Situation in cyberspace – August 2025

In August, we recorded 759 incidents with an impact, which is slightly below the average for the last six months.
  • A sports association fell victim to an invoice scam. In August, criminals sent scam emails and messages posing as Elisa, Telia, and SmartPosti.
  • We organised CyberWizards, an international cybersecurity summer camp for girls. We published a threat assessment regarding a high-impact security vulnerability in Microsoft Exchange.
  • A French telecommunications company and a US federal court fell victim to cyber attacks. CERT-UA issued a warning about a new wave of cyber attacks targeting government agencies and defence industry companies.
Figure: Incidents reported in six months in 2024 and 2025. 759 incidents in August, 783 incidents in July, 413 incidents in June, 1,107 incidents in May, 1,000 in April, 533 in March 2025.

Incidents reported to CERT-EE that had an impact on the confidentiality, integrity, or availability of data or information systems.

Automatic monitoring: malware in six months. 15,414 in August, 17,047 in July, 11,479 in June, 4,577 in May, 4,680 in April, 4,382 in March 2025.

Devices in Estonian cyberspace infected with malware detected by automatic monitoring. CERT-EE notifies network owners of infections. The surge is driven by IoT devices infected with the Badbox 2 botnet, primarily set-top boxes in the Estonian context.

Fraudulent sites recorded by CERT-EE in six months. 286 in August, 345 in July, 30 in June, 371 in May, 439 in April, 105 in March 2025.

Fraudulent websites account for the largest proportion of incidents recorded by CERT-EE.

Situation in Estonian cyberspace

On 3 August, a sports association discovered that it had fallen victim to an invoice scam. In July, a fraudster posing as a travel agency employee wrote to the association, offering accommodation to Estonian athletes during competitions in Lithuania. The invoice sent and paid for the accommodation contained an account number controlled by fraudsters. The sports association suffered losses of over 3,000 euros. Read more about invoice scams on the IT-vaatlik portal.

In August, it became known that the mechanical engineering company Hekotek had lost hundreds of thousands of euros to fraudsters in May. The chain of events began with a phone call to the chief financial officer, in which the fraudsters introduced themselves as employees of the Health Insurance Fund. Using the information obtained, the fraudsters managed to create a new Smart-ID account using the name of the chief financial officer. In subsequent calls, in which they pretended to be a bank employee and a police officer, the fraudsters gained access to the CFO’s computer using the remote control application AnyDesk. There, they opened a banking app and signed payments with their Smart-ID account. Within two hours, 52 payments were made from the account of the company, totalling hundreds of thousands of euros. Approximately a quarter of this has been successfully recovered.
 

In August, fraudsters sent scam emails posing as both Elisa and Telia.

The email seemingly sent by Elisa claimed that the customer had made an overpayment and that the company needed their payment details to make a refund. According to Elisa, they never send such emails and do not ask for the bank card details of their customers. Every customer has the opportunity to check their payment status in the Elisa self-service portal: in addition to monthly invoices, the amount of advance payments made is also visible there. Access the Elisa self-service portal via a web browser and do not use links in suspicious emails. A sample of a scam email can be viewed on the Elisa website.

The email sent posing as Telia claimed that the customer had an outstanding invoice and directed them to make a payment via a fraudulent link. The email urged the user to act quickly and threatened possible additional charges and service restrictions. The email was sent from a suspicious address that does not belong to Telia. The company reminded customers that it does not send reminders about unpaid invoices in this manner.

In August, fraudulent messages were also sent on behalf of SmartPosti. They stated that a shipment could not be delivered due to a missing street name and asked people to update the relevant data. The link in the message directed the user to enter their bank card details. Postal service providers never send such messages or ask you to enter your details on suspicious links! If you receive such a message, do not click on the link it contains and do not enter your details, but forward the message to the CERT-EE team.

Activities of the Estonian Information System Authority

On 11–16 August, RIA organised the third annual CyberWizards international cybersecurity summer camp for girls in Kehtna, Rapla County. The aim of the camp is to spark young people’s interest in technology and cybersecurity. This year, 87 girls aged 13–16 from ten different countries registered for the camp. Participants came from Italy, Cyprus, Latvia, Panama, Poland, France, the Czech Republic, Ukraine, Hungary, the United States, and Estonia. There were 54 young girls from foreign countries and 33 from Estonia. The camp activities included diverse cybersecurity workshops, practical exercises, competitions, and teamwork.

We published a threat assessment regarding a high-impact security vulnerability in Microsoft Exchange. The vulnerability allows an attacker to gain privileges in the cloud environment and affects the software versions Microsoft Exchange Server 2016, Microsoft Exchange Server 2019, and Microsoft Exchange Server Subscription Edition RTM. The threat assessment contains recommendations on how to mitigate the impact of this security vulnerability.

We have published a new online course, ‘Information Security for Managers’, at the Digital State Academy, which provides managers with practical knowledge on how to fulfil their role and responsibilities in ensuring the information security of their organisation, from strategic decisions to setting an example on a daily basis. The course takes approximately 30 minutes to complete, and all those interested are welcome to take it.

All users are advised to update their ID software to the latest version, available at id.ee. We released a new version of the ID software, 25.8, which improved the validation of digital signatures and updated the base libraries used in the software. For full information on the latest versions of the ID software, the related changes, the supported operating systems, and possible shortcomings, please visit the website id.ee. We also recommend visiting the portal itvaatlik.ee, where you will find additional information about the need to keep your software up to date and recommendations for cyber hygiene.

International situation

French telecommunications company Bouygues Telecom fell victim to a cyber attack, resulting in the leak of personal data belonging to 6.4 million customers. It is the third largest telecommunications company in France, with over 22 million customers. On 4 August, the company detected the cyber attack and determined that, in the case of certain types of customer agreements, the attackers had obtained personal data such as contact details, marital status, IBAN numbers, and, in the case of business customers, company details. Although no customer credit card or bank details were leaked, the company warned that the stolen data could be used to attempt financial fraud. There have been other cyber attacks against French telecommunications companies recently. In July, Orange reported an attack, and last year, so did telecommunications companies SFR and Free.

Global telecommunications company Colt Technology Services, headquartered in London, was hit by a ransomware attack. As a result of the attack, customers experienced disruptions in various telecommunications services for several days. The incident began on 12 August, and the perpetrators managed to obtain customer data, employees’ personal data, financial data, and other documents, which were put up for sale on the dark web for 200,000 euros. The attack was claimed by a group using WarLock ransomware. According to one security expert, the attack was likely carried out via a zero-day vulnerability in Microsoft SharePoint.
 

The US Federal Court confirmed that its electronic information system had been hit by a cyber attack. Most of the documents stored in the system are public, but according to a representative of the courts, some of the files related to proceedings also contained confidential documents. Politico wrote a week earlier that, according to two experts familiar with the matter, the attack may have also resulted in a leak of confidential information related to criminal proceedings. There is no information about the attacker, but the recent spate of attacks against courts is more likely to be linked to state-backed threat actors.

CERT-UA issued a warning about a new wave of cyber attacks targeting government agencies and defence industry companies. The attack begins with phishing, which is often disguised as a court summons or court-related documents. The phishing email contains a link to a standard file-sharing environment, but clicking on the link downloads a ZIP archive containing a file with malware. In connection with the attack wave, CERT-UA has identified three types of malware used in different stages of the attack to create backdoors and steal data (including passwords and documents).

Russian hackers managed to hack into the network of a small hydroelectric power company near Gdansk and gain access to the turbine control systems. The hackers released a video demonstrating how they manipulated the control devices. The same company was attacked in May, but with less success. According to the local publication cyberdefence24, cyber attacks against Polish industrial automation have become a regular occurrence: over the past few months, several Polish water and sewage companies and swimming pools have been attacked.

Last updated: 04.09.2025
