Situation in cyberspace – July 2025

In July, we recorded 783 incidents with an impact, which is slightly below the average for the last six months.
  • There were disruptions in the operation of Mobile-ID services on two separate days. On 8 July, the Eesti app failed to process queries for identity documents and other services. In July, we recorded several denial-of-service attacks.
  • Starting 7 July, users of the Eesti app have been able to prove their identity via their smartphone. We updated the implementation manual of the Estonian Information Security Standard, which can be accessed in the E-ITS portal.
  • Microsoft shut down 3,000 email accounts linked to individuals involved in a scam carried out by North Korean IT workers. In New York, a mandatory ransomware attack reporting requirement was enacted. Australian airline Qantas confirmed that a recent cyberattack resulted in the data leakage of over one million customers.
Figure: Incidents reported in six months in 2024 and 2025. 783 incidents in July, 413 incidents in June, 1,107 incidents in May, 1,000 in April, 533 in March and 909 in February 2025.

Incidents reported to CERT-EE that had an impact on the confidentiality, integrity, or availability of data or information systems. The number of incidents recorded in June may have been affected by the transition to new monitoring tools.

Automatic monitoring: malware in six months. 17,047 in July, 11,479 in June, 4,577 in May, 4,680 in April, 4,382 in March and 1,242 in February 2025.

Devices in Estonian cyberspace infected with malware detected by automatic monitoring. CERT-EE notifies network owners of infections. The surge is driven by IoT devices infected with the Badbox 2 botnet, primarily set-top boxes in the Estonian context.

Fraudulent sites recorded by CERT-EE in six months. 345 in July, 30 in June, 371 in May, 439 in April, 105 in March and 349 in February 2025.

Fraudulent websites account for the largest proportion of incidents recorded by CERT-EE.

Situation in Estonian cyberspace

On 30 June, the SOS2 information system for processing emergency notifications was down between 3.30 p.m. and 4.35 p.m. During that time, all emergency response centres processed emergency notifications on paper, which took longer than usual and resulted in call queues. The incident was triggered by the handling of a complex event: many users were opening and updating the same event simultaneously, and every update caused the system to recalculate the dispatch plan yet again. Under this significantly higher than usual load, the server cache filled up, which disrupted the operation of SOS2.
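The pattern behind this outage, a recalculation storm, is worth seeing in code. The following is an added illustration, not SOS2 code and not a claim about how SOS2 is built: a naive handler recalculates the plan on every update, so forty concurrent updates of one event cost forty full recalculations and forty cached results, while a single-flight handler with a dirty flag collapses the same burst into a handful of recalculations and still ends on the newest version. The 20 ms cost per recalculation, the class and function names and the unit names are assumptions.

```python
"""Recalculation storm versus coalesced (single-flight) recalculation.

Added illustration of the failure mode described above. Hypothetical
demonstration code: not SOS2 code, no claim about SOS2's design.
"""
import threading
import time
from typing import Optional

RECALC_COST_SECONDS = 0.02   # assumed cost of one dispatch-plan calculation


def compute_plan(version: int) -> dict:
    """Stand-in for the expensive dispatch-plan calculation."""
    time.sleep(RECALC_COST_SECONDS)
    return {"version": version, "units": ["ambulance-1", "rescue-7"]}


class NaiveRecalculator:
    """Recalculates on every update: N concurrent updates -> N full recalculations."""

    def __init__(self) -> None:
        self.recalc_count = 0
        self.cache: list = []            # one entry per recalculation; this is what fills up
        self._lock = threading.Lock()

    def update(self, version: int) -> None:
        plan = compute_plan(version)
        with self._lock:
            self.recalc_count += 1
            self.cache.append(plan)

    def latest_version(self) -> int:
        return max(p["version"] for p in self.cache)


class CoalescingRecalculator:
    """Single-flight recalculation with a dirty flag.

    Only one recalculation runs at a time. Updates that arrive while it runs
    record the newest version and set a dirty flag instead of starting their own
    run; the running calculation then loops once more to pick that version up.
    """

    def __init__(self) -> None:
        self.recalc_count = 0
        self.plan: Optional[dict] = None
        self._latest_version = 0
        self._running = False
        self._dirty = False
        self._lock = threading.Lock()

    def update(self, version: int) -> None:
        with self._lock:
            self._latest_version = max(self._latest_version, version)
            if self._running:
                self._dirty = True       # the in-flight run will redo the plan once for us
                return
            self._running = True
        self._run()

    def _run(self) -> None:
        while True:
            with self._lock:
                version = self._latest_version
                self._dirty = False
            plan = compute_plan(version)  # expensive part runs without holding the lock
            with self._lock:
                self.plan = plan
                self.recalc_count += 1
                if not self._dirty:      # nothing arrived during the run: done
                    self._running = False
                    return

    def latest_version(self) -> int:
        return self.plan["version"] if self.plan else 0


def burst(recalculator, n_updates: int) -> int:
    """Fire n_updates concurrent updates of one event (constructed load); returns recalculations done."""
    threads = [threading.Thread(target=recalculator.update, args=(v,))
               for v in range(1, n_updates + 1)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return recalculator.recalc_count


if __name__ == "__main__":
    for cls in (NaiveRecalculator, CoalescingRecalculator):
        r = cls()
        print(f"{cls.__name__}: {burst(r, 40)} recalculations, final plan version {r.latest_version()}")
```

The coalescing variant bounds work per burst without dropping the last write: the final run always reads the highest version recorded under the lock. A bounded cache (evict old plans instead of appending forever) would address the second half of the failure, the cache filling up.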

The functioning of Mobile-ID was disrupted on several occasions. On 3 July, there were interruptions in the operation of the Mobile-ID service: the Tele2 network experienced them between 2.21 p.m. and 2.25 p.m., and the networks of Telia and Elisa between 2.51 p.m. and 3.01 p.m. The cause of the interruptions was a denial-of-service attack. There were also disruptions in Telia’s Mobile-ID service on 5 July between 1.21 p.m. and 2.01 p.m., but the cause remains unknown to us.

In July, we recorded several denial-of-service attacks:

  • On 7 July, between 5.30 p.m. and 8.50 p.m., a denial-of-service attack targeted the following websites managed by the Estonian Centre of Registers and Information Systems (RIK): avaandmed.ariregister.rik.ee, rik.ee, prokuratuur.ee, statistika.rik.ee, juristaitab.ee, kohus.ee, konkurentsiamet.ee, inimoigusteraamat.ee, korruptsioon.ee, ekei.ee, keeleamet.ee. During that time, there may have been brief interruptions in the operation of these websites.

  • On 14 July, two DDoS attacks took place with the first one targeting the name server of the Ministry of Defence and the second one targeting the name servers of the Ministry of Justice and Digital Affairs. Both attacks managed to cause brief service interruptions in the operation of the name servers, but did not have a wider impact.

  • On 21 and 23 July, there were denial-of-service attacks carried out against the website of the Estonian Business and Innovation Agency (eis.ee), and on 26 July against the border queue management information system (eestipiir.ee). As a result, there were brief interruptions in their operations. Once again, there were denial-of-service attacks carried out against the RIA, CERT-EE, SMIT, and TEHIK name servers, but they had no impact.
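The name-server attacks above are the kind a query log makes visible. The following is an added example, not code from CERT-EE or any of the operators named: it parses BIND 9 style query-log lines and reports queries per second, source addresses above a per-source threshold, and zones that receive an unusually large number of distinct labels, the signature of a random-subdomain flood that bypasses caching. The log lines, the example.ee zone, the addresses and the thresholds are constructed assumptions to be tuned per server.

```python
"""Spotting a DNS query flood in BIND 9 style query logs (added example)."""
import re
from collections import Counter, defaultdict
from typing import Iterable, Optional

# Line shape assumed (constructed), e.g.
# 14-Jul-2025 11:02:17.410 client @0x7f3a 203.0.113.7#51234 (a1.example.ee): query: a1.example.ee IN A + (198.51.100.2)
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\d\d:\d\d:\d\d)\.\d+ client (?:@0x[0-9a-f]+ )?"
    r"(?P<ip>[0-9A-Fa-f.:]+)#\d+ \([^)]*\): query: (?P<name>\S+) (?P<cls>\S+) (?P<qtype>\S+)"
)


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one query-log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["second"] = f"{rec['date']} {rec['time']}"   # bucket key with millis stripped
    return rec


def zone_of(name: str, depth: int = 2) -> str:
    """Last `depth` labels of a name: 'x.y.example.ee' -> 'example.ee'."""
    return ".".join(name.rstrip(".").split(".")[-depth:])


def detect_flood(lines: Iterable[str], qps_threshold: int = 100,
                 source_threshold: int = 25, label_threshold: int = 50) -> dict:
    per_second: Counter = Counter()
    per_source: Counter = Counter()
    labels_per_zone = defaultdict(set)
    parsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parsed += 1
        per_second[rec["second"]] += 1
        per_source[rec["ip"]] += 1
        labels_per_zone[zone_of(rec["name"])].add(rec["name"])
    return {
        "parsed": parsed,
        "peak_qps": max(per_second.values(), default=0),
        "flood_seconds": sorted(s for s, c in per_second.items() if c >= qps_threshold),
        "heavy_sources": [ip for ip, c in per_source.most_common() if c >= source_threshold],
        # many distinct labels under one zone = random-subdomain flood (each query misses cache)
        "random_subdomain_zones": sorted(z for z, names in labels_per_zone.items()
                                         if len(names) >= label_threshold),
    }


def build_sample_log() -> list:
    """Constructed log: a quiet second, then one second of flood from 40 sources."""
    lines = []
    for i, name in enumerate(["www.example.ee", "mail.example.ee", "ns1.example.ee"]):
        lines.append(f"14-Jul-2025 11:02:16.{i:03d} client @0x7f3a 198.51.100.{10 + i}#4{i}000 "
                     f"({name}): query: {name} IN A + (198.51.100.2)")
    for i in range(400):
        ip = "203.0.113.250" if i % 4 == 0 else f"203.0.113.{i % 40 + 1}"
        name = f"{i:06x}.example.ee"       # pseudo-random label: never cached, forces work per query
        lines.append(f"14-Jul-2025 11:02:17.{i % 1000:03d} client @0x7f3a {ip}#{40000 + i} "
                     f"({name}): query: {name} IN A + (198.51.100.2)")
    lines.append("14-Jul-2025 11:02:17.500 not a query line")   # noise the parser must skip
    return lines


if __name__ == "__main__":
    for k, v in detect_flood(build_sample_log()).items():
        print(f"{k}: {v}")
```

Run it over a real `querylog` channel (`channel query_log { file ...; }` with `category queries` in named.conf) by replacing `build_sample_log()` with the file's lines. A flood that spreads evenly across many sources will show up in `peak_qps` and `random_subdomain_zones` but not in `heavy_sources`, which is why all three signals are reported rather than a single per-IP counter.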

On 8 July, between 9.50 a.m. and 10.55 a.m., the Eesti app failed to process queries for identity documents and other services. A day earlier, it became possible to prove one's identity via the app by providing digital ID card or passport data, which led to a sharp increase in the number of app users and the volume of queries. This revealed a configuration error that did not manifest itself under lighter loads.

Scam calls impersonating the Estonian Health Insurance Fund continued throughout July. A few months ago, the scam calls were mostly in Russian, but we are now increasingly hearing about fraudsters speaking fluent Estonian. In the call, it is claimed that the person has an unused benefit offered by the Estonian Health Insurance Fund, which they now wish to either refund or carry over to the next year. The employees of the Estonian Health Insurance Fund do not contact people on their own initiative, nor do they ask for document numbers, PIN codes, or other personal information. We recommend ending such calls and not sharing any of your personal information. More information about scam calls and emails can be found on the website of the Estonian Health Insurance Fund.

Activities of the Estonian Information System Authority

Starting 7 July, users of the Eesti app have been able to prove their identity directly via their smartphone by providing the service provider with digital ID card or passport data in the app. The use of the solution is voluntary for both service providers and users, and will be rolled out gradually in cooperation with service providers. It should be noted that the document data in the Eesti app can only be used on the territory of Estonia and does not replace a physical document at international level. Listen also to the Vikerraadio Uudis+ programme, in which RIA Director of State Information System Taavi Ploompuu spoke about the new identity verification function in the Eesti app.

An article about the use of TikTok in a government institution was published on Levila's website, for which we provided input on cybersecurity threats. Because the app collects substantially more data than is usual and Chinese security authorities can access that data, Estonian government institutions have banned its use on their employees' phones.
We updated the implementation manual of the Estonian Information Security Standard, which can be accessed in the eits.ria.ee portal. The manual outlines the steps for managing information security in cases where the information security strategy is based on the implementation of the Estonian Information Security Standard (E-ITS). At the beginning of each step, references to regulations and links to other information security management implementation steps are provided to emphasize the necessity of the action.

We remind you that in just a few months, Microsoft will end Windows 10 product support. Starting from 14 October 2025, there will be no security updates, new features, or technical support for Windows 10 Enterprise, Education, Home, and Pro. At the beginning of the year, we wrote on the RIA blog about the risks of using outdated software and outlined various options for preparing for the end of Windows 10 support.

International situation

Microsoft says it recently shut down 3,000 Outlook and Hotmail email accounts believed to be linked to individuals involved in a scam carried out by North Korean IT workers. As part of the scam, North Korean IT workers use artificial intelligence to alter their appearance and identity in an attempt to get hired by Western technology companies. The goal is to generate revenue for North Korea, as well as to compromise the infiltrated companies and steal intellectual property. Microsoft has been monitoring this activity for years and described the recent dynamics in its latest blog post, including how the fraudsters are increasingly using voice alteration and other AI capabilities to conceal their real identities.

The Governor of the State of New York enacted a regulation requiring all local governments and affiliated services (such as transportation, healthcare, police, courts, electric companies, etc.) to report ransomware attacks and to disclose whether they have decided to pay the ransom as a result of the attack. Ransom payments must be reported within 24 hours. According to the Governor, such regulation helps make critical services more secure and will hopefully serve as an example for other states as well.
Nozomi Networks, a company focused on the cybersecurity of industrial equipment, has reported that, according to its data, attacks by Iranian state-affiliated hackers against US industrial equipment have increased. In May and June, 28 attacks targeting US industrial clients were detected, compared with 12 in the previous two months. The attackers appear to be mainly interested in the transport and manufacturing sectors. The most active groups identified were MuddyWater, APT33, OilRig, CyberAv3ngers, Fox Kitten and Homeland Justice.

Australian airline Qantas confirmed that a recent cyberattack resulted in the phone numbers, birth dates, and home addresses of over one million customers being leaked. The names and email addresses of approximately another four million customers were also leaked. The attack was carried out via a third-party call centre platform used by the airline. According to a Qantas representative, they have no information that the stolen personal data has been published anywhere so far. However, the company confirmed that the attacker has contacted them with the intent of extortion. 

In July, hundreds of millions of documents containing detailed information about Swedish citizens and companies were leaked. The leaked data included people's names, personal identification numbers, birth dates, gender, addresses, tax information, and more. The database was accessible online and contained over 100 million data records from 2019 to 2024. The data likely came from the data analytics company Risika, and the leak was caused by a misconfigured Elasticsearch server.
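An Elasticsearch server reachable from the internet without authentication is the classic shape of this kind of leak, and it is cheap to check for in one's own address space. The following is an added example, not code from Risika or from any party named in the report: it asks the cluster root and the `_cat/indices` endpoint with no credentials and reports which indices, and how many documents, an anonymous client can read. The HTTP layer is injectable so the logic runs offline against constructed responses; the host name `es.example`, the index names and the document counts below are constructed.

```python
"""Checking whether an Elasticsearch endpoint answers without authentication (added example)."""
import json
import urllib.error
import urllib.request
from typing import Callable, Tuple

Fetch = Callable[[str], Tuple[int, str]]


def http_get(url: str, timeout: float = 5.0) -> Tuple[int, str]:
    """Unauthenticated GET. Returns (status, body); status 0 when the host does not answer."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:          # 401/403/404 still carry a status worth reading
        return e.code, e.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return 0, ""


def assess_elasticsearch(base_url: str, fetch: Fetch = http_get) -> dict:
    """Classify an endpoint as unreachable, protected, not-elasticsearch, exposed or exposed-empty."""
    base = base_url.rstrip("/")
    result = {"verdict": "unreachable", "version": None, "indices": [], "readable_docs": 0}
    status, body = fetch(f"{base}/")
    if status == 0:
        return result
    if status in (401, 403):
        result["verdict"] = "protected"          # security enabled, anonymous access refused
        return result
    try:
        info = json.loads(body)
    except ValueError:
        info = None
    if status != 200 or not isinstance(info, dict) or "cluster_name" not in info:
        result["verdict"] = "not-elasticsearch"
        return result
    result["version"] = info.get("version", {}).get("number")
    # _cat/indices with explicit columns: readable to anyone if the first call was
    status, body = fetch(f"{base}/_cat/indices?format=json&h=index,docs.count")
    if status == 200:
        try:
            rows = json.loads(body)
        except ValueError:
            rows = []
        result["indices"] = [(r["index"], int(r.get("docs.count") or 0))
                             for r in rows if isinstance(r, dict) and "index" in r]
        result["readable_docs"] = sum(n for _, n in result["indices"])
    result["verdict"] = "exposed" if result["indices"] else "exposed-empty"
    return result


# Constructed responses standing in for a server that answers anonymously.
FAKE_OPEN = {
    "http://es.example:9200/": (200, json.dumps(
        {"name": "node-1", "cluster_name": "demo", "version": {"number": "7.10.2"}})),
    "http://es.example:9200/_cat/indices?format=json&h=index,docs.count": (200, json.dumps([
        {"index": "persons-2019", "docs.count": "120000"},
        {"index": "companies-2024", "docs.count": "85000"},
    ])),
}


def fake_open_fetch(url: str) -> Tuple[int, str]:
    return FAKE_OPEN.get(url, (404, ""))


def fake_protected_fetch(url: str) -> Tuple[int, str]:
    """Constructed: a cluster with security enabled rejects anonymous requests."""
    return 401, json.dumps({"error": {"type": "security_exception"}})


if __name__ == "__main__":
    print(assess_elasticsearch("http://es.example:9200", fetch=fake_open_fetch))
    print(assess_elasticsearch("http://es.example:9200", fetch=fake_protected_fetch))
```

Against a live host, call `assess_elasticsearch("http://host:9200")` with the default `http_get`. An `exposed` verdict means anyone on the network path can enumerate and read the data; the fix is to enable authentication (`xpack.security.enabled: true`, on by default since Elasticsearch 8) and to keep `network.host` off public interfaces so the service is only reachable through an authenticated front end.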

Last updated: 08.08.2025
