Cyber defenders fight hackers in high-tech Estonia war games

Attacks on vital systems and fake news are all part of Locked Shields exercise

The attack on the airbase began with a salvo of fake news. "A report appeared saying drones were using nerve gas," said Lauri Luht, crisis management chief for the cyber security department of Estonia's information system authority.

"Through the day they attacked everything, all the infrastructure of the base," added Klaid Magi, head of the same department's incident response unit.

“We’re basically protecting the whole military infrastructure of this ‘country’ – the airbase, the drone system etcetera, etcetera. Today we managed to defend all our it was quite a good day.”

The imaginary island nation of Berylia, located in the mid-Atlantic west of Ireland, could breathe again – or at least the Berylia being guarded by the Estonian team in the world's biggest international live-fire cyber war games.


Nineteen other teams are now also trying to protect their Berylias from attack by expert hackers in battles that test and hone the skills of internet security specialists drawn from western militaries, governments and industry.

This is Locked Shields 2017, in which each team's virtual airbase faces an unseen enemy's attempts to crash its power supply, air traffic control system, drone network, aircraft fuelling rigs and other key technology – mimicking the cyber havoc that malevolent hackers could wreak.

Online systems

Teams from Europe, the US and the Nato alliance participate remotely, accessing a vast array of online systems overseen from the Locked Shields nerve centre in Tallinn, the heart of an event that this year involves about 800 people.

The Estonian capital is home to the organisation that has staged such exercises annually since 2010 – the Nato co-operative cyber defence centre of excellence.

The event has grown rapidly in size and complexity, mirroring the rising threat from hackers who are now suspected of meddling in everything from the electricity grids to the elections of target states.

It is run from a conference hall in a upscale Tallinn hotel that now resembles a high-tech military bunker: banks of screens show the changing status of fuel systems and aircraft and drone traffic in 20 virtual Berylias, while scores of specialists in colour-coded T-shirts monitor and manipulate the war games from their computers.

By 3pm on Wednesday, six hours into the exercise, some teams had already seen their fuel depots explode and their air traffic control screens crash.

"These are real systems taken from the field," said Raimo Peterson, technology branch chief at the centre of excellence. "The same power grid system is used in energy transmission companies around the world. The drone uses the same system, software and ground station that is used in military systems around the world."

Major blackouts

The safety of such networks is of major concern to real-world governments: in recent years Iran has blamed the US and Israel for hacking its nuclear facilities, and Ukraine sees Russia's hand behind at least two major blackouts.

While defending critical defence infrastructure the teams must also maintain more mundane but crucial IT services like email – all part of about 3,000 virtual systems created solely for Locked Shields.

"It is not just about defending systems," said Liisa Past, chief research officer for the cyber security branch of Estonia's information system authority. "It is defending the way of life of a society" that is deeply reliant on the cyber world.

She leads the strategic communication element of Locked Shields – hitting the teams with “fake news” as well as the kind of legitimate public and media queries that would accompany such a security crisis.

The teams are also faced with the legal and political fallout of Berylia’s travails, and the question of whether a cyber attack could trigger retaliation and even war.

Hybrid aggression

The complexity reflects fears over the "hybrid" aggression Russia has unleashed against Ukraine, combining disinformation and propaganda with cyber attacks and the use of troops and armour without identifying insignia.

The Nato centre opened in Tallinn in 2008, a year after a dispute with Russia over the removal of a Soviet war memorial from the city centre sparked attacks on the websites of Estonia’s presidency, parliament, top banks and media.

Linking hundreds of thousands of infected computers around the world into “botnet” armies, the assailants bombarded Estonian internet addresses with requests – blocking and ultimately crashing them – while skilled hackers broke into “high-value” websites, deleting content and defacing them.

“It was mostly DDOS [distributed denial of service] attacks in 2007 which run down the system...but here they’re trying to get inside, to compromise and change your data,” said Magi, the leader of Estonia’s team at Locked Shields.

"We're going to get a couple of thousand cyber attacks per day – in real life you'd never see as much as this. But it is very necessary to prepare for something like we had in 2007 in Estonia. "

The man co-ordinating the cyber onslaught is Mehis Hakkaja, head of the attacking team in Locked Shields and CEO of Estonian firm Clarified Security.

Over two days his 60-strong hacking unit will severely test the 20 defending teams, whose performances will be analysed and a winner announced – last year Slovakia came out on top ahead of the 2015 victors from Nato.


A graduate of the US military academy at West Point, Hakkaja seems to take a grim pleasure in the pain that his hackers relentlessly inflict on the defenders.

“We take off ‘fingers’ and ‘limbs’ first. We don’t go for the ‘heart’ straight away,” he explained. “So we don’t hit a firewall that would let all the [internet] traffic through, but we might chop down a web server or a few workstations.”

After the plugs are pulled on Berylia, the entire Locked Shields exercise is reviewed for lessons in how better to protect vital systems and infrastructure.

"We are trying to keep pace with attacks and threats in the real world," said Aare Reintam, technical exercise director at the centre of excellence. "Country teams are testing their own systems and tools and tactics...and [afterwards] each country can decide what to modify."