyberattack in 2007. The 20-year-old, who is apparently an ethnic Russian Estonian, used his home PC to carry out the attack. The investigation continues, and so far, he is the only person convicted for participating in the cyberattack against Estonia.
"Because Estonia is a member of NATO and the European Union, this event exposed how unprepared those organizations may have been to respond to a cyberattack against a member state. Had Estonia invoked NATO's Article V collective security provision, doing so would have raised several thorny questions about what kind of attack triggers those alliance obligations. The fact that the cyberattack was targeted at a member state and prompted an official state response was complicated by the inability to identify the aggressor. Moreover, the attack did no physical damage, and in the end did no permanent damage to Estonia's web-based infrastructure. The damage was measurable only in terms of short-lived commercial losses."
- Robert Vamosi, “Cyberattack in Estonia — What It Really Means,” CnetNews.com, May 29, 2007.
- Christopher Rhoads, “Cyber Attack Vexes Estonia, Poses Debate,” Wall St. J., May 18, 2007, p. A6.
- Carolyn Marsan, “Examining the Reality of Cyberwar in Wake of Estonian Attacks,” 24 Network World, Aug. 27, 2007, at 24.
- Iain Thomson, “Russia ‘Hired Botnets’ for Estonia Cyber-War,” Computing.
- Heise Security, "Estonian DDoS — a final analysis" (full-text).
- Mike Sachoff, "Man Convicted In Estonia Cyber Attack," WebProNews, Jan. 24, 2008.
- Cyber Operations in DOD Policy and Plans: Issues for Congress, at 9.
- Joshua Davis, "Hackers Take Down the Most Wired Country in Europe," Wired Mag., Aug. 21, 2007 (full-text).
- Tom Espiner, "How Estonia’s Attacks Shook the World," ZDNet (May 1, 2008) (full-text).
- G. Evron, "Battling Botnets and Online Mobs: Estonia's Defense Efforts during the Internet War" (May 2005) (full-text).
- Mark Landler & John Markoff, "Digital Fears Emerge After Data Siege in Estonia," N.Y. Times, May 29, 2007 (full-text).
- James Andrew Lewis, "Cyber Attacks Explained" (June 15, 2007) (full-text).
- Robert A. Miller & Daniel T. Kuehl, "Cyberspace and the 'First Battle' in 21st-century War," Defense Horizons No. 68 (Sept. 2009), at 2 (full-text).
- Computer Emergency Response Team of Estonia, "Malicious Cyber Attacks Against Estonia Come from Abroad" (Apr. 29, 2007) (full-text).
- Remarks by Homeland Security Secretary Michael Chertoff to the 2008 RSA Conference (Apr. 8, 2008) (full-text).
- "Europe: A Cyber-Riot; Estonia and Russia," The Economist (London), May 12, 2007, at 42 (full-text).