Situation in cyberspace – November 2025

In November, we recorded 851 incidents with an impact, slightly above the average of the previous six months.
  • In November, denial-of-service attacks were carried out against the Tallinn and Tartu official websites. A Tallinn-based company was hit by a ransomware attack. On 18 November, a technical failure affected Cloudflare’s network services.
  • We conducted a joint exercise called ‘Cyber Reserve 2025’. The Estonian information security standard (E-ITS) workshops and engagement seminars continued, and the second RIA CyberMeetUp of the season took place.
  • Danish government websites and defence industry companies were hit by a wave of denial-of-service attacks. ESET published an overview of the activities of state-sponsored groups. French social services intermediary Pajemploi reported a major data breach.
Figure: Incidents reported over six months, 2024 and 2025. 2025 values: 851 in November, 1,057 in October, 680 in September, 759 in August, 783 in July, 413 in June.

Incidents reported to CERT-EE that had an impact on the confidentiality, integrity, or availability of data or information systems.

Figure: Malware infections detected by automatic monitoring over six months. 14,561 in November, 15,628 in October, 14,870 in September, 15,414 in August, 17,047 in July, 11,479 in June 2025.

Devices in Estonian cyberspace infected with malware, as detected by automatic monitoring. CERT-EE notifies network owners of infections. The surge is driven by IoT devices infected with the BADBOX 2.0 botnet, in the Estonian context primarily set-top boxes.

Figure: Fraudulent sites recorded by CERT-EE over six months. 294 in November, 427 in October, 286 in September, 286 in August, 345 in July, 30 in June 2025.

Fraudulent websites account for the largest proportion of incidents recorded by CERT-EE.

Situation in Estonian cyberspace

On 1 November, between 2:23 p.m. and 6:25 p.m., the automated border control system, i.e. the ABC gates, was not functioning. The outage was caused by an expired server certificate.

From 9 November at 9:07 p.m. until 10 November at 11:13 a.m., the Health Insurance Fund’s public document register at adr.tervisekassa.ee was unavailable. The incident was caused by a broken certificate chain.
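Both outages above are certificate-validation failures that a client sees as the same thing: the server's chain does not verify. The example below is added to this overview to show the two failure modes side by side and is not code from RIA or from the affected services. It builds a constructed in-memory PKI (a root CA, an intermediate CA and a server certificate with the hypothetical name service.example.test) and then verifies the server certificate the way a TLS client does: once with the full chain, once with the intermediate missing (the adr.tervisekassa.ee case), and once after the server certificate has expired (the ABC gates case). The expiry-countdown function is the value a monitoring job should alert on weeks before it reaches zero.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI is a constructed, in-memory chain: root CA -> intermediate CA -> server leaf.
// Names and lifetimes are illustrative assumptions, not taken from any real service.
type PKI struct {
	Root, Intermediate, Leaf *x509.Certificate
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mustCert signs tmpl with the parent's key and parses the DER back into a certificate.
func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildPKI issues a chain whose server certificate is valid from notBefore for leafLifetime.
func BuildPKI(notBefore time.Time, leafLifetime time.Duration) PKI {
	rootKey, intKey, leafKey := mustKey(), mustKey(), mustKey()
	year := 365 * 24 * time.Hour

	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: notBefore, NotAfter: notBefore.Add(10 * year),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root := mustCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed

	intTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example Intermediate CA"},
		NotBefore: notBefore, NotAfter: notBefore.Add(5 * year),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	inter := mustCert(intTmpl, root, &intKey.PublicKey, rootKey)

	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "service.example.test"},
		DNSNames:  []string{"service.example.test"},
		NotBefore: notBefore, NotAfter: notBefore.Add(leafLifetime),
		KeyUsage:  x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := mustCert(leafTmpl, inter, &leafKey.PublicKey, intKey)
	return PKI{Root: root, Intermediate: inter, Leaf: leaf}
}

// VerifyChain checks the server certificate the way a TLS client does: it trusts only
// the root, uses whatever intermediates the server actually presented, and evaluates
// validity at time now. A nil result means the chain validates; otherwise the x509
// error says why (unknown authority when the intermediate is missing, expired, ...).
func VerifyChain(p PKI, presentedIntermediates []*x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(p.Root)
	inters := x509.NewCertPool()
	for _, c := range presentedIntermediates {
		inters.AddCert(c)
	}
	_, err := p.Leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters,
		DNSName: "service.example.test", CurrentTime: now,
	})
	return err
}

// DaysUntilExpiry is what a monitoring job should alert on well before it reaches
// zero; a negative result means the certificate has already expired.
func DaysUntilExpiry(c *x509.Certificate, now time.Time) int {
	return int(c.NotAfter.Sub(now).Hours() / 24)
}

func main() {
	issued := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	p := BuildPKI(issued, 90*24*time.Hour) // 90-day server certificate
	full := []*x509.Certificate{p.Intermediate}
	day30, day100 := issued.Add(30*24*time.Hour), issued.Add(100*24*time.Hour)

	fmt.Println("full chain, day 30:    ", VerifyChain(p, full, day30))  // <nil>
	fmt.Println("intermediate missing:  ", VerifyChain(p, nil, day30))   // unknown authority
	fmt.Println("full chain, day 100:   ", VerifyChain(p, full, day100)) // expired
	fmt.Println("days until leaf expiry:", DaysUntilExpiry(p.Leaf, day30))
}
```

The missing-intermediate case is the one that is easy to miss in testing: a browser that has cached the intermediate from an earlier visit, or an operator's workstation with it in its trust store, will still connect, while fresh clients fail. Verifying with only the root trusted and only the served intermediates supplied, as above, reproduces what a new client sees.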
 

On 17 November, ransomware encrypted data stored on the server of a Tallinn-based company, and the attackers sent a ransom demand to the victim. The company had a backup copy of the data, which was used to restore the services. We would like to remind you that RIA does not recommend complying with the criminals’ demands and paying a ransom, as this does not guarantee that you will get your data back. Read more on how to avoid ransomware attacks on the IT-vaatlik website.
 

There were denial-of-service attacks against the Tallinn and Tartu official websites. On 11 November, between 7:30 a.m. and 1:22 p.m., tallinn.ee experienced several interruptions, the longest of which lasted 41 minutes. The cause of the interruptions was a denial-of-service attack. On 12 November, the website tartu.ee was subjected to a denial-of-service attack, resulting in several short-term interruptions and slowdowns between 9 a.m. and 5 p.m. The attack was similar to the one carried out against tallinn.ee the previous day. Tartu.ee also experienced interruptions on 13 November between 8:21 a.m. and 11:49 a.m. This time, the cause was active scanning of the website.

On 18 November, a technical failure lasting several hours affected the network services of global internet infrastructure company Cloudflare. The failure affected services in many countries, including Estonia – several news portals (Delfi, Eesti Ekspress, Õhtuleht), as well as etv.ee and vikerraadio.ee, were unavailable for a few hours. In addition, the LuxExpress and Elron websites were disrupted, making it impossible to purchase tickets online, as was the Enefit website. According to Cloudflare’s own post-incident blog post, the outage was not an attack: a change to database permissions made during routine maintenance caused a configuration file used by its bot-management system to grow beyond the size its proxy software could handle, and the resulting failures cascaded across a large part of Cloudflare’s global network.

As was the case last month, we again saw a number of different telephone and internet scams. For example, on 3 November, a person reported that they had fallen victim to fraud and transferred over €120,000 from an NGO account associated with them to the fraudsters. The first fraudster who called the victim introduced themselves as an electrician. As the victim was waiting for an electrical switchboard to be installed in their building, they scheduled a suitable date. At the end of the call, the fraudster asked for confirmation of the transaction using Smart-ID, and the victim entered PIN1. This was followed by calls from fraudsters who presented themselves as police officers and bank employees and claimed that the victim’s bank account had been accessed illegally and several transactions had been made. To reverse them, the victim was asked to enter PIN1 and PIN2 repeatedly; each such entry in fact authenticated the fraudsters or signed a payment. When the victim checked their NGO’s bank account, it turned out that transfers totalling more than €120,000 had been made from it. We continue to recommend that you hang up on such calls immediately and avoid sharing and entering your personal data or PINs. We would like to remind you once again that no public authority, bank, or company will ever ask for such information over the phone.

Activities of the Estonian Information System Authority

We conducted the joint exercise ‘Cyber Reserve 2025’, which aimed to test and strengthen the ability to respond to cyber threats targeting critical infrastructure. The exercise was based on a scenario in which the resilience of the electricity transmission system was tested in a situation where the remote operability of the electricity system could have been compromised during an attack. The exercise involved representatives from RIA, Elering, the Ministry of Justice and Digital Affairs, the Ministry of Climate, and the Government Office. For the first time, international partners from Singapore also participated in our exercise. An important aspect was the coordination of communication with partner institutions and testing the readiness levels.

On 13 November, the second RIA CyberMeetUp of the season took place. This time, presentations were given by Bohumila Vančurová (NUKIB), Furkan Senan (Outer Heaven), Siim Alatalu (ESTDEV), and Lauri Tankler (RIA). Participants were given an overview of the situation in the Czech cyber space, increasing the effectiveness of penetration testing, a new initiative to strengthen the cyber security of Ukraine under the Tallinn Mechanism, and the financing of cyber security projects. Recordings of the event can be viewed here. The next RIA CyberMeetUp will take place on 10 December. 

RIA released a new version of ID software, which supports the new ID card that will be introduced in the second half of November. The new ID card will bring changes to the appearance of the card, the chip technology, and the software, which means that the ID software will need to be updated for electronic use. In order to use the new ID card electronically, for example for authentication and digital signing, users who receive their ID card after 17 November must update their ID software to version 25.10. After receiving the new ID card, the user must change their PIN2 code in the ID software. Only then can the new ID card be used for digital signing.

In November, E-ITS workshops and engagement seminars took place. At the engagement seminars, we share practical advice and recommendations with E-ITS implementers to make the standard and its implementation easier to understand. At the practical workshops, we discuss the changes in cyber security requirements that came into force at the beginning of October. You can keep up to date with all past and future events on the E-ITS portal.

We published two new posts on the RIA blog. In the first, we present 10 recommendations for secure remote working. In the second, we write about frauds and attacks affecting companies. Read the posts on the RIA blog.
 

International situation

An overview published by cyber security company ESET on the activities of state-sponsored groups (APTs) in the second and third quarters of 2025 shows that the most active groups are those with Chinese and Russian backgrounds, accounting for 39.8% and 25.7% of all APT attacks monitored by ESET, respectively. The main focus of groups with a Russian background is on Ukraine, but they also attack countries in the European Union and elsewhere that support Ukraine. According to ESET, Gamaredon, which has a Russian background, grew in terms of both the number and complexity of attacks during this period. In addition, Gamaredon collaborated with another Russian group, Turla. With regard to groups linked to China, ESET pointed out that they have increased their activities in Latin America.

On 6 November, websites related to Belgian military intelligence were unavailable for some time. The attack was claimed by the pro-Russian hacktivist group NoName057(16). Belgian telecommunications companies Proximus and Scarlet were also targeted with denial-of-service attacks. As unknown drones disrupted operations at several Belgian airports during the same week, some media outlets speculated that these actions may have been coordinated.

The financial results published by the luxury car manufacturer JLR show that the direct damage caused by the cyberattack earlier this autumn amounts to £196 million (approximately €222 million). The total cost is several times greater than this, and analysts estimate that it is the most damaging cyberattack in the United Kingdom to date. The attack and the accompanying data theft took place in September, and a group calling itself Scattered Lapsus$ Hunters claimed responsibility for it. The attack seriously disrupted JLR’s global supply chains, with several factories closed for five weeks and the UK government forced to guarantee a large loan to the company to restart production. According to company representatives, all operations have now been restored and the damage caused by the attack will not affect investments planned for the next five years.

Danish government websites and defence industry companies were hit by a wave of denial-of-service attacks, and some websites were temporarily down as a result. The attacks were claimed by the pro-Kremlin hacker group NoName057(16). They took place in the week leading up to local elections and may have been intended to express discontent with Denmark’s strong support for Ukraine.

French social services intermediary Pajemploi announced a major data breach in which sensitive personal data was stolen from its database. Up to 1.2 million people may be affected, and the leaked data includes names, dates of birth, addresses, social security numbers, and Pajemploi customer numbers. No ransomware group has yet claimed responsibility for the attack.

On 24 November, three local authorities in West London announced that their services were being disrupted by a cyberattack. The affected councils share the same IT infrastructure, and an emergency plan had to be activated to keep critical services running. One of those affected, Westminster City Council, is among the most important local authorities in the United Kingdom, as the area is home to Parliament, government agencies, and several popular tourist and commercial destinations. The nature of the attack has not been officially commented on, but according to experts there is reason to believe that it was a ransomware attack against a shared IT service provider.

Last updated: 04.12.2025
