- On 1 September, the website of a school was compromised. Bank services were disrupted. The middle of the month also brought a massive wave of phishing messages impersonating Omniva.
- We are organising cybersecurity workshops for middle-aged and elderly people. We published a study on cybersecurity behaviour and permanent influence thereon. EU CyberNet will expand its operations to the Indo-Pacific region.
- The Czech cybersecurity agency NUKIB has issued a warning about Chinese technologies. During the penultimate weekend of September, a cyber attack affected the operations of European airports, causing hundreds of flights to be delayed.
Incidents reported to CERT-EE that had an impact on the confidentiality, integrity, or availability of data or information systems.
Devices in Estonian cyberspace infected with malware detected by automatic monitoring. CERT-EE notifies network owners of infections. The surge is driven by IoT devices infected with the Badbox 2 botnet, primarily set-top boxes in the Estonian context.
Fraudulent websites account for the largest proportion of incidents recorded by CERT-EE.
Situation in Estonian cyberspace
On 1 September, the website of Laagri School was compromised. At midnight, a script was launched via the outdated WordPress software of the website, blocking access to the site. A login window appeared on the home page, asking for a username and a password. The web server of the school has now been cleaned up and the software updated. In light of this incident, we would like to remind you that unpatched software is one of the favourite targets of attackers. Cybercriminals constantly scan the network, trying to find devices and websites with security vulnerabilities. We recommend keeping yourself informed about important security vulnerabilities, and one good way to do this is through the RIA blog, where we write about the most important security vulnerabilities on a weekly basis.
On 16 September, the sale of train tickets on the Elron website was interrupted. Between 2.30 and 4.30 p.m., it was impossible to purchase train tickets, and the timetable search function was also unavailable. The interruption was caused by a configuration error in the systems of Ridango, the company that manages Elron’s ticket sales system. The incident did not affect ticket sales by customer service representatives on trains or from ticket machines. On 25 September, between 3.57 and 4.45 p.m., it was again impossible to view train timetables or purchase tickets on the Elron website. Once again, the interruption was caused by a malfunction in Ridango equipment, which made the database unavailable to the system.
There were interruptions in the functioning of several banks as well
- On 3 September, between 6.04 and 9.59 p.m., there were disruptions in Swedbank’s services: logging into the internet bank (including the mobile app), card payments, payment terminals, etc. Customers of other banks who wished to make payments at companies using Swedbank’s payment terminals were also affected. The incident was caused by a technical glitch in the systems of the bank.
- On 8 September, between 4.40 and 5.06 p.m., the seb.ee website was unavailable or opened more slowly than usual. The interruption was caused by a technical error. From 10.15 p.m. on the same day until 9.20 a.m. on 9 September, some Luminor customers in Estonia, Latvia and Lithuania experienced problems with Visa card payments.
- On 11 September, from 2.21 to 2.30 p.m., the swedbank.ee website was unavailable due to a technical malfunction, and there may have been disruptions to Swedbank card payments and ATM operations.
September also brought a massive wave of phishing messages impersonating Omniva. The messages claimed that the expected shipment was in quarantine and that a customs duty of €3.80 had to be paid to receive it. The link in the message directed the user to a phishing page to enter their bank card details. Naturally, a significantly larger amount was then deducted from the card. Please note that Omniva never sends such messages or asks for customer credit card details, bank credentials, PIN1 or PIN2, or any other bank details via a text message.
As was the case last month, fraudulent emails impersonating Telia were once again in circulation. The email claimed that the recipient had an unpaid Telia invoice and contained a link that unsuspecting recipients were lured into clicking to pay the invoice. In reality, the person was directed to a phishing page to enter their bank details. The phishing emails that spread in September can be recognised by their suspicious email address, which is not associated with Telia. For example, emails were sent from the address [email protected]. A sample phishing email can be viewed on the Telia website.
Activities of the Estonian Information System Authority
We published a report on the study Cybersecurity behaviour of Estonian residents and permanent influence on cyber behaviour. The aim of the study was to help better understand the cybersecurity behaviour of Estonian residents, identify possible interventions that effectively support lasting changes toward more cyber-secure behaviour, assess the feasibility of such interventions in the Estonian context, and provide practical recommendations on the basis of which cybersecurity prevention and information activities can be planned and implemented more precisely in the following years.
We are once again organising cybersecurity workshops for middle-aged and elderly people. At the workshops, we talk about recognising scam emails and phone calls, creating strong passwords, protecting one’s smartphone and social media, and possibilities for keeping photos and documents safe. The locations and times of the workshops can be found on the website of the Information System Authority.
In cooperation with the State Electoral Office of Estonia and the Consumer Protection and Technical Regulatory Authority, we have compiled a cybersecurity checklist for candidates in the 2025 local elections, which will help them conduct their campaigns safely and with awareness. The guide outlines key recommendations on how to protect oneself from cyber threats and misinformation and how to run a responsible campaign in a digital environment. The checklist for election candidates can be found on the website of the Information System Authority.
The EU CyberNet cyber cooperation initiative led by the Information System Authority is expanding its activities to the Indo-Pacific region. The European Union has allocated an additional 6.6 million euros to the EU CyberNet project to strengthen global cyber capabilities and increase the resilience of Indo-Pacific countries to cyber threats over the next three years. EU CyberNet is a European Union cybersecurity development project that brings together experts and organisations from around the world to strengthen national cyber capabilities and support the development of secure digital societies.
In collaboration with the Labour Inspectorate, we wrote an article about cyber threats affecting companies and employees as well as protective measures against them. The article provides recommendations on the mitigation of cyber risks and steps to take in the event of an incident.
The government approved a regulation prepared by the Ministry of Justice and Digital Affairs, easing the obligation to comply with cybersecurity requirements for network and information systems for nearly 1,200 Estonian companies and local government agencies. The amendment primarily affects the work or administrative burden related to cybersecurity for micro and small businesses, family physicians, and institutions managed by local governments.
International situation
The Czech cybersecurity agency NUKIB issued a threat assessment regarding the fact that Chinese-made technological solutions may send data to China and be controlled from there. The agency points out that the use of data-intensive technologies in critical sectors such as transport, energy, healthcare, and the public sector has led to a situation where technology manufacturers could have a significant impact on the functioning of these sectors. The threat assessment does not directly prohibit the use of any technology, but stipulates that the sectors listed in the Czech Act on Cyber Security must take into account the risks associated with China in their procurement.
During the penultimate weekend of September, a cyber attack affected the operations of several European airports, causing hundreds of flights to be delayed. The cyber attack hit a service provider called Collins Aerospace, whose check-in and boarding software Muse is used by several major European airports. Among the airports that were significantly affected were Brussels, London Heathrow, and Berlin Brandenburg. Airlines were forced to switch to manual check-in for passengers and baggage, which caused long queues and chaos as people missed their connecting flights. Dozens of flights had to be cancelled. According to information from the European Cyber Agency ENISA, this was a ransomware attack.
Fifteen cybersecurity projects in Ukraine were approved for funding under the Tallinn Mechanism, including four projects submitted by the Ukrainian State Service of Special Communications and Information Protection (SSSCIP). One of these focuses on testing the security of government agency networks, another on making the internet connections of government agencies more secure, a third on increasing the backup capacity of government agencies, and a fourth on improving the security of central and local government public web applications. Eleven countries, including Estonia, contribute to the Tallinn Mechanism.
At the end of August, luxury car manufacturer Jaguar Land Rover (JLR) was hit by a cyber attack, forcing it to temporarily close some of its factories in the United Kingdom. The attack was claimed by an English-speaking hacker group called Scattered Lapsus$ Hunters that has attacked several well-known British brands this year and was also behind a high-profile attack on the Marks and Spencer retail chain.
Cybersecurity company Cloudflare announced on social media that it had documented and blocked the largest denial-of-service attack in history, with a volume of 22.2 terabits per second. The attack lasted only 40 seconds and utilised the Aisuru botnet. According to a company representative, hyper-massive DDoS attacks have recently become more common.
The US President signed an order confirming that the operations of TikTok in the US will be restructured, allowing Americans to continue using the app without the risk of US user data being sent to China or other security concerns. As a result of the restructuring, a new US company will become the majority owner of the US business of the application, with contributions from a select group of technology investors. Chinese owner ByteDance will retain less than 20% of the company.
Last updated: 03.10.2025