Cyber Security and the White House, Part 2 - Cyberwarfare

This is a follow-up to my previous post on Cybersecurity and the White House. It illustrates an actual cyberwarfare attack against Estonia in 2007 and how it can be a legitimate national security issue.

Study of a cyberwarfare attack

Estonia is one of the most wired countries in eastern Europe. Despite being a former Soviet republic, it relies on the Internet for a substantial portion of everyday life: communications, financial transactions, news, shopping and restaurant reservations all use the Internet. Indeed, in 2000, the Estonian government declared Internet access a basic human right. It is this growing dependence on the Internet that left Estonia particularly vulnerable to a large-scale cyberattack in April 2007.

The cyberattack is thought to have coincided with an event in downtown Tallinn. During the night of April 26-27, 2007, government workers took down and moved a Soviet-era monument commemorating World War II called the Bronze Soldier, as well as war graves in Tallinn. This sparked protests by 500 ethnic Russian Estonians. For the Kremlin—and Russians in general—such a move in a former Soviet republic was considered a grave nationalistic insult.

This was the kind of emotional flash point that could spark a “nationalistic” or “rally-around-the-flag” movement in cyberspace. By 10 p.m. local time on April 26, 2007, digital intruders began probing Estonian Internet networks, looking for weak points and marshaling resources for an all-out assault. Most of the attacks that had any influence on the general public were distributed denial-of-service attacks, ranging from single individuals using various low-tech methods like ping floods to expensive rentals of botnets usually used for spam distribution. Spamming of the comment sections of the bigger news portals and defacements, including that of the Estonian Reform Party website, also occurred. Once they gained control of the sites, hackers posted a fake letter from Estonian Prime Minister Andrus Ansip apologizing for ordering the removal of the World War II monument.

This was a concerted cyberwarfare attack on Estonia. Some observers reckoned that the onslaught on Estonia was of a sophistication not seen before. The case was studied intensively by many countries and military planners and, at the time it occurred, it may have been the second-largest instance of state-sponsored cyberwarfare.

A couple of days later, networks and routers were being pressed to their limits. Not all servers were taken offline, but the functionality of the Internet in Estonia was limited because so many resources were dedicated to protecting it. Security specialists erected firewalls and barriers, but as time passed, these barriers started to break down. The government eventually started taking down sites and making them available only to users within Estonia, but this was seen as only a temporary fix. It works for a country as small as Estonia but not for larger nations where the traffic is much more international.

The cyberwar on Estonia intensified two weeks later. On May 9, the day Russia celebrates victory over Germany, the size of the attacks increased. More than 50 Web sites and servers may have been disabled at once, with a data stream crippling many other parts of the system. This continued until late in the evening of May 10, perhaps when the rented time on the botnets and cybermercenaries’ contracts expired. After May 10, the attacks slowly decreased as Estonia managed to take the botnets offline by working with phone companies and Internet service providers to trace back the IP addresses of attacking computers and shut down their Internet service connections.

During the defense of Estonia’s Internet system, many of the computers used in the attacks were traced back to computers in Russian government offices. At the time of the attacks, Estonian Foreign Minister Urmas Paet accused the Kremlin of direct involvement in the cyberattacks. A few months later, in September 2007, Estonia’s defense minister admitted he had no evidence linking the cyberattacks to Russian authorities. What could not be directly determined was whether these computers were simply “zombies” hijacked by bots and not under the control of the Russian government, or whether they were actively being used by government personnel.

At the time, Dmitry Peskov, the Kremlin’s chief spokesman, told the BBC’s Russian Service there was “no way the [Russian] state [could] be involved in cyber terrorism”. Two years later, on March 10, 2009, Konstantin Goloskokov, a “commissar” of the Kremlin-backed youth group Nashi, claimed responsibility for the attack. Whether or not they are responsible is up for debate, as another Russian politician claimed his assistant was responsible for it.

Estonia was particularly vulnerable to this type of attack, but the lesson is clear for the broader developed world. A concerted effort made by either a government (?) or a group of people trying to teach another country a lesson can wreak serious havoc on a country’s economy. Such an attack is a national security issue and a case can be made that it falls within the realm of government oversight.

• You will want to check out Stratfor’s very good summary on the issue, available at this link (no subscription required).
• Wikipedia has a good summary available here.
• The BBC reported on this event two years ago. Summary is similar to the above articles.

By Terry Zink, Program Manager


Russian politician claimed his assistant was responsible Taavet Ropp  –  May 6, 2009 7:14 PM

Russian politician claimed his assistant was responsible for it.

FYI, Markov’s assistant _was_ Goloskokov. First wave of nashists are old enough to have jobs in state structures, and many of them have proven themselves loyal enough to have been granted exactly that.

Also, Goloskokov didn’t wait 2 years, he bragged to Russian media about having run botnets out of Transdnistria mere weeks after the attacks. Didn’t reach anglophone media back then.

Critical information infrastructure: vulnerabilities, threats and responses Alex Tajirian  –  Jun 8, 2009 3:36 PM

A diametrically opposite account of the Estonian-Russian cyberwarfare is presented by Myriam Dunn Cavelty in Critical information infrastructure: vulnerabilities, threats and responses. The essay is a good reading on the topic.
