Cyber Security in Estonia 2022
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Cyber Security in Estonia 2022
Cyber Security in Estonia 2022
Contents
6
Learning From Security
Vulnerabilities Makes Us
Stronger
Last year will go down in history as
the year of security vulnerabilities,
where in the race against time and
criminals, we had to learn some
painful lessons. However, all experi-
ences are useful and must be shared,
says Gert Auväärt, Director of the
Cyber Security Branch of the Informa-
tion System Authority (RIA).
8
The Situation in Cyberspace: A
Year of Security Vulnerabilities
2021 will go down in the history of
20
cybersecurity as a year of major Log4j Caused an IT Earthquake
security vulnerabilities. The largest of In December, IT professionals had to
these was the vulnerability identified respond to one of the biggest security
in the Log4j logging application, but vulnerabilities in recent years:
there were also those that only the Log4j zero day vulnerability.
affected the Estonian e-state. The IT community witnessed a severe
earthquake all over the world at the
14
How Did a Hacker Steal same time and started preparing for
300,000 Document Photos? a devastating tsunami.
One of the most serious incidents last
22
year was due to a security vulnerability In 2021, There Were 50%
in the service of RIA. The attacker More Denial-Of-Service
downloaded nearly 300,000 document Attacks Than Last Year
photos, but was caught a few days Last year, we registered 47 impactful
after the data theft was discovered. denial-of-service attacks, which is
twice as many as in 2020. Until the
16
Legacy Brought Bad Surprises spring, ransom denial-of-service
The access rights system of the state attacks targeted companies, but in
portal eesti.ee was a painful reminder the autumn, schools and learning
that if the attitude towards data environments became the victims.
protection changes, so must the
24
information system. Financial Fraud Has
Become More Diverse
18
Patching Vulnerabilities Is Last year, we received 20% more
Still a Problem reports of fraud than the year before
People tend to put off until tomorrow about incidents in which Estonian
what they can do today. Last year, we people and companies lost money.
saw all too often what happens when RIA only sees the tip of the iceberg,
this principle is followed when fixing because victims of financial fraud
critical vulnerabilities. turn primarily to the police.
4 Cyber Security in Estonia 2022
28
Cannot Get Through the
Gate Until the Gate is Open
Most of us follow simple principles to
ensure our physical security, but many
seem to think that digital assets are
able to protect themselves, writes
Oskar Gross, Head of the Cybercrime
Unit of the Central Criminal Police.
30
Ransomware Attacks Rarely
Have a Happy Ending
While heroes in Hollywood hostage
films are usually able to escape,
then in hostage-taking in cyberspace,
where criminals gain access to
corporate or personal information,
the victim often has to choose
36
between bad and very bad options.
What Happened in International
Cyberspace in 2021?
32
What Did We Learn From Last year, news of cyber incidents
the Local Elections? and security reached even those who
Some functional errors caused public
had not heard of these topics before.
disapproval, but we did not identify
Many incidents directly and severely
any malicious activity that could have
disrupted the daily lives of people and
impacted the 2021 local elections.
crossed the news threshold.
34 40
Hackers, Help the State! Potential Disasters Avoided
We are working on a model that would
When it comes to cybersecurity,
allow state agencies to work with
the focus is often on high-impact
hackers and pay them for information
incidents and the damage they cause:
about security vulnerabilities.
be it stolen data, encrypted systems,
or lost money. However, there are also
incidents with a happy ending.
42
The Cyber Hygiene of the
Estonian Population is
Improving
The level of the cyber hygiene of the
Estonian population has improved
in three years, but there is room
for improvement, according to data
collected in cooperation with
Statistics Estonia.
44
What Will 2022 Bring in
Cyberspace?
Last year brought a lot of security
vulnerabilities and a ransomware
epidemic. What’s in store this year?
Cyber Security in Estonia 2022 5
● FOREWORD
Learning
From Security
Vulnerabilities
Makes Us Stronger
Last year will go down in history as the year of security vulnerabilities,
where in the race against time and criminals, we had to learn some
painful lessons. However, all experiences are useful and must be shared,
says Gert Auväärt, Director of the Cyber Security Branch of the
Information System Authority (RIA).
M
y time in RIA started with big vices and have not been renewed. We have
challenges. In July, two critical carried out an internal analysis of these cases
weaknesses were identified in our and streamlined the processes within RIA to
own systems that allowed access avoid incidents like this in the future.
to users’ personal data. In essence, you could In both cases, we received the first indica-
say that even though the door was locked, the tion that something may be wrong from peo-
key had been left nearby. ple outside of our organisation. This illus-
A month later, we found out about possible trates that the state alone may not be able to
vulnerabilities in other national e-services, as a find the weaknesses of a 20-year-old e-state
result of which some personal data was not and that security can be created in partner-
appropriately protected. Vulnerabilities in the ship with the community. It is very important
real estate and marital property register were that we all take security vulnerabilities seri-
patched and according to our current knowl- ously and patch them. We must share infor-
edge, the data had not been misused in any way. mation because it allows us to learn from oth-
ers and we must not ignore tips and
SECURITY COMES FROM COOPERATION suggestions. The consequences of the vulnera-
Both incidents with our services, the data leak bilities depend on the speed with which we act
of access rights in the self-service environ- – whether we are able to patch them before
ment of eesti.ee for entrepreneurs and the ille- criminals manage to exploit them.
gal download of document photos (both cases
will be discussed in more detail in this year- WARNINGS ARE NOT TAKEN SERIOUSLY
book) happened partly due to the fact that old In March last year, when Microsoft disclosed
system interfaces are still present in some ser- its Exchange server vulnerability and provid-
6 Cyber Security in Estonia 2022
ters more than 20,000 notifications and near-
ly 2,500 cyber incidents a year that have a real
impact on the system or how it works.
Although most attempts to attack fail, we
must stay vigilant.
FOR A SAFER ESTONIA
Ransomware attacks, which are becoming
more and more popular in the world, cause
losses to entrepreneurs that are comparable
to the budget of an average Estonian state
agency. Estonia has not yet been successfully
targeted with high-impact ransomware
attacks, but it is only a matter of time as our
daily lives, including the functioning of the
country, depend on digital services.
Although the security of the systems is the
responsibility of their owner, we must all play
our part. Just as the state must protect its peo-
ple who have entrusted their data to it, so
must any other owner of a database or service.
GERT AUVÄÄRT The digital society is based on trust.
director of the Cyber Security Branch of RIA In order to protect the reliability and securi-
ty of our e-state, we have also increased our
capabilities in RIA, both in terms of people as
ed information on how to patch it, we notified well as our tools and infrastructure. We put
our partners and other authorities. However, together a team of testers, developed a bug
a week later our monitoring revealed that two- bounty programme to detect and patch ser-
thirds of those informed had not yet taken the vice vulnerabilities, and increased the security
necessary action. The e-mail servers of these of the state network.
organisations were still vulnerable, meaning In order to create and maintain security, we
that the mailboxes of the employees were have taken another important step in RIA: the
essentially unprotected. The warning had not Estonian Information Security Standard
been taken seriously. (E-ITS) is finally ready. This is the most
Unpatched systems usually result in crimi- important guide for companies to prevent
nals finding them and compromising them – potential risks. At the end of 2021, the first
installing malware, stealing data, etc. Cyber- pilot group started its work, the main role of
crime is one of the most lucrative and thus the which is to develop best practices in the imple-
fastest growing types of crime in the world. mentation of the standard and to prepare new
However, catching those criminals is difficult, E-ITS experience consultants. Together with
as it is easier to hide traces in cyberspace and the University of Tartu, the initial E-ITS-
the consequences of crime can appear after based maturity model was completed, which
several years. gives organisations a quick assessment of
IT systems around the world are being their information security situation and allows
attacked all the time, and the security vulner- authorities to compare the level of informa-
abilities that have been discovered and made tion security.
public can be of great benefit to those who are That is how we are building a safer Estonia
trying to get rich or gain influence. RIA regis- step by step. ●
Cyber Security in Estonia 2022 7
The Situation
in Cyberspace:
A Year of Security
Vulnerabilities
2021 will go down in the history of cybersecurity as a year of major
security vulnerabilities. The largest of these was the vulnerability
identified in the Log4j logging application, but there were also
those that only affected the Estonian e-state.
8 Cyber Security in Estonia 2022
T
here are security vulnerabilities in
almost every system and in every code
– you just have to search for them.
Serious security
Most of them are identified and vulnerabilities have
addressed quickly. It is a common practice in
information security communities that the per-
impacted the society
son who discovers a security vulnerability noti- before, but in 2021,
fies the owner of the system or service first.
They give enough time to develop security
there seemed to be
patches or code updates, and only then reveal no end to them.
the vulnerability to the rest of the world.
This was not the case with the major security
vulnerabilities discovered in 2021. Serious Although the vulnerability only gave the attack-
security vulnerabilities have impacted the soci- er access to document photos – with which one
ety before, but in 2021, there seemed to be no can do almost nothing in the age of digital docu-
end to them. ments – it raised legitimate concerns about
whether the Estonian e-state can keep data secure
IF YOU DO NOT KNOW YET and protect it from thieves. However, the course
THAT YOU ARE VULNERABLE of the incident proved that the principle of data
In 2021, the Estonian society was probably most separation we use in our e-state is correct. Every
affected by the news that an attacker found a query for a document photo left a trace, which
security vulnerability in the system managed by allowed the police to detain the attacker and he
the Information System Authority (RIA) and was not able to obtain any other data.
obtained document photos of hundreds of thou- By security vulnerabilities, we also mean
sands of people (you can read more about this configuration errors. One of these was discov-
attack on page 14). ered by an observant citizen in the self-service ❱
Cyber Security in Estonia 2022 9
73,826
Incidents and notifications in 2021
60,000
55,635
50,000
40,000
30,000
24,369
20,000 22,896
20,077
17,440
15,730 14,332
10,000 10,649
3,139 3,473 3,164 2,722 2,237
0
2017 2018 2019 2020 2021
● Number of reports ● Incidents with an impact
● Automated infection notifications ● Automated security vulnerability notifications
environment of eesti.ee for entrepreneurs, Social Affairs, and the Ministry of Foreign Affairs
where the first and last names, personal identi- were attacked, and we saw attacks with similar
fication codes, places of work, and, in some cas- handwriting also in 2021. What is common for
es, connections with previous positions of more all of them is that the attacker scanned web serv-
than 300,000 people related to legal entities ers with publicly available tools, found security
were visible. The system was originally designed vulnerabilities, uploaded malicious code, and
so that authorised persons could see the data of thus gained unauthorised access to the servers.
other authorised persons and it had not been In February, we were informed that a compa-
updated over the years. We are extremely grate- ny which provides cloud services and software to
ful that the case was reported to us: we were many public sector authorities (ministries and
able to fix the bug before the general public or a local governments) and another company which
malicious attacker had the opportunity to view provides remote access services to public sector
or misuse third-party data. authorities had been compromised. Both of
A security vulnerability that is so new that them handled the incidents professionally: they
only an attacker knows about it and the owner fixed their services, informed customers, and
of the service has not even had a day to fix it is worked in full cooperation with CERT-EE.
called a zero-day vulnerability. However, if an
update to a vulnerable service already exists, it IF THE WHOLE WORLD KNOWS
is a whole other story. Unfortunately, owners of YOU ARE VULNERABLE
larger networks and e-services often do not The public will only hear about the consequenc-
have a detailed overview of all their online ser- es of some security vulnerabilities much later,
vices and their vulnerabilities. The owners as their effects may become apparent in a mat-
should look at their IT infrastructure through ter of months. In March, Microsoft disclosed
the eyes of an attacker, as they are constantly four zero-day vulnerabilities in its mail server
looking for security flaws. software that allowed attackers extensive access
At the end of 2020, the Ministry of Economic to the entire server, including e-mails and pass-
Affairs and Communications, the Ministry of words. According to Microsoft, the attackers
10 Cyber Security in Estonia 2022quickly built tools that began searching the
entire world for vulnerable Exchange servers
that had not been updated and once they found
them, the servers were compromised and
infected with malware. Log4j vulnerability –
At the end of August, Atlassian announced what is it?
that their world-wide wiki platform Confluence The critical security vulnerability Log4Shell
also had a critical security vulnerability that was identified in the Log4j function of the Java
required a software update. Confluence is com- programming language used in billions of
monly used for business process documenta- devices and software products around the
tion or internal web sites. By early September, world. The severity of the security vulnerability
attackers had already been able to exploit the is rated the highest possible by the international
vulnerability and use automated systems to CVE standard (10 out of 10 points), potentially
gain access to Confluence servers exposed to allowing an attacker to run their code freely on
Internet around the world, including in Estonia a vulnerable device.
(see page 18 for more information). An attacker could exploit the vulnerability
The security vulnerability with the greatest by sending a command in a specific format to a
impact was only revealed at the end of the year, vulnerable server, device, or system (beginning
when players on the popular Minecraft gaming with ‘$ {jndi:’) and adding a reference to
platform began experimenting with a newly malware that may be located on a third-party
discovered security vulnerability that allowed server. The vulnerable server logs the com-
them to send commands to the game server. mand, Log4j searches for the uploaded
The critical security vulnerability Log4Shell malware, downloads it, and runs it. Depending
identified in the Log4j logging function of the on the nature of the malware, it may give a
Java programming language, which is used in third party access to the device.
billions of devices and software products
around the world, had already been patched by
software, web services, and more. This was also
the case in Estonia, as many Estonian e-servic-
es use the hugely popular Java programming
The owners should look language as well as the Log4j function.
at their IT infrastructure The general public may not have noticed this,
but the combined effort of the global IT com-
through the eyes of munity to identify the extent of the vulnerabili-
an attacker, as they are ty and to support each other was impressive. IT
professionals did not mind national borders,
constantly looking for open-source or commercial services and occa-
security flaws. sionally they even forgot their sleep and loved
ones. However, we will most likely see the full
impact of the Log4j vulnerability only later,
the manufacturer, but these same devices and when it becomes clear how much the attackers
the software used in them had not been updat- managed to exploit the vulnerability before it
ed yet. was patched.
As news of the vulnerability spread, IT pro-
fessionals, developers, and security profession- IT ALL STARTS WITH ACCESS:
als around the world rushed to update the Log4j RANSOMWARE AND OTHER INCIDENTS
function in their own software and then wait for Ransomware attacks received a lot of attention
software updates for all their other products — around the world this year – and for good rea-
industrial devices, network devices, antivirus son. The attack on Colonial Pipeline, a U.S. fuel ❱
Cyber Security in Estonia 2022 11Other
178
Phishing
Incidents with an 775
impact in 2021 Malware
79
● Denial-of-service attack 47 Botnet
● Data leak 43 98
● SEO spam 34 ALTOGETHER
2,237
● Ransomware 30 Fraud
99
Compromised
accounts INCIDENTS
168
supplier, made headlines, halting fuel Account
supplies to the U.S. East Coast, but multi- takeover Malicious redirect
milliondollar ransom demands and 170 262
Service
encrypted IT systems caused widespread interruption
problems in many countries. 254
The most expensive ransomware attacks
usually target companies operating in the Unit-
ed States or in the wider English-speaking busi- On many occasions, CERT-EE specialists
ness environment. In Estonia, ransomware have been able to help recover data that is
incidents involve smaller enterprises, and the encrypted with ransomware without the vic-
demands are usually in the range from a few tims having to pay the ransom. Sometimes,
thousand euros to tens of thousands of euros. ransomware has left much of the data available
We were informed of a total of 30 ransomware (for example, it encrypts only the beginning or
incidents in 2021 (33 in 2020). It seems that the end of the files); other times, decryptors can
the small size of Estonia and our language envi- be found to recover the data. In case of a ran-
ronment works in our favour, as does the stead- somware incident, we encourage companies to
ily improving cyber hygiene. contact CERT-EE and to always keep in mind
Cyber hygiene and compliance with stand- that paying the ransom only motivates the
ards are relatively effective against ransomware criminals to launch further attacks.
attacks. In 2021, attackers accessed the systems
of their victims mostly through a remote desk- WHAT HAPPENED
top application (Remote Desktop Protocol or TO THE YEAR OF PHISHING?
RDP in Windows). Some versions have publicly We called 2020 the year of phishing in the last
known security vulnerabilities, and in some yearbook – the number of phishing sites had
cases, passwords that are still in use can be increased by a fifth, and phishing was often a
found in leaked password databases. means by which attackers could learn the pass-
IT companies providing services to third par- words of an employee of an organisation.
ties should pay special attention to the preven- Phishing attacks continued in 2021. The
tion of potential ransomware attacks. In April, number of phishing site incidents increased
we learned of a case where a ransomware attack both in percentage (35% of all incidents with an
targeted an IT service company, through which impact compared to 26% a year earlier) and in
it spread to four more companies. In May, there overall numbers (755 in 2021 and 711 in 2020,
was an attempt to launch a ransomware attack respectively). These figures reflect how many
against a local government which had been times phishing sites have been taken down at
accessed through an accounting service provid- the request of CERT-EE specialists; the num-
er that had been compromised. bers of notifications are much higher.
12 Cyber Security in Estonia 2022Similarly to the year before, the sites can be September, we have seen continuous short-term
broadly divided into two: bank account phish- attacks on general education schools, vocational
ing and account credentials phishing. The training institutions, universities, as well as the
phishing sites are usually almost identical with e-learning environments managed by the Edu-
the originals, but the address is different. In the cation and Youth Board.
case of bank account phishing, the victim The attacks are often ordered by schoolchil-
unknowingly sends money to the wrong dren from relatively accessible online forums. In
account, and the passwords entered on the such places, DDoS attacks are offered as a ser-
account credentials phishing sites are most vice: an attacker has amassed a large number of
often used to break into e-mail accounts. As a routers and other IoT devices with security vul-
rule, using multi-factor authentication helps to nerabilities or poor configuration on the botnet
protect your account even if you have acciden- and is using it to launch DDoS attacks for a small
tally entered your password on a phishing site. sum of money.
Bank account phishing attacks that have tar- However, these attacks affect not only the
geted Estonians for several years are already infrastructure of that school, but also other
familiar to us. It seems more profitable for the authorities that use the same name servers, for
criminals to call victims and persuade them to example.
send money. In terms of account details, how-
ever, it does not look like the phishing attacks
will cease any time soon.
It seems that the small
BOTNETS ENABLE NEW size of Estonia and our
DENIAL-OF-SERVICE ATTACKS
The unpleasant surprise of 2021 was the high
language environment
impact of distributed denial-of-service (DDoS) works in our favour,
attacks. The overall figures also show an
increase: compared to 2020, the number of
as does the steadily
major DDoS attacks increased from 32 to 47 improving cyber hygiene.
(these are the attacks that were reported to
CERT-EE). We have also gained better visibility
of smaller DDoS attacks since the summer of In one of the denial-of-service attacks in May,
2020, which also shows a clear upward trend. we identified a router with a security vulnerabil-
In 2021, we saw several waves of DDoS attacks ity in Estonia that was connected to a botnet and
with a significant impact. In January and Febru- participated in an attack on a vocational educa-
ary, several banks and technology companies tional institution. We informed the owner of the
operating in Estonia received DDoS attacks router, and at least this device can no longer be
accompanied by extortion letters. Similar attacks used for a DDoS attack. Read more about deni-
had been carried out on the same companies al-of-service attacks on page 22.
three months earlier, and the threatening letters This incident also shows that security vulner-
referred to previous attacks, saying ‘we have not abilities, out-of-date software, and configura-
received your payment’, ‘we are back now, pay tion errors enable attacks that have a major
off’, and ‘if you do not pay us now, we will be impact on our daily lives. Therefore, it is
back soon’. Similar attacks took place in other extremely important for device and system
European countries (at least in five Member owners to pay full attention to security patches
States according to CERT-EU) and beyond. and security vulnerability notifications (includ-
We also saw the first attack on a school in Tal- ing the daily notifications of CERT-EE). This
linn in January, which briefly disrupted the work way, you can trust that your router, smart TV,
of educational institutions throughout the city. or fridge does not give attackers a chance to dis-
This became a trend in spring and autumn. Since rupt Estonian life. ●
Cyber Security in Estonia 2022 13How Did
a Hacker Steal
300,000
Document Photos?
One of the most serious incidents last year was due to a security
vulnerability in the service of the Information System Authority (RIA).
The attacker downloaded nearly 300,000 document photos, but was
caught a few days after the data theft was discovered.
O
n 21 July, CERT-EE detected that service) that is used when a person wants to
286,438 document photos had been download their document photo.
illegally downloaded from the data- You can download your document photo
base of identity documents. They either directly from the state portal or through
had been downloaded en masse from 9,000 the DigiDoc application. In both cases, the per-
Estonian and foreign IP addresses since 12 son must first authenticate themselves. Once
July. This was caused by a security vulnerability the request has been made, the system requests
in the photo transfer service (so-called photo the photo from the service that mediates it, the
so-called photo service, which is managed by
RIA. The photo service requests the photo over
Lessons from the the X-tee from the database of identity docu-
ments, which belongs to the Police and Border
photo theft Guard Board, and sends it back to the person.
RIA analysed and improved its workflows to Upon detection of the attack, RIA temporarily
prevent future incidents caused by such security closed this function for DigiDoc.
vulnerabilities. In addition, the case inspired us
to create a national bug bounty programme to HOW WAS THE ATTACKER
motivate good hackers. This means that in the ABLE TO DOWNLOAD THE PHOTOS?
future, hackers who have discovered security DigiDoc makes requests over a public URL. By
vulnerabilities in state systems may receive a manipulating this, the attacker managed to give
reward from the state. However, the reward is the photo service the impression that the
only paid if the hacker follows the established request comes from an authenticated user who
rules and conditions. The rewards programme wants to download their document photo.
is currently being worked on. However, behind the request was an attacker
14 Cyber Security in Estonia 2022DIGIDOC
PIN1 + certificate
eesti.ee
verification
State authentication ATTACKER
service
Identification
SECURITY
!
PHOTO SERVICE VULBERABILITY
Database
of identity
documents
Secure
communication
A fake certificate is sent
to the photo service.
The service does not fully
verify the validity of the
certificate and sends
a document photo.
!
over the
X-tee
who turned directly to the photo service using CERT-EE analysed logs starting from 30
forged or self-created certificates (see figure). June 2018 and found no other anomalies. This
To create a fake certificate, the attacker had to leads to the conclusion that the security vulner-
have the personal identification code and name ability of the photo transfer service had not
of the person. been abused before (i.e. before July 2021).
The photo service should have recognised that The police detained the suspect a few days
the certificates used by the attacker were not after the incident was discovered and confiscat-
issued by SK ID Solutions – that they were ed the downloaded data. Preliminary informa-
forged. Although the attacker had marked SK ID tion suggested that the photos were simply
Solutions as the issuer of the fake certificates, stored on the computer of the attacker. The
‘looking in’ them would have shown that they proceedings conducted by the Office of the
actually came from elsewhere. Due to the securi- Prosecutor General are still ongoing.
ty vulnerability, the service did not do this.
As a result of the attack, the criminal did not
have access to the database of identity docu- The police detained the
ments, but managed to download document pho-
tos from it. A few days after the discovery, the suspect a few days after
security vulnerability was patched and RIA reo- the incident was discovered
pened the photo service for DigiDoc so that peo-
ple could download their document photos again. and confiscated the
downloaded data.
WHAT CAUSED THIS SECURITY
VULNERABILITY?
Reportedly, the security vulnerability in the It is not common for attackers behind cyber
photo transfer service occurred in November incidents to be caught so quickly. They are often
2018. The interruption of the service was prob- located abroad and their traces are difficult – if
ably related to the exchange of ID-card certifi- not impossible – to detect. In this case, we
cates – changes were made in the information managed to do so thanks to quick and efficient
systems to support authentication with new cooperation between the police, CERT-EE, and
certificates. the Prosecutor’s Office. ●
Cyber Security in Estonia 2022 15Legacy
Brought
Bad Surprises
Last summer, we got a painful reminder that if the attitude towards
data protection changes, so must the information system.
O
n 6 July, an entrepreneur informed data of others when, for example, they searched
us that on the website for entrepre- for ‘Paul’ – in which case they were shown all
neurs on the state portal eesti.ee, a the people called Paul in the database.
database with 336,733 data rows is It was not a classic cyber incident – the sys-
available to users authenticated in the self-ser- tem was not attacked or broken. However, that
vice environment of the access rights manage- information should not have been visible in
ment system (AAR). The first and last names, that way. So what happened?
personal identification codes, places of work,
and, in some cases, connections with previous THE SYSTEM BECAME OUTDATED
positions and roles (e.g. job title, start and end The entire administration system for access
date of employment) of people were visible. The rights – including its self-service environment
database contained persons from both the pub- on the state portal – was designed and built so
lic and private sectors. that all data is visible to all people in the data-
This data was visible to the people appointed base. The world around this system has
to represent the authority or company, i.e. to all changed, especially the approach to data pro-
those for whom there was a row in the same tection. Thus, the structure of the system
database. All data rows became visible when became inappropriate.
somebody performed a so-called empty or It was clear we had to change it. In July, the
parameterless search. The person also saw the Information System Authority (RIA) closed the
self-service environment of the access rights
system on the state portal. Now, the RIA help-
desk must be contacted at help@ria.ee to
What is the AAR? change roles and grant accesses. Before, cus-
The AAR, or administration system for access tomers themselves could provide access quickly
rights, is a system for authorised persons of an and directly. Now, however, it has become a lit-
authority or a company in which they can tle more inconvenient. It takes more time and
provide others access to various services. effort to create an authorisation, digitally sign
For example, the head of a company can grant it, send it to RIA, and receive a response.
rights to an accountant to transfer employee We did not consider it appropriate to con-
data to the employment register maintained tribute to the thorough development of the old
by the Tax and Customs Board. system to reopen the self-service environment
16 Cyber Security in Estonia 2022The state is contributing
to the solution of the
problem with legacy systems
An additional 14.4 million euros was allocated
from the state budget in 2022 for the updating
and maintenance of outdated information
systems and platforms. In addition, the govern-
ment allocated 500,000 euros from the reserve
fund for additional investments for the rapid
updating and, if necessary, closure of the
outdated information systems of the state
c y portal eesti.ee.
a
g
le
Outdated systems are used in both the public
and private sectors. This is understandable in
many ways – replacing the legacy is costly and
time-consuming and can also lead to a change
in the usual functionalities. So what can you
do? The first step could be to get to know the
there. One important argument was that RIA is legacy systems of your organisation. This gives
already developing a new administration sys- you an idea of the state of the system, what fea-
tem for access rights, Pääsuke. Another impor- tures it offers, as well as its vulnerabilities and
tant argument was that changing old systems, crossdependencies.
or so-called legacy systems, may not be as easy
as one might think.
A WIDER PROBLEM So what can you do?
Legacy is a system, technology, or software that is
still running but is actually outdated and becom- The first step could
ing more and more vulnerable over time. Legacy
is a problem in many long-established companies
be to get to know
and authorities. For example, the current owners the legacy systems
of a system developed 10 years ago may not have
a full understanding of its structure and func- of your organisation.
tions. Organisations change over time, people are
replaced, and often, the solutions put in place are
not properly documented for the new employees. This is exactly what RIA has done. We have
Therefore, it is often not known exactly what become even more familiar with our legacy and
effect an upgrade of one part may have on anoth- set up processes so that our systems are updat-
er part of the system. ed at all times.●
Cyber Security in Estonia 2022 17Patching
Vulnerabilities
Is Still a Problem
People tend to put off until tomorrow what they can do today.
Last year, we saw all too often what happens when this principle
is followed when fixing critical vulnerabilities.
.
O
n 2 March 2021, Microsoft announ- the start of the race against time – between the
ced that the popular e-mail server attackers who used automated tools to search
software Exchange Server had four for and attack vulnerable mail servers and the
zero-day vulnerabilities that could server owners and administrators who now had
allow an attacker to install malware on the serv- the means to patch the ability.
er of the victim and gain access to their e-mail,
contacts, passwords, and administrator privi- THE MAÑANA ATTITUDE
leges. In the same announcement, Microsoft DOES NOT HELP
also released security patches and asked users In many cases, the attackers won. On 3 March,
to install them as soon as possible. Microsoft announced that there were ‘a limited
Until that point, few people knew about the number of victims’. On 8 March, however, there
vulnerabilities (according to Microsoft, they were more than 60,000. The day after the vul-
were used for attacks by the Chinese cyber nerabilities were disclosed, CERT-EE identified
group HAFNIUM), but from 2 March, the infor- more than 80 mail servers with the mentioned
mation was available to everyone. This marked vulnerabilities in the Estonian cyberspace. We
informed their owners and administrators, as
well as public sector security managers and
vital and important service providers. When we
Speed matters repeated the monitoring on 10 March, we
There is nothing new about critical security unfortunately discovered that two-thirds of
vulnerabilities in software, but the pace at these servers were still using unpatched soft-
which cyber groups and individual criminals ware and were therefore vulnerable to attacks.
detect and compromise unpatched systems is While three-quarters of the vulnerable servers
unprecedented. It used to take weeks, but now, were patched worldwide in a week, only a third
it only takes days or hours. Those responsible were patched in Estonia.
for cyber security must keep pace and patch Therefore, we were not surprised by reports
dangerous security vulnerabilities as soon of compromised mail servers. The criminals
as possible, rather than postponing them. managed to attack local governments and pri-
18 Cyber Security in Estonia 2022Record number vate companies, as well as the medical sector
and educational institutions.
of vulnerabilities
- The National Vulnerability Database (NVD) DIFFERENT SOFTWARE, THE SAME SCHEME
of the US National Institute of Standards A similar sequence unfolded in late August and
and Technology (NIST) recorded 20,046 early September. On 25 August, Atlassian, the
vulnerabilities in 2021 (18,351 in 2020, maker of the wiki platform, announced that
17,382 in 2019, and 17,252 in 2018). their Confluence software contained a critical
- Attackers did not need good technical vulnerability that could allow remote code exe-
skills to take advantage of 90 per cent of cution. The security vulnerability allowed an
these vulnerabilities. unauthenticated user to compromise the Con-
- For 61 per cent of the vulnerabilities, carrying fluence server of an enterprise or authority and
out an attack did not require any action edit, add, delete, and/or copy data there. In
on the part of the victim: clicking on a link, addition, it allowed malicious code to be
sharing passwords, launching software, installed on the systems of the victim to mine
or the like. cryptocurrency or create a backdoor to carry
out new attacks. Atlassian rated the threat
severity of these vulnerabilities with 9.8 on a
ten-point scale.
Confluence is not as common as Microsoft
Exchange, but it is also used by many Estonian
state agencies and private companies as an
intranet platform.
In September, we learned that three state
agencies had been attacked through this
security vulnerability. Early detection
of the attackers allowed the agencies
to avoid major damage,
but these attacks
would have been
preventable if the
software had
been updated in
time. ●
The criminals
managed to attack local
governments and private
companies, as well as
the medical sector and
educational institutions.
Cyber Security in Estonia 2022 19Log4j Caused
an IT Earthquake
On 9 December, IT professionals had to respond to one of the biggest
security vulnerabilities in recent years: the Log4j zero day vulnerability.
The IT community witnessed a severe earthquake all over the world at
the same time and started preparing for a devastating tsunami.
J
ava is one of the most widely used soft- sidewalks and crosswalks or crossing the streets
ware development platforms. Its open in wrong places. If there is an accident in the
source logging framework Log4j is very area, the police can find out the circumstances
common – billions of computers use it to of the accident by looking at the recording. This
keep apps and services running. The function is is essentially how logging works.
used by Apple, Steam, Twitter, Amazon, Tesla, However, if a vulnerability of the camera
IBM, Minecraft, LinkedIn, and thousands of allows the information systems and databases
other well-known and lesser-known companies. of the city government to be taken over, the sit-
uation is equivalent to the critical vulnerability
WHAT IS THE LOG4J FUNCTION? of Log4j, which gives criminals power not only
Each software logs or stores data in one way or over this particular function (camera) but the
another to have an overview of what is going on entire infrastructure.
with the software. This is necessary for three
reasons: to keep the software running, for HOW IS THE SECURITY
development, and for ensuring security. Log- VULNERABILITY EXPLOITED?
ging or storing data is essential. Although a tsunami was expected after the
Logging can be compared to a smart camera weakness became apparent and people started
on the main street and square in a city. It gives getting ready to board Noah’s Ark, the end of
the city authorities the opportunity to check the IT world has not yet come. The impact of
whether the Christmas tree is still standing, the vulnerability may not become apparent for
whether the streets are covered in snow, or years to come. At this time, we do not know if
whether city services are working as they and where the attackers intruded before the
should. In addition, it helps to analyse how peo- security updates were installed.
ple behave there: whether they use the existing Attackers could exploit the vulnerability by
20 Cyber Security in Estonia 2022sending a message in a specific format and an
What did RIA do?
additional reference to malware located some-
where on the third server to a vulnerable server, - On 10 December, we informed the Estonian
device, or system that could be accessed from public about the security vulnerability and
the Internet. The vulnerable server read the its impact.
command from the message, Log4j searched - On 13 and 19 December, we sent additional
for the malware, downloaded it, and ran it. It information about the security vulnerability
was as if a person were knocking themselves to the public sector and vital service
out. Depending on the nature of the malware, it providers.
may give a third party access to the device. - On 22 December, we published a post on
The security vulnerability primarily affects the RIA blog focusing on the security
companies and authorities, as it is potentially vulnerability.
possible to gain access to their systems. Once a - We identified RIA services that are affected
it is exploited by criminals and they are able to by the vulnerability. We installed updates
install malware on popular services, it will also or countermeasures.
affect end users. - CERT-EE monitors what is happening in
As at the end of 2021, there has been no mass Estonian cyberspace 24/7 and searches
exploitation of the Log4j vulnerability in Esto- for attack attempts.
nia or in the world, but as we wrote, its impact
could still be revealed. Criminals are currently
actively monitoring online services to find sys- SITUATION IN ESTONIA
tems that have not been addressed. Vulnerable In the days following the disclosure of the secu-
devices are also being searched for in Estonia. rity vulnerability, CERT-EE identified Estonian
companies and authorities that were at risk due
WHAT SHOULD I DO? to the vulnerability and asked to update or close
First, inspect services built on the Java plat- the respective services. CERT-EE will continue
form that are part of your service portfolio. to look for new cases, as not all service users
Check for updates to the products you use. If have yet patched the vulnerability. In addition,
there are updates, install them as soon as possi- there is not a security patch for all services yet.
ble because they address a critical security RIA has not received reports of attacks with
vulnerability. This is especially important for serious consequences resulting from the Log4j
systems that are available online. vulnerability. However, malware has been
However, this does not mean you are safe. On installed in Estonia on computers through the
28 December, a smaller vulnerability was dis- vulnerability, which mines cryptocurrency.
covered in the next version of Log4j. IT profes- Because this malware slows down services,
sionals need to keep a close eye on what is going these cryptocurrency miners are quickly found
on with this vulnerability and be prepared that and removed.
the update needs to be updated as well. It should There have been reports abroad that attempts
also be borne in mind that a security patch has have been made to prepare for ransomware
not yet been developed for all services. The vul- attacks through the vulnerability. If criminals
nerability may never materialise if the vulnera- have launched malware on a system that is dif-
ble service is not open to the Internet or devices ficult to detect right away, data leaks can occur
are prevented from accessing the Internet. much later. ●
First, inspect services built on the Java platform
that are part of your service portfolio.
Cyber Security in Estonia 2022 21In 2021, There
Were 50% More
DDoS Attacks
Than Last Year
Last year, we registered 47 distributed denial-of-service attacks
(DDoS), which is 50% more than last year as in 2020. Until the spring,
ransom denial-or-service attacks targeted companies, but in the
autumn, schools and learning environments became the victims.
O
ne cold afternoon in February, a Usually, the victim is given more time to
threatening e-mail was sent to a react. This time, however, the attack started ten
commercial bank operating in Esto- minutes later. At one point, neither Internet
nia. Transfer two Bitcoins (worth banking, card payments, nor the internal ser-
nearly 56,000 euros at the time) to the account vices of the bank were available. Although the
specified on the e-mail, or we will launch a mas- attack lasted with varying intensity until the
sive denial-of-service attack against your busi- evening of the same day, and its effects were felt
ness. The bank had received a similar e-mail by both the customers and employees of the
and undergone a so-called sample attack four bank, the protection measures helped to pre-
months prior. vent the worst.
RANSOM DDOS ATTACKS ENDED
Such ransom denial-or-service attacks returned
To prevent safe-looking to Estonian cyberspace in the autumn of 2020
and continued in the beginning of 2021. The tar-
devices from becoming gets were a number of companies in the techno-
logy and financial sectors that have a lot to lose
a dangerous tool in the from the disruption of e-services, but which also
hands of cybercriminals, have above-average levels of cyber security.
The victims who were attacked in the autumn
always make sure to were attacked again a few months later. The
attacks were mostly based on intimidation, but
update their software. there were exceptions. For example, a blackmai-
ler who organised a denial-of-service attack wro-
22 Cyber Security in Estonia 2022The number of DDoS attacks is growing
From the summer of 2020, we also collect automatic notifications of denial-of-service
attacks without a significant impact, which are clearly on the rise.
50
40
30
20
10
May June July Aug Sept Oct Nov Dec Jan Feb Mar Apr May June July Aug Sept Oct Nov Dec
2020 2021
te that they needed money for their daughter’s ments almost every day. Some of them did not
surgery and had ran out of other ideas to earn have a significant impact, but some of the attacks
the money they needed. disrupted the daily work of the schools: it was
The methods, scale, and impact of the attacks not possible to add or view lesson plans, grades,
varied, but the victims were united by the deci- absences, teaching materials, and take tests.
sion not to submit to extortion. The fact that the There were also attacks that affected other aut-
business plan of the criminals did not work was horities that used the same network or name ser-
probably the reason why ransom denial-of-ser- vers in addition to the target school.
vice attacks almost disappeared after the first A young person might think that by ordering
quarter. an attack on their school, they could avoid taking
a test or could skip school without anyone
ATTACKS ON SCHOOLS noticing. An adult, however, knows that this is
They were replaced by a new problem: attacks not the case.
on schools and the Tahvel and Moodle learning
information systems. These attackers were not DEVICES LOCATED IN ESTONIA ARE
motivated by the desire to get rich – as far as we ALSO USED FOR ATTACKS
know, there have been no attacks on educational In most cases, foreign devices are used in denial-
institutions that involved a financial demand. of-service attacks against our e-services, but
Instead, we suspect that students in the same when analysing incidents, we have also found
school who had not prepared for a test or did not Estonian IP addresses. Their owners may not be
want to go to school were behind the attacks. The aware that their router, printer, or security
attacks on schools or learning information sys- camera is infected with malware, is connected
tems usually took place during school hours. into a botnet, and attempts to ‘take down’ their
They disappeared during weekends and school home bank or the school of their children. To
breaks, and returned when school began again. prevent safe-looking devices from becoming a
In September, we received reports of denial- dangerous tool in the hands of cybercriminals,
of-service attacks on schools or learning environ- always make sure to update their software. ●
Cyber Security in Estonia 2022 23Financial Fraud
Has Become
More Diverse
Last year, we received 20% more reports of fraud than the year before
about incidents in which Estonian people and companies lost money.
The Information System Authority (RIA) only sees the tip of the iceberg,
because victims of financial fraud turn primarily to the police.
W
hile attempts are still being made Although both the police and the Estonian
to defraud companies of money Banking Association have worked hard to raise
with various invoice frauds, last awareness of the problem (see, for example, the
year stood out with the number campaign page eiaitah.ee) and it has also been
of frauds against individuals. This may be due to widely covered in the media, there are still
people having more money on their account as a many people who believe the callers and end up
result of the pension reform and the pandemic losing their savings. The figures speak for them-
situation, as well as the growing interest in cryp- selves: according to the police, in the first ten
tocurrencies. At the same time, the fraudsters months of the year, people lost 2.8 million
are evolving rapidly and successfully using psy- euros in this way. The fraudsters were most
chological manipulation techniques. In addi- active during autumn.
tion, they have always been able to reap the ben- At the end of 2021, there was also a wave of
efits of changing circumstances. calls imitating the police: the caller claims to be
from the Estonian police and informs the per-
FRAUDULENT CALLS son that a large loan has been taken on their
FROM THE BANK AND THE POLICE behalf, or asks for information about a third
Much of the reports we receive about financial party and then informs the person that the
fraud against individuals still involve fraudu- bank account of the person has been hacked.
lent calls on behalf of a bank. The caller is usu- The purpose of the call is to phish the personal
ally a Russian-speaking person, but at the end identification code and other data that can be
of the year, there was also a trend where the used to carry out frauds.
conversation was started in Estonian and only The fraudsters try various techniques to
then handed over to a Russian-speaking ‘cus- increase their credibility, such as mentioning
tomer service representative’. The purpose of their police token number. Behind these calls is
the calls is to find out the PINs of the person an internationally organised network whose
and use them to clear the bank account. call centres make thousands of calls a day and
24 Cyber Security in Estonia 2022constantly seek to make them more credible to
generate revenue.
CRYPTOCURRENCY FRAUDS
ARE A RISING TREND
Frauds also have
Various frauds related to cryptocurrencies, the indirect victims
losses of which ranged from a few hundred euros In addition to direct financial loss, invoice fraud
to almost 100,000 euros, were a growing trend can also have indirect victims whose business
last year. The most typical were cases where a or reputation may be temporarily damaged. In
person had created an account and started oper- 2021, there was an example of a company in
ating on a cryptocurrency trading platform, but the medical sector, whose name and details
found that later it was no longer possible to with- were used to send fake invoices to partners in
draw the money. It often turned out to be a fake the same field. This temporarily damaged the
platform − a temporary environment specially good name of the company and also caused
created by criminals to entice people to make delays in receiving payments, as partners no
transactions there. After a while, the platform longer knew which invoices to trust and which
was closed and the money was stolen. not.
Various frauds related to cryptocurrencies, the losses
of which ranged from a few hundred euros to almost
100,000 euros, were a growing trend last year.
❱
Cyber Security in Estonia 2022 25An example of a classic CEO fraud
It is relatively easy to carry out this type of In addition to fake platforms, we also received
fraud scheme, as the regulation of cryptocur- reports of criminals breaking into a crypto wal-
rencies is still under development all over the let of a person (the application where crypto
world (a bill regulating the respective field in assets were stored) and stealing the contents.
Estonia is expected to be approved this spring). The average reported loss was around a few
So far, almost anyone can create or buy a trad- thousand euros. Well-known applications, such
ing environment for cryptocurrencies, buy fake as MetaMask, are not inherently unsafe, but
users and followers, and advertise it on influen- they are vulnerable to common threats such as
tial social media channels. While the initial rec- weak passwords, security vulnerabilities in
ommendation before purchasing any crypto- applications such as web browsers, or the user
currency or joining any environment is always accidentally entering their own crypto keys on a
to do a thorough background check, it may not phishing site. While in the case of banks, the
be enough – fake platforms may have fake user responsibility of the bank for depositing money
reviews and negative feedback from deceived is very clearly regulated and depositors are pro-
customers may not reach the forums until it is tected by law, theft in the crypto world usually
too late. In addition, there are criminals also means the permanent loss of one’s assets.
following the forums and rushing ‘to help’ those
who have lost money and direct them to new INVESTMENT ADVICE FROM TINDER?
phishing sites or fake environments. Many of the frauds we found out about were
linked to a specific scheme. In this scheme, vic-
tims meet the fraudster on a dating platform –
Upistic disappeared often on Tinder or Facebook Dating. After some
time, the ‘beautiful Asian girl’ or ‘young French
with the money man’ starts talking about investment opportu-
of the investors nities that they have used to improve their lives
In the last two months of the year, we received and on which they have been consulted by a
reports about the environment upistic.com, ‘relative working in the finance field’.
which advertised itself as the leading provider The conversation was often not intrusive at
of crypto investment services in Estonia and all and the topic was casually mentioned while
attracted investors from all over the world. talking about their daily activities. These fraud-
However, the environment stopped working and sters often wait for the victims to become inter-
investors, mostly foreigners, lost their money. In ested and start asking additional questions.
the cases reported to us, the damages ranged Once they got to know each other more and
from a few hundred to a few thousand euros. some trust was established, the new acquaint-
26 Cyber Security in Estonia 2022ance agreed to share their investment recom- The story of one fraud
mendations, helped create an account in a spe- Martin is a successful middle-aged entrepre-
cially designed environment, and showed how neur who works in the field of consulting and
the initial investment was earning good profit. communicates with a large number of people
Over time, they encouraged the victim to in Estonia and abroad. One day, he received
invest ever-increasing amounts of money. a Facebook friend request from a lady who
However, when the person wanted to take out introduced herself as a representative of the
the investment, it proved impossible. It was international fashion industry. She said she
essentially an investment fraud, but instead of had been on holiday in Estonia and was looking
aggressive telephone sales, contact was made for marketing contacts here. Her communica-
on a dating platform and the fraudster spent tion style was polite and professional. In
time to get to know the victim. addition, she sent Martin materials related
to her professional work and was not in any
THERE WERE FEWER FAKE way intrusive. The lady also talked about her
INVOICES THIS YEAR background and achievements and sent
2021 broke the record with two attempts to pictures – nothing seemed suspicious.
commit invoice fraud, the figures of which were After several weeks of communication,
unprecedented in Estonia. Fortunately, they she mentioned her experience in crypto and
remained only attempts. The largest of these her plans for specific transactions. As Martin
took place in the early summer, when criminals was also interested in the field, he asked for
began to monitor the e-mail exchange of a large more information and received references and
Estonian company with a cooperation partner links to various environments. Martin checked
abroad. At the appropriate time, they inter- them and found no indications that the
vened and presented fake invoices for a total of environments were fake.
several million euros on behalf of the partner. Martin then decided to invest 1,000 euros
The e-mail filter system of the company dis- in crypto, which started to make a profit, and
covered the fraud fairly quickly and no losses initially, he was able to grow his investment.
were incurred. The Estonian company also did Encouraged by the positive experience,
not find any signs of a break-in in its e-mail sys- he made two additional investments.
tem, so it could be assumed that the mailbox of At one point, however, Martin said his
the cooperation partner located in Central ‘intuition awoke’ and when he tried to transfer
Europe had been compromised. the earned money back to his crypto account,
The second case took place at the beginning it failed. In total, Martin lost 8,000 euros. The
of the year, when the attentive staff of a con- police says there is not much hope to get it
struction company was able to prevent a similar back and Martin will have to take it as a lesson.
attempt to commit invoice fraud for 900,000 As for money and investment, his advice is to
euros. Both of these cases show that appropri- be very careful with any new contacts and not
ate protection measures and staff awareness of to trust their advice, no matter how skilfully
the most common scams pay off indeed. presented.
There were some successful invoice frauds
too in 2021. To our knowledge, the largest
amount lost was 35,000 euros. or a member of the management board request-
In addition to the way described above, where ing an urgent transfer to a foreign bank account.
fraud is carried out by breaking into the system In at least one case, the transfer was made and
and hijacking the e-mail conversation, the clas- 15,000 euros reached the account of the fraud-
sic CEO frauds are also still used. In December, ster. However, general awareness of this type of
a dozen companies informed us that their fraud has grown over the years and there are
accountant had received a letter from the CEO fewer cases of major financial losses. ●
Cyber Security in Estonia 2022 27You can also read
