Estonian officials told U.S. diplomats that they believed the Russian government was involved in the 2007 cyberattacks against their country, a leaked U.S. State Department cable published Monday said.
The attacks were the first sustained campaign that targeted a nation's information infrastructure, although others have occurred since, including one against the former Soviet republic of Georgia in 2008. Russian hackers were also blamed for the Georgian attacks.
Estonia's cyber problems began in April 2007, when distributed denial-of-service (DDoS) attacks crippled the site for Estonia's prime minister, struck the domains of the nation's two largest banks and targeted other, smaller sites as well.
The attacks started after Estonia announced it was relocating a Soviet-era war memorial, called the "Bronze Soldier," and peaked on May 9, Russia's Victory Day that marks the surrender of Germany in World War II. A week later, the attacks petered out.
In a cable dated June 4, 2007, from the U.S. embassy in Tallinn, Estonia's capital, American diplomats reported that Estonian sources first believed the attacks were more "cyber riot" than cyberwar, but later changed their minds.
"The [government of Estonia] believes it has enough circumstantial evidence to link Moscow with the attacks," the U.S. cable stated, citing a conversation between Estonia's president, Toomas Hendrik Ilves, and the U.S. ambassador at the time, S. Davis Phillips. "Moreover, as [name redacted] repeatedly asked us in conversations, 'Who benefits from these attacks?' He speculated that the probing nature of the attacks on specific government and strategic private sector targets through the use of anonymous proxies fit the modus operandi of the Putin regime testing a new 'weapon.'"
Vladimir Putin, now the prime minister of Russia, was its president in 2007.
Others, including security researchers, tagged the Estonian attacks as akin to online rioting. But Estonia wasn't buying that.
Another Estonian source told U.S. embassy personnel that a "small core of individuals" pre-planned and coordinated the attacks. Estonia said its monitoring of Russian-language hacker forums prior to opening attacks on April 27 indicated that the hackers had originally pegged May 9 as the strike date.
"When the [Ministry of Defense] announced its plans to move the Bronze Soldier on April 27, [the attackers] moved up their plans to try to link the attacks with the monument's removal," the source told U.S. diplomats. "You don't expect spontaneous, populist cyber attacks to have a pre-determined list of targets and precise dates and times for coordinated attacks," said the source, whose name was struck from the cable published by WikiLeaks. The DDoS attacks forced Swedish-owned Hansabank, one of Estonia's two largest banks, to spend at least [euro]10 million ($13.4 at the time) to defend itself, the cable reported. Hansabank and its main rival, SEB, brought more servers online and bought more bandwidth capacity to weather the attacks.
Estonian officials also told the U.S. that they had received no cooperation from Putin's government or the Russian Internet service providers that they suspected were used by attackers.
"[Name redacted] complained that cooperation with Russia's CERT was almost nonexistent," the embassy said. "The lack of responsiveness by the [government of Russia] and Russian CERT [computer emergency response team] personnel only diminished Russia's claims of innocence in the eyes of the Estonians."
The cable was one of the 1,200 that WikiLeaks has published in the last two weeks from its cache of more than 250,000 State Department messages.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org.