Estonian official says parliamentary elections were targeted by cyberattacks

Estonia's parliamentary elections this month were unsuccessfully targeted by cyberattacks, one of the country's leading cybersecurity officials told The Record.

The elections marked the first time that the majority of Estonians cast ballots using the country’s internet voting system. While officials in countries like the United Kingdom have domestically warned that such systems introduce risks that could threaten the integrity of the vote, the Estonian government is confident its process is safe.

Gert Auväärt, who heads the National Cyber Security Centre-Estonia (NCSC-EE), told The Record that his team had been in a “heightened awareness level for two weeks” during the campaign, and that attempts to enter the electoral system were unsuccessful.

“There's no point in calling for a press conference and going and saying that this happened. Nothing out of the ordinary happened, nothing happened that hasn't happened the week before, or the week before that. We’ve been in sort of a cyber… I’m not going to use ‘war’, but we've been under a massive wave [of attacks] for a year now.

“We went into a raised level — we have Alpha, Bravo, Charlie — so we went into Bravo last year in January and we haven't lowered it. We don’t know when we'll go back to green, to ‘all calm.’ It's not calm,” said Auväärt.

He declined to offer a detailed description of the attacks, but he stressed that they weren’t successful. They covered a wide range of recognized threat actor behavior, he said.

Kaja Kallas, Estonia’s prime minister, told the Munich Cyber Security Conference in February that since the beginning of the war in Ukraine, cyberattacks against her country had been increasing and changing.

“We see now, the Russian attacks — actually, they are not attributed officially, so maybe I can’t say this so openly — but the attacks on our systems, we see that they are learning,” Kallas said. “They see that ‘OK, these things are not going through’ so they are improving and constantly trying new ways to really undermine our system.”

Estonia is recognised among NATO allies as an authority on Russia. Its foreign intelligence service was praised highly by Sir Richard Moore, the chief of the U.K.’s MI6, at the Aspen Institute last year: “I mean, gosh, pound-for-pound [they] probably knock us into a cocked hat.”

Despite almost a quarter of Estonia’s 1.3 million inhabitants being ethnic Russians, there is no significant sympathy for the invasion of Ukraine among its political parties.

Kallas leads the liberal Reform party, which secured the largest proportion of votes in this month’s election, increasing the party’s number of seats. She is likely to stay on as head of government once coalition negotiations conclude.

The Centre Party, historically the most popular among Russian-speaking Estonians, received 28% fewer votes than it received in the 2019 election. The main opposition party, the nationalist EKRE — which criticized military equipment being sent to Ukraine — also received fewer votes than before.

Alleged Russian operations targeting European states — especially those that share a border with it — have continued during the war in Ukraine. The president of Moldova issued a warning in February about a Russian plot to overthrow her country’s government, while Microsoft in December urged customers to be alert to cyber-enabled influence operations which Russia could deploy “in parallel with cyber threat activity” to provoke social tensions in Europe.

NCSC-EE’s Auväärt said: “We are no different than any other country going through elections. Always there are attempts [at interference],” ranging from information operations to distributed-denial-of-service (DDoS) attacks and phishing campaigns.

The attempts this month “didn't hinder or have any effect on the election process itself, either the paper balloting going on or the internet-based voting,” said Auväärt, adding that “attempts to break into the system and to try and manipulate it” were not just part of the election cycle, but “constant.”

Estonia has faced “massive waves” of cyberattacks over the past year, he added, a period during which Estonia has provided more military equipment to Ukraine as a proportion of its GDP per capita than any other nation.

Each of these waves followed a moment of political tension between Estonia and Russia, such as when Estonia’s Parliament decided to formally describe Russia as a terrorist state, and Ukrainian President Volodymyr Zelensky made a remote address to Estonia’s politicians.

Back in 2007, just a few years after joining NATO, Estonia was impacted by a wave of cyberattacks when it relocated a Soviet war memorial from the center of the capital Tallinn to a military cemetery a few kilometers away. Officials blamed Russia for the incidents.

The digital attempts to hobble the country were groundbreaking. They showed what a nation could face as a result of cyber hostilities and prompted a major research effort into cyberwarfare at NATO, eventually leading to the NATO Cooperative Cyber Defence Center of Excellence being founded in Tallinn in 2008.

“Whatever daily business you conduct that irritates their worldview or their perception of things, immediately there is a response and the response usually is in this massive wave of DDoS attacks,” said Auväärt.

DDoS attacks against Estonian government websites, including the parliamentary website and the president’s website, continued throughout the election, he said. These attacks attempted to take the websites offline by sending too many requests for the servers to handle, meaning authentic attempts to load the page went unanswered.

While DDoS attacks can use different communications protocols to prevent a server from responding to legitimate requests, the Estonian incidents were typically application layer, or Layer 7, attacks — using HTTP requests (the type used to load a web browser page). While they were not technically sophisticated attacks, the scale was surprising, said Auväärt.

“For the first quarter of last year, we were the seventh [most targeted country] on the planet. We’re a country of 1.3 million people, so like a suburb of London population-wise. If you put that into perspective then it shows the level of interest of some people who want to put the emphasis here [on Estonia] with their attacks,” he added.

“It’s not the highest on the planet, but it’s just — to put it bluntly — it’s weird to want to try that much to get the system down. Where the moment of pride comes, of course, is in the fact that we maintained our systems up and running,” Auväärt added.

Pro-Russian hacktivist group Killnet last November targeted the website of Estonia’s intelligence services using a botnet, while another Russian-linked DDoS group, Anonymous Sudan, has been identified using paid-for infrastructure to generate DDoS traffic, indicating that it had some kind of sponsorship.

Auväärt told The Record “there's more variety than just the two options that you listed,” regarding botnet or paid-infrastructure DDoS traffic.

“We know who is behind them and we have the data to go down the rabbit hole and see where it originated. But we're not in the business of attribution,” he said. “It's not our goal first of all, and secondly, this is exactly what they're looking for: ‘Look what we did, look where we succeeded,’ so we don't specifically voice out publicly whoever it was.”