Cyberspace as an integral part of modern competition: Lessons from the 2007 cyber-attack on Estonia

Giovanni Tomasi

With the proliferation of cyber operations over the past decade, it seems like an almost regular occurrence that headlines will warn of a future “cyber-Armageddon” and detail its dire consequences for the world. While I argue these predictions are more hyperbole than legitimate prophecy, the acute threat posed by cyber operations is only increasing in our digitized society. However, like all tools of conflict, cyber operations are most effective when coordinated with other means, and they often allow an operation to remain below the level of armed conflict while still inflicting damage on an adversary. Because attackers can obscure the source of an attack, the victims of a cyber operation are less likely to respond with kinetic action, which keeps their response either non-kinetic or diplomatic in nature. To conceptualize what this might look like, the 2007 cyber-attacks on Estonia offer a poignant and relevant example. These attacks were the first instance of large-scale distributed denial-of-service (DDoS) operations against a nation-state, a type of cyber-attack that remains a popular choice among cyber actors. A DDoS attack floods the targeted system with internet traffic, essentially creating a digital traffic jam that overwhelms the targeted network. The simplicity of this type of attack is what makes it still very relevant today. The 2007 Estonian cyber-attacks combined this operational method with hybrid actions in the land domain, showing the potentially devastating effects of integrated cyber operations.

The Estonian cyber-attacks centered around the Estonian government’s decision to relocate a Soviet World War II memorial and unmarked graves from downtown Tallinn to a nearby military cemetery. The movement of the “monument to the liberators of Tallinn” and the graves beneath it was a contentious political issue within Estonia and the former Soviet space. The 68% ethnically Estonian and largely anti-Soviet population of the country was mostly in favor of the move, while the 25% ethnically Russian and pro-Soviet segment was against it. The neighboring Russian government also loudly and publicly condemned the move as disparaging to the sacrifices of the Soviet people.

Amid this controversy, cyber-attackers conducted cyber operations in three waves. The first wave began late on April 26th, 2007, before workers relocated the statue early on April 27th. It lasted several days, consisting of website vandalism and DDoS attacks targeting the Estonian government, media, and corporate websites. The first wave began to subside after May 2nd when the Estonian government made several efforts to block Russian-based IP traffic. The second wave began on May 9th, or “Victory Day,” a holiday Russia and the post-Soviet world celebrate to commemorate the Soviet victory over Nazi Germany. This wave was a large-scale DDoS attack, using rented botnets worldwide to increase internet traffic to targeted sites.[1] The final wave began on May 18th and was smaller in scale, only lasting a few days. The entire operation endured sporadically for 22 days, consisting of 128 DDoS attacks that severely obstructed everyday Estonian life, commerce, and civil functions.[2]

These cyber-attacks displayed three characteristics from which cyber defenders can draw lessons. First, the attackers’ identity remains largely unknown, mainly thanks to their operational methods. The geographic dispersion of the rented botnets helped prevent the location or identification of the precise origin of the attack. Investigators discovered indicators of Russian government involvement, but definitive attribution is impossible to prove.[3] In this case, the attackers were unknown, and the defender had to defeat tactics instead of a specific adversary, highlighting the unknown variables of the cyberspace domain. Second, cyber-attackers exploited existing vulnerabilities within the Estonian networks. In 2007, Estonia was especially vulnerable to a DDoS attack as a country dependent on the internet.[4] The attack disrupted access to essential government, banking, and small business websites, caused interruptions to cell phone and emergency services, and prevented access to government services for Estonian citizens, with an estimated cost of $27-40 million.[5] In the highly digitized modern age, 2007 Estonia’s level of digital integration is more of a standard than an exception. This digitization allows a blunt-force cyber weapon like DDoS to cause widespread societal disruption by focusing on unknown or overlooked system vulnerabilities that continue to exist in digital programming.

The third and most significant trait of the Estonian cyber-attacks was their coordination with physical action in the land domain. As the cyber-attacks were ongoing, widespread protests and riots erupted across Estonia and outside the Estonian Embassy in Russia, resulting in one fatality, 150 wounded, and over 1,000 arrests. Following these demonstrations, pro-Kremlin youth groups allegedly funded by the Russian government organized protests and laid siege to the Estonian Embassy in Russia. They tore down Estonian flags, effectively imprisoned Estonian diplomats, and eventually stormed the embassy. While these actions occurred, the Russian government closed bridges between Russia and Estonia and canceled rail service between the two capitals to economically hurt Estonia.[6] Despite the devastating effect of the coordinated actions in Estonia, the conflict remained below the level of armed conflict, thanks mainly to the anonymity provided by cyberspace and the deniability it afforded actors. Without the benefit of clear evidence in the cyberspace domain, the suspected actor could disregard both the cyber-attacks and the physical actions as organic movements by individuals who disagreed with the Estonian government’s decision to move the monument, limiting the response of the Estonian government.

Thankfully, the 2007 Estonian cyber-attacks failed to accomplish their goal of influencing the Estonian government’s actions. The Estonian government held firm in its decision to relocate the monument and the graves below it, despite the significant pressure from the cyber-attacks. However, the outcome could be different if this scenario is reimagined slightly in a modern country relying heavily on a digital society for everything from commerce to healthcare to governance. As we have seen from several notable ransomware attacks on the private sector such as the 2021 Colonial Pipeline Attack, it is not inconceivable that the country could yield to pressure from unknown (foreign) actors and domestic unrest to restore services necessary to operate as a society. What may seem like a small concession in the greater scheme of things would ultimately mean the success of an actor to impose his will on another, with limited bloodshed. This scenario makes this type of operation a very consequential weapon in an adversary’s arsenal and something that leaders should understand and be prepared to counter. While the reality of the situation may not seem as dire as “cyber-Armageddon,” its consequences remain grave nonetheless. Cyber-attacks and their effects do not exist solely in the vacuum of the cyberspace domain. As such, leaders should be prepared to counter them as part of a greater integrated operation employed across the spectrum of operational domains.

About the Author:

Giovanni Tomasi is an active-duty Army Major and Foreign Area Officer. He previously served as an Infantry Officer in the 3d Cavalry Regiment, 3d U.S. Infantry Regiment (The Old Guard), and the 101st Airborne Division (Air Assault). He is currently pursuing a Master of International Public Policy at Johns Hopkins University. 

Opinions expressed here are those of the author and do not represent those of the United States Army, the Department of Defense, or the United States Government.

Endnotes:

  1. Ben Buchanan, The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics (Cambridge, MA: Harvard University Press, 2020), 76.
  2. Ibid., 76-78.
  3. Ibid., 81-82.
  4. George Dewey Davis, “The Digital Fog of Cyber: Case Study of the 2007 Cyber Attack on Estonia” (PhD diss., Northcentral University, Arizona, 2017), 10, ProQuest Dissertations & Theses.
  5. Samuli Haataja, “The 2007 Cyber Attacks Against Estonia and International Law on the Use of Force: An Informational Approach,” Law, Innovation and Technology 9, no. 2 (2017): 160-161, DOI: 10.1080/17579961.2017.1377914.
  6. Ibid., 75-85.