Situation in cyberspace – May 2025

In May, we recorded 1,107 incidents with an impact, which is higher than the average of the last six months.
  • In May, attackers encrypted the data of a company operating in Tallinn. We received several reports of fake online shops and fraud calls made on behalf of the Estonian Health Insurance Fund.
  • We participated in the international cyber defence exercise Locked Shields. We updated the cybersecurity quick guide for companies. We published a set of information security measures for small institutions and businesses.
  • CISA, the FBI, and the Department of Energy have issued a warning of increased attacks against industrial equipment of US energy companies. Investigators have discovered hidden communication devices in some solar inverters made in China.
Figure: Incidents reported in six months in 2024 and 2025. 1,107 incidents in May, 1,000 in April, 533 in March, 909 in February, and 1,121 in January 2025 and 920 in December 2024.

Incidents reported to CERT-EE that had an impact on the confidentiality,
integrity, or availability of data or information systems.

Automatic monitoring: malware in six months. 4,577 in May, 4,680 in April, 4,382 in March, 1,242 in February, and 1,492 in January 2025, and 1,785 in December 2024.

Devices in Estonian cyberspace infected with malware detected by automatic monitoring. CERT-EE notifies network owners of infections.

Phishing sites recorded by CERT-EE in six months. 223 in May, 201 in April, 185 in March, 347 in February, and 338 in January 2025 and 735 in December 2024.

Phishing sites still account for the largest proportion of incidents recorded by CERT-EE.

Situation in Estonian cyberspace

On 12 May, attackers encrypted the data of a company operating in Tallinn, making its business applications unusable. The backups were kept on the same network and were therefore also encrypted. According to initial information, the attackers penetrated the company's systems six months ago through security vulnerabilities in outdated software. Ransomware attacks often originate either from unpatched software or from a Remote Desktop Protocol (RDP) connection open to the internet. Last month, we also updated our Threat assessment (in Estonian), which sets out recommendations to prevent ransomware attacks.

On 17 May, between 3:15 a.m. and 5:20 a.m., the automated border control system, or ABC gates, at Tallinn Airport did not operate. Passengers on four different flights were affected by the incident. Once the service and the gates were restarted, they were back in operation. The outage was caused by a connection failure between the web server and the ABC gates. 

On 29 May, at around 3 p.m., the IT services of the East Tallinn Central Hospital, including the internal network, the external network, the WiFi, the e-mail server, as well as the systems used to treat patients, started to fail. A state of crisis was declared at the hospital: operations were postponed and patients arriving at the emergency department were transferred to other hospitals. The networks were restored after about 2.5 hours. The outage was caused by a failure during network maintenance that prevented the servers from accessing the necessary data.

In May, we were alerted on several occasions about fake online shops. Through social media, the user is lured to the online shop by very attractive offers – for example, by claims that the shop has to close due to economic difficulties and that there will be a clearance sale. In reality, the e-shop is only designed to phish for bank card details or the information required to log into the internet bank. We always recommend researching the e-shop online and reading feedback from other users before making a purchase. If the search does not bring up any information about the e-shop, it is probably a fake website. We also recommend that you read the tips for shopping online on the IT-vaatlik portal (in Estonian).

As in the previous month, fraud calls made on behalf of the Estonian Health Insurance Fund were common again. The calls claimed, for example, that a person has unused health benefits and offered to carry them over to the new year. The calls are becoming more and more credible and the speaker has good Estonian language skills. You will be asked to confirm your request using either Smart-ID or Mobile-ID PINs. However, this may give access to your bank account and the possibility to make transfers from it. We recommend once again that you hang up on all fraud calls immediately and avoid sharing your personal details or PINs.

Activities of the Estonian Information System Authority

We participated in the international cyber defence exercise Locked Shields from 5 May to 9 May. A total of 4,000 experts from 41 countries took part in the exercise. Participants were divided into 17 international teams tasked with protecting IT systems and critical infrastructure components – such as power grids and 5G communication networks – that were created for the exercise but correspond to their real-life counterparts. As in the past, the exercise consisted of an attacking red team and a defending blue team. This year Locked Shields took place for the 15th time. 

We updated the cybersecurity quick guide for companies. The guide is designed to help companies take the first steps towards more cybersecure business processes. In the quick guide, you will find, for example, information on how to protect the assets and employees of your company, how to recognise attacks, and how to prepare for incidents.

We published a set of information security measures for small institutions and businesses (in Estonian). In addition, the E-ITS portal now offers a support application. The E-ITS support application (in Estonian, also known as ‘võlur’ (the wizard)) is a web-based tool designed to support organisations in implementing the requirements of the Estonian Information Security Standard. It is a tool to help you go through certain steps of the information security management process and to keep up to date with updates to the directory. In May two E-ITS inclusion seminars also took place, where we gave practical advice and recommendations to implementers of the Estonian Information Security Standard to simplify the understanding and implementation of the standard. You can see the presentations of the seminars (in Estonian). 

From 12 May, we are open for applications for the new round of Cyber Accelerator. The Estonian Information System Authority (RIA) and Tehnopol Startup Incubator invite startups in the field of cybersecurity to participate in a new round of Cyber Accelerator, where they will have the opportunity to get advice from the best mentors in the field and 60,000 euros of support to develop their ideas. The programme will support early-stage cybersecurity companies with both product and business development for seven months. More information can be found on the website of Tehnopol.

On 15 May, the cyber community meeting RIA CyberMeetUp took place. This time, presentations at the Palo Alto Club were given by Anni Aleksandrov from RIA, Heisi Kurig from the University of Tartu, Dan Bogdanov and Maria Pibilota from Murumaa Cybernetica, Matthias Mehrtens from Niederrhein University of Applied Sciences and Katarína Galanská from Masaryk University.

Recordings of the event can be viewed on the RIA website.

International situation

In late April and early May, three British shopping chains were targeted by cyber attacks. Luxury department store Harrods confirmed that it detected intrusion attempts on its network and therefore took preventive measures to counter the cyber attack. For customers, services in the shops and the e-shop functioned as usual. A few days earlier, cyber attacks were reported by the Marks and Spencer and Co-op shopping chains, the former of which also suffered severe business disruption. In a letter to nearly 70,000 employees, Co-op asked that stricter security measures than usual be taken, such as keeping the camera feed on during video meetings. The National Cyber Security Centre of the UK called the wave of attacks a wake-up call and urged retail chain CEOs to take cyber security recommendations seriously.

The US cyber security agency CISA, the FBI, and the Department of Energy have issued a warning of increased attacks against industrial equipment of US energy companies. The attacks are mostly simplistic, taking advantage of the sometimes very weak cyber-security level of ICS/SCADA industrial equipment. However, according to the warning, even simple hacks can result in changes to the settings of the industrial equipment or, in the worst case, even render it physically unusable. CISA also issued recommendations to improve the security of operational technologies.

According to The Times, investigators discovered hidden communication devices in some Chinese-made solar inverters used in the US and other Western countries. Experts estimate that there is a possibility that these devices could be used to remotely trigger an emergency button on inverters and stop them from working. The findings fuel the suspicions that China is installing its own software in critical infrastructure equipment supplied to the West, which could be exploited maliciously in the event of conflict.  

The National Criminal Police and the Prosecutor’s Office have declared a Moroccan national an international fugitive (in Estonian); he is suspected of illegally accessing and downloading data from a loyalty card system managed by Allium UPI last year. Based on the evidence gathered in the criminal proceedings, there are grounds to suspect Adrar Khalidi, a 25-year-old Moroccan national, of the crime. The police have not identified any misuse of the downloaded Apotheka customer data.

In the framework of the long-running international police operation Endgame, 300 servers and 650 domains were taken offline, and millions of euros worth of cryptocurrencies were seized from criminals in May. 20 international arrest warrants were also issued. The operation is coordinated by Europol and Eurojust, with contributing investigators from Canada, France, Germany, the Netherlands, the UK, and the US.
 

Last updated: 09.06.2025
