INFORMATION SYSTEM AUTHORITY
8 May 2020
The new yearbook introduces the work of RIA and the events of 2019 in Estonian cyberspace
The yearbook describes the role of the departments of the Information System Authority (RIA) in the e-state and gives an overview of cyber incidents of 2019 in Estonia.
‘Last year was full of changes for the Information System Authority. A large part of our management changed, creating an essentially new mindset for the authority. New people mean new ideas and new directions to boost the e-state. So far, our annual summaries have focused on cybersecurity, but in the new book, we cover all of RIA’s areas of activity and the authority’s future plans as well as discuss cyber attacks and prevention thereof,’ said Margus Noormaa, Director General of RIA.
The book introduces the current and future tasks of RIA’s departments. ‘In cooperation with the Ministry of Social Affairs and other partners, RIA is developing a consent service that would open up the Estonian data economy and provide momentum for personal medicine,’ Noormaa gave as an example. Among other things, the book features information about the state network, DigiDoc4 software, protection of critical information infrastructure, and CERT-EE.
In Estonian cyberspace, 2019 was the year of phishing: both the number of attempts to phish data from users and the number of websites created for this purpose doubled. Last year, RIA’s Incident Response Department (CERT-EE) received almost 25,000 notifications of cyber incidents. More than 3,000 of those caused disruptions in the confidentiality, integrity, or availability of information or systems.
The yearbook of the Information System Authority is available on RIA’s website. Excerpts from the yearbook on cybersecurity (starting from page 32):
Stolen account data
In addition to phishing letters and sites created to steal money, phishing campaigns that stole account data also did a lot of damage. A simple e-mail that warns you that your mailbox is full or asks you to change your password may, on the face of it, merely give criminals easy access to your personal messages and a platform for spreading their phishing e-mails further. However, there is often a long-term plan behind such account data breaches: to look up the organisation’s business partners in the e-mails, to intervene in e-mail conversations, and to send an e-mail at the right moment stating that the bank account for payment has changed. Last year, we repeatedly saw phishing scams that could have been prevented with multi-factor authentication. Employees of local governments, of at least three of Estonia’s largest universities, of hospitals, and of smaller institutions such as a fuel company and a road maintenance company have fallen victim to such phishing. Eliminating the consequences of incidents and determining the extent of information leaks is often complicated by the fact that information security teams (if there are any) or service providers do not have enough logs to determine which e-mail accounts were compromised and to what extent. Proper management of logs is essential if an organisation is to understand what type of information has been stolen.
BEC schemes are waiting for new data
The biggest impact in 2018 was caused by financial fraud initiated through compromised e-mail accounts (business e-mail compromise, or BEC, schemes), which caused at least 600,000 euros in damage to Estonian companies. In 2019, we again paid attention to these incidents, but fortunately we learned of significantly less damage. As far as we know, the largest amount transferred to the wrong bank account due to fraud was 112,000 euros. In that case, the company recovered the lost amount thanks to cooperation between banks. It is important to note that BEC schemes can affect anyone: any Estonian company cooperating with a foreign partner may lose data (and then money) as a result of phishing of account data.
In most cases, the victims were importers of certain products (tools, tyre products, industrial equipment, medical equipment, etc.), and the amounts lost ranged from 1,000 euros to 70,000 euros. However, we have also heard of several cases that were discovered by attentive accountants or managers and where no damage was suffered. We were also informed of situations where foreign business partners of Estonian companies suffered losses due to similar schemes. Therefore, it is important that Estonian companies that have avoided damage from an account data leak also inform their foreign partners, who may become the next target of the fraudsters.
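The two excerpts above make the same point from two sides: the attacker reads partner correspondence from a phished mailbox and then sends a "new bank account" e-mail, and responders can only scope that if mailbox audit logs exist. The following is an added illustration, not code from RIA or the yearbook; the audit-log format, field names and IP addresses are constructed assumptions, and the logic simply groups activity from outside the company's known addresses per account and flags the actions that matter for a BEC case.

```python
# Added example (not from the RIA yearbook): scoping an account-data compromise
# from mailbox audit logs. Event format and values below are constructed.
import json
from collections import defaultdict

# Constructed audit events, one JSON object per line. In a real tenant these come
# from the mail provider's audit log; without them the questions "which accounts
# were compromised, and what was read or sent?" cannot be answered.
AUDIT_LOG = """\
{"ts":"2019-03-04T08:02:11Z","user":"accounts@example.ee","op":"Login","ip":"198.51.100.7"}
{"ts":"2019-03-04T08:05:40Z","user":"accounts@example.ee","op":"MailRead","ip":"198.51.100.7","subject":"Invoice 2019-118 from partner.de"}
{"ts":"2019-03-04T08:07:02Z","user":"accounts@example.ee","op":"RuleCreated","ip":"198.51.100.7","rule":"forward partner.de to external"}
{"ts":"2019-03-04T09:15:00Z","user":"accounts@example.ee","op":"MailSent","ip":"198.51.100.7","to":"billing@partner.de","subject":"RE: Invoice 2019-118 - new bank account details"}
{"ts":"2019-03-04T10:00:00Z","user":"ceo@example.ee","op":"Login","ip":"203.0.113.25"}
{"ts":"2019-03-04T10:01:00Z","user":"ceo@example.ee","op":"MailRead","ip":"203.0.113.25","subject":"Board minutes"}
"""

# Assumption: the organisation's own egress addresses are known (constructed value).
TRUSTED_IPS = {"203.0.113.25"}
# Subjects that indicate the payment-redirection step of a BEC scheme.
PAYMENT_KEYWORDS = ("bank account", "payment details", "iban")


def scope_compromise(log_text, trusted_ips=TRUSTED_IPS):
    """Per account: first foreign session, mail read, rules created, payment-change mail sent."""
    findings = defaultdict(lambda: {"first_seen": None, "read": [], "rules": [], "payment_mails": []})
    for line in log_text.splitlines():
        ev = json.loads(line)
        if ev["ip"] in trusted_ips:
            continue  # activity from known company addresses is out of scope here
        f = findings[ev["user"]]
        if f["first_seen"] is None:
            f["first_seen"] = ev["ts"]  # earliest sign of attacker access to this mailbox
        if ev["op"] == "MailRead":
            f["read"].append(ev["subject"])  # what partner information the attacker saw
        elif ev["op"] == "RuleCreated":
            f["rules"].append(ev["rule"])  # persistence: forwarding/hiding rules
        elif ev["op"] == "MailSent" and any(k in ev["subject"].lower() for k in PAYMENT_KEYWORDS):
            f["payment_mails"].append(ev["to"])  # partners who must be warned
    return dict(findings)


if __name__ == "__main__":
    for user, f in scope_compromise(AUDIT_LOG).items():
        print(user, json.dumps(f, indent=1))
```

The `payment_mails` list is the set of foreign partners to notify, which is the step the yearbook asks affected Estonian companies to take.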
Significant service interruptions
In 2019, we wrote in the Cybersecurity Yearbook: ‘Maintaining cybersecurity in Estonia requires constant effort and vigilance from business and government leaders. Updates and security standards are important, and it is also vital to invest time and money in updates and standards. To avoid significant cyber incidents in the future, this work needs to be done.’ In 2019, we saw significant service interruptions that could have had a far-reaching impact on the people of Estonia: a software error left the Emergency Response Centre’s phones silent for 20 minutes in September; due to an unnoticed break in the state network cables, the digital prescription and the state portal were inaccessible for hours in November; then, the digital prescription was again inaccessible in December due to maintenance of aging systems. The transfer of Mobile-ID to new systems cut off this method of authentication and signing for 24 hours in May; the population register, the national authentication service, the new version of X-tee, etc. also suffered failures. The Estonian people are so used to digital services that it is necessary to invest in their availability, check the continuity of operations, test systems, improve procedures, and test again. Service interruptions in 2019 were mostly caused by human error, administrative errors, or natural causes, but vulnerable systems can also fail because of malicious people and threats with public connections who do not care about our safety or health.