- In October, denial-of-service attacks were carried out against eesti.ee and election-related websites, but they had no effect. On 14 October, the network connection of the Eastern Centre of the Emergency Response Centre was briefly interrupted. In October, various telephone and internet scams spread again.
- We conducted a cyber security campaign for companies. We helped ensure the readiness, security, and technical support of e-elections. The third round of Cyber Accelerator began and the first RIA CyberMeetUp of the season took place.
- Latvia was hit by a wave of denial-of-service attacks. Discord announced that hackers managed to steal the data of approximately 70,000 users. There was a disruption at the data centre of Amazon, which affected many services.
Incidents reported to CERT-EE that had an impact on the confidentiality, integrity, or availability of data or information systems.
Devices in Estonian cyberspace infected with malware detected by automatic monitoring. CERT-EE notifies network owners of infections. The surge is driven by IoT devices infected with the Badbox 2 botnet, primarily set-top boxes in the Estonian context.
Fraudulent websites account for the largest proportion of incidents recorded by CERT-EE.
Situation in Estonian cyberspace
On 4 and 5 October, four denial-of-service attacks were launched against the state portal eesti.ee. The attacks lasted a few minutes. In addition, the name servers of CERT-EE and the Information System Authority were attacked. As a result of defensive measures, the attacks had no effect.
On 6 October, between 10.07 a.m. and 11.03 a.m., services of the Population Register were disrupted, which in turn disrupted the services dependent on them (processing of emergency calls, identity documents, etc.). The incident was caused by a technical database failure.
On 14 October at 10.13 a.m., the network connection of the Eastern Centre of the Emergency Response Centre was interrupted, causing several information systems to stop working. The systems recovered within three minutes, but soon the connection was interrupted again. This time, too, the service recovered within a couple of minutes, but as the cause of the interruption was unknown, the Eastern Centre temporarily stopped accepting calls to 112 and 1247 lines to prevent further interruptions. Calls were redirected to other centres. The Emergency Response Centre resumed normal operations at 11.05 a.m. The interruption was caused by a network device failure.
During the elections, the situation in cyberspace was calm. During the first few days of the week, there were short-term denial-of-service attacks against election-related websites, but they had no impact. In the second half of the week, there were short-term disruptions in the operation of eID tools. Overall, everything went smoothly and the e-elections were a success.
On 30 October, between 8.51 and 9.10 a.m., the use of Mobile-ID and Smart-ID was disrupted. The use of Mobile-ID was disrupted in both Estonia and Lithuania. At that time, the use, registration, and cancellation of Smart-ID were disrupted. The incident was caused by an attack.
In October, various telephone and internet scams spread again. A large proportion of the scam calls were made posing as Elektrilevi and Tervisekassa, offering to replace electricity meters or provide medical benefits. There were also calls in which callers posed as a representative of a bank and claimed to report suspicious transactions on accounts. Lately, a scheme where several calls are made in a row on behalf of different institutions has also become widespread. The first call urges the person to act quickly, for example by offering a refund of a benefit or threatening financial loss. The second call claims that fraudsters were involved in the previous call and that in order to stop their activities, the recipient of the call needs to log in to their bank by submitting the PINs of their Smart-ID or Mobile-ID. For example, one victim created a Smart-ID account under the instructions of fraudsters and lost over 73,000 euros. We recommend that you hang up such calls immediately and avoid sharing your personal data and PINs. We would like to remind you once again that no public authority, bank, or company will ever ask for such information over the phone.
Activities of the Estonian Information System Authority
October is Cyber Security Month, and this time we are focusing on company managers to encourage them to take responsibility for the cyber security of their companies. Cyber security is not just a matter for the IT department; company management should regularly contribute to raising the cyber awareness of employees and the security of systems. We recommend that company managers familiarise themselves with the materials available on the portal itvaatlik.ee, which contains practical advice and videos for both companies and private individuals. In addition, we recommend reading the cyber security quick guide for companies and taking the cyber test.
We helped to ensure the readiness, security, and technical support in the local government council elections, including i-voting. Election week took place from 13 October to 19 October and RIA was on high alert throughout the election period. This time, more than 270,800 people, or 45.6% of all voters, opted for i-voting. Technically, both i-voting and the election information system functioned without any major problems and the situation in cyberspace was calm. We also reminded everyone how to vote securely online.
We published a new post on the RIA blog about the end of Windows 10 product support. Microsoft will discontinue product support for the widely used Windows 10 on 14 October 2025. After this date, the computer will continue to function, but will become more vulnerable to security threats and viruses. Windows 10 users can upgrade to Windows 11 free of charge if their computer hardware supports it. If this is not possible, consumers in the European Economic Area (including Estonia) can use the Extended Security Update (ESU) programme until 13 October 2026, free of charge. RIA discusses it in greater depth in its blog.
We invite all interested parties to participate in a series of workshops on the practical implementation of E-ITS. The aim of the workshops on the information security standard is to help institutions start creating an information security management system and to provide them with the necessary knowledge and practical skills. In addition, we have created an online E-ITS support application that helps organisations systematically assess and develop their level of information security. The support application, along with instructions and supporting materials, is available on the E-ITS portal.
As of 1 October, Taavi Kupper is the head of the Incident Response Department (CERT-EE) of the National Cyber Security Centre at the Information System Authority. According to Taavi, his main goal in the new position is to contribute his knowledge and experience to strengthening the cyber security of Estonia. Taavi has a broad background in cyber defence and security in both the public and private sectors. He has previously worked at Nortal, CR14, and in various positions at the Cyber and Information Operations Centre of the Estonian Defence Forces.
We are conducting the third round of Cyber Accelerator in cooperation with Tehnopol Startup Incubator and the European Cybersecurity Competence Centre (ECCC). The aim of the accelerator programme is to support innovation and product development in the field of cyber security, thereby promoting entrepreneurship and helping to protect people and businesses from cyber threats. Six start-ups with great potential were selected for the third round of the accelerator programme. Read more on the website of the Information System Authority.
On 9 October, the first RIA CyberMeetUp of the season took place. This time, presentations were given by Märt Hiietamm (RIA), Liis Kängsepp (Kuehne+Nagel), James Thomas (Nortal), Matiss Veigurs (NATO CCDCOE), and Kaisa Lindenburg (RIA). Recordings of the event can be viewed here. The next RIA CyberMeetUp will take place on 13 November.
International situation
On 2 October, Latvia was hit by a wave of denial-of-service attacks, which caused several websites of the state and local governments to be down for up to an hour. According to available information, IP addresses from Russia, Belarus, Vietnam, South Korea, the United States, India, Taiwan, and the Baltic states were used in the attack. According to Latvian CERT experts, the attacks were well coordinated and the attackers tried to adapt to the security measures that were being implemented.
According to the New York Post, the Cybersecurity and Infrastructure Security Agency (CISA) is one of the government agencies whose staff will be drastically and permanently reduced in the context of the ongoing government shutdown. Of the approximately 2,500 employees currently employed by CISA, only 889 have been retained during the government shutdown, and Trump has ordered all federal agencies to permanently cut non-critical jobs. It is believed that this cut may primarily affect CISA.
The social media platform Discord announced that hackers managed to steal the data of approximately 70,000 users, including names, Discord usernames, and documents submitted for age verification. The attack did not target Discord directly, but rather a third party providing customer service.
In the second week of October, an international police operation called SIMCARTEL was conducted against a criminal network that sold telephone numbers registered in various countries and contributed to investment fraud and fraud targeting private individuals, among other things. During the operation, Latvian police arrested five suspects, including the alleged leader of the network, and confiscated 40,000 active SIM cards. The Estonian police also participated in the operation. According to Europol, the network maintained an online platform where criminals could rent temporary phone numbers and use them to open fake accounts on social media and communication platforms. According to Europol, the network is responsible for 1,700 cyber fraud cases in Austria and 1,500 fraud cases in Latvia, with a total of over 49 million fake accounts created using the platform.
On 20 October, the digital services of approximately one thousand companies in a number of countries were disrupted due to an outage at a data centre of Amazon in the United States. It is now known that the outage originated in the US-EAST-1 data centre of Amazon Web Services, or AWS, in North Virginia, and the incident summary reveals that the root cause was a failure in the automation of the name server management system, which took offline the DynamoDB database, critical to the operation of Amazon’s services. The outage affected banks, airlines, entertainment platforms, and logistics companies globally for up to 14 hours, with losses estimated to be in the billions of dollars.
Last updated: 03.02.2026