Situation in cyberspace – December 2025

In December, we recorded 998 incidents with an impact, which is higher than the average of the last six months.
  • A family medicine centre fell victim to a ransomware attack. In early December, Cloudflare’s systems suffered a failure, resulting in numerous Estonian and global websites and services becoming inaccessible.
  • We visited the Algorütm podcast to talk about the goings-on of Estonian cyberspace. We conducted various trainings and held another RIA CyberMeetUp. In cooperation with the Police and Border Guard Board, we published a press release about 1,500 people who had given their PINs to fraudsters.
  • The United Kingdom imposed sanctions on two Chinese tech companies. Both the German government and the Danish intelligence service confirmed that Russian groups were behind cyber attacks made against them. Data stored in the code repository of the University of Sydney was leaked.
Figure: Incidents reported in six months in 2024 and 2025. 998 in December, 851 in November, 1,057 in October, 680 in September, 759 in August, 783 in July 2025.

Incidents reported to CERT-EE that had an impact on the confidentiality, integrity, or availability of data or information systems.

Automatic monitoring: malware in six months. 15,306 in December, 14,561 in November, 15,628 in October, 14,870 in September, 15,414 in August, 17,047 in July 2025.

Devices in Estonian cyberspace infected with malware detected by automatic monitoring. CERT-EE notifies network owners of infections. The surge is driven by IoT devices infected with the Badbox 2 botnet, primarily set-top boxes in the Estonian context.

Fraudulent sites recorded by CERT-EE in six months. 422 in December, 294 in November, 427 in October, 286 in September, 286 in August, 345 in July 2025.

Fraudulent websites account for the largest proportion of incidents recorded by CERT-EE.

Situation in Estonian cyberspace

On 1 December, a family medicine centre announced that it had fallen victim to a ransomware attack. During the incident, data on two servers and backups were encrypted. The most recent backup that the attackers were unable to access was from 2021. The encrypted server contained patient data, medical records, and appointment times, meaning that the attack completely halted the work of the family medicine centre. CERT-EE was able to recover some of the encrypted data.

On 5 December, Cloudflare’s systems suffered a failure, resulting in numerous Estonian and global websites and services becoming inaccessible. In total, approximately 28% of internet traffic passing through Cloudflare was affected. Many public sector websites, including those of the government, parliament, and police, were inaccessible in Estonia. It was also not possible to use Bolt’s website or app, or the national authentication service TARA. In Estonia, the failures lasted for about 20 minutes. The cause of the Cloudflare outage was not an attack, but a change they made to their virtual firewall in response to a recently discovered security vulnerability, which resulted in a technical glitch.

On 9 December, the security and access control system server of a rural municipality government was attacked. The server was accessed via a service provider’s account, which was taken over through phishing. The compromised account was closed within a few minutes and, based on the information available to us, the attackers did not have time to cause any significant damage.

On 10 December, between 12.12 and 12.39 p.m., there were disruptions in the operation of the identity verification and procedural information system UUSIS of the Police and Border Guard Board (PBGB). This disrupted the work of the offices of the PBGB. In addition to identifying individuals and determining their legal status, the PBGB uses this system for issuing identity documents and for migration control procedures. The disruptions were caused by server overload.

On 12 December, between 9.15 a.m. and 1.01 p.m., train ticket sales and timetable searches were unavailable on the websites elron.ee and pilet.ee. The interruption was caused by a failure in the systems of Ridango, the company that manages the ticket sales environment.

On 17 December, between 5.35 p.m. and 5.52 p.m., failures occurred in the operation of RIA’s services, including the state portal eesti.ee, the national authentication service TARA, and X-tee services. The failures began after a change was made at the data centre and were caused by a configuration error.

Unfortunately, December showed no signs of fraud slowing down. We continued to see a large number of scam calls from callers posing as, for example, Elektrilevi, the Estonian Rescue Services Agency, banks, the police, courts, and courier companies. The scam usually begins with the user being told that they need to confirm a transaction (e.g. changing their electricity meter or receiving a parcel) using their PIN. If the user does so, the next call appears to come from their bank or the police, informing the victim of suspicious transactions on their bank account. Over several calls, the user is tricked into entering their PIN repeatedly, which gives the fraudsters access to their bank account. We recommend that you continue to end suspicious phone calls immediately and not enter your PINs, even if someone pressures you to do so. Take your time and discuss any suspicious phone calls with someone close to you, especially if you are being pressured to keep the information regarding the call confidential.

Activities of the Estonian Information System Authority

According to estimates by the Police and Border Guard Board and RIA, approximately 1,500 people have given access to their eesti.ee accounts as a result of manipulation by fraudsters. This is not a data leak or security vulnerability; rather, individuals themselves have entered their PIN1s as a result of manipulation by fraudsters, thereby granting access to their eesti.ee accounts. The fraudsters’ aim was to use the data stored there to build trust and extort money. We also personally notified people via the national mailbox if their state portal accounts had been accessed by fraudsters. Read more detailed instructions on the RIA website, and if you have also fallen victim to fraud, please report it by email to [email protected] and send a copy to CERT-EE at [email protected].

On 10 December, the last RIA CyberMeetUp of the year took place. This time, presentations were given by Joseph Carson (Segura), Tiia Sõmer (Nortal/Taltech), and Anni Aleksandrov and Kaisa Lindenburg (RIA). Participants gained an overview of hacking and how criminals manage to carry out various types of fraud and influence human nature. In addition, RIA employees gave an overview of the innovation funding for cybersecurity companies and introduced an event called Connect4Cyber. Recordings of the event can be viewed here. The next RIA CyberMeetUp will take place on 22 January.

Helena Jürgenson, analyst at the Analysis and Prevention Department of RIA, appeared on the Algorütm podcast to discuss the goings-on of Estonian cyberspace. Helena introduced current scams and talked about who makes scam calls and what their motives are. Listen to the Algorütm podcast here.

We visited various institutions and companies to discuss cyber hygiene and current scams. For example, in December, we trained the employees of Rakvere Vesi and Rakvere City Government, as well as students of Tallinn German Gymnasium.

In December, a project led by Denmark was launched with the aim of strengthening the exchange of information regarding cyber threats in the Nordic and Baltic countries. The Nordic-Baltic Cyber Consortium (NBCC) focuses on cyber threat intelligence analysis and information sharing to better detect and prevent cyber attacks. Participants in the project include authorities responsible for cyber security in Iceland, Finland, Norway, Estonia, Lithuania, and Latvia.

We published two new posts on the RIA blog. In the first one, we tell a true story of how an analyst of RIA was deceived while making a purchase online. We also provide readers with recommendations on how to recognise and avoid fraud, and what to do if you have fallen victim to fraud. In the other post, we remind you how important it is to keep your PINs confidential.

International situation

The United Kingdom imposed sanctions on two Chinese technology companies that have carried out cyber attacks against government agencies and private companies in the United Kingdom and many other countries. The sanctioned companies are Sichuan Anxun Information Technology Co. Ltd, better known as i-Soon, and Integrity Technology Group. The latter is accused of creating a covert network and providing technical assistance to other cyber attackers. According to the UK Cyber Security Centre, China’s cyber ecosystem, which includes private companies, supports China’s state cyber operations. The UK government also imposed sanctions on Russian media company Rybar, which is accused of spreading false information and interfering in the elections of other countries.

The German government announced that it has found conclusive evidence linking APT28, a threat actor with Russian state backing, to cyber attacks against the German air traffic control centre in August 2024. The attackers managed to penetrate the centre’s office network, but air traffic control was not compromised. The German Federal Foreign Office also accuses Moscow of attempting to influence and destabilise Germany’s recent federal elections with false information. According to Germany, hybrid threats originating from Russia are on the rise, manifesting as cyber attacks, disinformation campaigns, and other activities that threaten national security.

In August, a cyber attack hit the fintech company Marquis, during which personal data was also stolen. Marquis provides services to hundreds of banks and credit institutions in the United States. It is now known that the data breach affected at least 780,000 people, all of whom will receive a personal notification. People’s names, addresses, social security numbers, dates of birth, and, in some cases, credit card numbers were leaked. According to the company, the attack occurred due to a security vulnerability in the SonicWall firewall.

In December, the Danish intelligence service disclosed that the cyber attack against a local water company at the end of 2024 was carried out by the Russian hacktivist group Z-Pentest. The attack manipulated water pressure, causing three water pipes to burst near Copenhagen and leaving 50 households without water for seven hours. Another group, NoName057(16), is linked to several denial-of-service attacks against Danish websites in the run-up to the local elections in November. According to the Danish intelligence service, both hacker groups have ties to the Russian state.

The University of Sydney announced that the personal data of approximately 27,500 former and current employees, students, and alumni had been leaked from their information system. The data was leaked from a code repository that also stored old data files from 2018. Although the illegal downloading of data has been confirmed, there is currently no evidence that it has been misused. The university has promised to send personal notifications to all affected individuals.

On the weekend before Christmas, a ransomware attack hit Romanian Waters, the company that manages Romania’s national water supply. According to the Romanian national cyber security centre, over 1,000 servers and workstations were taken offline as a result of the attack, both at the head office and at ten regional branches. According to the company, the attack did not affect operational technology (OT) and hydraulic engineering works continued to function, but were coordinated by telephone and radio communication. According to preliminary data, the attackers used the Windows encryption tool BitLocker.

Last updated: 06.01.2026