Cyber Security in Estonia 2022

Contents

6   Learning From Security Vulnerabilities Makes Us Stronger
    Last year will go down in history as the year of security vulnerabilities, where in the race against time and criminals, we had to learn some painful lessons. However, all experiences are useful and must be shared, says Gert Auväärt, Director of the Cyber Security Branch of the Information System Authority (RIA).

8   The Situation in Cyberspace: A Year of Security Vulnerabilities
    2021 will go down in the history of cybersecurity as a year of major security vulnerabilities. The largest of these was the vulnerability identified in the Log4j logging library, but there were also those that only affected the Estonian e-state.

14  How Did a Hacker Steal 300,000 Document Photos?
    One of the most serious incidents last year was due to a security vulnerability in a service of RIA. The attacker downloaded nearly 300,000 document photos, but was caught a few days after the data theft was discovered.

16  Legacy Brought Bad Surprises
    The access rights system of the state portal eesti.ee was a painful reminder that if the attitude towards data protection changes, so must the information system.

18  Patching Vulnerabilities Is Still a Problem
    People tend to put off until tomorrow what they can do today. Last year, we saw all too often what happens when this principle is followed when fixing critical vulnerabilities.

20  Log4j Caused an IT Earthquake
    In December, IT professionals had to respond to one of the biggest security vulnerabilities in recent years: the Log4j zero-day vulnerability. The IT community witnessed a severe earthquake all over the world at the same time and started preparing for a devastating tsunami.

22  In 2021, There Were 50% More Denial-of-Service Attacks Than Last Year
    Last year, we registered 47 impactful denial-of-service attacks, which is twice as many as in 2020. Until the spring, ransom denial-of-service attacks targeted companies, but in the autumn, schools and learning environments became the victims.

24  Financial Fraud Has Become More Diverse
    Last year, we received 20% more reports of fraud than the year before about incidents in which Estonian people and companies lost money. RIA only sees the tip of the iceberg, because victims of financial fraud turn primarily to the police.

28  Cannot Get Through the Gate Until the Gate is Open
    Most of us follow simple principles to ensure our physical security, but many seem to think that digital assets are able to protect themselves, writes Oskar Gross, Head of the Cybercrime Unit of the Central Criminal Police.

30  Ransomware Attacks Rarely Have a Happy Ending
    While heroes in Hollywood hostage films are usually able to escape, in hostage-taking in cyberspace, where criminals gain access to corporate or personal information, the victim often has to choose between bad and very bad options.

32  What Did We Learn From the Local Elections?
    Some functional errors caused public disapproval, but we did not identify any malicious activity that could have impacted the 2021 local elections.

34  Hackers, Help the State!
    We are working on a model that would allow state agencies to work with hackers and pay them for information about security vulnerabilities.

36  What Happened in International Cyberspace in 2021?
    Last year, news of cyber incidents and security reached even those who had not heard of these topics before. Many incidents directly and severely disrupted the daily lives of people and crossed the news threshold.

40  Potential Disasters Avoided
    When it comes to cybersecurity, the focus is often on high-impact incidents and the damage they cause: be it stolen data, encrypted systems, or lost money. However, there are also incidents with a happy ending.

42  The Cyber Hygiene of the Estonian Population is Improving
    The level of the cyber hygiene of the Estonian population has improved in three years, but there is room for improvement, according to data collected in cooperation with Statistics Estonia.

44  What Will 2022 Bring in Cyberspace?
    Last year brought a lot of security vulnerabilities and a ransomware epidemic. What's in store this year?

● FOREWORD

Learning From Security Vulnerabilities Makes Us Stronger

Last year will go down in history as the year of security vulnerabilities, where in the race against time and criminals, we had to learn some painful lessons. However, all experiences are useful and must be shared, says Gert Auväärt, Director of the Cyber Security Branch of the Information System Authority (RIA).

My time in RIA started with big challenges. In July, two critical weaknesses were identified in our own systems that allowed access to users' personal data. In essence, you could say that even though the door was locked, the key had been left nearby.

A month later, we found out about possible vulnerabilities in other national e-services, as a result of which some personal data was not appropriately protected. Vulnerabilities in the real estate and marital property register were patched and, according to our current knowledge, the data had not been misused in any way.

SECURITY COMES FROM COOPERATION

Both incidents with our services, the data leak of access rights in the self-service environment of eesti.ee for entrepreneurs and the illegal download of document photos (both cases will be discussed in more detail in this yearbook), happened partly due to the fact that old system interfaces are still present in some services and have not been renewed. We have carried out an internal analysis of these cases and streamlined the processes within RIA to avoid incidents like this in the future.

In both cases, we received the first indication that something may be wrong from people outside of our organisation. This illustrates that the state alone may not be able to find the weaknesses of a 20-year-old e-state and that security can be created in partnership with the community. It is very important that we all take security vulnerabilities seriously and patch them. We must share information because it allows us to learn from others, and we must not ignore tips and suggestions. The consequences of the vulnerabilities depend on the speed with which we act – whether we are able to patch them before criminals manage to exploit them.

WARNINGS ARE NOT TAKEN SERIOUSLY

In March last year, when Microsoft disclosed its Exchange server vulnerability and provided information on how to patch it, we notified our partners and other authorities. However, a week later our monitoring revealed that two-thirds of those informed had not yet taken the necessary action. The e-mail servers of these organisations were still vulnerable, meaning that the mailboxes of the employees were essentially unprotected. The warning had not been taken seriously.

Unpatched systems usually result in criminals finding them and compromising them – installing malware, stealing data, etc. Cybercrime is one of the most lucrative, and thus fastest-growing, types of crime in the world. However, catching those criminals is difficult, as it is easier to hide traces in cyberspace and the consequences of crime can appear after several years.

IT systems around the world are being attacked all the time, and the security vulnerabilities that have been discovered and made public can be of great benefit to those who are trying to get rich or gain influence. RIA registers more than 20,000 notifications and nearly 2,500 cyber incidents a year that have a real impact on the system or how it works. Although most attempts to attack fail, we must stay vigilant.

FOR A SAFER ESTONIA

Ransomware attacks, which are becoming more and more popular in the world, cause losses to entrepreneurs that are comparable to the budget of an average Estonian state agency. Estonia has not yet been successfully targeted with high-impact ransomware attacks, but it is only a matter of time, as our daily lives, including the functioning of the country, depend on digital services.

Although the security of the systems is the responsibility of their owner, we must all play our part. Just as the state must protect its people who have entrusted their data to it, so must any other owner of a database or service. The digital society is based on trust.

In order to protect the reliability and security of our e-state, we have also increased our capabilities in RIA, both in terms of people as well as our tools and infrastructure. We put together a team of testers, developed a bug bounty programme to detect and patch service vulnerabilities, and increased the security of the state network.

In order to create and maintain security, we have taken another important step in RIA: the Estonian Information Security Standard (E-ITS) is finally ready. This is the most important guide for companies to prevent potential risks. At the end of 2021, the first pilot group started its work, the main role of which is to develop best practices in the implementation of the standard and to prepare new E-ITS experience consultants. Together with the University of Tartu, the initial E-ITS-based maturity model was completed, which gives organisations a quick assessment of their information security situation and allows authorities to compare the level of information security.

That is how we are building a safer Estonia step by step. ●

GERT AUVÄÄRT
director of the Cyber Security Branch of RIA

The Situation in Cyberspace: A Year of Security Vulnerabilities

2021 will go down in the history of cybersecurity as a year of major security vulnerabilities. The largest of these was the vulnerability identified in the Log4j logging library, but there were also those that only affected the Estonian e-state.

There are security vulnerabilities in almost every system and in almost every piece of code – you just have to search for them. Most of them are identified and addressed quickly. It is common practice in information security communities that the person who discovers a security vulnerability notifies the owner of the system or service first, gives them enough time to develop security patches or code updates, and only then reveals the vulnerability to the rest of the world.

This was not the case with the major security vulnerabilities discovered in 2021. Serious security vulnerabilities have impacted society before, but in 2021, there seemed to be no end to them.

IF YOU DO NOT KNOW YET THAT YOU ARE VULNERABLE

In 2021, Estonian society was probably most affected by the news that an attacker found a security vulnerability in a system managed by the Information System Authority (RIA) and obtained document photos of hundreds of thousands of people (you can read more about this attack on page 14).

Although the vulnerability only gave the attacker access to document photos – with which one can do almost nothing in the age of digital documents – it raised legitimate concerns about whether the Estonian e-state can keep data secure and protect it from thieves. However, the course of the incident proved that the principle of data separation we use in our e-state is correct. Every query for a document photo left a trace, which allowed the police to detain the attacker, and he was not able to obtain any other data.

By security vulnerabilities, we also mean configuration errors. One of these was discovered by an observant citizen in the self-service
[Chart: Incidents and notifications, 2017–2021. Series plotted: number of reports; incidents with an impact; automated infection notifications; automated security vulnerability notifications.]

Year   Number of reports   Incidents with an impact
2017   10,649              3,139
2018   17,440              3,473
2019   24,369              3,164
2020   see below           2,722
2021   see below           2,237

Values plotted for 2020 and 2021 in the remaining three series (number of reports, automated infection notifications, automated security vulnerability notifications): 2020: 22,896; 15,730; 55,635. 2021: 20,077; 14,332; 73,826.

environment of eesti.ee for entrepreneurs, where the first and last names, personal identification codes, places of work, and, in some cases, connections with previous positions of more than 300,000 people related to legal entities were visible. The system was originally designed so that authorised persons could see the data of other authorised persons, and it had not been updated over the years. We are extremely grateful that the case was reported to us: we were able to fix the bug before the general public or a malicious attacker had the opportunity to view or misuse third-party data.

A security vulnerability that is so new that only the attacker knows about it, so that the owner of the service has had zero days to fix it, is called a zero-day vulnerability. However, if an update for a vulnerable service already exists, it is a whole other story. Unfortunately, owners of larger networks and e-services often do not have a detailed overview of all their online services and their vulnerabilities. The owners should look at their IT infrastructure through the eyes of an attacker, because attackers are constantly looking for security flaws.

At the end of 2020, the Ministry of Economic Affairs and Communications, the Ministry of Social Affairs, and the Ministry of Foreign Affairs were attacked, and we saw attacks with the same hallmarks in 2021 as well. What is common to all of them is that the attacker scanned web servers with publicly available tools, found security vulnerabilities, uploaded malicious code, and thus gained unauthorised access to the servers.

In February, we were informed that a company which provides cloud services and software to many public sector authorities (ministries and local governments) and another company which provides remote access services to public sector authorities had been compromised. Both of them handled the incidents professionally: they fixed their services, informed customers, and worked in full cooperation with CERT-EE.

IF THE WHOLE WORLD KNOWS YOU ARE VULNERABLE

The public will only hear about the consequences of some security vulnerabilities much later, as their effects may become apparent in a matter of months. In March, Microsoft disclosed four zero-day vulnerabilities in its Exchange mail server software that allowed attackers extensive access to the entire server, including e-mails and passwords. According to Microsoft, the attackers
quickly built tools that began searching the entire world for vulnerable Exchange servers that had not been updated, and once they found them, the servers were compromised and infected with malware.

At the end of August, Atlassian announced that their widely used wiki platform Confluence also had a critical security vulnerability that required a software update. Confluence is commonly used for business process documentation or internal web sites. By early September, attackers had already been able to exploit the vulnerability and use automated systems to gain access to Confluence servers exposed to the Internet around the world, including in Estonia (see page 18 for more information).

The security vulnerability with the greatest impact was only revealed at the end of the year, when players on the popular Minecraft gaming platform began experimenting with a newly discovered security vulnerability that allowed them to send commands to the game server. The critical security vulnerability Log4Shell, identified in Log4j, a logging library for the Java programming language that is used in billions of devices and software products around the world, had already been patched by the library's maintainers, but these same devices and the software used in them had not been updated yet.

As news of the vulnerability spread, IT professionals, developers, and security professionals around the world rushed to update the Log4j library in their own software and then wait for software updates for all their other products – industrial devices, network devices, antivirus software, web services, and more. This was also the case in Estonia, as many Estonian e-services use the hugely popular Java programming language and the Log4j library with it.

The general public may not have noticed this, but the combined effort of the global IT community to identify the extent of the vulnerability and to support each other was impressive. IT professionals paid no attention to national borders or to the divide between open-source and commercial services, and occasionally they even forgot their sleep and loved ones. However, we will most likely see the full impact of the Log4j vulnerability only later, when it becomes clear how much the attackers managed to exploit the vulnerability before it was patched.

LOG4J VULNERABILITY – WHAT IS IT?

The critical security vulnerability Log4Shell was identified in Log4j, a logging library for the Java programming language that is used in billions of devices and software products around the world. The severity of the vulnerability is rated the highest possible on the international CVSS scale (10 out of 10 points): it potentially allows an attacker to run their own code on a vulnerable device.

An attacker exploits the vulnerability by sending a vulnerable server, device, or system some input that the software will log – a username, a chat message, an HTTP header – written in a specific format (beginning with '${jndi:') and containing a reference to a server under the attacker's control. When Log4j logs that input, it does not treat the string as plain text but performs the lookup it contains: it connects to the attacker's server over a protocol such as LDAP or RMI, fetches the Java code referenced there, and runs it. Depending on the nature of that code, it may give a third party full access to the device.

IT ALL STARTS WITH ACCESS: RANSOMWARE AND OTHER INCIDENTS

Ransomware attacks received a lot of attention around the world this year – and for good reason. The attack on Colonial Pipeline, a U.S. fuel
supplier, made headlines, halting fuel supplies to the U.S. East Coast, but multi-million-dollar ransom demands and encrypted IT systems caused widespread problems in many countries.

Incidents with an impact in 2021 (altogether 2,237 incidents)

Phishing                   775
Malicious redirect         262
Service interruption       254
Other                      178
Account takeover           170
Compromised accounts       168
Fraud                       99
Botnet                      98
Malware                     79
Denial-of-service attack    47
Data leak                   43
SEO spam                    34
Ransomware                  30

The most expensive ransomware attacks usually target companies operating in the United States or in the wider English-speaking business environment. In Estonia, ransomware incidents involve smaller enterprises, and the demands are usually in the range from a few thousand euros to tens of thousands of euros. We were informed of a total of 30 ransomware incidents in 2021 (33 in 2020). It seems that the small size of Estonia and our language environment work in our favour, as does the steadily improving cyber hygiene.

Cyber hygiene and compliance with standards are relatively effective against ransomware attacks. In 2021, attackers accessed the systems of their victims mostly through a remote desktop application (Remote Desktop Protocol, RDP, in Windows). Some versions have publicly known security vulnerabilities, and in some cases the passwords still in use can be found in leaked credential databases.

IT companies providing services to third parties should pay special attention to the prevention of potential ransomware attacks. In April, we learned of a case where a ransomware attack targeted an IT service company, through which it spread to four more companies. In May, there was an attempt to launch a ransomware attack against a local government which had been accessed through an accounting service provider that had been compromised.

On many occasions, CERT-EE specialists have been able to help recover data that is encrypted with ransomware without the victims having to pay the ransom. Sometimes, ransomware has left much of the data available (for example, it encrypts only the beginning or the end of the files); other times, decryptors can be found to recover the data. In case of a ransomware incident, we encourage companies to contact CERT-EE and to always keep in mind that paying the ransom only motivates the criminals to launch further attacks.

WHAT HAPPENED TO THE YEAR OF PHISHING?

We called 2020 the year of phishing in the last yearbook – the number of phishing sites had increased by a fifth, and phishing was often a means by which attackers could learn the passwords of an employee of an organisation.

Phishing attacks continued in 2021. The number of phishing site incidents increased both as a share (35% of all incidents with an impact, compared to 26% a year earlier) and in absolute numbers (775 in 2021 and 711 in 2020, respectively). These figures reflect how many times phishing sites have been taken down at the request of CERT-EE specialists; the numbers of notifications are much higher.

Similarly to the year before, the sites can be broadly divided into two: bank account phishing and account credentials phishing. The phishing sites are usually almost identical with the originals, but the address is different. In the case of bank account phishing, the victim unknowingly sends money to the wrong account, and the passwords entered on the account credentials phishing sites are most often used to break into e-mail accounts. As a rule, using multi-factor authentication helps to protect your account even if you have accidentally entered your password on a phishing site.

Bank account phishing attacks that have targeted Estonians for several years are already familiar to us. It seems more profitable for the criminals to call victims and persuade them to send money. In terms of account details, however, it does not look like the phishing attacks will cease any time soon.

BOTNETS ENABLE NEW DENIAL-OF-SERVICE ATTACKS
The unpleasant surprise of 2021 was the high impact of distributed denial-of-service (DDoS) attacks. The overall figures also show an increase: compared to 2020, the number of major DDoS attacks increased from 32 to 47 (these are the attacks that were reported to CERT-EE). We have also gained better visibility of smaller DDoS attacks since the summer of 2020, which also shows a clear upward trend.

In 2021, we saw several waves of DDoS attacks with a significant impact. In January and February, several banks and technology companies operating in Estonia received DDoS attacks accompanied by extortion letters. Similar attacks had been carried out on the same companies three months earlier, and the threatening letters referred to previous attacks, saying ‘we have not received your payment’, ‘we are back now, pay off’, and ‘if you do not pay us now, we will be back soon’. Similar attacks took place in other European countries (at least in five Member States according to CERT-EU) and beyond.

We also saw the first attack on a school in Tallinn in January, which briefly disrupted the work of educational institutions throughout the city. This became a trend in spring and autumn. Since September, we have seen continuous short-term attacks on general education schools, vocational training institutions, universities, as well as the e-learning environments managed by the Education and Youth Board.

The attacks are often ordered by schoolchildren from relatively accessible online forums. In such places, DDoS attacks are offered as a service: an attacker has amassed a large number of routers and other IoT devices with security vulnerabilities or poor configuration on the botnet and is using it to launch DDoS attacks for a small sum of money.

However, these attacks affect not only the infrastructure of that school, but also other authorities that use the same name servers, for example.

In one of the denial-of-service attacks in May, we identified a router with a security vulnerability in Estonia that was connected to a botnet and participated in an attack on a vocational educational institution. We informed the owner of the router, and at least this device can no longer be used for a DDoS attack. Read more about denial-of-service attacks on page 22.

This incident also shows that security vulnerabilities, out-of-date software, and configuration errors enable attacks that have a major impact on our daily lives. Therefore, it is extremely important for device and system owners to pay full attention to security patches and security vulnerability notifications (including the daily notifications of CERT-EE). This way, you can trust that your router, smart TV, or fridge does not give attackers a chance to disrupt Estonian life. ●

How Did a Hacker Steal 300,000 Document Photos?

One of the most serious incidents last year was due to a security vulnerability in the service of the Information System Authority (RIA). The attacker downloaded nearly 300,000 document photos, but was caught a few days after the data theft was discovered.

On 21 July, CERT-EE detected that 286,438 document photos had been illegally downloaded from the database of identity documents. They had been downloaded en masse from 9,000 Estonian and foreign IP addresses since 12 July. This was caused by a security vulnerability in the photo transfer service (so-called photo service) that is used when a person wants to download their document photo.

You can download your document photo either directly from the state portal or through the DigiDoc application. In both cases, the person must first authenticate themselves. Once the request has been made, the system requests the photo from the service that mediates it, the so-called photo service, which is managed by RIA. The photo service requests the photo over the X-tee from the database of identity documents, which belongs to the Police and Border Guard Board, and sends it back to the person. Upon detection of the attack, RIA temporarily closed this function for DigiDoc.

HOW WAS THE ATTACKER ABLE TO DOWNLOAD THE PHOTOS?
DigiDoc makes requests over a public URL. By manipulating this, the attacker managed to give the photo service the impression that the request comes from an authenticated user who wants to download their document photo. However, behind the request was an attacker who turned directly to the photo service using forged or self-created certificates (see figure). To create a fake certificate, the attacker had to have the personal identification code and name of the person.

[Figure: the document photo download flow. DigiDoc and eesti.ee → state authentication service (PIN1 + certificate verification, identification) → photo service → database of identity documents (secure communication over the X-tee). Attacker → photo service: a fake certificate is sent to the photo service; the service does not fully verify the validity of the certificate and sends a document photo (security vulnerability).]

The photo service should have recognised that the certificates used by the attacker were not issued by SK ID Solutions – that they were forged. Although the attacker had marked SK ID Solutions as the issuer of the fake certificates, ‘looking in’ them would have shown that they actually came from elsewhere. Due to the security vulnerability, the service did not do this.

As a result of the attack, the criminal did not have access to the database of identity documents, but managed to download document photos from it. A few days after the discovery, the security vulnerability was patched and RIA reopened the photo service for DigiDoc so that people could download their document photos again.

WHAT CAUSED THIS SECURITY VULNERABILITY?
Reportedly, the security vulnerability in the photo transfer service occurred in November 2018. The interruption of the service was probably related to the exchange of ID-card certificates – changes were made in the information systems to support authentication with new certificates.

CERT-EE analysed logs starting from 30 June 2018 and found no other anomalies. This leads to the conclusion that the security vulnerability of the photo transfer service had not been abused before (i.e. before July 2021).

The police detained the suspect a few days after the incident was discovered and confiscated the downloaded data. Preliminary information suggested that the photos were simply stored on the computer of the attacker. The proceedings conducted by the Office of the Prosecutor General are still ongoing.

It is not common for attackers behind cyber incidents to be caught so quickly. They are often located abroad and their traces are difficult – if not impossible – to detect. In this case, we managed to do so thanks to quick and efficient cooperation between the police, CERT-EE, and the Prosecutor’s Office. ●

Lessons from the photo theft
RIA analysed and improved its workflows to prevent future incidents caused by such security vulnerabilities. In addition, the case inspired us to create a national bug bounty programme to motivate good hackers. This means that in the future, hackers who have discovered security vulnerabilities in state systems may receive a reward from the state. However, the reward is only paid if the hacker follows the established rules and conditions. The rewards programme is currently being worked on.

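The check the photo service failed to make, as an added Python example that is not RIA's code: the issuer name written into a certificate is only a claim, so the service must verify that the certificate was actually produced by the trusted issuer before serving a photo. The certificate layout, the trust store, the personal codes and the use of an HMAC with the issuer's secret key as a stand-in for a real CA signature are all constructed assumptions.

```python
import hashlib
import hmac
import json

# Added example, not RIA's code. Real ID-card certificates are X.509 and
# carry asymmetric CA signatures; this constructed stand-in keeps only the
# part that matters for the bug: a certificate body (name, personal code,
# claimed issuer) and a tag that only the real issuer can produce. The tag
# is an HMAC over the body with the issuer's secret key.

TRUSTED_ISSUER = "SK ID Solutions"


def _payload(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True).encode()


def issue_certificate(body: dict, issuer_key: bytes) -> dict:
    """Produce a certificate whose tag is bound to issuer_key (constructed)."""
    tag = hmac.new(issuer_key, _payload(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def signature_valid(cert: dict, issuer_key: bytes) -> bool:
    expected = hmac.new(issuer_key, _payload(cert["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert["tag"])


class PhotoService:
    """Mediates document photos; the caller presents a certificate."""

    def __init__(self, trust_store: dict, photos: dict):
        self.trust_store = trust_store   # issuer name -> that issuer's key
        self.photos = photos             # personal code -> photo bytes

    def get_photo_vulnerable(self, cert: dict):
        # The flaw the page describes: the issuer name carried in the
        # certificate is taken at face value, so a certificate written by
        # someone who knows a person's name and personal code passes.
        body = cert["body"]
        if body["issuer"] != TRUSTED_ISSUER:
            return None
        return self.photos.get(body["personal_code"])

    def get_photo_fixed(self, cert: dict):
        # 'Looking in' the certificate: the claimed issuer only selects a
        # key from the trust store; the tag must verify under that key.
        # A forgery naming SK ID Solutions fails because only SK's key
        # produces a matching tag.
        body = cert["body"]
        key = self.trust_store.get(body["issuer"])
        if key is None or not signature_valid(cert, key):
            return None
        return self.photos.get(body["personal_code"])


def run_demo() -> dict:
    """Genuine certificate versus a forgery claiming the same issuer."""
    sk_key = b"constructed-key-of-the-real-issuer"
    attacker_key = b"constructed-key-made-up-by-the-attacker"
    victim = {"name": "Example Person", "personal_code": "PLACEHOLDER-CODE-1"}

    service = PhotoService(
        trust_store={TRUSTED_ISSUER: sk_key},
        photos={victim["personal_code"]: b"<constructed document photo bytes>"},
    )
    genuine = issue_certificate({**victim, "issuer": TRUSTED_ISSUER}, sk_key)
    # The forgery carries the same name, code and issuer name, but its tag
    # was produced with a key the trust store has never heard of.
    forged = issue_certificate({**victim, "issuer": TRUSTED_ISSUER}, attacker_key)

    return {
        "vulnerable_serves_genuine": service.get_photo_vulnerable(genuine) is not None,
        "vulnerable_serves_forged": service.get_photo_vulnerable(forged) is not None,
        "fixed_serves_genuine": service.get_photo_fixed(genuine) is not None,
        "fixed_serves_forged": service.get_photo_fixed(forged) is not None,
    }


if __name__ == "__main__":
    print(run_demo())
```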
Legacy Brought Bad Surprises

Last summer, we got a painful reminder that if the attitude towards data protection changes, so must the information system.

On 6 July, an entrepreneur informed us that on the website for entrepreneurs on the state portal eesti.ee, a database with 336,733 data rows is available to users authenticated in the self-service environment of the access rights management system (AAR). The first and last names, personal identification codes, places of work, and, in some cases, connections with previous positions and roles (e.g. job title, start and end date of employment) of people were visible. The database contained persons from both the public and private sectors.

This data was visible to the people appointed to represent the authority or company, i.e. to all those for whom there was a row in the same database. All data rows became visible when somebody performed a so-called empty or parameterless search. The person also saw the data of others when, for example, they searched for ‘Paul’ – in which case they were shown all the people called Paul in the database.

It was not a classic cyber incident – the system was not attacked or broken. However, that information should not have been visible in that way. So what happened?

What is the AAR?
The AAR, or administration system for access rights, is a system for authorised persons of an authority or a company in which they can provide others access to various services. For example, the head of a company can grant rights to an accountant to transfer employee data to the employment register maintained by the Tax and Customs Board.

THE SYSTEM BECAME OUTDATED
The entire administration system for access rights – including its self-service environment on the state portal – was designed and built so that all data is visible to all people in the database. The world around this system has changed, especially the approach to data protection. Thus, the structure of the system became inappropriate.

It was clear we had to change it. In July, the Information System Authority (RIA) closed the self-service environment of the access rights system on the state portal. Now, the RIA helpdesk must be contacted at help@ria.ee to change roles and grant accesses. Before, customers themselves could provide access quickly and directly. Now, however, it has become a little more inconvenient. It takes more time and effort to create an authorisation, digitally sign it, send it to RIA, and receive a response.

We did not consider it appropriate to contribute to the thorough development of the old system to reopen the self-service environment there. One important argument was that RIA is already developing a new administration system for access rights, Pääsuke. Another important argument was that changing old systems, or so-called legacy systems, may not be as easy as one might think.

A WIDER PROBLEM
Legacy is a system, technology, or software that is still running but is actually outdated and becoming more and more vulnerable over time. Legacy is a problem in many long-established companies and authorities. For example, the current owners of a system developed 10 years ago may not have a full understanding of its structure and functions. Organisations change over time, people are replaced, and often, the solutions put in place are not properly documented for the new employees. Therefore, it is often not known exactly what effect an upgrade of one part may have on another part of the system.

Outdated systems are used in both the public and private sectors. This is understandable in many ways – replacing the legacy is costly and time-consuming and can also lead to a change in the usual functionalities. So what can you do? The first step could be to get to know the legacy systems of your organisation. This gives you an idea of the state of the system, what features it offers, as well as its vulnerabilities and cross-dependencies.

This is exactly what RIA has done. We have become even more familiar with our legacy and set up processes so that our systems are updated at all times. ●

The state is contributing to the solution of the problem with legacy systems
An additional 14.4 million euros was allocated from the state budget in 2022 for the updating and maintenance of outdated information systems and platforms. In addition, the government allocated 500,000 euros from the reserve fund for additional investments for the rapid updating and, if necessary, closure of the outdated information systems of the state portal eesti.ee.

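The two search behaviours described above, as an added Python example that is not RIA's or the AAR's code: the legacy query lets any authenticated representative search the whole table, so an empty term lists every row and ‘Paul’ lists every Paul, while the scoped query confines results to the organisation the caller represents and refuses parameterless searches. The table layout, the rows, the personal codes and the organisation names are constructed.

```python
import sqlite3

# Added example, not RIA's code. Constructed rows of the kind the AAR held;
# names, personal codes and organisations are made up.
ROWS = [
    ("Paul Tamm", "PLACEHOLDER-CODE-1", "Authority A"),
    ("Paul Kask", "PLACEHOLDER-CODE-2", "Company B"),
    ("Mari Mets", "PLACEHOLDER-CODE-3", "Authority A"),
    ("Jaan Saar", "PLACEHOLDER-CODE-4", "Company C"),
]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access_rights (name TEXT, personal_code TEXT, organisation TEXT)"
    )
    conn.executemany("INSERT INTO access_rights VALUES (?, ?, ?)", ROWS)
    return conn


def search_legacy(conn: sqlite3.Connection, term: str) -> list:
    # The original design: every authenticated representative searches the
    # whole table. An empty term turns the pattern into '%', which matches
    # every row, and 'Paul' returns every Paul regardless of organisation.
    pattern = "%" + term + "%"
    return conn.execute(
        "SELECT name, personal_code, organisation FROM access_rights WHERE name LIKE ?",
        (pattern,),
    ).fetchall()


def _escape_like(term: str) -> str:
    # Keep user-supplied % and _ literal so they cannot widen the match.
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_scoped(conn: sqlite3.Connection, caller_org: str, term: str) -> list:
    # Hardened: rows are filtered to the organisation the caller represents,
    # and an empty or parameterless search is refused instead of being
    # allowed to list the whole database.
    term = term.strip()
    if len(term) < 2:
        raise ValueError("a search term of at least two characters is required")
    pattern = "%" + _escape_like(term) + "%"
    return conn.execute(
        "SELECT name, personal_code, organisation FROM access_rights "
        "WHERE organisation = ? AND name LIKE ? ESCAPE '\\'",
        (caller_org, pattern),
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("legacy, empty search:", len(search_legacy(db, "")), "rows")
    print("legacy, 'Paul':", search_legacy(db, "Paul"))
    print("scoped, 'Paul' as Authority A:", search_scoped(db, "Authority A", "Paul"))
```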
Patching Vulnerabilities Is Still a Problem

People tend to put off until tomorrow what they can do today. Last year, we saw all too often what happens when this principle is followed when fixing critical vulnerabilities.

On 2 March 2021, Microsoft announced that the popular e-mail server software Exchange Server had four zero-day vulnerabilities that could allow an attacker to install malware on the server of the victim and gain access to their e-mail, contacts, passwords, and administrator privileges. In the same announcement, Microsoft also released security patches and asked users to install them as soon as possible.

Until that point, few people knew about the vulnerabilities (according to Microsoft, they were used for attacks by the Chinese cyber group HAFNIUM), but from 2 March, the information was available to everyone. This marked the start of the race against time – between the attackers who used automated tools to search for and attack vulnerable mail servers and the server owners and administrators who now had the means to patch the vulnerabilities.

THE MAÑANA ATTITUDE DOES NOT HELP
In many cases, the attackers won. On 3 March, Microsoft announced that there were ‘a limited number of victims’. On 8 March, however, there were more than 60,000. The day after the vulnerabilities were disclosed, CERT-EE identified more than 80 mail servers with the mentioned vulnerabilities in the Estonian cyberspace. We informed their owners and administrators, as well as public sector security managers and vital and important service providers. When we repeated the monitoring on 10 March, we unfortunately discovered that two-thirds of these servers were still using unpatched software and were therefore vulnerable to attacks. While three-quarters of the vulnerable servers were patched worldwide in a week, only a third were patched in Estonia.

Therefore, we were not surprised by reports of compromised mail servers. The criminals managed to attack local governments and private companies, as well as the medical sector and educational institutions.

DIFFERENT SOFTWARE, THE SAME SCHEME
A similar sequence unfolded in late August and early September. On 25 August, Atlassian, the maker of the wiki platform, announced that their Confluence software contained a critical vulnerability that could allow remote code execution. The security vulnerability allowed an unauthenticated user to compromise the Confluence server of an enterprise or authority and edit, add, delete, and/or copy data there. In addition, it allowed malicious code to be installed on the systems of the victim to mine cryptocurrency or create a backdoor to carry out new attacks. Atlassian rated the threat severity of these vulnerabilities with 9.8 on a ten-point scale.

Confluence is not as common as Microsoft Exchange, but it is also used by many Estonian state agencies and private companies as an intranet platform.

In September, we learned that three state agencies had been attacked through this security vulnerability. Early detection of the attackers allowed the agencies to avoid major damage, but these attacks would have been preventable if the software had been updated in time. ●

Speed matters
There is nothing new about critical security vulnerabilities in software, but the pace at which cyber groups and individual criminals detect and compromise unpatched systems is unprecedented. It used to take weeks, but now, it only takes days or hours. Those responsible for cyber security must keep pace and patch dangerous security vulnerabilities as soon as possible, rather than postponing them.

Record number of vulnerabilities
- The National Vulnerability Database (NVD) of the US National Institute of Standards and Technology (NIST) recorded 20,046 vulnerabilities in 2021 (18,351 in 2020, 17,382 in 2019, and 17,252 in 2018).
- Attackers did not need good technical skills to take advantage of 90 per cent of these vulnerabilities.
- For 61 per cent of the vulnerabilities, carrying out an attack did not require any action on the part of the victim: clicking on a link, sharing passwords, launching software, or the like.

Log4j Caused
     an IT Earthquake
      On 9 December, IT professionals had to respond to one of the biggest
     security vulnerabilities in recent years: the Log4j zero day vulnerability.
      The IT community witnessed a severe earthquake all over the world at
         the same time and started preparing for a devastating tsunami.

     J
            ava is one of the most widely used soft-     sidewalks and crosswalks or crossing the streets
            ware development platforms. Its open         in wrong places. If there is an accident in the
            source logging framework Log4j is very       area, the police can find out the circumstances
            common – billions of computers use it to     of the accident by looking at the recording. This
     keep apps and services running. The function is     is essentially how logging works.
     used by Apple, Steam, Twitter, Amazon, Tesla,          However, if a vulnerability of the camera
     IBM, Minecraft, LinkedIn, and thousands of          allows the information systems and databases
     other well-known and lesser-known companies.        of the city government to be taken over, the sit-
                                                         uation is equivalent to the critical vulnerability
     WHAT IS THE LOG4J FUNCTION?                         of Log4j, which gives criminals power not only
     Each software logs or stores data in one way or     over this particular function (camera) but the
     another to have an overview of what is going on     entire infrastructure.
     with the software. This is necessary for three
     reasons: to keep the software running, for          HOW IS THE SECURITY
     development, and for ensuring security. Log-        VULNERABILITY EXPLOITED?
     ging or storing data is essential.                  Although a tsunami was expected after the
       Logging can be compared to a smart camera         weakness became apparent and people started
     on the main street and square in a city. It gives   getting ready to board Noah’s Ark, the end of
     the city authorities the opportunity to check       the IT world has not yet come. The impact of
     whether the Christmas tree is still standing,       the vulnerability may not become apparent for
     whether the streets are covered in snow, or         years to come. At this time, we do not know if
     whether city services are working as they           and where the attackers intruded before the
     should. In addition, it helps to analyse how peo-   security updates were installed.
     ple behave there: whether they use the existing       Attackers could exploit the vulnerability by

20                                                                                Cyber Security in Estonia 2022
sending a message in a specific format and an
                                                               What did RIA do?
additional reference to malware located somewhere on the third server to a vulnerable server, device, or system that could be accessed from the Internet. The vulnerable server read the command from the message, Log4j searched for the malware, downloaded it, and ran it. It was as if a person were knocking themselves out. Depending on the nature of the malware, it may give a third party access to the device.

The security vulnerability primarily affects companies and authorities, as it is potentially possible to gain access to their systems. Once it is exploited by criminals and they are able to install malware on popular services, it will also affect end users.

As at the end of 2021, there has been no mass exploitation of the Log4j vulnerability in Estonia or in the world, but as we wrote, its impact could still be revealed. Criminals are currently actively monitoring online services to find systems that have not been addressed. Vulnerable devices are also being searched for in Estonia.

WHAT SHOULD I DO?
First, inspect services built on the Java platform that are part of your service portfolio. Check for updates to the products you use. If there are updates, install them as soon as possible because they address a critical security vulnerability. This is especially important for systems that are available online.

However, this does not mean you are safe. On 28 December, a smaller vulnerability was discovered in the next version of Log4j. IT professionals need to keep a close eye on what is going on with this vulnerability and be prepared that the update needs to be updated as well. It should also be borne in mind that a security patch has not yet been developed for all services. The vulnerability may never materialise if the vulnerable service is not open to the Internet or devices are prevented from accessing the Internet.

- On 10 December, we informed the Estonian public about the security vulnerability and its impact.
- On 13 and 19 December, we sent additional information about the security vulnerability to the public sector and vital service providers.
- On 22 December, we published a post on the RIA blog focusing on the security vulnerability.
- We identified RIA services that are affected by the vulnerability. We installed updates or countermeasures.
- CERT-EE monitors what is happening in Estonian cyberspace 24/7 and searches for attack attempts.

SITUATION IN ESTONIA
In the days following the disclosure of the security vulnerability, CERT-EE identified Estonian companies and authorities that were at risk due to the vulnerability and asked them to update or close the respective services. CERT-EE will continue to look for new cases, as not all service users have yet patched the vulnerability. In addition, there is not yet a security patch for all services.

RIA has not received reports of attacks with serious consequences resulting from the Log4j vulnerability. However, malware that mines cryptocurrency has been installed on computers in Estonia through the vulnerability. Because this malware slows down services, these cryptocurrency miners are quickly found and removed.

There have been reports abroad that attempts have been made to prepare for ransomware attacks through the vulnerability. If criminals have launched malware on a system that is difficult to detect right away, data leaks can occur much later. ●
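The first step in "What should I do?" is an inventory: find every Log4j copy in your Java services and compare its version with the current fix. The script below is an added example, not RIA's or CERT-EE's tooling; it walks a directory tree, reads the version Maven records inside each log4j-core jar, and flags old ones. The MIN_SAFE threshold and the two sample jars it builds are assumptions and constructed fixtures, respectively.

```python
"""Log4j jar inventory check (added example, not RIA's or CERT-EE's tooling).
Finds log4j-core jars under a directory, reads the version Maven recorded in
them and flags anything below MIN_SAFE.  MIN_SAFE is an assumption: take it
from the vendor's latest advisory, since the first updates were updated again."""
import os
import re
import tempfile
import zipfile

MIN_SAFE = (2, 17, 1)  # assumption; re-check the current Apache Log4j advisory
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a '-beta9' style suffix is ignored."""
    nums = [int(p) for p in re.findall(r"\d+", text.split("-")[0])][:3]
    return tuple(nums + [0] * (3 - len(nums)))

def jar_version(path):
    """Version string from the jar's pom.properties, 'unknown' if only the
    log4j-core classes are present (shaded/repackaged jar), None otherwise."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
            if POM_PROPS in names:
                props = zf.read(POM_PROPS).decode("utf-8", "replace")
                match = re.search(r"^version=(.+)$", props, re.M)
                if match:
                    return match.group(1).strip()
            if JNDI_CLASS in names:
                return "unknown"
    except zipfile.BadZipFile:
        pass
    return None

def scan_tree(root, min_safe=MIN_SAFE):
    """Return [(path, version, status)] for each log4j-core jar under root.
    Only plain .jar files are opened; unpack .war/.ear archives first."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            version = jar_version(path)
            if version is None:
                continue                      # not a log4j-core jar
            if version == "unknown":
                status = "REVIEW"             # version not recorded; inspect by hand
            elif parse_version(version) < min_safe:
                status = "UPDATE"
            else:
                status = "OK"
            findings.append((path, version, status))
    return findings

def make_sample_jar(path, version):
    """Constructed fixture: a minimal jar carrying only the Maven properties."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")

def demo_scan():
    """Scan a constructed directory; returns {jar name: (version, status)}."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_jar(os.path.join(tmp, "log4j-core-2.14.1.jar"), "2.14.1")
        make_sample_jar(os.path.join(tmp, "log4j-core-2.17.1.jar"), "2.17.1")
        return {os.path.basename(p): (v, s) for p, v, s in scan_tree(tmp)}

if __name__ == "__main__":
    for name, (version, status) in demo_scan().items():
        print(f"{status:6} {version:8} {name}")
```

Run `scan_tree("/opt")` (or wherever your Java services live) on a real host; a REVIEW result means the jar was repackaged without version metadata and needs a manual look.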


In 2021, There Were 50% More DDoS Attacks Than Last Year
Last year, we registered 47 distributed denial-of-service attacks (DDoS), which is 50% more than in 2020. Until the spring, ransom denial-of-service attacks targeted companies, but in the autumn, schools and learning environments became the victims.

One cold afternoon in February, a threatening e-mail was sent to a commercial bank operating in Estonia. Transfer two Bitcoins (worth nearly 56,000 euros at the time) to the account specified in the e-mail, or we will launch a massive denial-of-service attack against your business. The bank had received a similar e-mail and undergone a so-called sample attack four months prior.

Usually, the victim is given more time to react. This time, however, the attack started ten minutes later. At one point, neither Internet banking, card payments, nor the internal services of the bank were available. Although the attack lasted with varying intensity until the evening of the same day, and its effects were felt by both the customers and employees of the bank, the protection measures helped to prevent the worst.

RANSOM DDOS ATTACKS ENDED
Such ransom denial-of-service attacks returned to Estonian cyberspace in the autumn of 2020 and continued in the beginning of 2021. The targets were a number of companies in the technology and financial sectors that have a lot to lose from the disruption of e-services, but which also have above-average levels of cyber security.

The victims who were attacked in the autumn were attacked again a few months later. The attacks were mostly based on intimidation, but there were exceptions. For example, a blackmailer who organised a denial-of-service attack wrote that they needed money for their daughter’s surgery and had run out of other ideas to earn the money they needed.

The methods, scale, and impact of the attacks varied, but the victims were united by the decision not to submit to extortion. The fact that the business plan of the criminals did not work was probably the reason why ransom denial-of-service attacks almost disappeared after the first quarter.

Figure: The number of DDoS attacks is growing. From the summer of 2020, we also collect automatic notifications of denial-of-service attacks without a significant impact, which are clearly on the rise. (Monthly counts from May 2020 to December 2021.)

ATTACKS ON SCHOOLS
They were replaced by a new problem: attacks on schools and the Tahvel and Moodle learning information systems. These attackers were not motivated by the desire to get rich – as far as we know, there have been no attacks on educational institutions that involved a financial demand. Instead, we suspect that students in the same school who had not prepared for a test or did not want to go to school were behind the attacks. The attacks on schools or learning information systems usually took place during school hours. They disappeared during weekends and school breaks, and returned when school began again.

In September, we received reports of denial-of-service attacks on schools or learning environments almost every day. Some of them did not have a significant impact, but some of the attacks disrupted the daily work of the schools: it was not possible to add or view lesson plans, grades, absences, or teaching materials, or to take tests. There were also attacks that affected other authorities that used the same network or name servers as the target school.

A young person might think that by ordering an attack on their school, they could avoid taking a test or could skip school without anyone noticing. An adult, however, knows that this is not the case.

DEVICES LOCATED IN ESTONIA ARE ALSO USED FOR ATTACKS
In most cases, foreign devices are used in denial-of-service attacks against our e-services, but when analysing incidents, we have also found Estonian IP addresses. Their owners may not be aware that their router, printer, or security camera is infected with malware, is connected to a botnet, and attempts to ‘take down’ their home bank or the school of their children. To prevent safe-looking devices from becoming a dangerous tool in the hands of cybercriminals, always make sure to update their software. ●

Financial Fraud Has Become More Diverse
Last year, we received 20% more reports of fraud than the year before about incidents in which Estonian people and companies lost money. The Information System Authority (RIA) only sees the tip of the iceberg, because victims of financial fraud turn primarily to the police.

While attempts are still being made to defraud companies of money with various invoice frauds, last year stood out with the number of frauds against individuals. This may be due to people having more money on their account as a result of the pension reform and the pandemic situation, as well as the growing interest in cryptocurrencies. At the same time, the fraudsters are evolving rapidly and successfully using psychological manipulation techniques. In addition, they have always been able to reap the benefits of changing circumstances.

FRAUDULENT CALLS FROM THE BANK AND THE POLICE
Many of the reports we receive about financial fraud against individuals still involve fraudulent calls on behalf of a bank. The caller is usually a Russian-speaking person, but at the end of the year, there was also a trend where the conversation was started in Estonian and only then handed over to a Russian-speaking ‘customer service representative’. The purpose of the calls is to find out the PINs of the person and use them to clear the bank account.

Although both the police and the Estonian Banking Association have worked hard to raise awareness of the problem (see, for example, the campaign page eiaitah.ee) and it has also been widely covered in the media, there are still many people who believe the callers and end up losing their savings. The figures speak for themselves: according to the police, in the first ten months of the year, people lost 2.8 million euros in this way. The fraudsters were most active during autumn.

At the end of 2021, there was also a wave of calls imitating the police: the caller claims to be from the Estonian police and informs the person that a large loan has been taken on their behalf, or asks for information about a third party and then informs the person that their bank account has been hacked. The purpose of the call is to phish the personal identification code and other data that can be used to carry out frauds.

The fraudsters try various techniques to increase their credibility, such as mentioning their police token number. Behind these calls is an internationally organised network whose call centres make thousands of calls a day and constantly seek to make them more credible to generate revenue.

CRYPTOCURRENCY FRAUDS ARE A RISING TREND
Various frauds related to cryptocurrencies, the losses of which ranged from a few hundred euros to almost 100,000 euros, were a growing trend last year. The most typical were cases where a person had created an account and started operating on a cryptocurrency trading platform, but later found that it was no longer possible to withdraw the money. It often turned out to be a fake platform – a temporary environment specially created by criminals to entice people to make transactions there. After a while, the platform was closed and the money was stolen.

Frauds also have indirect victims
In addition to direct financial loss, invoice fraud can also have indirect victims whose business or reputation may be temporarily damaged. In 2021, there was an example of a company in the medical sector whose name and details were used to send fake invoices to partners in the same field. This temporarily damaged the good name of the company and also caused delays in receiving payments, as partners no longer knew which invoices to trust and which not.


An example of a classic CEO fraud

It is relatively easy to carry out this type of fraud scheme, as the regulation of cryptocurrencies is still under development all over the world (a bill regulating the respective field in Estonia is expected to be approved this spring). So far, almost anyone can create or buy a trading environment for cryptocurrencies, buy fake users and followers, and advertise it on influential social media channels. While the initial recommendation before purchasing any cryptocurrency or joining any environment is always to do a thorough background check, it may not be enough – fake platforms may have fake user reviews, and negative feedback from deceived customers may not reach the forums until it is too late. In addition, there are also criminals following the forums and rushing ‘to help’ those who have lost money, directing them to new phishing sites or fake environments.

Upistic disappeared with the money of the investors
In the last two months of the year, we received reports about the environment upistic.com, which advertised itself as the leading provider of crypto investment services in Estonia and attracted investors from all over the world. However, the environment stopped working and investors, mostly foreigners, lost their money. In the cases reported to us, the damages ranged from a few hundred to a few thousand euros.

In addition to fake platforms, we also received reports of criminals breaking into a person’s crypto wallet (the application where crypto assets were stored) and stealing the contents. The average reported loss was around a few thousand euros. Well-known applications, such as MetaMask, are not inherently unsafe, but they are vulnerable to common threats such as weak passwords, security vulnerabilities in applications such as web browsers, or the user accidentally entering their own crypto keys on a phishing site. While in the case of banks, the responsibility of the bank for deposited money is very clearly regulated and depositors are protected by law, theft in the crypto world usually means the permanent loss of one’s assets.

INVESTMENT ADVICE FROM TINDER?
Many of the frauds we found out about were linked to a specific scheme. In this scheme, victims meet the fraudster on a dating platform – often on Tinder or Facebook Dating. After some time, the ‘beautiful Asian girl’ or ‘young French man’ starts talking about investment opportunities that they have used to improve their lives and on which they have been advised by a ‘relative working in the finance field’.

The conversation was often not intrusive at all and the topic was casually mentioned while talking about their daily activities. These fraudsters often wait for the victims to become interested and start asking additional questions. Once they got to know each other more and some trust was established, the new acquaintance agreed to share their investment recommendations, helped create an account in a specially designed environment, and showed how the initial investment was earning a good profit.

Over time, they encouraged the victim to invest ever-increasing amounts of money. However, when the person wanted to take out the investment, it proved impossible. It was essentially an investment fraud, but instead of aggressive telephone sales, contact was made on a dating platform and the fraudster spent time getting to know the victim.

The story of one fraud
Martin is a successful middle-aged entrepreneur who works in the field of consulting and communicates with a large number of people in Estonia and abroad. One day, he received a Facebook friend request from a lady who introduced herself as a representative of the international fashion industry. She said she had been on holiday in Estonia and was looking for marketing contacts here. Her communication style was polite and professional. In addition, she sent Martin materials related to her professional work and was not in any way intrusive. The lady also talked about her background and achievements and sent pictures – nothing seemed suspicious.

After several weeks of communication, she mentioned her experience in crypto and her plans for specific transactions. As Martin was also interested in the field, he asked for more information and received references and links to various environments. Martin checked them and found no indications that the environments were fake.

Martin then decided to invest 1,000 euros in crypto, which started to make a profit, and initially, he was able to grow his investment. Encouraged by the positive experience, he made two additional investments.

At one point, however, Martin said his ‘intuition awoke’ and when he tried to transfer the earned money back to his crypto account, it failed. In total, Martin lost 8,000 euros. The police say there is not much hope of getting it back and Martin will have to take it as a lesson.

As for money and investment, his advice is to be very careful with any new contacts and not to trust their advice, no matter how skilfully presented.

THERE WERE FEWER FAKE INVOICES THIS YEAR
2021 broke the record with two attempts to commit invoice fraud, the figures of which were unprecedented in Estonia. Fortunately, they remained only attempts. The largest of these took place in the early summer, when criminals began to monitor the e-mail exchange of a large Estonian company with a cooperation partner abroad. At the appropriate time, they intervened and presented fake invoices for a total of several million euros on behalf of the partner.

The e-mail filter system of the company discovered the fraud fairly quickly and no losses were incurred. The Estonian company also did not find any signs of a break-in in its e-mail system, so it could be assumed that the mailbox of the cooperation partner located in Central Europe had been compromised.

The second case took place at the beginning of the year, when the attentive staff of a construction company was able to prevent a similar attempt to commit invoice fraud for 900,000 euros. Both of these cases show that appropriate protection measures and staff awareness of the most common scams do pay off.

There were also some successful invoice frauds in 2021. To our knowledge, the largest amount lost was 35,000 euros.

In addition to the way described above, where fraud is carried out by breaking into the system and hijacking the e-mail conversation, the classic CEO frauds are also still used. In December, a dozen companies informed us that their accountant had received a letter from the CEO or a member of the management board requesting an urgent transfer to a foreign bank account. In at least one case, the transfer was made and 15,000 euros reached the account of the fraudster. However, general awareness of this type of fraud has grown over the years and there are fewer cases of major financial losses. ●
