The case began to unfold four years ago when an employee of the Estonian Ministry of Economic Affairs and Communications noticed unusual anomalies on their computer. Initially, they suspected malware that was widespread in Estonia at the time. However, when cleaning the computer failed to resolve the issue, the employee reported it to CERT-EE, the incident handling unit of the Information System Authority.
The problem was bigger than it seemed
It quickly became clear that the issue was far more extensive. A backdoor had been built into the ministry’s systems, allowing the exfiltration of large amounts of data – 350 gigabytes in total. While classified state secrets were not compromised, the attackers gained access to a significant amount of sensitive internal information, including strategic documents and working papers, personnel details, and correspondence with businesses.
Tracing the cyber footprint revealed that attacks with a similar modus operandi had targeted other government institutions and companies, including the Ministry of Foreign Affairs and the Health and Welfare Information Systems Centre (TEHIK). While hackers extracted only public data from the ministry’s web servers, in TEHIK’s systems, they accessed the personal information of around 10,000 individuals infected with COVID-19.
The investigation, conducted by the Estonian Internal Security Service and the National Criminal Police, identified three suspects who were serving in the GRU at the time of the attacks: Colonel Yuri Denisov, head of Unit 29155, and his subordinates Nikolay Korchagin and Vitaly Shevchenko. In autumn 2024, Harju County Court placed the suspects, who reside in Russia, under international arrest warrants and detention orders in absentia at the request of the Estonian Prosecutor’s Office.
This marks the first time Estonia has officially attributed state-sponsored cyberattacks to specific individuals. The attribution of cyberattacks is coordinated by the Ministry of Foreign Affairs and aims to promote responsible state behaviour in cyberspace and hold actors accountable when necessary.
Allies of Ukraine targeted
At the same time, Estonia and nine other countries concluded Operation Toy Soldier, which linked Unit 29155 to numerous cyberattacks against Ukraine and its NATO and EU allies. As part of this effort, the United States offered a $10 million reward for the capture of six Russian citizens, including Denisov and Korchagin, who were also wanted by Estonia.
Unit 29155 is reportedly the third GRU unit to develop its own cyber capabilities. According to a US indictment, the unit’s primary focus in recent years has been on Ukraine.
In early 2022, a month before Russia’s full-scale invasion, the unit launched the destructive WhisperGate malware attack, which targeted the Ukrainian government and law enforcement agencies, as well as emergency services. The attack employed destructive malware aimed not at taking control of systems but at rendering them entirely inoperable. Since the malware was disseminated via the services of a US-based company, the perpetrators could also be prosecuted in the United States.
Globally, the unit’s primary objective has been to disrupt international aid to Ukraine, according to US government data. In NATO member states and other countries in Europe, Central Asia and Latin America, the unit has targeted government institutions and critical infrastructure, including banking, healthcare, transportation and energy sectors. Its activities have included defacing websites, mapping infrastructure and stealing data, which they subsequently either sold or leaked. Microsoft has codenamed this GRU cyber unit Cadet Blizzard, noting that it has also targeted IT service providers and software developers in Ukraine and other European countries to gain access to public-sector institutions through their supply chains.
The methods employed by this GRU cyber group are not necessarily sophisticated or advanced. Both in Estonia and elsewhere, they have exploited known security vulnerabilities, such as those in email and web servers, and used stolen user credentials to access their targets. The unit has leveraged tools widely used in the cybersecurity community to identify and exploit vulnerabilities, exfiltrate data, and cover their tracks.
Lessons from the incident
In recent years, the global cybersecurity landscape has become increasingly complex due to rising geopolitical tensions and new technological developments, which state-sponsored cyber groups have exploited to expand their activities.
In response, Estonia has significantly increased its investments in cybersecurity and the protection of critical infrastructure.
Central to this effort are the services provided by the Information System Authority, which helps government agencies secure their networks, continuously searches for vulnerabilities, and notifies government institutions and businesses about identified issues.
If an incident does occur, CERT-EE experts are available to investigate the causes and assist in resolving the situation.
Although most private companies in Estonia are not legally required to report cyber incidents, doing so is highly recommended. Reporting incidents enables CERT-EE to gain a better overview of Estonia’s cyber landscape and improve the protection of both businesses and the national system as a whole. It also helps identify the activities of state-sponsored cyber actors.
State-run cyber units are characterised by persistence: if an attack fails once, it can be expected to be attempted again. Government institutions and critical infrastructure companies are undoubtedly at the highest risk, but firms providing services to them – such as IT or accounting companies – are also vulnerable to supply chain attacks. Often, similar attack patterns are used against multiple organisations simultaneously, making every piece of information vital for understanding the bigger picture. An anomaly that might seem insignificant at first could, upon closer examination, turn out to be a serious cyberattack.
Ultimately, each organisation is responsible for protecting its own systems and much depends on how seriously its leadership prioritises information security.
If necessary, the Information System Authority’s supervision department can remind organisations of the importance of cybersecurity. This department has significantly expanded its reach, having initiated nearly 150 supervisory review proceedings over the past three years. The work is mainly preventive: instead of reacting solely to identified problems, the department proactively monitors the situation in critical institutions and companies based on threat forecasts.
Estonian Internal Security Service: Cyber operations are part of Russia’s hybrid warfare
According to Margo Palloson, Director General of the Estonian Internal Security Service (KAPO), the objectives of GRU’s cyber cell, Unit 29155, include gathering intelligence, causing reputational damage through the theft and leak of sensitive information, and systematic sabotage by destroying data and computer systems. While the GRU unit was officially linked to the 2020 cyberattacks, various Russian cyber intelligence units carry out operations against Estonia and other nations on an ongoing basis.
The tools of Russian intelligence increasingly blend physical and cyber capabilities, making it likely that information obtained through cyberattacks could be used in physical operations. According to Russia’s military doctrine, cyber operations are a crucial component of hybrid warfare. Regardless of the methods employed, Russia’s hybrid attacks aim to impose its will on other nations, sow instability, instil fear and create confusion.
How to protect yourself from cyber espionage
As state-sponsored cyber groups often employ the same methods and tools as financially motivated cybercriminals, general cybersecurity recommendations remain relevant. However, some specific aspects should be kept in mind:
- Preserve system logs. Retaining system logs is critical for detecting any cyberattacks. Record as much information as possible (e.g. firewall logs) to understand what attackers did and how they did it. However, logs are only useful if they can be analysed effectively and threats are acted upon promptly. Remote access solutions and the accounts they use should be monitored with particular care.
- Segment internal networks. Depending on organisational needs, internal networks should be divided into segments, with access permissions granted strictly on a need-to-know basis. Administrators must use separate accounts – one with user-level permissions for daily tasks and another with elevated privileges only when necessary. Passwords should never be reused across systems, and two-factor authentication should be implemented wherever possible.
- Modernise systems. Keep centralised management systems up to date and phase out outdated software and hardware. While an upfront investment to eliminate legacy systems might seem high, it can prevent much greater damage in the long run.
- Address supply chain risks. When using services provided by external partners, consider supply chain vulnerabilities. Regularly audit external partners’ access to your systems and grant them only the minimal permissions required for their work.
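As an added example, not taken from the article or from the agencies it describes, of what "logs are only useful if they can be analysed" means for the remote-access accounts singled out above: a small Python script runs over constructed VPN authentication lines and flags the patterns the text warns about, namely a success right after a run of failures (a guessed or stolen credential, as described under the unit's methods), a login from a source never seen for that account, and a privileged account used over remote access instead of a daily-use account. The log format, account names, baseline sources and IP addresses are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample remote-access (VPN) log lines; not from the article.
# Assumed format: "<timestamp> vpn auth <result> user=<name> src=<ip>"
SAMPLE_LOG = """\
2025-02-10T08:01:12Z vpn auth success user=j.tamm src=198.51.100.7
2025-02-10T08:02:45Z vpn auth failure user=m.kask src=203.0.113.11
2025-02-10T08:02:47Z vpn auth failure user=m.kask src=203.0.113.11
2025-02-10T08:02:49Z vpn auth failure user=m.kask src=203.0.113.11
2025-02-10T08:02:51Z vpn auth failure user=m.kask src=203.0.113.11
2025-02-10T08:02:53Z vpn auth failure user=m.kask src=203.0.113.11
2025-02-10T08:02:58Z vpn auth success user=m.kask src=203.0.113.11
2025-02-10T09:15:03Z vpn auth success user=adm-p.saar src=203.0.113.11
2025-02-10T09:20:00Z vpn auth success user=j.tamm src=198.51.100.7
"""

# Constructed baseline: the sources each account normally connects from.
KNOWN_SOURCES = {
    "j.tamm": {"198.51.100.7"},
    "m.kask": {"198.51.100.8"},
    "adm-p.saar": {"198.51.100.9"},
}

LINE_RE = re.compile(r"^(?P<ts>\S+) vpn auth (?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse(log):
    # Lines that do not match the assumed format are skipped, not raised on.
    return [m.groupdict() for m in map(LINE_RE.match, log.splitlines()) if m]

def find_alerts(events, known_sources, fail_threshold=5, admin_prefix="adm-"):
    """Return triage alerts: success after a failure streak, login from an
    unseen source, and a privileged account used over remote access."""
    alerts = []
    fails = defaultdict(int)  # (user, src) -> current failure streak
    for e in events:
        key = (e["user"], e["src"])
        if e["result"] == "failure":
            fails[key] += 1
            continue
        if fails[key] >= fail_threshold:
            alerts.append(f"{e['ts']} {e['user']}: success after {fails[key]} failures from {e['src']}")
        fails[key] = 0  # a success ends the streak for this (user, src) pair
        if e["src"] not in known_sources.get(e["user"], set()):
            alerts.append(f"{e['ts']} {e['user']}: login from unseen source {e['src']}")
        if e["user"].startswith(admin_prefix):
            alerts.append(f"{e['ts']} {e['user']}: privileged account used over remote access")
    return alerts
```

Run as `find_alerts(parse(SAMPLE_LOG), KNOWN_SOURCES)`; on the constructed sample it yields four alerts, two for m.kask and two for adm-p.saar.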
Last updated: 17.02.2025