Another record year we did not need

No one expected 2024 to be a quiet year in cyberspace, as peaceful as a Sunday morning in a small Estonian town. But we also did not anticipate that the number of impactful incidents recorded by CERT-EE would double from the previous record high.

Last year, the number of incidents with impact soared to 6,515 from 3,314 the year before. CERT-EE’s monitoring team, on duty around the clock, registered an average of 18 incidents per day. Where did this surge come from?

A surge in phishing and scam websites

Fortunately, the increase was not driven by incidents that shook the foundations of society or affected hundreds of thousands of people at once.

As in previous years, phishing and scam websites made up the majority of impactful incidents. Their number grew 2.5 times within a year, rising from half to two-thirds of all recorded incidents.

Phishing and fraud schemes come in many forms, like a patchwork quilt. Some scams are as classic as ever, such as fake banking websites that are nearly indistinguishable from legitimate ones. Victims think they are entering their PIN to access their account, but in reality, they are handing it over to fraudsters, who simultaneously access the actual banking website and empty the victims’ accounts. Once the funds are drained, scammers often attempt to take out loans in the victim’s name and transfer the money to their own accounts.

Figure: Number of incidents with an impact by month 2023–2024. 309 incidents in December 2023 and 920 in December 2024.
Illustration: in the foreground, a villain in dark clothing with a many-tongued snake's face sits behind a laptop. Further back, a man sits on the floor next to a laptop, his face hidden in his hands. In the background, a PIN 1 entry window.

Fake delivery notices, sent in the name of well-known courier companies, also remain widespread. These messages direct recipients to fraudulent websites, tricking them into entering their bank card details under the guise of paying a delivery fee. Some victims fall for this even when they haven’t ordered a package recently, only realising their mistake later when checking their bank statements and seeing not just a few euros withdrawn but hundreds or even thousands.

Investment scams also spread last year, promising fantastic returns. After a temporary lull, alongside stocks, various cryptocurrencies – some more exotic than others – became a hot commodity for scammers once again.

These frauds usually start small: victims ‘invest’ a modest sum, often just a few dozen or a couple of hundred euros. Their balance appears to grow over the next few weeks, and when they successfully withdraw their initial amount plus a supposed profit, their confidence (and appetite) grows while their scepticism fades. In the next round, they invest more.

As their displayed balance balloons, some, having spent their savings, even take out loans to maximise returns. But when they finally try to withdraw their funds, endless excuses begin: delays, additional fees and new requirements.

In some cases, scammers demand further deposits to ‘unlock’ the money – deposits that, of course, are never returned. Eventually, the fraudulent website disappears altogether, leaving victims with nothing.

When CERT-EE identifies such scam sites, it requests their hosting providers to take them down, limiting the number of potential victims. However, our reach is not infinite. Ultimately, public awareness and critical thinking are the most effective defences against these schemes.

Read more about various types of scams: Fraudsters made off with millions.

Service disruptions, day after day

After phishing and scams, the third-largest category of incidents in 2024 was service disruptions, with an average of two per day. Malicious attacks did not always cause these; many resulted from hardware or software failures or even well-intentioned but flawed system updates by developers and administrators.

The most infamous software update from last year led to one of the most significant IT disruptions in history. In the early hours of 19 July, cybersecurity firm CrowdStrike released an update for its Falcon Sensor security software, which large organisations widely use to protect against malware and other threats. Unfortunately, the faulty update crippled 8.5 million Windows computers, causing them to crash with the notorious blue screen of death.

This resulted in more than 5,000 cancelled flights; banks from Brazil to New Zealand, emergency numbers, hospitals, television and radio stations, and even fuel payment systems at petrol stations experienced outages. The complete list could go on for pages. Restoring systems took weeks and required significant manual effort. The estimated financial damage quickly reached $10 billion.

Figure: 6,515 incidents with an impact in 2024: phishing 4,224; service disruption 637; fraud 624; malicious redirect 565; account takeover 134 etc.

Estonia was lucky, as CrowdStrike Falcon has relatively few users here. One state institution and one private company experienced only a few hours of disruption, and at Tallinn Airport, Ryanair check-ins had to be processed manually, causing minor delays. But overall, Estonia avoided the worst consequences.

After this unfortunate incident, many asked whether rushing software updates is really wise. Our answer remains yes: the risks of delaying updates are far greater.

Read more about these risks: 2024 brought a record number of vulnerabilities.

While Estonia escaped the CrowdStrike disaster, a Cloudflare outage in September caused significant disruptions. On the third Monday of the month, Cloudflare’s service failures affected nearly 200 public-sector websites that rely on RIA’s protection against distributed denial-of-service (DDoS) attacks.

Mobile operators also faced network failures, which affected both data and voice services, including emergency calls. If your provider’s network is down but you need to call emergency services, removing the SIM card from your phone allows it to connect to another operator’s network for emergency calls.

There were also disruptions to national authentication services, including TARA, Smart-ID, Mobile-ID and the ID card. Most outages were short-lived or occurred overnight, when few people were attempting to log into online banking or sign digital documents.

More DDoS attacks, less damage

Websites and services can also be knocked offline by DDoS attacks, and last year left little room to breathe in this area. DDoS attack volumes have increased every year since Russia launched its full-scale invasion of Ukraine, and 2024 broke records for both attack numbers and scale. One four-hour wave of attacks targeting public-sector websites generated nearly three billion malicious requests. Under normal conditions, reaching this level of traffic would have taken more than 25 years.

However, the number of attacks is less significant than their impact – and in this regard, there is good news. In 2022, one in three DDoS attacks succeeded in causing significant disruptions. By 2024, this figure had dropped to 18%. Some websites experienced short-term outages or slowdowns, but none of the attacks caused severe damage.

Figure: Number of incidents with an impact in 2021–2024. 2,237 in 2021; 2,672 in 2022; 3,314 in 2023 and 6,515 in 2024.

Read more about DoS attacks and their consequences: Denial-of-service attacks: more noise, less impact.

Data breach affects more than 700,000 people

Last year, 68 data breach incidents were recorded in Estonia – nearly twice as many as in 2023. Some were relatively small in scale: for example, the exam information system’s GitHub page accidentally contained real personal data instead of test data, making hundreds of people’s details publicly accessible. Elsewhere, a waste management self-service portal accidentally displayed all customer transactions and personal identification numbers instead of just the user’s own information.

However, all these breaches pale in comparison to the cyberattack on Allium UPI, a company that manages loyalty card systems for Apotheka, Apotheka Beauty, and Pet City.

Attackers gained access to this system and successfully stole nearly 700,000 personal identification numbers, more than 400,000 email addresses, and tens of thousands of phone numbers and home addresses. The stolen data originated from a backup of the customer database covering the years 2014–2020. Anyone affected by this breach should exercise even greater caution against phishing attempts and scams.

Read more about this incident: Lessons from a massive data leak.

Attack on cash circulation

Unlike the pharmacy chain Apotheka, whose customer data was leaked, Hansab is not a household name, but its services are critical to nearly everyone. Hansab is responsible for filling Swedbank, Luminor and LHV ATMs, delivering pensions, issuing ID cards and passports in cooperation with the Police and Border Guard Board, and many other essential functions. In short, if its operations were to suddenly stop, almost everyone would feel the impact.

At midday on 1 March, Hansab’s servers began unexpectedly rebooting. Within minutes, it became clear that something was terribly wrong. As an emergency measure, the company disconnected from the internet and isolated its network to prevent further damage. But the attack had already inflicted severe losses: the entire virtualisation environment had been deleted. Hansab’s CEO, Kristo Timberg, later described it as the attackers reaching the system’s ‘Holy Grail’.

Despite being a crisis for the company, it did not escalate into a national emergency. Cash supplies remained available – ATMs and shops were not emptied, and pension payments were delivered as expected at the beginning of the month. To keep services running, Hansab switched to manual operations, ensuring that ATMs remained functional, cash deposits from retailers were processed, and customer funds were credited.

This time, the impact was limited. However, longer-lasting payment disruptions or interruptions to cash circulation could be more severe.

To prepare for such scenarios, it is advisable to keep enough cash on hand to cover at least a week’s essential expenses.

Crime and punishment

While some may assume that cybercriminals can operate anonymously with impunity, last year provided plenty of evidence to bust this myth: several cases showed that justice can catch up with cyber offenders.

In our previous cybersecurity yearbook, we covered a data breach at genetic testing company Asper Biogene, where attackers stole the personal data – including genetic and health information – of nearly 10,000 individuals.

A criminal investigation revealed that a four-person group spent two months persistently working to infiltrate the company’s systems. First, they identified a security vulnerability that allowed them to access usernames and encrypted passwords.

Next, they decrypted an employee’s password, used it to log into the system and installed malware. This granted them access to sensitive health records, which they downloaded before demanding a €45,000 ransom.

The group’s leader was Vladislav Rybakov, a Russian citizen, whose travel options have since become severely restricted. Due to his role in the Asper Biogene attack, he is now an internationally wanted criminal.

Following the breach, Estonia’s Data Protection Inspectorate launched a parallel investigation, finding serious shortcomings in Asper Biogene’s information security practices. As a result, a fine of €85,000 was imposed, though, at the time of writing, the decision had not yet entered into force.

In 2020, Estonian government bodies suffered a major cyberattack, during which 350 GB of data was stolen from the Ministry of Economic Affairs and Communications; hackers also accessed records on 10,000 COVID-19 patients from agencies under the Ministry of Social Affairs.

Investigations by the Estonian Internal Security Service (KAPO) and the National Criminal Police eventually led to three men, all of whom were working for Russia’s military intelligence (GRU) at the time of the attack: Colonel Yuri Denisov, commander of GRU Unit 29155, Nikolay Korchagin and Vitali Shevchenko. These individuals are now also internationally wanted. Read more about this case: Russian intelligence ramps up cyber pressure on the West.

Last year, the Harju County Court sentenced a young man from Tallinn to prison for selling phishing toolkits and providing guidance on how to carry out cyberattacks. His tools, which he sold using the Telegram messaging app, were explicitly designed to bypass two-factor authentication. This allowed criminals to steal victims’ login credentials and gain access to Microsoft 365, PayPal, Google, Yahoo, Dropbox, Binance and other online accounts.

As for the perpetrators of the Allium UPI and Hansab attacks, that remains an open question. Hopefully, in a future edition of this yearbook, we will be able to report on their identification and prosecution. Until then, stay vigilant in cyberspace!

Last updated: 17.02.2025