Russian Cyber Warfare Tactics: Lessons Learned from the Attack on Estonia in 2007

By Paul Seibel

Introduction

The Russian Federation (Russia) has established a well-earned reputation for cyber warfare tactics. Its ability to sow division and increase tensions within other nations through disinformation campaigns and by being able to deny credibility has been shown time and time again (Akimenko and Giles 2020). Much of the asymmetrical warfare in the world today is conducted through these means, and the trend appears to be growing. While the rest of the world seems to be catching up in that regard, Russia has been one of the main actors since the start of cyber warfare (Akimenko and Giles 2020). One of the first incidents of cyber warfare came in 2007, when the nation of Estonia was hit by several Distributed Denial of Service (DDoS) attacks. The attacks came in response to inflamed tensions in Estonia after a well-known statue celebrating a Soviet victory in World War II was moved out of a city center due to anti-Soviet sentiment (Herzog 2011). While the specific actors were never caught, Russia's response and actions strongly suggest that it coordinated the attacks (Herzog 2011). For three weeks, government and public websites were down, with threatening messages showing on the pages (CFR n.d.). The messages came from servers in Russia, but very little links them to the government (Herzog 2011). With the government denying anyone the ability to investigate within its borders, an official link cannot be established (Herzog 2011). This strategy worked for Russia back then and continues to work for it now. The cyber-attacks on Estonia were the first large-scale use of cyber warfare of this kind, and they provide a great look at how a state-sponsored cyber-attack works in practice.

Background and Motivation for Attack

In May 2007, the capital city of Estonia, Tallinn, moved its well-known Bronze Soviet Soldier statue away from the city center (Traynor 2007). The statue was erected to commemorate the Soviets ousting the occupying Nazi regime in World War II and the many Soviet soldiers who fell in doing so (Traynor 2007). However, after Estonia’s independence following the collapse of the USSR, many Estonians viewed Russia as an occupier rather than a savior (McGuinness 2017). To them, the statue was a reminder of that occupation (McGuinness 2017). The decision to move it was controversial within Estonia, as well as with its Russian neighbor (McGuinness 2017). Many protests and counter-protests broke out, bringing violence with them (McGuinness 2017). While this was in full swing, the nation came under a DDoS attack in cyberspace that halted everything from banks to government websites to media organizations (Traynor 2007).

The Attack

A DDoS attack utilizes hundreds of thousands of computers and internet-connected devices, mostly from different networks, to flood the target with packets of data all at once, overwhelming the target and causing it to fail or to slow so much that it becomes unusable (Cunningham and Touhill 2019). This is done by infecting all these computers with malware, usually without the owners’ knowledge, through various means (Cunningham and Touhill 2019). The malware then lies dormant until the actor activates it to send the data to the selected target (Cunningham and Touhill 2019). If the malware is well made, the actor can choose targets at will and use these computers against them repeatedly (Cunningham and Touhill 2019). The attack on Estonia appeared to be of this kind, directing traffic at various servers to disrupt needed access to the internet (Cunningham and Touhill 2019). Most, if not all, of the computers and internet devices used by the actors were located in Russia, including some affiliated with the Russian Security Services, which strongly indicates that the actors themselves were Russian, as does the cause of the attack (Traynor 2007).

This attack, in particular, came from a variety of sources, indicating that far more than one actor was behind it (Ottis 2008). Most of the data used to interfere with Estonia’s systems contained pro-Russian sentiments or derogatory messages towards Estonia, all written in Russian (Ottis 2008). Additionally, during the attack, hacker forums were flooded with instructions for joining in and with encouragement to do so (Ottis 2008). High-ranking Russian politicians also took to these forums and other media at this time to promote hostile rhetoric toward Estonia, indicating that Russia was waging a People’s War, in which a government encourages its citizens to attack another country so that it retains deniability (Ottis 2008).

In addition to the DDoS attack, the Russian military was poised along the Estonia-Russia border and appeared to be ready to invade, causing an international incident (Cunningham and Touhill 2019). With its internet down and on the edge of a possible invasion, Estonia felt intense pressure from Russia and reached out to the EU and NATO for help (Herzog 2011). The coordination of the DDoS attacks with the movement of Russian troops again signifies that the two were intentionally related (Herzog 2011). Despite the pressure from Russia, the statue was removed from the city center and tension eased (Herzog 2011).

Investigation and Response

The international community helped conduct a full investigation into the DDoS attacks to find the specific perpetrators (Herzog 2011). When the investigation led inside Russia’s borders, Russia refused to cooperate, provide any assistance, or let the investigators in (Ottis 2008). Without its support, the investigation identified no actual actors apart from a couple of very minor participants in Estonia (Herzog 2011). However, Russia’s response and actions make it clear that even if the Russian government itself did not carry out the attack, it at least encouraged the responsible party to conduct it and possibly even afforded the responsible party protection in exchange for its actions (Ottis 2008). This gave Russia the perfect way to conduct cyber warfare against a sovereign nation while not taking any responsibility and therefore avoiding retaliation. This was the first known time such an action was committed, and this method has been copied by others many times over, including the United States and North Korea (Cunningham and Touhill 2019).

Following the attacks, Estonia has invested heavily in cyber security, not only through its government security programs but also by establishing a volunteer organization of its citizens, the Cyber Defense Unit, whose members learn cybersecurity and provide assistance when called upon (McGuinness 2017). The government trains the members, but their identities are kept anonymous (McGuinness 2017). The Estonian people remember the incident well and are passionate about not seeing it happen again, which has made Estonia one of the most well-secured places now (McGuinness 2017).

Conclusion

A lot can be learned from these incidents as they continue to happen. An example is the ongoing crisis in Ukraine, which bears a lot of similarities, particularly the buildup of troops and simultaneous cyber-attacks. Russia has been using these means for a long time and will likely continue to do so, demonstrating its proficiency in cyberspace, with other nations following suit. State-sponsored cyber-attacks in the future will look a lot like this and use similar means. Building up a strong cybersecurity apparatus in the way Estonia has may make a difference, but only time will tell how effective it is against future attacks.

References

Akimenko, Valeriy, and Keir Giles. 2020. “Russia’s Cyber and Information Warfare.” Asia Policy 15 (2): 67–75.

CFR. n.d. “Connect the Dots on State-Sponsored Cyber Incidents - Estonian Denial of Service Incident.” Council on Foreign Relations. Accessed February 2, 2022. https://www.cfr.org/cyber-operations/estonian-denial-service-incident.

Cunningham, Chase, and Gregory Touhill. 2019. Cyber Warfare - Truth, Tactics, and Strategies. https://learning.oreilly.com/library/view/cyber-warfare/9781839216992/Text/Chapter_01.xhtml.

Herzog, Stephen. 2011. “Revisiting the Estonian Cyber Attacks on JSTOR.” Journal of Strategic Studies. https://www-jstor-org.ezproxy1.apus.edu/stable/26463926?seq=1#metadata_info_tab_contents.

McGuinness, Damien. 2017. “How a Cyber Attack Transformed Estonia.” BBC News, April 27, 2017, sec. Europe. https://www.bbc.com/news/39655415.

Ottis, Rain. 2008. “Analysis of the 2007 Cyber Attacks against Estonia from the Inf.” Cooperative Cyber Defence Centre of Excellence, 6.

Traynor, Ian. 2007. “Russia Accused of Unleashing Cyberwar to Disable Estonia.” The Guardian, May 17, 2007, sec. World news. https://www.theguardian.com/world/2007/may/17/topstories3.russia.