Cyber Incident Victim: Estonia

Date: Apr 2022

Location: Estonia

Summary

A series of DDoS attacks targeted government-related websites, aiming to overwhelm them with massive volumes of malicious requests—peaking at approximately 700 million queries—primarily originating from outside Europe. The attacks caused only minor disruptions, including brief periods of inaccessibility for some portals, as defensive measures by the national cybersecurity authority and partners successfully filtered malicious traffic before systemic impact. Mitigation efforts included real-time adjustments to web configurations and traffic throttling, with no significant anomalies detected in other state IT systems. The incidents coincided with an international cyber exercise, and authorities suggested geopolitical motivations linked to the country's foreign policy positions, though no actor was formally attributed.

Description

The incident began on Thursday, April 21, 2022, around 16:00, when distributed denial-of-service (DDoS) attacks targeted multiple Estonian government and government-affiliated websites. Initial targets included eesti.ee, id.ee, politsei.ee, vm.ee, president.ee, and other state-related portals. Attackers flooded these sites with malicious traffic in an attempt to overwhelm servers and disrupt public access. The Estonian Information System Authority (RIA) and its Cyber Incident Handling Department (CERT-EE) immediately detected the attacks, noting minor operational disruptions where some portals became temporarily inaccessible. RIA Director Tõnu Tammer indicated the attacks likely sought to create inconvenience during Estonia’s hosting of the international Locked Shields cyber exercise, while also acknowledging Estonia’s geopolitical posture—including its condemnation of Russia’s war in Ukraine—as a potential motivator for threat actors. RIA activated pre-approved DDoS mitigation measures funded through a supplementary government budget.

The attacks persisted overnight into Friday, April 22, with renewed intensity targeting RIA’s own systems and additional websites like ccdcoe.org, elron.ee, and tallinn-airport.ee. By Friday morning, attackers had generated approximately 700 million malicious requests, predominantly from outside Europe. CERT-EE collaborated with service providers to implement real-time technical adjustments, including traffic filtering and rate limiting, which contained most disruptions. While sporadic outages occurred—such as brief inaccessibility of some sites—mitigation efforts minimized user-facing impacts. By Saturday, April 23, attack volumes decreased to roughly 75 million requests per targeted site, with CERT-EE describing the cyber environment as calmer than the previous day. Throughout the incident, RIA confirmed no anomalies in backend IT systems beyond web portal availability issues. Tammer emphasized preparedness for prolonged attacks but noted defensive measures had proven effective. Monitoring continued without evidence of escalated impacts or successful network breaches beyond temporary service interruptions.
