Trends and observations in the cyberspace Q4 2020
A successful cyber attack on public authorities showed that no one is fully protected in cyberspace
In November, the Information System Authority (RIA) identified attacks on Estonian state IT infrastructure with a similar pattern in three different cases. The cyber attacks targeted the servers of the Ministry of Economic Affairs and Communications, the Ministry of Social Affairs, and the Ministry of Foreign Affairs. The three attacks shared a similar pattern: the servers hosting the websites was attacked in an attempt to exploit vulnerabilities in their configuration.
In the case of the Ministry of Economic Affairs and Communications, attackers managed to gain access to the servers administered by the ministry and several hundred gigabytes of data were leaked. Criminals managed to access COVID-19-related information concerning 9,158 people hosted by the Ministry of Social Affairs, as a temporary solution, in a database on a web server. The attacker was promptly denied access and the Health Board informed those concerned of the incident. The Ministry of Foreign Affairs got off the easiest, with the criminal being unable to get past their website or access non-public information.
Despite the scale of the incident, Estonian e-services were never endangered and our digital state functioned as usual. We informed other state agencies, local governments, and providers of vital and important services about the identified vulnerabilities of web servers and the possibilities to eliminate the vulnerabilities. A short guide
Assessment by the Information System Authority
Technologies evolve very fast, allowing for more possibilities to abuse them. New vulnerabilities are discovered almost every week, and the attacks that have taken place prove that criminals are actually exploiting them. A successful cyber attack can result in data loss and/or a leak of sensitive information; access to the system also enables gathering information that will eventually help to move on from the web server and compromise other parts of the information system. In addition to information, an attacker may also be interested in money, planning further ransom attacks, or attempting to make money from the stolen data in some other way. Several state agencies made joint efforts to minimise the impact of the November attacks on the Estonian public sector and to prevent new attacks; it is safe to say that more extensive damage was probably averted. Regardless, the impact of data theft cannot be negated in retrospect, the risks associated with it may materialise months or even years later.
What lessons can be learned? What happened in the administrative area of the Ministry of Economic Affairs and Communications exemplifies clearly that even state agencies, which are subject to strict information security rules, can be seriously hit by cyber attacks. The same can be evidenced in news from around the world – in December, the public learned about a cyber attack through SolarWinds Orion software updates, which compromised the information systems of thousands of organisations around the world, including those of several US government agencies. Although complete security against cyber attacks cannot be achieved, investment in cyber security must consistent and systematic and a well-thought-out crisis management plan must be in place in the event of an attack. It is necessary to create a complete and detailed overview of your information systems – list the equipment and software that is being used and all persons who have a user account, including their user rights, and collect and manage logs which can be used to quickly detect anomalies. Although the above sounds elementary, the situation is far from perfect, as people often switch from old legacy systems to temporary solutions due to lack of time or money and pay little attention to cyber security due to other priorities. Cyber security in today’s digital age is expensive, tedious, and largely invisible, but it is becoming indispensable, as it is cheaper for both companies and public authorities to prevent problems than to solve them afterwards.
Denial-of-service attacks for blackmail purposes
In the last quarter, we received several reports of attempts to extort money from companies with denial-of-service attacks. Companies received letters in which criminals threatened to carry out a denial-of-service attack if the company did not pay the ransom. In most cases, this was accompanied by a test attack and a threat of a more serious attack if the blackmailers are ignored and if the ransom is not paid on time. To increase their credibility, the criminals claimed to be affiliated with Fancy Bear or some other well-known cyber group and in their blackmail letter referred to other attacks that had caused great economic damage. Ransom was demanded in cryptocurrencies and ranged from 10,000 to 400,000 euros. The attacks were mostly aimed at either telecommunications companies or banks, the latter being asked for the largest ransom payments. To the best of our knowledge, no companies have agreed to the demands of the attackers, nor do we have any reports of repeat attacks at the time and in the extent promised by the criminals.
Assessment of the Information System Authority
These attacks are part of a global string of blackmails which began to spread in August and reached Estonia in autumn. The aim of the criminals is to make a quick profit, and there is no real connection with infamous groups, such as Fancy Bear, Cozy Bear, or the Armada Collective. The attacks are targeted and the targets mostly operate in the financial, telecommunications, and e-commerce sectors, i.e. sectors where the commercial impact of the threat of a large-scale attack would be greater.
The impacts of the attacks seen in Estonia varied depending on the size of the attack and the existence and effectiveness of countermeasures. In some cases, the attack resulted in disruptions which affected the website of the company and lasted only a few minutes; however, the attack which had the biggest impact (the parent company of a bank operating in Estonia was attacked) rendered the payment terminals of the bank inoperable for a few hours during peak hours, which prevented or postponed transactions in the region worth millions of euros.
If we look at denial-of-service attacks in general, then in the last quarter we received notifications about a total of approximately 140 attacks against Estonian IP addresses, which is somewhat more than in the third quarter. Denial-of-service attacks with different attack vectors and capacities have become so-called ‘over-the-counter products’. Such attacks have grown in popularity due to their availability and relatively low cost for criminals. Therefore, we anticipate that the number of denial-of-service attacks will continue to increase next year, and we recommend that you make the necessary investments to prevent and respond to denial-of-service attacks.
Ransomware incidents in Estonia are mostly related to the Remote Desktop Protocol
At the end of 2018, in our first quarterly review, we wrote about ransomware attacks via network connections that had been left open for the Remote Desktop Protocol (RDP). Two years later, the situation has not changed: CERT-EE receives a number of reports of ransomware incidents each month where, at first, the attacked institution is unable tell how the attackers could gain access, but after analysing the attack, it is concluded that access was probably obtained by exploiting the vulnerabilities of the Remote Desktop Protocol. Ransomware incidents caused by pirated software or emails which contained malware have mainly been reported by private individuals.
Three-quarters of the ransomware incidents reported to us in 2020 were definitely or most likely committed using RDP. In most of the cases where the institution was able to identify the attack vector, the attackers used the Remote Desktop Protocol. Among the targeted victims of last year’s attacks were schools, family health centres, manufacturing companies, accommodation establishments, car dealers and, naturally, private individuals. We are glad that these attacks did not lead to major financial damage; however, in most cases, unfortunately, the attacks resulted in a loss of working time which was spent on fixing the situation.
Assessment of the Information System Authority
By paying ransom, many companies around the world have helped criminals to improve their malware, upgrade their infrastructure, and avoid detention. For example, by following the trends in ransomware attacks, it is noticeable that using the malware that has been sent to victims is becoming increasingly popular (for example, Emotet, a malware strain which is widespread in Estonia and offers services to other malware gangs, including criminals running ransomware operations). The malware referred to in these phishing emails is stored in public Google, Microsoft, or Amazon clouds, i.e. in completely legitimate environments. Therefore, it is crucial to train employees to recognise such letters.
However, in addition to new types of attack methods, it is also necessary to pay attention to the threats that target Estonian companies and institutions on a daily basis. Two years ago, we said that precautionary measures are often taken only after a ransomware incident – RDP has been known as a possible attack vector since 2016 and earlier. We continue to urge people to ensure that the servers and computers of their organisation are not accessible from the Internet. Information System Authority’s recommendations for preventing ransomware incidents are still valid, even though the attacks have become more brutal and there is a threat of leaking stolen data from the victim to increase the likelihood of paying ransom.
NIS 2.0 – the European Union revises the Directive on Security of Network and Information Systems
In mid-December, the European Commission presented its vision to the Member States for the revised Directive on Security of Network and Information Systems, commonly known as the NIS Directive. The current NIS directive entered into force in 2016, and the revised version, NIS 2.0, will probably take effect in about two to three years. The aim of the directive is to raise the overall minimum level of cyber security in the Member States of the EU and to take into account the growing interdependence of different services and sectors. The pandemic has also highlighted the need to better protect medical research and development and the related issues. As the level of cyber security varies greatly from country to country, as does the vision of countries for achieving greater strategic autonomy, intense negotiations lie ahead.
What changes would the NIS 2.0 proposal bring about in its current form? The main changes concern the scope of the directive, the exchange of information, security requirements, and fines. While the current NIS Directive gives Member States quite a lot of flexibility to define which companies to apply the requirements of the Directive, NIS 2.0 introduces a size criterion: the requirements of the Directive must apply to medium-sized (from 50 employees) and large companies. There are also exceptions – companies which should be subject to the requirements regardless of their size, e.g. if they are the only provider in their sector or if they provide an important service at a regional or national level. At first glance, it seems that the current flexible but specific system will become more rigid and general.
Institutions would now be classified by their level of criticality, as well as the level of interdependency – if the work of one physical infrastructure entity depends on a digital infrastructure company, then both can be considered equally valuable. In addition to essential entities, the concept of an important entity has been created. The difference between essential and important entities lies in supervision, where important entities – unlike vital entities – cannot be subject to ex ante supervision. Essential entities would include entities, such as entities manufacturing pharmaceutical products and medical devices, public administration entities, and entities providing space-based services; important entities would include most of the industrial sector, incl. food production and manufacture of machinery and electronics, processing industry, as well as social media platforms. Compared to the current NIS Directive, the scope would therefore be significantly wider.
The NIS 2.0 Directive seeks to create an atmosphere for greater communication: communication channels between national cyber authorities and equipment manufacturers, platforms for vital entities to communicate with each other, and a European vulnerability registry.
Meeting the updated security requirements requires that the management bodies of essential entities are aware of cyber security measures and risks and receive basic cyber security training. There may also be additional obligations for certain entities to use only certified products. The directive would also introduce drastic changes in the punitive measure which would be harmonised with the General Data Protection Regulation and provide for fines of up to 10,000,000 euros or up to 2% of the total annual turnover of the undertaking for non-compliance with the requirements.
A fair balance of obligations for improving the basic level of cyber security across Europe without over-regulation and excessive administrative burdens will be established with the forthcoming negotiations. The Information System Authority analyses the effects of the Commission’s proposal on Estonia and the initial assessment will be submitted to the Government of the Republic of Estonia in February.
Phishing attempts sharing a common pattern, in which criminals tried to lure victims into providing their Smart-ID or Mobile-ID codes needed to access the Internet bank, had been a matter of concern for us since 2019. Phishing emails and messages reached up to 100,000 people in Estonia and the criminals managed to gain access to at least 400 accounts. On 28 September, three men suspected of conducting phishing campaigns were arrested in Romania as part of international police cooperation. We did not expect that this would solve the problem of phishing for bank details, but we are glad to see that the number of scams has fallen: if in Q3 of last year we received a dozen reports, then in the last quarter we received five.
Could be better
On 20 October, members of the US Democratic received a threatening email: ‘Vote for Trump or else!’ The emails, which tried to influence the elections, were apparently sent from info [at] officialproudboys.com, but the metadata revealed that a server located in Estonia was used for sending the emails. The attackers exploited the vulnerability of Koolibri’s website and infected it with a malicious code which was used for sending the emails. This could have happened to any server or website in any country, but it happened in Estonia, because many websites and servers here have been neglected. Make sure to update the software on your servers and patch any security holes.
Trends and observations in the cyberspace Q4 2020 (1.84 MB, PDF)
More news on the same subject
E-voting lasts from 11 to 16 October. If you wish to e-vote, you must check the certificates of your ID-card or mobile-ID and use the latest software.
30.7.2021 – People whose document photo was illegally downloaded do not have to get a new document or a new photo. The incident has no impact on ID-cards, Mobile-ID, Smart-ID or e-services.