Who was behind the Estonia cyber attacks?

In May 2007, Estonia became the world’s first victim of a coordinated cyber-attack against a nation state, following a dispute with Russia over the relocation of a Soviet-era war memorial. While the Russian government’s involvement in the attacks could never be proved, the Estonian government told the U.S. they believed the Kremlin’s hands were all over it, according to a cable from June 6, 2007:

9. (S) The GOE believes it has enough circumstantial evidence to link Moscow with the attacks. As President Ilves told the Ambassador, renting the large number of bots used in these attacks is an expensive business. Moreover, as XXXXXXXXXXXX repeatedly asked us in conversations, "Who benefits from these attacks?" He speculated that the probing nature of the attacks on specific government and strategic private sector targets through the use of anonymous proxies fit the modus operandi of the Putin regime testing a new "weapon." XXXXXXXXXXXXX told us that the GOE now feels that their original assessment of a "cyber riot" may have been incorrect. "Looking at the patterns of the attacks, it is clear that there was a small, core of individuals who intended to launch their attack on May 9," XXXXXXXXXXXX explained, "but when the MOD announced its plans to move the Bronze Soldier on April 27, they moved up their plans to try to link the attacks with the monument’s removal." Estonian analysis of these later sophisticated attacks and organization through Russian-language internet forums has led them to believe that the key individuals tried to disguise their initial attacks as a cyber riot. "You don’t expect spontaneous, populist cyber attacks to have a pre-determined list of targets and precise dates and times for coordinated attacks," said XXXXXXXXXXX.

[…]

11. (S) On May 29, Konstantin Koloskokov, Commissar of the pro-Kremlin youth group Nashi in Transnistria, claimed responsibility for some of the early cyber attacks. While not discounting the possibility of his involvement, XXXXXXXXXXXX noted that some of the attacks were extremely sophisticated; beyond the technical abilities of an amateur. To illustrate the point, XXXXXXXXXXXX and XXXXXXXXXXXX described an attack that used a mysterious data packet to crash a GOE and Elion router so quickly that the Estonians are still uncertain how it was done. XXXXXXXXXXXX described in detail a number of additional attacks using different tools and techniques and targets to argue that an organized group with deep financial backing was the likeliest culprit. "Koloskokov is window dressing," said XXXXXXXXXXXX, "a convenient set-up by the real perpetrators."