- Technical difficulties affected the automatic border control system at Tallinn Airport. On the morning of 19 March, train services were suspended due to a software fault.
- We published a threat assessment detailing a cyber attack that targeted one of the largest medical device manufacturers in the world. We wrote on the RIA blog about how artificial intelligence is used in cyber attacks, what a botnet is, and which scam websites are currently prevalent.
- The US published its new national cyber strategy. Stryker, one of the largest medical device manufacturers in the world, was hit by a major cyber attack. The Finnish shipping company Viking Line was hit by a data breach.
Incidents reported to CERT-EE that had an impact on the confidentiality, integrity, or availability of data or information systems.
Fraudulent websites account for the largest proportion of incidents recorded by CERT-EE.
Situation in Estonian cyberspace
On 3 March, between 12.45 p.m. and 1.07 p.m. and between 3.33 p.m. and 3.35 p.m., technical difficulties occurred in the draft legislation information system of the Government Office (eelnoud.valitsus.ee). There were also disruptions in the information system on 4 March between 10.16 and 10.30 a.m. The interruptions were caused by a technical error.
On 9 and 10 March, there were technical difficulties with the automatic border control gates (ABC gates) at Tallinn Airport. Because a software error caused problems with the detection of document chips and biometric verification at the gates, passengers were directed to manual passport control. After the gates were restarted, three of the four began to work, but the software had to be reinstalled for the fourth.
On 15 March, between 7.20 and 8.12 a.m., the websites oiguskantsler.ee, aki.ee, prokuratuur.ee, rik.ee, konkurentsiamet.ee, and vanglateenistus.ee, which are managed by the Centre of Registers and Information Systems (RIK), were unavailable. The incident was caused by a technical error.
On 16 March, disruptions occurred in the digital prescription service. Pharmacies were not able to sell medicines or medical devices on the basis of prescriptions issued on that date. All prescriptions issued during the disruption had to be reissued. CERT-EE is not aware of what caused the disruption.
At 2 a.m. on the night of 19 March, the maintenance partner of Estonian Railways Ltd carried out a scheduled restart of its servers. Following this, a fault occurred in the traffic control systems, leaving traffic controllers at the Baltic Station unable to manage the trains. As a result, westbound train services were suspended, and all other trains arriving at and departing from the Baltic Station were also affected. Once the problem was resolved at around 9.30 a.m., train services began to resume gradually. Train services across Estonia returned to normal at 2 p.m.
On 25 March, between 9.39 and 11.35 a.m., the mailbox and document view were not accessible in the Estonian app. Instead, users were shown an error message relating to VPNs. That same morning, the Defence Forces issued a nationwide alert regarding a drone threat. Many clicked the ‘I understand’ button, which directed them to log in to the Estonian app. Due to a sudden surge in traffic and queries, security measures were triggered, blocking some of the queries.
In March, phishing emails were circulated that appeared to have been sent on behalf of LHV Pank. The emails stated that it was time to update data and that to do so, the recipient needed to log in via the link provided in the email and confirm the accuracy of the data with their signature. The link in the email led to a phishing page designed to steal the login details of the user. The emails were sent from various suspicious domains, such as [email protected], which does not belong to LHV. We wish to remind you once again that banks do not ask you to update your details via email, nor do they send you suspicious links for this purpose. In addition, emails were sent last month claiming that there was an unread message in the user’s LHV inbox. To view the message, users were asked to log in to their internet bank, and on this occasion, too, the link led to a phishing site.
Activities of the Estonian Information System Authority
Gert Auväärt, Director of NCSC-EE at RIA, appeared on the programme Olukorrast digiriigis to discuss what actually happened in cyberspace in Estonia and the world over the past year. Developments over the past year have clearly shown that cyber security no longer affects only IT enthusiasts. It is the foundation upon which society functions, encompassing entrepreneurship, public services, energy security, and the sense of everyday safety of people. Listen to the programme on the Kuku website.
In the RIA blog, we explained how artificial intelligence is used in cyber attacks and which developments should be monitored closely. With the help of artificial intelligence, cyber criminals can create convincing phishing emails in a matter of seconds, automate attacks, and adapt malware faster than ever before. All of this is also changing the nature of cyber threats – the attacks are becoming increasingly sophisticated and better targeted. What is the forecast for the use of artificial intelligence in cyber attacks over the coming years, what should we be aware of, and what should we be prepared for? You can read all about it on the RIA blog (in Estonian).
On 19 March, the third RIA CyberMeetUp of the year took place. This time, presentations were given by Patrik Maldre and Lauri Maldre (Guild Security), Andres Elliku (Wise), Vashek Matyas (Masaryk University), and Lukaš Malina (University of Brno), as well as Lauri Tankler and Kaisa Lindenburg (RIA). Recordings of the event can be viewed on YouTube. The next RIA CyberMeetUp will take place on 16 April.
CERT-EE has recently detected several cyber attacks targeting Estonian websites, in which the attackers first took control of the websites and then attempted to infect the devices of the visitors. The attack involves the use of a fake CAPTCHA check created by the attackers. We explained on the RIA blog (in Estonian) how this attack works and how to spot a fake CAPTCHA.
We published a threat assessment detailing a cyber attack that targeted one of the largest medical device manufacturers in the world. In mid-March, it became clear that a group with links to Iran had begun retaliating in cyberspace for the attacks that had hit the country, targeting the US company Stryker. As a result of the attack, the operations of the company were severely disrupted. Although this particular attack targeted a US medical company, other countries and sectors are also potentially at risk due to the attack vector used. For more details on the attack and our recommendations, please see our threat assessment (in Estonian).
Various scam websites mimicking state agencies and media portals have begun to spread rapidly across the Estonian internet, attempting to lure victims into transferring their money to an investment platform. We explained on the RIA blog (in Estonian) how this scheme works and how to recognise scam ads.
We also wrote a post explaining what a botnet is. There is a considerable number of devices in the average home today that are connected to the internet – these include smartphones, computers, and various smart home devices such as smart TVs, routers, security cameras, fridges, robot vacuum cleaners, and so on. However, these come with a number of new cyber risks, one of which is the possibility of the devices being recruited into a botnet. Read the blog to find out what a botnet is used for (in Estonian) and how to protect your devices.
International situation
In early March, the Trump administration unveiled the country's new cyber strategy. The strategy document is brief and emphasises the unhesitating use of cyber attack and defence operations against all threats, reducing the regulatory burden, modernising and securing federal networks, enhancing the protection of critical infrastructure and making its supply chains more secure, adopting artificial intelligence solutions in cyber security, and developing the cyber workforce. The strategy also emphasises the need for cooperation between the public and private sectors.
In March, it was reported that the FBI had detected suspicious activity in mid-February within one of its information systems, which manages data relating to surveillance operations. The investigation into the incident is still in its early stages, but according to the Wall Street Journal, US investigators suspect that the attack was carried out by actors with links to the Chinese state. FBI representatives have not commented on this claim.
On 11 March, the US company Stryker, one of the largest manufacturers of medical devices in the world, operating in dozens of countries, was hit by a major cyber attack. A group with Iranian links, Handala, has publicly claimed responsibility for the attack; its main targets to date have been Israeli companies and institutions. According to initial assessments, the attackers gained access to a Stryker account with Microsoft 365 Global Administrator rights and used the Microsoft Intune tool to permanently delete data from approximately 200,000 devices held by employees. The attack disrupted operations at many factories and disrupted the processing of orders and deliveries worldwide; however, medical equipment in use in hospitals was not affected.
The hacker group ByteToBreach announced a successful breach of the network of CGI Sverige, the Swedish branch of the global IT firm CGI, and released the source code of the Swedish e-government platform. It is also reported that the hackers are in possession of personal data relating to employees of CGI Sverige, technical data relating to electronic signatures, and personal data of Swedish citizens. A spokesperson for CGI Sverige confirmed that hackers had managed to gain access to two internal test servers where an older version of the source code was stored.
The Finnish shipping company Viking Line has announced that it fell victim to a data breach. According to a spokesperson for the shipping company, this was most likely carried out via their digital service provider, Digitalist Experience. The leaked data includes the names, email addresses, telephone numbers, and vehicle registration numbers of customers, as well as the names, job titles, and password hashes of employees. According to initial reports, the leak did not affect all customers of the shipping company, but only those who had placed pre-orders with duty-free shops.
As a result of ‘Operation Alice’, a multi-year police operation carried out by the German police, Europol, and 22 other countries, a network of criminal platforms on the dark web was taken down. Criminals used these platforms to advertise child sexual content and various services related to cybercrime. Most of them were scam websites where customers paid in cryptocurrency but never received the promised services or materials. The network comprised at least 300 servers, more than a third of which are located in Germany. The main suspect, a 35-year-old Chinese national, is alleged to have earned at least 350,000 euros through the network.
The European Commission was hit by a cyber attack – a spokesperson confirmed that the europa.eu website had been hacked and data relating to the website had been stolen. According to BleepingComputer, hackers have gained access to at least one Amazon AWS account linked to the Commission. The attack was claimed by the group ShinyHunters, which published 90 gigabytes of stolen data on the dark web and confirmed that it was in possession of even more sensitive data, such as contracts, confidential documents, and the personal details of employees. According to a Commission spokesperson, the attack affected part of their cloud infrastructure, but not the internal systems. The exact scale and impact of the incident are currently under investigation.
Last updated: 10.04.2026