Date: Apr 2022

Location: Estonia

Summary

A series of distributed denial-of-service (DDoS) attacks targeted Estonian state and state-affiliated websites over two consecutive days, including the NATO Cooperative Cyber Defence Centre of Excellence's web domain. The attacks involved massive volumes of malicious requests—peaking at approximately 700 million—primarily originating from outside Europe, causing intermittent short-term disruptions to some sites. Mitigation efforts by national cybersecurity teams and service providers, including traffic filtering and technical adjustments, minimized user-facing impacts, with most services remaining operational and no significant downtime reported during the second day. While the attackers' identity remained unconfirmed, authorities indicated awareness of potential culprits but withheld specifics to avoid amplifying attention.

Description

On April 21, 2022, distributed denial-of-service (DDoS) attacks targeted Estonian state and state-affiliated websites, including systems operated by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE). The attacks began on Thursday and continued into Friday, April 22, with intermittent intensity. Initial attacks on Thursday subsided around 11 PM but resumed overnight into Friday. The Estonian Information System Authority (RIA) reported that the impact during this initial phase was limited, with only brief periods of unavailability for some websites. By Friday morning, attackers renewed their efforts, directing high volumes of malicious traffic toward RIA systems and specific websites, including ccdcoe.org, elron.ee (Estonian railway operator), and tallinn-airport.ee. Attackers generated approximately 700 million malicious requests by Friday afternoon, with most originating from outside Europe. RIA and CERT-EE, Estonia’s national cybersecurity response team, noted the attacks relied on mass request floods to overwhelm target infrastructure.

CERT-EE, under director Tõnu Tammer, coordinated mitigation efforts with service providers, implementing additional technical measures to limit disruption. Response actions included real-time adjustments to web server configurations, traffic filtering to block malicious requests, and rate limiting to reduce attack effectiveness. These measures minimized user-facing impacts: while some websites experienced short-term outages, most remained accessible, and by 12:30 PM on Friday, no targeted sites showed operational disruptions. Tammer emphasized that ordinary users largely remained unaffected due to rapid containment efforts. RIA and CERT-EE declined to publicly attribute the attacks, citing a policy of avoiding unconfirmed claims that might grant undue attention to perpetrators. The incident concluded without significant operational or reputational damage to targeted entities, reflecting effective collaboration between CERT-EE and organizational IT teams in neutralizing the threat.
