- On the first day of income declaration, there were problems with signing in to the e-services environment of the Estonian Tax and Customs Board. It was not possible to log in to the Eesti app via Smart-ID.
- We published the RIA Cyber Security Yearbook. In addition, we published a blog post about QR codes and the hidden dangers of activity-tracking apps.
- Valtori, the ICT service centre of the Finnish government, was hit by a cyber attack. The customer database of Odido, the largest telecom operator in the Netherlands, was compromised. An unknown attacker gained access to the French national register FICOBA.
Incidents reported to CERT-EE that had an impact on the confidentiality, integrity, or availability of data or information systems.
Fraudulent websites account for the largest proportion of incidents recorded by CERT-EE.
Situation in Estonian cyberspace
On 4 and 5 February, there were disruptions in the SKAIS2 information system of the Social Insurance Board. The disruptions primarily affected assistive device service providers, who were unable to use the system to check whether the purchaser of the assistive device was entitled to a discount.
On 6 February, between 12.30 p.m. and 3 p.m., there were disruptions when accessing the internet bank and mobile app of LHV. The disruptions were caused by a higher than usual number of users following the release of a new mobile application. Other services, such as ATMs, payment terminals, and cards operated as usual.
On 9 February, between 12 p.m. and 6.15 p.m., denial-of-service attacks were carried out against the eok.ee website of the Estonian Olympic Committee. Between 12.06 p.m. and 12.40 p.m., the website was unavailable on several occasions (for a total of approximately 20 minutes) or responded to queries significantly slower than usual due to the attack. The attack also affected other websites hosted by the same service provider, including riks.ee, riigipilv.ee, and internet.ee. The pro-Russian group NoName057(16), which organised a DDoS attack campaign against various websites related to the Milan-Cortina Winter Olympics, has claimed responsibility for the attack.
On 10 February, between 2.51 p.m. and 4.25 p.m., there were interruptions in the operation of the websites terviseportaal.ee, tehik.ee, shk.sm.ee, and misp2.digilugu.ee, which are managed by the Health and Welfare Information Systems Centre. Most of the affected websites were restored within half an hour, but the Health Portal remained down for an hour and a half. The cause of the interruptions was a configuration error.
On 16 February, the first day of income declaration, between 11.31 a.m. and 1.44 p.m., there were disruptions in the e-services environment of the Estonian Tax and Customs Board when signing with Smart-ID and Mobile-ID. The disruptions were due to an eMTA setting that caused the user session to expire before the signing process was completed.
Since 9.28 a.m. on 26 February, it has not been possible to log in to the Eesti app via Smart-ID. The incident was caused by changes made due to the transition to the Smart-ID+ solution. The problem affects users who have not previously logged into the Eesti app via Smart-ID and are trying to do so for the first time. RIA and SK are expected to find a solution within the coming days.
At the end of February, various phishing emails were once again sent out en masse. The attackers claimed to be from Omniva, LHV Bank, or Smart-ID. All emails requested that recipients log in using Smart-ID and verify their identity. In emails sent on behalf of LHV Bank and Smart-ID, the attackers claimed that in accordance with anti-money laundering and know-your-customer requirements, it was necessary to verify the personal data of the users. The emails also stated that if the user did not identify themselves, access to the services would be restricted. The emails were sent from suspicious email addresses that do not belong to the organisations mentioned – for example, several emails were sent from the address [email protected]. Keep in mind that banks or other service providers never send such emails or ask you to enter your details on suspicious links.
Activities of the Estonian Information System Authority
We published the Cyber Security Yearbook, which provides an overview of developments, threats, and lessons learned in Estonian and international cyberspace over the past year. Last year in cyberspace will be remembered for the record 10,185 cyber incidents registered by RIA, most of which were fraud, phishing, and malicious redirects. We are pleased to note that the number of denial-of-service attacks with an impact has fallen, but the volume and technical complexity of attacks has decreased. The most extensive global disruptions of last year were actually caused by technical failures in large cloud services. The Cyber Security Yearbook is available in both Estonian and English.
We published a post about QR codes on the RIA blog. QR codes enable users to be directed to the desired website conveniently and quickly. As a result, they are being used more and more widely. Unfortunately, cybercriminals have also discovered this opportunity. We write in our blog about situations where QR codes can be dangerous and which codes should not be opened with your smart device. We also highlight the most common scams involving QR codes. Read more on the RIA blog.
On 19 February, the second RIA CyberMeetUp of the year took place. This time, an overview of the Cyber Security Yearbook and the situation in cyberspace over the past year was presented. The speakers shared insights into the planning and execution of cyber operations, information was released about the direction of this year’s Locked Shields exercise, and discussions were held on how to open more doors for young talent in the field of cyber security. Recordings of the event can be viewed on YouTube. The next RIA CyberMeetUp will take place on 19 March.
Starting in February, we will publish weekly news stories from around the world that are relevant to artificial intelligence. For example, last month, we reported on an AI toy that leaked thousands of private conversations, how Moltbook agents were used to spread malware and leak data, how national groups have exploited artificial intelligence, and a data leak from one of the most popular artificial intelligence-based chat applications. Read all posts published this month on the RIA blog.
We also published a post on the RIA blog about the hidden dangers of activity-tracking applications. Activity-tracking platforms such as Strava and komoot have millions of users worldwide. These popular applications are used to share daily workouts, sporting achievements, and participation in joint events. User profiles are often public, which means that sensitive data is visible to the entire world. Read more about the risks to consider when using these applications in our blog.
On 26 February, RIA introduced the Smart-ID+ solution in the state authentication service. Smart-ID+ primarily helps reduce the risk of phone scams and social engineering, as authentication and confirmation steps are carried out on the phone of the user and are linked to actions initiated by the user. Read more on the RIA website.
International situation
On 29 January, Valtori, the ICT service centre of the Finnish government, detected a cyberattack in which the attacker gained access to the mobile device management system of the state. The system manages data on the official devices (mobile phones, tablets) of government employees, and the leak includes the names, work email addresses, official phone numbers, and device information of up to 50,000 government employees. According to the Finnish government, the leak affects employees in all ministries, but based on current information, no data has been leaked that would jeopardise the operations of ministries. According to Valtori, the attack was carried out through an external service provider, targeting a mobile device management system that had a zero-day vulnerability. At the time of the attack, there was no security patch available.
In the first week of February, Conpet, the national oil pipeline operator of Romania, announced that its business IT network had been hit by a cyberattack. The attack affected the office network and took the website offline, but did not affect the operability of the pipeline or industrial equipment. Conpet manages nearly 4,000 km of pipelines, which are used to transport both crude oil and refined fuel and play a vital role in the energy supply of the country. The ransomware group Qilin announced on the dark web that it had stolen one terabyte of sensitive data from Conpet and also published samples of it.
One of the largest telecom operators in the Netherlands, Odido, admitted that as a result of a recent compromise of their customer database, the data of up to 6.2 million customers may have been leaked. The data includes names, home addresses, telephone numbers, dates of birth, account numbers, and document numbers. According to the company, no passwords or call data have been leaked. Although the stolen data has not yet been made public, the company warned customers that this could happen at any moment and that all affected customers will receive a personal notification from the company. The criminal group ShinyHunters is offering the opportunity to download the entire stolen database on the dark web, which could affect up to 15 million people.
The Norwegian Police Security Service published its national threat assessment describing, among other things, the interests and activities of cyber criminals with Russian, Chinese, and Iranian state backgrounds directed at Norway. In the case of China, cyber espionage and the misuse of servers and routers located in Norway by Chinese cyber attackers to attack third countries are considered to be the main threats. The threat assessment also revealed that Salt Typhoon, a Chinese state-backed group focusing on the telecommunications sector, has compromised network equipment in Norway. In the case of Russia, sabotage attempts on Norwegian territory and influence operations aimed at swaying public opinion to reduce support for Ukraine are considered to be a greater risk.
The French Ministry of Economics and Finance announced that an unknown attacker gained access to the French national register FICOBA, which contained data on 1.2 million bank accounts. Initial access was gained through active login credentials. Access has now been removed. The accessed data contains sensitive personal information that has already been used in phishing attacks.
NetBlocks, an independent organisation that monitors the global internet, confirmed that since 28 February, when the US and Israel began military operations against Iran, virtually the entire country has been without internet access. According to NetBlocks data, only 4% of connections were visible in Iran on 28 February compared to normal times, and by the next day this had fallen to 1%. Internet infrastructure company Cloudflare also confirmed that internet traffic in Iran has practically ceased. It is believed that the Iranian authorities are behind the interruption, as they are trying to prevent civil unrest. On the same day, extensive cyber attacks were also reported against Iranian local news channels, websites linked to the Iranian Revolutionary Guards, and the local religious app BadeSaba.
Last updated: 05.03.2026