Russia vs Estonia. First Cyber War (2007)
Papadakis Konstantinos, Cyber-Information Warfare Analyst & Cyber Defense/Security Consultant
INTRODUCTION
The "virtual" conflict between Russia and Estonia (2007), conducted exclusively
in cyberspace, can be characterized as "the first cyber war" (1st CW): for the
first time in the global history of operations, cyber capabilities were used for a
coordinated attack on a state's infrastructure.
HISTORY
The main cause of the conflict was the strained relations between the two states
(due to different geostrategic approaches), as Estonia after the dissolution of the
Soviet Union followed a pro-Western approach.
The cause that triggered the conflict was the ratification by the Estonian
parliament (February 2007) of the "Forbidden Structures Law", which referred to the
de-Sovietization of the country through the removal of those monuments that
demonstrated the 50 years of Soviet "occupation". Based on this bill, the Estonian
government would move the bronze statue called "Soldier of the Red Army", which
had been placed by the Soviets in the center of the Estonian capital, after the end of
World War II.
This specific move caused intense reactions both from Russians living in Estonia
and from the Russian government, which culminated on 26-27 April 2007, when
there were fierce clashes in the center of Tallinn between different
nationalist groups and the police.
ANALYSIS OF THE ATTACKS
The cyber-attacks were carried out in two distinct time phases, with different
levels of intensity and technological specialization.
1. The first phase (April 27-29) was evaluated as "emotionally charged", since
the attacks that supported the social outcry that followed the removal of the statue
were relatively simple and poorly coordinated, targeting government websites and
digital media using denial-of-service (DDoS) attack techniques, which were dealt
with relatively easily.
2. The second phase (April 30-May 18, 2007) involved better coordinated and
more specialized attacks, carried out in four waves:
a. 1st Wave (May 4th)
b. 2nd Wave (May 8-11)
c. 3rd Wave (May 15th)
d. 4th Wave (May 18th)
In particular, a clear correlation was observed between politically significant
dates and the intensification of attacks.
The main methods used by the attackers were:
1. Denial of service or saturation attacks against Estonian servers (DDoS attacks).
2. Unauthorized alteration of web page content (web defacement).
3. Directing network users to unwanted areas (DNS Server attack).
4. Email spamming.
OBJECTIVES OF THE ATTACKS
The main targets of the cyberattacks were government and private-sector
communication and information distribution channels, as well as business sector
websites (mainly banking).
More generally, servers of institutions responsible for the Estonian Internet
infrastructure, government and political targets, services provided by the private
sector, personal and random targets as well as the emergency number (112) were
mainly targeted and affected.
Among the governmental and political targets of the attacks were the websites
of the Government, the Prime Minister, the President, the Parliament, the State
Accounting Office, almost all ministries (except the Estonian Ministry of
Culture), state agencies (e.g. the Estonian Police Board) and the Reform Party.
It should be noted that traditional critical infrastructure systems, such as IT
systems that support transportation and energy systems, were not targeted.
ORIGIN OF ATTACKS
According to CERT-EE, the attacks came almost exclusively from sources outside
of Estonia. A large share of the attackers were carried away by nationalistic/political
feelings and carried out the attacks according to the instructions they received on
specific online media (forums and websites), in the context of what is called patriotic
hacking. Although several of the e-mail addresses from which the attacks originated
were located in Russia, the official government in Moscow denied any state support,
noting that the attackers were ordinary citizens who simply reacted on their own
responsibility to the events in Estonia.
RESULTS OF ATTACKS
The cyber-attacks found fertile ground in Estonia, as the country was digitally
advanced and several sectors (economy, trade, industry, etc.) of state operation and
commerce relied on information infrastructure and digital channels for daily
communication and operation.
The cyber-attacks had a significant impact on:
1. Economy: The attack on digital infrastructures (network servers of major
providers and e-mail, etc.) affected not only large entities such as banks, media and
government institutions, but also small and medium enterprises, whose daily activities
were seriously weakened.
2. Society: The country's digital reforms had reduced non-electronic
government communication channels and changed the habits of users, who now looked
for information mainly online. As a result of the unavailability of government websites
and excessive spamming of official e-mail addresses, citizens' normal communication
with the government was weakened, although, because the blocking of government
websites was temporary, there were no significant daily problems for the population.
3. Communication: The attacks affected Estonia's information flow to the
outside world. Major international media organizations did not have their own stations
or correspondents in Estonia, and the Estonian government relied on online media to
distribute information, making them prime targets for attacks.
FINDINGS FROM THE ATTACKS
The organization and intensity of the cyber-attacks were of an unprecedented
scale, and the conclusions of the investigations brought to light important facts:
1. The attacks had a significant impact on the economic and social functioning
of the country, since in order to deal with the cyber-attacks it had to be disconnected
from the internet. This action placed the country, which widely used the internet
not only for public and private transactions (eGovernance, banking system,
communication-media, etc.) but also for providing information at home and abroad,
in a very difficult situation. It is estimated that losses from the cost of outage of an
Estonian bank's website amounted to 1 million dollars.
2. The Estonian legal framework was outdated in dealing with cyber-attacks, with
many procedural problems of law enforcement and overlapping jurisdictions.
Internationally, the Estonian government attempted to classify the cyber-attacks as a
military activity invoking NATO Article 5, which was not accepted, resulting in the
cyber-attacks being treated as cyber crimes.
3. There were significant attribution problems: although the attacks and their
coordination, for which computers located in 178 countries were used, appeared to
come from Russian territory, there was no tangible evidence to incriminate the Russian
government, which denied any involvement in the cyber-attacks, claiming they were
due to nationalist groups with which it had no connection.
EPILOGUE
The cyberattack in Estonia demonstrated for the first time worldwide that, under
certain conditions, it is possible in a conflict between states to use cyber capabilities
instead of the traditional pillars of state power (political, economic, diplomatic, military,
etc.) with the aim, as Clausewitz said, of enforcing policy and will by other means.
In this sense, geostrategic and military conflicts acquire a new dimension: the
cyber dimension, whose size, potential and impact are difficult to predict.
The virtual conflict in Estonia effectively highlighted the ability of cyber
operations to cause consequences of strategic magnitude that are immediately visible
to the entire population of a country and effectively established cyber defense as a key
pillar of national security.