- In June, a cinema company fell victim to a ransomware attack. The services of the IT and Development Centre at the Estonian Ministry of the Interior (SMIT) and the Health and Welfare Information Systems Centre (TEHIK) were disrupted. In June, there was a significant increase in the number of phishing emails sent posing as LHV Pank and Omniva.
- We launched the itvaatlik.ee portal in English and Russian. In the RIA blog, we wrote a post warning about a new botnet.
- Ukraine’s critical infrastructure was hit by a cyber attack involving the data-destroying malware called PathWiper. Danish government agencies are planning to discontinue the use of Microsoft software. The personal data of Paraguayan residents was leaked onto the dark web.
Incidents reported to CERT-EE that had an impact on the confidentiality, integrity, or availability of data or information systems.
Devices in Estonian cyberspace infected with malware detected by automatic monitoring. CERT-EE notifies network owners of infections. The surge is driven by IoT devices infected with the Badbox 2 botnet, primarily set-top boxes in the Estonian context.
Phishing sites still account for the largest proportion of incidents recorded by CERT-EE.
Situation in Estonian cyberspace
In June, we were notified of several high-impact service disruptions.
On 2 June, between 11.12 and 11.40 a.m., the external connections of the Health and Welfare Information Systems Centre (TEHIK) were non-functional, resulting in the disruption of several dependent services: the Health Information System, the Health Insurance Fund services (digital prescription, insurance verification, incapacity for work benefit), the health portal, and the TEHIK website. The operation of the VPN and internet service of the Social Insurance Board was disrupted. The incidents were caused by a network outage that occurred during maintenance work.
On 5 June, a cinema company operating in Estonia, Latvia, and Lithuania announced that they had fallen victim to a ransomware attack. All virtual machines and backups were encrypted during the incident. Although the operations of the company were severely disrupted and system restoration took time, the cinemas continued to function.
On 10 June, at 8.27 a.m., disruptions began affecting the operation of the services managed by the Information Technology and Development Centre of the Ministry of the Interior (SMIT). The emergency response centre was also affected, resulting in longer than usual waiting times for answering emergency calls. In addition, the border control information system malfunctioned, making it impossible to carry out border checks and leading to queues at border crossing points. The longest queue of around 300 people formed in Narva. Due to the technical failure, it was not possible to apply for documents either at the service offices or through the self-service portal, nor was it possible to obtain documents at the PPA service offices or Selver stores. The self-service portal of the population register did not function either. The services were restored at 9.34 a.m. The disruption was caused by a failure in the service management system.
In June, there was a significant increase in the number of phishing emails posing as LHV Pank and Omniva. The email posing as LHV Pank asked the customer to update their contact information and directed them to a phishing site. The email mimicking Omniva claimed that the recipient had a parcel waiting and that they would have to pay customs duty to receive it. Both emails were sent by [email protected]. Always check the sender of the email and the links in its content to verify that the domains belong to the correct service provider. Do not open links in phishing emails; forward the email to CERT-EE at [email protected]. See examples of phishing emails and read more on the same topic on the RIA blog.
Activities of the Estonian Information System Authority
On 11 June, the final RIA CyberMeetUp of the season took place at the Palo Alto Club. This time, the speakers on stage included Rain Ottis, Head of the TalTech Centre for Digital Forensics and Cyber Security, Kati Kirsipuu, Project Manager of Tehnopol Startup Incubator and Marleen Rootamm, Project Manager of NATO DIANA. The next event will take place in October. Recordings of the event can be viewed on the RIA website.
Eesti app will soon be available for identity verification. On 4 June, the Riigikogu approved a draft law allowing people to use the Estonian national application to verify their identity. According to the amendment to the Identity Documents Act, service providers can verify the identity of their customers via the Eesti app, which is equivalent to verifying the identity of a customer on the basis of e.g. passport or ID card data. The new solution will become operational on 7 July. Read more here.
Simon Berner, cyber security analyst at the RIA, appeared on Kuku Radio’s show Sihik to talk about the situation in cyberspace. The show covered last month’s incidents, the steadily increasing number of phishing attacks, and common scams.
As of 13 June, itvaatlik.ee, the cyber security prevention portal of RIA, is available in three languages – Estonian, Russian, and English. The multilingual website helps bring cyber security topics to an even wider audience, making important information understandable and user-friendly to everyone living in Estonia, regardless of their mother tongue. IT-vaatlik underwent a thorough revamp at the end of last year and we encourage everyone to read the information there. In addition to guides aimed at individuals and businesses, the portal also offers, for example, a short course on cyber defence, as well as descriptions of common scams.
We wrote a post on the RIA blog warning about a new BADBOX 2.0 botnet that uses home devices for cyber attacks. Through the botnet, criminals control more than a million devices in almost every country in the world, including over 7,000 devices in Estonia. Read the blog to learn more about how devices get infected and what users can do to keep their home network secure. The botnet is also why a record number of malware-infected devices was detected during automated monitoring in June.
We regularly write about the most important security vulnerabilities on the RIA blog. In June, security flaws found in a number of widely used software products were disclosed, with vulnerability patches issued for products from Microsoft, Google, Mozilla, GitLab, Cisco, Atlassian and Linux, among others. Explore the various posts on the RIA blog here.
International situation
Cisco Talos wrote in its blog that Ukraine's critical infrastructure had been hit by a cyber attack involving a new data-destroying malware called PathWiper. Based on the attack’s signature, experts associate it with a Russian state-backed threat actor. The attackers had likely managed to gain access to the management panel of the critical infrastructure company, through which the malware was further distributed.
French luxury brand Cartier fell victim to a cyber-attack, during which customer data was also leaked. The data includes names, addresses, and countries of residence, but reportedly no banking data. Other luxury and fashion brands such as Adidas, Dior, and Victoria’s Secret have also recently struggled with cyber attacks.
The Minister for Digital Affairs of Denmark told the local newspaper Politiken that she intends to set an example by replacing all Microsoft software and tools in her ministry with the open source alternative LibreOffice by the end of the year. Denmark’s largest municipalities, Aarhus and the City of Copenhagen, had previously announced similar plans. According to Caroline Stage, Minister for Digital Affairs, the reason is a desire to achieve digital sovereignty and better control over how Danes’ data is stored.
Investigators discovered 7.4 million records containing personal data of Paraguayan residents on the dark web, for which cybercriminals are demanding 7.4 million dollars. The data is believed to have been stolen during several recent cyber attacks targeting government systems. The Paraguayan government has announced that it does not intend to give in to the extortion or pay the ransom. A few days before the data leakage was made public, the social media account of the president of the country was also compromised.
On 24 June, members and staff of the U.S. House of Representatives received an internal directive to stop using the WhatsApp application on work devices. The reason, according to the cybersecurity service of the House of Representatives, is that WhatsApp lacks transparency on how user data is protected, along with other security-related concerns.
An Iranian hacking group known as Homeland Justice claimed responsibility for a cyber attack in mid-June against the city government of Tirana, capital of Albania. According to local media, the website of the city government was down and some public services were disrupted due to the attack. According to Homeland Justice, the attack was motivated by Albania providing a safe haven for the Iranian opposition group Mujahideen-e-Khalq (MEK). Pro-Iranian groups have previously carried out cyber attacks against Albania, and their activities have intensified amid rising tensions in the Middle East. Israel has also reported a surge in phishing waves and denial-of-service attacks targeting its public services, attributing them to Iran-linked groups.
Last updated: 04.07.2025