Throwback Attack: How a cyber war against Estonia turned the country into a global leader

Courtesy: Industrial Defender

The overwhelming majority of recent cyberattacks — at least the highly publicized ones — have been primarily about one thing: money. Colonial Pipeline, SolarWinds, JBS Foods, Kia Motors, Kaseya, the Washington D.C. Police Department and many others were all victims of ransomware. While ransomware attacks can be massively disruptive to both business (e.g., Kia) and critical infrastructure (e.g., Colonial), they pale in comparison to the havoc that can be wreaked by an all-out cyberattack on a country. When Estonia decided to relocate a Soviet-era bronze statue in 2007, the tiny Northern European country was launched into what many agree was the first true cyber war.

The attacks had all the hallmarks of today’s acts of cyber aggression: exploitation of political divisions, fake news, botnets and weaponized waves of spam. The “war” did have a positive impact, however; it taught Estonians the importance of cyber defense, and the country has since become a global cybersecurity hub.

A monument to what?

The “Monument to the Liberators of Tallinn,” a statue of a soldier standing, head bowed, in a World War II-era Red Army military uniform, was unveiled in a small Estonian park on Sept. 22, 1947. The date was significant, meant to commemorate the moment the Red Army reached Tallinn, Estonia’s capital city, three years earlier during WWII. Unfortunately, the question of who the “liberators of Tallinn” actually are is a complicated and controversial one.

The monument was designed as a memorial to the Soviet soldiers who died in WWII, and many Russian-speaking and -sympathizing Estonians saw it as a celebration of Russia’s part in the victory over Nazi Germany. But Soviet interest in Estonia didn’t end with that supposed “liberation”; Russia continued to occupy Estonia until 1991, when the country finally reestablished its independence. For a sizable contingent of ethnic Estonians, the soldier statue was nothing more than a painful symbol of Soviet occupation and oppression.

In 2006, a conservative group in Estonia petitioned to have the monument demolished, but ultimately, after some controversy, the statue and the accompanying war graves were moved from the city center to the Defense Forces Cemetery on the outskirts of the capital.

These days, the monument is better known as the Bronze Soldier and has officially been rechristened “Monument to the Fallen in the Second World War.”

The conflict in Estonia begins

The decision to move the Bronze Soldier was not well received by Estonia’s Russian contingent or the Russian-language media. According to a BBC News article on the incident, false Russian news reports claimed both the statue and the war graves were being destroyed. On April 26, protesters took to the streets, kicking off two nights of rioting and looting, the likes of which Estonia had never seen. The BBC reported “156 people were injured, one person died and 1,000 people were detained.”

On April 27, the discord in Estonia went digital. A spate of major cyberattacks rocked the country, including hits on the Estonian parliament, banks and media organizations. According to e-estonia, at the height of the attacks, 58 prominent Estonian websites had been knocked offline. Most of the significant attacks could be categorized as distributed denial-of-service (DDoS) attacks, where unprecedented levels of internet traffic swamp servers and take down websites. The attackers used ping floods, botnets and more to overwhelm their victims with spam.

“The result for Estonian citizens was that cash machines and online banking services were sporadically out of action; government employees were unable to communicate with each other on email; and newspapers and broadcasters suddenly found they couldn’t deliver the news,” wrote Damien McGuinness of the BBC.

Collective defense

Because of the nature of the attacks, most quickly pointed to Russia as the culprit — and it didn’t help that the attacks were launched from Russian IP addresses or that appeals to the global power for help were ignored. However, there was never definitive proof Russia was behind the chaos in Estonia. Moscow denied the allegations, and Estonia’s defense minister publicly acknowledged they had no real evidence pointing to the Kremlin.

This uncertainty also complicated the response to the cyberattacks, especially considering Estonia is a NATO country. NATO was founded on the principle of collective defense; Article 5 states that an attack against one NATO ally is an attack against all allies. But in the case of a cyberattack, it turns out the organization’s response is not so black and white. NATO determined Article 5 could only be invoked if the cyber aggression resulted in traditional military casualties, such as significant loss of life.

Estonia’s response

Not everything that came out of the cyberattacks of 2007 was negative, however. Estonia took the action as a wake-up call and has since advocated for increased cybersecurity and become a global leader in national cybersecurity defense.

“Prior to the incident, cyberattacks had not been seriously considered as an imminent threat to the state or its citizens,” wrote e-estonia. “There was no common code of conduct or universal agreement between policymakers. For example, it was not defined if this kind of an offense would qualify as an attack against a member state of NATO and hence activate collective defense under Article 5. It was not even clear if a state could legitimately respond to cyberattacks.”

Following the action in Estonia, NATO did conduct an internal assessment of its cybersecurity processes, which spurred the creation of the NATO Cooperative Cyber Defense Center of Excellence (CCDCOE) in May 2008. The Center is based in Tallinn and focuses on research, development, training and education in both the technical and nontechnical aspects of cyber defense.

NATO also developed the “Tallinn Manual on the International Law Applicable to Cyber Warfare,” outlining international laws that are applicable to the cyber realm. All of these elements have made the battle lines clearer for acts of cyber warfare, such as the 2017 Russian cyberattacks in Ukraine.

Estonia has worked since 2007 to ensure they are ready for the next wave of cyberattacks, wherever they originate. They learned the lesson that cyber defense, especially against a potential nation-state, requires constant vigilance and true cooperation between public and private institutions.

“Estonia’s current cybersecurity is bolstered by high-functioning e-government infrastructure, reliable digital identity, mandatory security baseline for all government authorities, and a central system for monitoring, reporting and resolving incidents,” said Klaid Mägi, head of the Incident Response Department (CERT-EE) to e-estonia. “Vital service providers are obliged to assess and manage their ICT risks. Most importantly, there is a common understanding that cybersecurity can only be ensured through cooperation and that a joint contribution is required at all levels — state, private sector and individuals.”



