12/3/2017 Fake news and botnets: how Russia weaponised the web | Technology | The Guardian

Fake news and botnets: how Russia weaponised

the web
The digital attack that brought Estonia to a standstill 10 years ago was the first shot in a cyberwar that has
been raging between Moscow and the west ever since

Hannes Grassegger and Mikael Krogerus

Saturday 2 December 2017 13.00 EST

I t began at exactly 10pm on 26 April, 2007, when a Russian-speaking mob began rioting in the
streets of Tallinn, the capital city of Estonia, killing one person and wounding dozens of others.
That incident resonates powerfully in some of the recent conflicts in the US. In 2007, the
Estonian government had announced that a bronze statue of a heroic second world war Soviet
soldier was to be removed from a central city square. For ethnic Estonians, the statue had less to
do with the war than with the Soviet occupation that followed it, which lasted until independence
in 1991. For the country’s Russian-speaking minority – 25% of Estonia’s 1.3 million people – the
removal of the memorial was another sign of ethnic discrimination. Russia’s government warned
that the statue’s removal would be “disastrous” for Estonia.

That evening, Jaan Priisalu – a former risk manager for Estonia’s largest bank, Hansabank, who
was working closely with the government on its cybersecurity infrastructure – was at home in
https://www.theguardian.com/technology/2017/dec/02/fake-news-botnets-how-russia-weaponised-the-web-cyber-attack-estonia?CMP=fb_gu 1/7
12/3/2017 Fake news and botnets: how Russia weaponised the web | Technology | The Guardian

Tallinn with his girlfriend when his phone rang. On the line was Hillar Aarelaid, the chief of
Estonia’s cybercrime police.

“It’s going down,” Aarelaid declared. Alongside the street fighting, reports of digital attacks were
beginning to filter in. The websites of the parliament, major universities, and national newspapers
were crashing. Priisalu and Aarelaid had suspected something like this could happen one day. A
digital attack on Estonia had begun.

Estonia boasts the most technologically advanced system of government in the world. Every
citizen possesses a digital identity – an identification number and login code for access to
completely digitised interactions with the state. Estonians can vote online, file their taxes, check
medical records, access the national health care system, and receive notifications of most
government attempts to access their personal records. About 97% of the country uses digital
banking. The Estonian national ethic is built on the idea that every citizen is transparent and the
state is too. This makes Estonia extremely efficient – and extremely vulnerable. “We live in the
future. Online banking, online news, text messages, online shopping – total digitisation has made
everything quicker and easier,” Priisalu said. “But it also creates the possibility that we can be
thrown back centuries in a couple of seconds.”

Over the following two nights, as the street battles began to wane, the attacks on Estonia’s
technological infrastructure picked up. The authorities were slow to recognise what was
happening. It wasn’t until 24 hours later when the national defence minister realised he was
unable to log on to the ruling party’s website that they knew they had a major problem on their
hands. Then the mail server for parliament crashed. News sites began to falter. Some of the
country’s most widely read publications disappeared altogether.

Priisalu began to analyse the streams of data besieging the country’s institutions. Vast “botnets” –
networks of captured and linked computers – were attempting to bring down computer systems
with automated queries as part of a large DDoS (distributed denial-of-service) attack. “Mail-
bombing” email barrages and volleys of status and location queries overloaded servers across the
country, bringing crucial parts of the Estonian internet to a halt. Some websites, according to the
BBC, were “defaced,” redirecting users “to images of Soviet soldiers and quotations from Martin
Luther King Jr about resisting evil”. “War dialling”, in which automated phone calls target a
company or institution, placed a virtual blockade on phone numbers for government offices and
parliament. On 10 May, Hansabank, Estonia’s biggest bank, had to cease online services and
international card transactions temporarily.

A car is left overturned by the violence in Tallinn in April 2007.

Photograph: STRINGER/AFP/Getty Images
https://www.theguardian.com/technology/2017/dec/02/fake-news-botnets-how-russia-weaponised-the-web-cyber-attack-estonia?CMP=fb_gu 2/7
12/3/2017 Fake news and botnets: how Russia weaponised the web | Technology | The Guardian

The digital firepower arrayed against Estonia was massive and intense. One thousand data packets
per hour were travelling through the country’s networks on the first day. On the second day, it was
2,000 per hour. At its highest point, it was 4m per second. Ordinary computer users, many of
them with no prior hacking experience, volunteered to become “script kiddies,” wielding
premade freeware code scripts to contribute to the attack. Botnets cost money, and this was
funded by online accounts that anyone could pay into. The attacks seemed somehow to have been
outsourced, with the cost of the aggression crowdfunded.

The government was baffled. Were the attacks the opening moves of a military invasion? Estonia
had recently joined Nato, despite the vocal protests of its Russian neighbour. Should it activate
Article 5, the mutual defence clause of the security group’s charter?

Finally, on 19 May, 2007, the attacks were stopped. The Estonians had implemented a simple,
almost absurdly sad solution: they pulled the plug. The most wired country in the world severed
its international electronic connections and largely disappeared from the internet, bringing what
military historians now call the first internet war to an abrupt halt. It was a decisive victory for
whoever had perpetrated the attacks.

No one has ever claimed responsibility, but it soon became apparent to Priisalu and many others
that Russia was responsible. Russia had an obvious, and publicly stated, political motive: its
opposition to the removal of the statue. More importantly, the events in Estonia helped crystallise
an emerging consensus that cyber-attacks could constitute warfare. The attacks on its digital
infrastructure had paralysed parliament, shut down banks, and fuelled violence in the streets. It
was, Priisalu concluded, undoubtedly an act of war.

Perhaps more telling was the fact that the strategies used in Estonia had already been included in
a Russian manual of war. In 1998, Sergei P Rastorguev, a Russian military analyst, published
Philosophy of Information Warfare, which included a lengthy version of this anecdote:

Once there was a fox that wanted to eat a turtle, but whenever he tried to, it withdrew into its
shell. He bit it and he shook it, but he wasn’t getting anywhere. One day he had an idea: he made
the turtle an offer to buy its shell. But the turtle was clever and knew it would be eaten without
this protection, so it refused. Time passed, until one day there appeared a television hanging in a
tree, displaying images of flocks of happy, naked turtles – flying! The turtle was amazed. Oh! They
can fly! But wouldn’t it be dangerous to give up your shell? Hark, the voice on television was
announcing that the fox had become a vegetarian. “If I could only take off my shell, my life would
be so much easier,” thought the turtle. “If the turtle would only give up its shell, it would be so
much easier to eat,” thought the fox – and paid for more broadcasts advertising flying turtles. One
morning, when the sky seemed bigger and brighter than usual, the turtle removed its shell. What
it fatally failed to understand was that the aim of information warfare is to induce an adversary to
let down its guard.

Rastorguev said that one of the most effective weapons in modern conflict was information – or
more accurately, disinformation, like the fake news and social media posts that US audiences have
been reading since last year’s presidential election, or the stories that whipped Estonian protesters
into a frenzy in 2007. The core concept of cyberwar has to be understood as something broader
than hacks or the defacement of websites. It is psychological manipulation, executed with
targeted digital disinformation designed to weaken a country from within. Thus, no smoking gun
will ever be found: “The Russian theory of war allows you to defeat the enemy without ever

https://www.theguardian.com/technology/2017/dec/02/fake-news-botnets-how-russia-weaponised-the-web-cyber-attack-estonia?CMP=fb_gu 3/7
12/3/2017 Fake news and botnets: how Russia weaponised the web | Technology | The Guardian

having to touch him,” says Peter Pomerantsev, author of Nothing is True and Everything is Possible.
“Estonia was an early experiment in that theory.”

Since then, Russia has only developed, and codified, these strategies. The techniques pioneered in
Estonia are known as the “Gerasimov doctrine,” named after Valery Gerasimov, the chief of the
general staff of the Russian military. In 2013, Gerasimov published an article in the Russian
journal Military-Industrial Courier, articulating the strategy of what is now called “hybrid” or
“nonlinear” warfare. “The lines between war and peace are blurred,” he wrote. New forms of
antagonism, as seen in 2010’s Arab spring and the “colour revolutions” of the early 2000s, could
transform a “perfectly thriving state, in a matter of months, and even days, into an arena of fierce
armed conflict”.

Vladimir Putin makes a toast with the Russian military chief of staff
Valery Gerasimov in 2016. Photograph: Mikhail Svetlov/Getty Images

Russia has deployed these strategies around the globe. Its 2008 war with Georgia, another former
Soviet republic, relied on a mix of both conventional and cyber-attacks, as did the 2014 invasion
of Crimea. Both began with civil unrest sparked via digital and social media – followed by tanks.
Finland and Sweden have experienced near-constant Russian information operations. Russian
hacks and social media operations have also occurred during recent elections in Holland,
Germany, and France. Most recently, Spain’s leading daily, El País, reported on Russian meddling
in the Catalonian independence referendum. Russian-supported hackers had allegedly worked
with separatist groups, presumably with a mind to further undermining the EU in the wake of the
Brexit vote.

As the smoking gun is often missing, we shouldn’t fall for every allegation of assumed Russian
involvement. Still, certain patterns have emerged from these conflicts, allowing experts to draft a
rough model of the techniques Russia uses to destabilise its opponents. First, people’s trust in one
another is broken down. Then comes fear, followed by hatred, and finally, at some point, shots are
fired. The pattern was particularly striking in Crimea. People posted reports on Facebook about
gross mistreatment by Ukrainians; dramatic messages circulated on Instagram about streams of
refugees fleeing the country; billboards suddenly appeared in Kiev bearing pro-Russian slogans;
demonstrations followed. Rising suspicion and mutual mistrust split Ukrainian society. In a
matter of months, fighting broke out. Russia used the conflict as a pretext to send in “aid
convoys”, presenting itself as a benevolent responder to an emergency.

https://www.theguardian.com/technology/2017/dec/02/fake-news-botnets-how-russia-weaponised-the-web-cyber-attack-estonia?CMP=fb_gu 4/7
12/3/2017 Fake news and botnets: how Russia weaponised the web | Technology | The Guardian

The Kremlin has used the same strategies against its own people. Domestically, history books,
school lessons, and media are manipulated, while laws are passed blocking foreign access to the
Russian population’s online data from foreign companies – an essential resource in today’s global
information-sharing culture. According to British military researcher Keir Giles, author of Nato’s
Handbook of Russian Information Warfare, the Russian government, or actors that it supports, has
even captured the social media accounts of celebrities in order to spread provocative messages
under their names but without their knowledge. The goal, both at home and abroad, is to sever
outside lines of communication so that people get their information only through controlled
channels.

We spoke with Priisalu on a couple of occasions earlier this year and asked him what we should be
most afraid of. Priisalu considered this for a moment. “Information warfare,” he said.

Since 2007, Estonia has established itself as a global hub for thinking about cyber-attacks and,
more broadly, about what constitutes an act of war in the internet age. Priisalu has been at the
forefront. In 2008, he helped establish the Cooperative Cyber Defence Centre of Excellence, a
Nato-funded international research centre in Tallinn that brings together cybersecurity experts
from around the world. Each year the centre hosts Locked Shields, the world’s largest
international cyberwar exercise. In this year’s simulation, 25 member states enlisted
representatives to fight off thousands of simultaneous attacks on a virtual country called
Crimsonia. The progress of the battle was rendered visually and beamed on to giant screens. Some
“soldiers” came in suits, others in sweatshirts – but most logged in from home.

Priisalu has also helped build Europe’s first volunteer cyber-army. In 2011, his network of
freelance cyberfighters was consolidated into a new sub-unit of the Estonian military’s armed
reserves, the paramilitary Estonian Defence League. The logo of the Estonian Cyber Defence Unit
(CDU) depicts an eagle with a sword in its right claw and a shield in its left displaying an @ sign.
The names of its members and the numbers in its ranks are secret. If called on in an emergency,
they will take up battle stations at their computers.

The US has adopted some of Estonia’s programs in its own efforts to combat cyber incursions. In
2009, the American government established its own Cyber Command centre, under the NSA, at
Fort Meade in Maryland. Last July, the Trump administration split the command off as an
independent agency with a proposed $647m annual budget, 133 operational teams and as many
as 6,200 workers. Likewise, the Department of Defense has developed its own cybersecurity
infrastructure, with dedicated digital “national mission teams” and “combat mission teams”. But
the next step in the west’s collective defensive strategy is to develop a consensus about what,
legally, constitutes an act of cyberwar.

The question is how the west can maintain its core values of freedom of speech and the free flow
of information while protecting itself from malevolent geopolitical actors? For centuries, eastern
European countries such as Estonia relied on walls, watchtowers, and fortresses to keep out
invaders. The US became the world’s most powerful country in part because it was insulated from
foreign threats by vast oceans on two sides. In the internet age, traditional borders are less
effective.

To survive in the era of information warfare, every society will have to create ways of
withstanding cyber-attacks. Blockchain technology, the underlying protocol of cryptocurrencies
such as bitcoin, might for example function as a sort of digital fortress protecting the secure
exchange of information online. Whatever form these defences take, democratic countries will
https://www.theguardian.com/technology/2017/dec/02/fake-news-botnets-how-russia-weaponised-the-web-cyber-attack-estonia?CMP=fb_gu 5/7
12/3/2017 Fake news and botnets: how Russia weaponised the web | Technology | The Guardian

have to focus more resources on finding and spreading potent and reliable technologies, whether
in partnership with private companies or in government cyber labs in Estonia or the US. But we
will also have to accept the sobering reality that these attacks, like guerilla warfare and suicide
bombings, aren’t going away. What’s more, other countries area already aping theses techniques.
Russia may be the world’s most open cyberwarfare aggressor –but it’s far from the only one. Iran,
Israel, North Korea and the United States, and perhaps other countries, are all active. Permanent
globalized digital warfare might become the new cost of living in a connected world.

This is an edited version of a story first published in Das Magazin, Switzerland. Translation by
Edward W Sutton

Since you’re here …

… we have a small favour to ask. More people are reading the Guardian than ever but advertising
revenues across the media are falling fast. And unlike many news organisations, we haven’t put
up a paywall – we want to keep our journalism as open as we can. So you can see why we need to
ask for your help. The Guardian’s independent, investigative journalism takes a lot of time, money
and hard work to produce. But we do it because we believe our perspective matters – because it
might well be your perspective, too.

I appreciate there not being a paywall: it is more democratic for the media to be available for all
and not a commodity to be purchased by a few. I’m happy to make a contribution so others with
less means still have access to information. Thomasine F-R.
If everyone who reads our reporting, who likes it, helps fund it, our future would be much more
secure. For as little as $1, you can support the Guardian – and it only takes a minute. Thank you.

Support the Guardian

Topics
Cyberwar
The Observer
Hacking
Internet
Espionage
Estonia
Europe
features

https://www.theguardian.com/technology/2017/dec/02/fake-news-botnets-how-russia-weaponised-the-web-cyber-attack-estonia?CMP=fb_gu 6/7
12/3/2017 Fake news and botnets: how Russia weaponised the web | Technology | The Guardian

https://www.theguardian.com/technology/2017/dec/02/fake-news-botnets-how-russia-weaponised-the-web-cyber-attack-estonia?CMP=fb_gu 7/7