Situation in cyberspace – January 2026

In January, we recorded 768 incidents with an impact, which is less than the average of the last six months.
  • On 1 January, there were problems with issuing digital signatures. Two companies were hit by a ransomware attack. In January, there were disruptions in the services of both Telia and Elisa.
  • We made a guest appearance on Veebikool to talk about cyber threats among entrepreneurs. We published a warning on the Estonian Information System Authority’s blog about a new botnet called Kimwolf. Another CyberMeetUp of the Information System Authority was held. 
  • The European Space Agency was hit by a cyber attack. A database containing the details of approximately 17.5 million Instagram users was put up for sale on the dark web. The Iranian government shut down internet access throughout the country to stop the spread of unrest and the flow of information between people.
Figure: Incidents reported in six months in 2024, 2025 and 2026. 768 in January, 998 in December, 851 in November, 1,057 incidents in October, 680 incidents in September, 759 incidents in August 2025.

Incidents reported to CERT-EE that had an impact on the confidentiality, integrity, or availability of data or information systems.

Automatic monitoring: malware in six months. 17,088 in January, 15,306 in December, 14,561 in November, 15,628 in October, 14,870 in September, 15,414 in August 2025.

Devices in Estonian cyberspace infected with malware detected by automatic monitoring. CERT-EE notifies network owners of infections.

Fraudulent sites recorded by CERT-EE in six months. 347 in January, 422 in December, 294 in November, 427 in October, 286 in September, 286 in August 2025.

Fraudulent websites account for the largest proportion of incidents recorded by CERT-EE.

Situation in Estonian cyberspace

At midnight on 1 January, some users and services began experiencing problems with digital signatures. Smart-ID, Mobile-ID and ID card signing were all affected. Among other issues, it became impossible to digitally sign ambulance cards, so ambulance crews resorted to using pen and paper. Bank transfers at Swedbank, SEB, LHV, and Coop were also unavailable. Some of the disruptions were resolved before midday, and all services were back up and running by 2.51 p.m. The interruption was caused by a software failure: at the start of the year 2026, the DigiDoc4j base library no longer accepted responses from the validity confirmation service signed with the current key length. We recommend that all information system administrators update the DigiDoc4j library used in their systems to version 6.1.0 at the earliest opportunity. For more details, refer to the website of the Information System Authority.

The website tuuleliinid.ee, which sells tickets for ferries travelling between small islands and the mainland, was unavailable from 5.12 p.m. on 9 January until 9.01 a.m. on 12 January. The interruption was related to changing the ticket sales service provider. 
 

Between 8.41 a.m. and 1.22 p.m. on 16 January, an electricity distribution company experienced a large-scale voice and data communication outage. The operation of vital services (electricity sales and distribution network services) was not disrupted, but communication with customers was affected. In addition, mobile data communication failed to work on devices using SIM cards. The interruption was caused by a malfunction in the telecom operator’s equipment. 

On 22 January, card and cash transactions by some private and business clients of LHV were counted twice due to a technical error. Payments were processed on multiple assets, and the configuration that was supposed to prevent double processing failed to work. The bank refunded the incorrectly reserved amounts to customers.
 

In January, there were disruptions in the services of both Telia and Elisa.

  • On 23 January, between 11.26 a.m. and 12.40 p.m., disruptions occurred in the data and voice communications of Telia. The impact was greatest between 12.30 p.m. and 12.40 p.m., when Telia redirected data traffic to other connections. At that time, international voice communications and Internet services related to external connections were affected (it was impossible to open some web pages, use communication applications, etc.). The interruption was caused by a malfunction in the network equipment of an external partner of Telia.  

  • At 2.06 a.m. on 27 January, Elisa’s services were hit by a widespread outage. Across Estonia, there were disruptions in voice calls, mobile and cable internet, Elisa’s Mobile ID, self-service, and website, as well as the streaming service Elisa Elamus. Services gradually recovered overnight. All services were up and running by around 9.30 a.m. The outage began with a power failure at the data centre.

In January, two companies reported ransomware attacks against them. On 12 January, the water company of Ida-Viru County was hit by a ransomware attack where data on 11 servers and some office computers was encrypted. The servers were restored from backup copies and there was no significant impact on the company's operations. According to preliminary information, the attack started from a device running an outdated operating system. On 13 January, an industrial company operating in Harju County was hit by a ransomware attack. The malware encrypted the data on one computer. Once again, the attack did not significantly affect the operations of the company. Although the ransomware attacks in January had no major impact, such attacks could bring the entire company to a standstill if a series of unfortunate events were to occur. Read more on our prevention portal IT-vaatlik to find out how to prevent ransomware attacks and what to do if you fall victim to one.

Activities of the Estonian Information System Authority

In January 2026, the Act on Amendments to the Cybersecurity Act and Other Acts entered into force, transposing the NIS 2 Directive into Estonian law. The aim of the changes is to raise the level of cybersecurity. The amendment to the Cybersecurity Act has brought about significant changes, resulting in a considerable increase in the number of companies and institutions subject to mandatory cybersecurity requirements. More detailed information can be found on the website of the Information System Authority.

At the end of February, the Information System Authority will introduce the Smart-ID+ feature to the state authentication service, making authentication more secure and user-friendly than before. Smart-ID+ allows logging in to e-services in two different ways. When using e-services on a computer, a constantly changing QR code is displayed to the user. When using e-services on a mobile phone, the Smart-ID application opens automatically and the user confirms their login to the e-service with their PIN1. Read more on the Information System Authority’s website.

On 9 January, Helena Jürgenson, an analyst at the Analysis and Prevention Department of the Information System Authority (RIA), made a guest appearance on Veebikool to talk about the cyber threats faced by entrepreneurs and how to protect your business in an informed manner. Helena explained the types of cyber attacks currently in circulation, how to reduce risks, and what to do if you fall victim to an attack. View the recording of the training session here.

On 22 January, the Information System Authority’s first CyberMeetUp of the year took place. This time, Luca Tagliaretti (European Cyber Competence Centre), Patrick Kobly (Rushmore Technologies OÜ), Nikolai Kunitsõn and Kaisa Lindenburg (the Estonian Information System Authority) took to the stage. Discussions focused on supporting cyber innovation in Europe, the Estonian cyber community, and the Chinese cyber ecosystem. Recordings of the event can be viewed here. The next CyberMeetUp of the Information System Authority will be held on 19 February.

Starting in January, we will publish the most important news about international cyber incidents weekly on the Information System Authority’s blog. In January, for instance, we wrote about a cyber attack on the European Space Agency, the Iranian government cutting off internet access, an Instagram data leak, cyber attacks on the energy infrastructure of Poland at the end of December, and several other incidents in cyberspace. Read all posts published this month on the Information System Authority’s blog.

We published a warning on the Information System Authority’s blog about a new botnet called Kimwolf, which cybercriminals use to carry out cyber attacks using ordinary users' home devices. Currently, there are an estimated two million infected devices connected to the Kimwolf network worldwide, including devices belonging to US government agencies. CERT-EE has identified the first infections in Estonia, but the exact number of infected devices is still being determined. Read more on the blog about how the botnet works and which devices are infected.

The Information System Authority and the Estonian Business and Innovation Agency have launched a new support measure to help companies operating in the field of cybersecurity develop innovative, internationally competitive solutions in collaboration with researchers. The measure will allocate 1.5 million euros to the IT sector, and the submission of applications opened on 12 January. The grant covers development of new solutions from concept creation to prototype testing, product development, and experimentation. Only Estonian companies can apply, and the maximum grant amount is 100,000 euros. Read more detailed information on the Estonian Business and Innovation Agency’s website.

International situation

During the raid on Venezuela on 3 January, the US probably used offensive cyber capabilities, among others. President Trump implied that power outages occurred in Caracas during the operation thanks to ‘certain expertise’ of the US, and General Caine, Chairman of the Joint Chiefs of Staff, hinted at various military effects that had facilitated the operation. However, neither the US authorities nor the cyber command have commented on the matter in detail. NetBlocks, an independent organisation monitoring internet traffic, confirmed that unusual interruptions in internet connections were observed in Caracas at 3.01 a.m. 

The European Space Agency, of which Estonia is a member, confirmed that they were hit by a cyber attack with limited impact in December. The affected servers are not included in the corporate network of the agency, so the criminals are unlikely to have access to highly sensitive data. According to available information, the perpetrators managed to compromise a limited number of servers storing non-confidential data on joint projects between scientists and engineers. According to SecurityWeek, the attacker uses the alias ‘888’ and has claimed on a dark web forum that they have 200 gigabytes of the agency’s data at their disposal, including documents, configuration files, and more.

A database containing details of approximately 17.5 million Instagram users has been put up for sale on the dark web. Unlike previous leaks, this time not only usernames but also some users’ home addresses, telephone numbers, and email addresses are reportedly for sale. As Instagram does not collect all such data, it is likely that the perpetrators have combined data stolen from Instagram with data obtained from other platforms. Instagram users are advised to be particularly vigilant: never to respond to password reset emails but only change their password by logging in via the app itself, and to set up multi-factor authentication.
 

In the second week of January, the Iranian government decided to shut down internet access nationwide to stop further spread of unrest and the flow of information between people. The drop in internet traffic to just one per cent of normal levels was confirmed by NetBlocks, an organisation monitoring internet traffic, and Cloudflare, an internet infrastructure company. Local mobile coverage was also disrupted and calls from abroad were blocked. Even Starlink satellite communications could not function normally. An internet blackout of this scale is unprecedented in Iran. The government, however, can continue using the internet and social media, and some other institutions and Telegram propaganda channels appear to have been granted an exception. Experts estimate that Iran has the capability to restrict internet access on a massive but selective scale, which is why there are fears that this situation could persist for some time.

In January, a ransomware attack hit AZ Monica Hospital in Antwerp, forcing the cancellation of operations and the transfer of seven critically ill patients to other hospitals. The emergency department of the hospital was also unable to function normally, and patients requiring emergency care were advised to seek treatment elsewhere. Prompted by the attack, the Belgian Ministry of Health has warned that approximately 75% of Belgian hospitals fail to meet modern cybersecurity standards and that healthcare is one of the sectors most vulnerable to cyber attacks.

In December, cyber attacks were carried out against the energy infrastructure of Poland with the aim of causing power and heating outages. The cyber attacks were coordinated across multiple locations and attempted to disrupt communication between network operators and wind farms, solar power producers, and power stations. The Polish CERT has published a comprehensive report on the large-scale attack attempt on 29 December against Polish wind and solar farms, a district heating and electricity company, and a manufacturing company. According to the report, the aim of the attacks was to destroy infrastructure, and information systems as well as industrial control technology were targeted. After analysing the methods and infrastructure used in the attacks, the Polish CERT concluded that they were largely similar to those used by groups associated with the Federal Security Service of the Russian Federation (FSB), known as Static Tundra, Ghost Blizzard, and Dragonfly. Dragos, a company focusing on the cybersecurity of industrial equipment, has also published its own analysis of the incident.

Last updated: 05.02.2026
