Trends and Challenges in Cyber Security – Q1 2023

17.04.2023 | 15:41

Every quarter RIA puts together a quarterly assessment that covers trends and challenges in cyber security.
  • No storm in cyber space during election week
  • Fraudsters stole €100,000 through BEC scheme
  • Global wave of ransomware also affected Estonia
  • Public sector targeted with phishing

No storm in cyber space during election week

As we have seen more attacks than usual in Estonian cyberspace over the past year, we prepared for the 2023 Riigikogu elections with special care.

Situation

Preparations for the election week (Feb 27 – March 5) had been ongoing at the Information System Authority (RIA) all year. In one way or another, about a hundred employees of RIA were involved, plus several external partners. We were responsible for the development and maintenance of the election information system (VIS), the management of the i-voting collection solution, the protection of the computers of the staff in polling stations and elections’ cyber security in general.

Before election week, we provided cyber hygiene training and testing for polling station staff as well as candidates. The practical training course raised awareness of the most common cyber threats and gave advice on how to protect yourself against them.

In addition, we offered political parties and individual candidates the opportunity to check for vulnerabilities in their systems that could be exploited by malicious attackers.

The day before the start of the advance and i-voting, RIA went on heightened readiness to ensure security and technical support for the elections, including i-voting. A headquarters and smaller staff groups were set up to monitor the functioning of election-related information systems, possible malfunctions, and attacks around the clock.

Share of e-votes in the 2023 Riigikogu elections

Internet voting in Estonia.

Assessment

Looking back on the election week, we can say with relief that it was calmer than expected. Election-related information systems worked smoothly and the situation on the cyber front was relatively quiet.

Denial-of-service attacks, which have become commonplace over the past year, were also observed during the elections, but their number and scale were modest and they had no impact on the elections. In addition, CERT-EE identified a few attempts to cast i-votes with an unofficial application, but these attempts failed.

The most infamous glitch in this year’s elections was not caused by a cyber attack, but by the fact that on the first day of the election week, the latest changes to the voters’ list reached the i-voting system with a slight delay. Therefore, the voting application displayed the old electoral district and its candidates to 57 people whose residence details had recently changed in the population register. Votes cast in the wrong electoral district were cancelled and the people affected were asked to vote again.

A total of 615,009 people cast their votes in this year’s Riigikogu elections. This is a record number and for the first time in 18 years, there were more i-voters than paper voters. For us, this is a sign of trust.

Fraudsters stole €100,000 through BEC scheme

Although the direct victims were the company’s partners abroad, it was a serious blow to the reputation of an Estonian company.

Situation

Last quarter, we once again received reports from companies and institutions that had encountered attempted financial fraud using various BEC (Business Email Compromise) schemes. In these schemes, criminals send payment orders or fake invoices ostensibly on behalf of the company, with the criminals themselves as the actual beneficiaries. The whole chain of events often starts with the compromise of a company email account, which gives criminals the opportunity to monitor email conversations and gather background information so that they can credibly intervene at the right moment.

Unfortunately, some attempts of fraud also proved successful. Foreign customers of an Estonian agricultural company managed to pay nearly 100,000 euros’ worth of invoices before they realised they were fake. The scheme was well thought out: a discount was given if the invoices were paid quickly, and a fake account was set up on behalf of the Estonian company on WhatsApp to communicate with customers and confirm that everything was correct.

Assessment

Such scams have been widespread in Estonia and abroad for years. What is remarkable about this case is its complexity – not only were fake emails and invoices sent on behalf of the company, but criminals had also set up alternative communication channels (WhatsApp, telephone) which were used to assure customers.

As fraud schemes become increasingly sophisticated, the measures against them must also be diverse. However, let us review a few basics to start with:

  1. Be aware of such scams and the “red flags”. Changes in the bank details of a supplier, rushing payments, or receiving unexpected and urgent financial instructions from the CEO are typical techniques used by fraudsters.
  2. If you have the slightest doubt about an invoice or transfer request, call the sender and verify. Use the contacts you already have, not the ones you find in a suspicious email or bill.
  3. Follow the company’s rules of procedure on how invoices and transfers are processed, even when they appear to be ‘very urgent’.

Global wave of ransomware also affected Estonia

In February, attackers started exploiting a two-year-old vulnerability in VMware ESX software to launch a large-scale ransomware campaign.

Situation

This software enables the creation and operation of multiple virtual machines on a single physical server and is widely used around the world and in Estonia. So far, the attackers have been most successful in compromising servers in France, the US, and Germany, leading to a major wave of ransomware attacks.

As the attackers initially targeted a specific publicly available service, CERT-EE identified all instances of that service in Estonian cyberspace and sent warning notices to the owners of the networks on which it was exposed. However, CERT-EE is aware of at least one local case where attackers managed to exploit the VMware ESX vulnerability and carry out a ransomware attack.

Assessment

This wave stood out for three reasons. First, it was massive and encrypted thousands of systems in a short period of time, significantly affecting many European countries. Second, in the case of these ransomware attacks, it is so far unclear whether the attackers stole data in addition to encrypting it. Criminal groups usually use special websites and forums to expose their victims and data is usually stolen from the compromised system to be used for extortion later. However, this has not been observed this time.

Third, all the victims of the attack wave were using unpatched virtualisation software that was open to the Internet. This is not a good practice, as targets accessible from the Internet are always tempting to potential attackers. In addition, a security flaw disclosed and fixed two years ago had been left unpatched, probably due to underestimation of risks or simply ignorance.

This wave proved once again that regular software updates are important and that old security flaws can be massively abused again. In February, RIA issued a public threat assessment and recommendations against the background of these attacks, which can be found below the article (in Estonian).

ESX ransom note (BleepingComputer) 

Public sector targeted with spear phishing

In recent months, phishing emails to Estonian authorities have become more frequent and better targeted.

Situation

In order to look credible, the spear phishing emails often use current political topics: Russian aggression in Ukraine, immigration, sanctions, NATO summits, and other issues relevant to the work of officials. In addition, a department within the institution itself (for example, the communications department) or another organisation dealing with the institution (for example, the European Commission) will often appear as the sender of the letter.

Cyber criminals and state-affiliated cyber groups may be behind the phishing schemes. While ordinary cyber criminals often conduct mass phishing with the aim of reselling the obtained information or access, state-affiliated groups generally target public institutions (including embassies) or research institutions of interest (universities, think tanks, etc.).

Assessment

The Russian aggression in Ukraine has raised the interest of various cyber attackers towards Estonia and other European countries. We have written about the surge in DDoS attacks in all our recent overviews. Now, the increased number of phishing attacks is also illustrating the current threat landscape.

The aim of phishing is to get a person to click on the attacker’s desired links, share personal information, or open a malware-infected file. The more skilled and motivated the attacker, the more effort they will make to set the most efficient trap for the chosen victim – hence the use of current political topics in e-mails sent to government officials. In addition to emails, phishing attacks are increasingly carried out through social media, such as job postings and advertisements.

As with almost all cyber threats, preventing phishing attacks requires both technological measures (e.g. email filters, effective anti-virus software) and user awareness and responsibility. Not opening unknown links or suspicious attachments is one of the basic principles of cyber hygiene, as is the use of different strong passwords in different environments. However, it is also very important that users, having fallen for a phishing scam, immediately report it to their IT support. In case of a suspected incident, please contact cert [@] cert.ee.

Going well

On 23 March, the Estonian Association of Information Technology and Telecommunications (ITL) announced the winners of the annual award for their contribution to security at a critical time. The cyber security team of RIA (NCSC-EE) was awarded for their work in ensuring Estonia’s cyber security. We are honoured by the recognition and will continue to do our best to keep Estonia cyber secure.

Could be better

In recent months, we have received more reports than average of various types of phishing scams. Unfortunately, many people have fallen victim to them as well. Phishing by text message, often impersonating banks, has become very common and can be even more efficient than emails. The largest loss to a private individual through a phishing scam in the 1st quarter was 14,000 euros.

RIA Analysis and Prevention Department
