Estonia hosts NATO-led cyber war games, with one eye on Russia

TALLINN, Estonia — Two months after Russia’s invasion of Ukraine, the cyberwar that experts feared has yet to materialize. But in the tiny Baltic nation of Estonia, digital disaster is playing out nicely.

Over the last week, the NATO Cooperative Cyber Defense Center of Excellence hosted the 10th edition of one of the world’s largest annual interactive cybersecurity drills.

Over 2,000 participants from 32 countries formed teams and logged in remotely to help defend regions of Berylia — an imaginary island nation in conflict with its Southern neighbor, Crimsonia — represented by organizers in Tallinn, Estonia’s capital city. Participants included cybersecurity experts from governments and private companies, as well as academics.

While the countries are fake, the threats are real — a subject of increasing attention as experts continue to warn Russia could launch destructive digital attacks on Ukraine and its allies in the West.

Estonia’s digital revolution

In Estonia, where Russia launched one of the earliest destructive cyberattacks in 2007, things are even more serious. After Estonia gained independence from the former Soviet Union in 1991, its leaders pushed for a digital revolution, and today, almost all government and private services are online.

During the cyber drills, teams were responsible for protecting those critical services, which were under constant attack. They were tasked with keeping the power grid running, responding to disinformation and propaganda over social media, and protecting a new 5G substation.

They also had to prevent any interference with a financial communication system similar to SWIFT, which allows for secure financial transactions between international banks. Russian banks have recently been banned from SWIFT in light of Russia’s invasion. Finally, the exercise included defending remote work environments, an addition inspired by cybersecurity threats emerging from the Covid-19 pandemic.

A hotel room as battleground

During a tour of the exercise war room at a hotel in Tallinn, organizers from different teams told NPR about the different challenges the teams face.

Beyond the technical, that also includes answering legal questions and responding to media requests, making strategic and political decisions, identifying and isolating digital threats as they were launched, and even working with other teams in case of an emergency, like connecting a failing power grid to a neighboring region to keep it online. The name of the exercise, Locked Shields, is inspired by the military concept of linking defenses and working together, explained exercise director Carry Kangur.

Mehis Hakkaja, the founder and CEO of cybersecurity company Clarified Security, was the leader of the red team, or the attackers. He said his team’s strategy was to launch distracting, unsophisticated attacks early in the exercise, like website defacements. Then they would slowly burrow their way into a team’s office computers and infiltrate the rest of the network.

That strategy is a mirror of what happens in the real world. For example, as Russia was launching early cyberattacks during the ongoing war in Ukraine, unsophisticated denial of service attacks on government websites drew attention while Russia was actually launching more destructive and subtle attacks, including deploying wiper malware on satellite servers and other Ukrainian government devices to render them inoperable.

Fake targets, real malware

The targets in the exercise, like the Berylia Institute of Virology, are fake, but the technology and the malware used to attack it are real. Some of the technology was donated by companies like Siemens, manufacturers of industrial infrastructure.

Urmas Ruuto, the Chief of the Technology Branch at the NATO Cyber Center, helped design the game’s systems. He showed reporters large screens representing the power grid in Berylia, the water purification system, voice over IP servers representing the phone lines, satellite communications channels, and a financial messaging system.

It’s easy to track how teams are doing.

“If it turns red, that means there is trouble,” said Ruuto. And if a team fails to protect its region from an attack on the power grid that would cause physical destruction in real life, the organizers will set off real firecrackers to represent the damage.

For the first time this year, teams have to defend a new 5G substation, cutting edge technology that’s caused controversy over recent years due to the Chinese company Huawei’s ambitions to develop and monopolize its release. Currently, most phone companies claim to have released 5G, but are actually offering 4G with additional bandwidth, Ruuto explained.

Additionally, teams faced a wider range of social media influence campaigns. In the war room, organizers in Tallinn had a green screen to film TikTok style videos at any point in the exercise, responding to teams as they posted their own messages.

Estonia’s cyber conscripts

Siim Marvet is a trainee in Estonia’s military Cyber Command unit. His job during the cyber drills was to monitor web logs for potentially suspicious code as well as making sure there was no evidence of website defacements or alterations of digital news articles during the exercise.

In Estonia, a small nation on Russia’s border, people are still conscripted into military training. Marvet is a cyber conscript, meaning he applied to do his military training with the cyber units, who not only work on computers but are trained in wilderness survival, which includes testing technology in the woods to make sure it would function during a potential conflict.

Adrian Venables, the mastermind behind the plot of the cyberwar drill, explained that the scenario focused on disputes between the two imaginary islands and groups of smaller surrounding islands, as well as tensions between minority populations.

He told NPR that he had no lack of real-world inspiration when drafting the story teams would engage with. He said he is already working on both the next exercise to take place in Estonia, an offensive cybersecurity drill called Crossed Swords, and next year’s Locked Shields.

The exercise “has been in the works for a year,” explained Col. Jaak Tarien, the director of the NATO Cyber Center, during a briefing. “But the war in Ukraine has been going on since 2014. Russia has been attacking the power grid,” for example, he said. Ukrainian businesses were also the target of a destructive attack later called NotPetya, which ultimately got loose and damaged companies around the world, costing billions of dollars in damages.

The war unites hackers in the ‘free world’

The exercise organizers told NPR they were not surprised by Russia’s ongoing digital attacks on Ukraine, though Col. Tarien said he was impressed by how Russia’s invasion “has united hackers in the free world,” referring to how hacktivists from around the world have joined forces with a new Ukrainian volunteer hacker army to target Russia. “It’s quite unique,” he said.

Tarien also said Ukraine has been surprising Russia, both in its military defenses and its ability to fend off cyberattacks. According to Taurien, he still frequently communicates with his colleagues in Ukraine. “When I’m sending emails to them, they are coming back.”

Despite the war, cybersecurity professionals from Ukraine partnered with a team from the United States to participate in the exercise. After some earlier resistance, Ukraine was recently invited to be a contributing member of the NATO Cyber Center, particularly given the valuable intelligence about Russian cyberattacks Ukrainian experts can provide.

When the exercise concluded, a Finnish team won, earning the most points in both technical defending and strategic decision making.

In Estonia, the target of one of the first major nation-on-nation cyberattacks from Russia, experts and average people alike recognize that digital attacks are a part of Russia’s strategy. While cyberattacks haven’t been as destructive as many expected in the war on Ukraine, Estonian officials warn that the threat has not been eliminated.

“The fact of the matter is that the almighty cyber power of Russia did not roll out,” Permanent Secretary Kusti Salm, the highest civilian defense official in Estonia, told NPR. “But clearly it would be extremely false to draw a conclusion that they are not capable.”

Copyright 2022 NPR. To see more, visit https://www.npr.org.