S E C R E T SECTION 01 OF 04 TALLINN 000366
SIPDIS
SIPDIS DEPT FOR EUR/NB
E.O. 12958: DECL: 06/04/2017
TAGS: PREL, PGOV, ECON, ETRD, NATO, RS, EN
SUBJECT: ESTONIA'S CYBER ATTACKS: WORLD'S FIRST VIRTUAL ATTACK
AGAINST NATION STATE
REF: A) TALLINN 276 B) TALLINN 280 C) TALLINN 347
D) LEE-GOLDSTEIN EMAIL 05/11/07
Classified By: Ambassador S. Dave Phillips for reasons 1.4 (b) & (d)

1. (S)
Summary. Since April 27, Estonia has been the victim of the
world's first coordinated cyber attacks against a nation state
and its political and economic infrastructure. The sensational
nature of the story, combined with the highly technical
details of the subject matter, has led to a good deal of
misinformation in the public domain. Although GOE and
international analysis is ongoing, these attacks have
highlighted the vulnerability of both government and private
sector internet infrastructure to attacks of this nature. For
over a month, government, banking, media, and other Estonian
websites, servers, and routers came under a barrage of cyber
attacks. Defense against the attacks was extremely expensive
for both GOE and the private sector. GOE and private cyber
defense experts cite the nature and sophistication of the
attacks as proof of Russian government complicity in the
attacks. End Summary.

Virtual Shots Heard Round the World
-----------------------------------

2. (C)
Cyber attacks against Estonian websites began on April 27.
They came in the wake of rioting in Tallinn triggered by the
Government of Estonia's (GOE) preparations for relocating the
so-called "Bronze Soldier", a Soviet-era World War II monument
(Refs A and B). The attacks initially targeted GOE websites
including those of the Estonian President, Prime Minister,
Ministry of Foreign Affairs (MFA), Ministry of Justice (MOJ),
and Parliament, among others. According to Hillar Aarelaid,
Head of Estonia's Computer Emergency Response Team (CERT), the
initial attacks were technically unsophisticated and "seemed
more like a cyber riot than a cyber war." However, all our
Estonian interlocutors clearly recognized these attacks as
political in nature. Russian-language internet chat forums
held discussions exhorting people to attack Estonian sites and
supplied downloadable software tools to carry out the attacks.
According to CERT, these initial attacks were limited to spam
(a barrage of unsolicited emails) and cyber vandalism (e.g.,
Prime Minister Andrus Ansip's photo was defaced on the
Estonian Reform Party's website) and appeared to be nothing
more than a virtual mob reaction to the Bronze Soldier issue.
Estonian media and press commentators were quick to accuse
Moscow of being responsible, interpreting these attacks as
part of Russian retribution for moving the Bronze Soldier (Ref C).

3. (S)
However, on April 30, a broader range of cyber attacks -- from
simple spam postings to coordinated DDoS (Distributed
Denial-of-Service) attacks -- began against GOE sites. (Note.
In a DDoS attack, a large number of computers flood a specific
server or network with bogus queries in order to saturate the
target and prevent access by legitimate users. End Note.) For
example, the Presidential website, which
normally has a 2 million Mbps (megabits per second) capacity,
was flooded with nearly 200 million Mbps of traffic. While
none of the technology involved in the attacks was new,
tactics and tools routinely shifted to prevent Estonian
authorities from blocking the attacks. One of the most
pernicious tools in these attacks was "bots." (Note. Bots are
computers and/or servers that a third party has taken under
remote control. End Note.) These bot attacks came from ISPs (internet service
providers) around the world (e.g., the United States, Canada,
Russia, Turkey, Germany, Belgium, Egypt, Vietnam, etc.).
Attacks routinely came from one set of bots, subsided and then
resumed again using another set of bots with different ISPs.
According to Aarelaid, the attacks ranged from a single minute
to many hours in length. The longest attacks lasted over

ten hours and unleashed a crushing 90 million Mbps of traffic
on targeted endpoints. According to Mihkel Tammet, MOD
Director for Communications and IT, the GOE's assessment was
that a small but unknown number of individuals were behind
these more sophisticated cyber attacks, which quickly dwarfed
the traffic volume of the initial cyber rioters.

4. (S)
On May 3, the cyber attacks expanded beyond GOE sites and
servers to private sites. Hansabank and SEB, Estonia's two
largest banks, faced the most significant problems.
Swedish-owned Hansabank and SEB account for almost 75% of all
online banking in Estonia. (Note: Approximately 90% of all
money transfers and bill payments in Estonia are done online.
End Note.) Hansabank was well prepared with powerful servers,
alternate sites that mirrored its content (making it harder
for DDoS attacks to take the site down), and the ability to reallocate
access lines from foreign to domestic customers. However, even
though Hansabank's site remained online, Jaan Priisalu, Head
of Hansabank's IT Risk Management Group, estimated that it
came at a cost -- at least 10 million Euros ($13.4 million).
Hansabank also had to temporarily block access to its site by
all foreign ISPs so that there was enough broadband capacity
for its domestic clients. However, Hansabank was able to
create alternate access mechanisms for its largest foreign
customers. Correcting much of the press coverage in the early
days of the attacks, Priisalu said that while the cyber
attacks against Hansabank and SEB were a challenge, there was
no serious danger of Estonia's banking sector being shut down.

5. (S)
This second wave of cyber attacks also hit the websites of
Postimees, Estonia's paper of record, and Eesti Paevaleht, a
leading Estonian-language daily, which over two-thirds of
Estonians regularly visit for their news. "Imagine if you can
the psychological effect," Aarelaid asked us, "when an
Estonian tries to pay his bills but can't or get the news
online but can't." Because Estonia is one of the most wired
countries on the planet, GOE interlocutors viewed the evolution
of the attacks as a frightening threat to key economic and
societal infrastructure.

6. (S)
The attacks reached their apex on May 9, the Russian
anniversary of the end of World War II. To cope with the
rising volume of attacks, the GOE increased its broadband
capacity from two Gbps (Gigabits per second) to eight Gbps.
Hansabank, SEB, Postimees, and others also added servers to
increase broadband capacity. A EUCOM cyber defense expert
described it as a "cyber arms race" where the Estonians
repeatedly increased their broadband capacity to match the
increasing volume of cyber attacks (Ref D). Aivo Jurgenson, IT
Security Manager for Elion, Estonia's main telecommunications
and internet provider, told us that Elion increased the
"broadband pipe" for both government and private clients at a
frantic pace to keep up with the attacks. Jurgenson told us
that one GOE ministry increased its original server capacity
of 30 Mbps to 1 Gbps (1 Gbps equals 1000 Mbps). Jurgenson said
that this defensive response by the GOE and the private sector
was ultimately successful, but it was extremely expensive.

7. (S)
The number of attacks steadily declined after May 9 and 10,
allowing GOE and private sites to reduce their broadband
capacity. However, on May 15, there was an unexpected spike in
attacks that focused on Hansabank and SEB. In two separate and
coordinated 15-minute attacks, these two sites were hit with
over 400 bot attacks (roughly half the number of bot attacks
recorded on May 10) from multiple ISPs. The attacks
temporarily crashed SEB's site for 30 minutes. Since the May
15 spike, the number of attacks has declined and is now
hovering slightly above pre-April 27 numbers.

No Smoking Gun
--------------

8. (S)
On May 2, Foreign Minister Urmas Paet released a statement
that the MFA had proof that some of the attacks originated
from GOR ISPs. The Estonian and international press carried
Paet's claim, but CERT interlocutors distanced themselves from
the accusation. Aarelaid privately said to us that no "smoking
gun" incriminating Moscow has turned up and likely won't. The
use of bots, proxies, and spoofing tactics makes it extremely
difficult to determine with any certainty the origin of the
attacks. Press reports suggested that a million computers were
involved in the attacks. However, Aarelaid admitted that due
to Estonia's poor monitoring capability, CERT could only
speculate on the number of computers and servers attacking
Estonia, and had even less specific information on the origins
of the attacks. (Note. Aarelaid said that the one million
figure used by the press and the GOE came from a quote to the
press, taken out of context, in which he had tried to explain
that he could only speculate at a number anywhere from 1,000
to a million computers. End Note.)

9. (S)
The GOE believes it has enough circumstantial evidence to link
Moscow with the attacks. As President Ilves told the
Ambassador, renting the large number of bots used in these
attacks is an expensive business. Moreover, as Aarelaid
repeatedly asked us in conversations, "Who benefits from these
attacks?" He speculated that the probing nature of the attacks
on specific government and strategic private sector targets
through the use of anonymous proxies fit the modus operandi of
the Putin regime testing a new "weapon." Tammet told us that
the GOE now feels that their original assessment of a "cyber
riot" may have been incorrect. "Looking at the patterns of the
attacks, it is clear that there was a small core of
individuals who intended to launch their attack on May 9,"
Tammet explained, "but when the MOD announced its plans to
move the Bronze Soldier on April 27, they moved up their plans
to try to link the attacks with the monument's removal."
Estonian analysis of these later sophisticated attacks and
organization through Russian-language internet forums has led
them to believe that the key individuals tried to disguise
their initial attacks as a cyber riot. "You don't expect
spontaneous, populist cyber attacks to have a pre-determined
list of targets and precise dates and times for coordinated
attacks," said Tammet.

10. (S)
GOE interlocutors expressed their frustration that their
requests for information from the GOR or action on
Russian-based ISP attacks were not answered or acted upon.
Aarelaid complained that cooperation with Russia's CERT was
almost nonexistent. Even at the height of the Bronze Soldier
controversy, GOE interlocutors who regularly work with their
Russian counterparts (e.g., law enforcement, customs and tax,
border guards, etc.) tell us that working level cooperation
was positive. In comparison, the lack of responsiveness by the
GOR and Russian CERT personnel only diminished Russia's claims
of innocence in the eyes of the Estonians.

11. (S)
On May 29, Konstantin Koloskokov, Commissar of the pro-Kremlin
youth group Nashi in Transnistria, claimed responsibility for
some of the early cyber attacks. While not discounting the
possibility of his involvement, Aarelaid noted that some of
the attacks were extremely sophisticated, beyond the technical
abilities of an amateur. To illustrate the point, Jurgenson
and Aarelaid described an attack that used a mysterious data
packet to crash a GOE and Elion router so quickly that the
Estonians are still uncertain how it was done. Aarelaid
described in detail a number of additional attacks using
different tools, techniques, and targets to argue that an
organized group with deep financial backing was the likeliest
culprit. "Koloskokov is window dressing," said Jurgenson, "a
convenient set-up by the real perpetrators."

PHILLIPS