Cyber attacks against Estonian state institutions, companies continued in January

Cyber attack.
Cyber attack. Photo: Sander Ilvest

The Estonian Information System Authority (RIA) registered a total of 188 cyber incidents that affected the work of companies, agencies and services or caused harm to people.

In addition, the authority's fresh risk assessment warns against ransomware attacks, spokespeople for RIA said on Thursday.

Distributed denial-of-service (DDoS) attacks, which attempt to take down websites and services en masse, have become a daily occurrence in the past year, it is only the targets that change from month to month.

«Last month, attackers focused on the Estonian financial sector and insurance providers. State institutions are under constant attack,» RIA cyber security expert Veikko Raasuke said.

He added that this year's first major wave of attacks in Estonia took place on Jan. 15.

«Mass requests were used to try to disrupt the work of the websites,,,,,,,, and Since we have implemented defensive measures, the desired effect was not achieved with the attacks,» Raasuke said.

On Jan. 19 and 20, the Ministry of Foreign Affairs was targeted more specifically, which is why there may have been short-term failures in the services. Another bigger wave was organized from Jan. 23 to 27, when state institutions and financial and insurance companies were attacked. Pro-Russian hacktivists also interfered with the work of Danish banks, which is why the websites of seven private banks were temporarily offline.

Other types of cyber attacks have not disappeared either -- phishing e-mails that try to imitate banks and e-mail service providers, such as, are still being sent to Estonian people. Websites imitating courier and logistics companies have also not disappeared.

«Scam websites and e-mails are of increasingly high quality, both linguistically and visually. It is increasingly difficult to determine whether a website is fake by its appearance. We advise people to pay attention to the website address. If an e-mail is sent from the address or, it should trigger an alert light. The same goes for website addresses. If the name of the website is or, then someone is trying to pull the wool over your eyes,» the expert said.

The CERT-EE cyber response unit of RIA was notified about scam e-mails impersonating the police on 176 occasions, which is just the tip of the iceberg. Many recipients of the e-mails do not even bother to inform RIA about them anymore, because they have become so commonplace. However, RIA is asking people to notify CERT-EE even if just for the purpose of collecting statistics by forwarding the received letter as an attachment to the e-mail address

Scam websites and e-mails are used to steal information and money from people.

«If the criminals have your data, they will try to move on to your money. You have to protect your data, because it eventually leads to your wallet. The more information there is, the easier it is to finally break open the wallet,» Raasuke said.

In January, ransomware attacks disrupted the British postal service Royal Mail, which was unable to send goods abroad for a while. The attack was likely carried out with the LockBit malware. DNV, one of the world's leading maritime software companies, was hit by a ransomware attack on Jan. 7, affecting the operation of a thousand vessels.

In February, there have been many reports of ransomware attacks exploiting a long-known vulnerability in VMware's ESXi servers. This vulnerability has been known for two years, but unpatched servers still exist. As of Feb. 8, approximately a few thousand ESXi systems have likely fallen victim to such ransomware attacks worldwide, with Europe seemingly the focus of them.

There is currently one case known in Estonia where a weakness was most likely used to carry out a ransomware attack. Since the use of VMware ESXi is quite common in Estonia, there may be many Estonian companies and organizations that are potentially at risk, according to CERT-EE. RIA prepared a risk assessment that provides an overview of the vulnerability and which systems are affected. The analysis also provides recommendations on how companies can protect themselves.