The State Information System’s Authority (RIA) discovered three similar attacks against Estonian IT infrastructure in November that also left perpetrators with people’s personal information. The Health Board will notify people whose data was compromised.
Cybercriminals attack three ministries
The cyberattacks hit Ministry of Economic Affairs and Communications (MKM), Ministry of Social Affairs and Ministry of Foreign Affairs servers.
The attackers managed to access MKM administrative area servers, while several access attempts included elements of criminal activity.
Head of cybersecurity policy for MKM Raul Rikk said that the attacks were aimed at agencies in the ministry’s administrative area. A total of 350 gigabytes of data was lifted from Road Administration, Consumer Protection Authority, Technical Regulatory Authority, Geology Service, Civil Aviation Administration and Maritime Administration databases.
Public services safe
Data leaked from a total of 11 servers and mostly consisted of public information of an outdated document system. Rikk said the full extent of the leak is being investigated.
The attack hit MKM agencies the hardest. “Despite the severity of these attacks, public services are safe. We have included both private and public sector IT specialists in investigating the incident. Initial security measures have been taken and we are working toward making sure such attacks could not happen again,” the cybersecurity policy director said.
Criminals managed to access information of 9,158 people in the administrative area of the Ministry of Social Affairs. The data breach concerned circumstances of the spread of infectious diseases. The Health and Welfare Information Systems Center (TEHIK) cut the attacker off from the system after eight hours. The Health Board and TEHIK will contact people the breach concerns in the coming days.
Head of security at TEHIK Tõnis Komp said that the center’s online environment was breached to access Health Board data. Komp emphasized that digital medical records were not accessed.
“We will analyze the security of systems to ensure quality operation. Our time is currently spent monitoring the systems as attempts to breach them seem to be continuing. We are working round the clock,” Komp said.
Head of RIA’s cybersecurity service Lauri Aasmann said that the Ministry of Foreign Affairs was the least hit.
“They only managed to hijack accounts that can be used to alter content on the ministry’s website,” Aasmann explained.
He described all three attacks as very serious incidents.
“We have the situation under control by today. We have given both public and private sector partners information to make it less likely such attacks could be successfully repeated. RIA will continue analyzing the incidents in more detail. We have been in touch with the software developer and the vulnerabilities have been patched by now,” he added.
Criminal proceedings launched
The Central Criminal Police have launched criminal proceedings to trace the origin and perpetrators of the attacks but cannot divulge much at this point.
State prosecutor Eleliis Rattam said that it cannot be revealed when the incidents took place, adding that the Prosecutor’s Office launched proceedings in November.
Rattam said proceedings are based on the Penal Code section that deals with illegally accessing computer systems. The maximum punishment for such an offense is five years in prison.
“We are in the phase of actively collecting evidence and cannot disclose much. I can assure you that we are actively working on identifying the attacker, also in international cooperation, which is very time-consuming. We also cannot speculate as to the location of the attacker as such information could make it harder to apprehend them,” Rattam explained.
The method used to access the data will not be disclosed, while it is clear freely available software was used. Head of cybersecurity policy Raul Rikk admitted that not everything can be prevented. “We can compare it to a traffic accident – there will always be incidents to jeopardize the system.”
Deputy head of cybersecurity for RIA Lauri Aasmann said the attack came as a surprise as authorities believed the software to be secure. “The vulnerability took us by surprise. We have informed the developer and are waiting for the software to be patched,” he said.