Category Archives: Countersurveillance

Estonian Internal Security Service (KaPo) Yearbook 2016

KaPo annual review 2016 discusses cyber security on page 21:

In 2016, Estonia also saw some attempts to access the information of the state’s high-level decision-makers. The attacks were extremely skilfully executed from the technical point of view with the use of credible fake e-mails and previously unknown technical methods. In view of the functioning mechanisms of the abovementioned APTs, it is clear that attacks cannot be avoided entirely, but they need to be identified, and major damage needs to be mitigated.
As far as Estonia is concerned, we forecast that cyber threats will increase in 2017 due to the EU presidency and the arrival of NATO units.

The section “Protection of state secrets” covers the case of Alexander Goncharov and Ivo Jurak on which we reported before.


Russian special forces operated fake GSM base station in Pärnu


In April 2015 NATO brought their special forces to Estonia for a secret NATO exercise. In the days that followed Russia unleashed a series of aggressive counter measures to monitor their exercises.

Estonian signals intelligence quickly discovered an IMSI-catcher – a false cell phone tower in the local cellular network. NATO believes that the Russians attempted to identify the key NATO personnel.

Classified NATO report: “The ghost tower came online briefly twice during the day. It overtook all local towers and hijacked all the local recipients before it dropped offline.”


Estonian Internal Security Service (KaPo) Yearbook 2015


In providing cyber security, the objective of the Internal Security Service is to identify cyber-attacks that could have been initiated by a foreign state or may threaten national security. The Information System Authority, the Estonian Information Board and the Police and Border Guard Board play an important role in the national cyber security community.

ISS doesn’t have much to inform us about. The section “Cyber Security” on page 22 and 23 contains mainly compilation of cyber security best practices.

Defacement and denial-of-service attacks can also become parts of sending a message to the enemy, i.e. influence operations. Some Estonian websites were defaced with Daesh symbols and messages in 2015. Although this was part of a global marketing campaign, it could also be regarded as a message to Estonian society.


GSM jammer found on the table of deputy mayor of Tallinn


An unique device was noticed on the table of Tallinn deputy mayor Kalle Klandorf during a interview which took place on Thursday. It is probably a jammer. Jammer is an electronic device which fills specific frequencies with electromagnetic noise. Other devices using the same frequencies are unable to transmit.

Even though the exact inscription is not seen, it may be [this device, costing USD 208]. The device blocks frequencies 925-960 MHz, 1805-1880 MHz and 1930-1990 Mhz used for mobile phones. It also blocks WiFi connection on 2.4GHz and UHF frequencies 400-470 MHz.

Klandorf laughed at the question if there is an jammer on his table. “I haven’t noticed. Maybe it’s not mine? I haven’t bough. I don’t know” he replied. He suggested that it may be a handheld radio. Ten of those were recently bought for the municipal police and crisis team. Klandorf thought that it could be a amplifier. Considering wiretapping, Klandorf said that he wouldn’t mind if they listen.

According to Electronic Communication Act p. 23 it is forbidden to use devices which create interference and disturbs radio communication. It is forbidden to sell, facilitate etc. and importing into EU. [According to the Technical Regulatory Authority], it is forbidden to allow such devices to the market and take into use because they do not comply with the regulations.

The use of frequency jammers is probably one of the methods how bribery allegations facing mayor of Tallinn tried to prevent eavesdropping by KAPO.

Comment by Estonian jammer vendor:

According to research director of OÜ Rantelon professor emeritus Andres Taklaja, the device in Klandorf’s office is meant to interrupt wiretapping devices. OÜ Rantelon produces commercial jamming devices for govermental agencies and defence forces. He said that most certainly it is a jammer. It looks like a cheap jammer with separate antenna for every frequency range. He suggested that if there is a jammer, then there must be bugs.

“These gentlemen should know the frequencies used by the bugs as they were former militiamen. They probably chose the device according to the potential bugs. The looks of the device depends on the frequencies it is meant to interfere. The length of the antennas depends on the wavelength of the radio-waves. It is possible to deduce the frequencies by external observation.”

“If the device is too powerful, then it may interfere with other equipment in the building, so I suspect that it is quite low-power. The device is powered from the plug and the power can be adjusted. It could have a battery but such devices take quite a lot of power. If it is unplugged, then it is probably turned off.” Rantelon produces bigger and more powerful devices as they are meant to be used in the field. The professor didn’t suggest how the deputy mayor could have obtained the jammer.


The suspected mayor of Tallinn ordered regular bug sweeps


By eavesdropping on telephone calls, the investigators were aware who and when Mr Savisaar met and what to keep in mind while collecting evidence. The investigators were aware that dark matters are not discussed over the phone, and that plain speech would be avoided if at all possible.

Here is where hidden cameras are helpful, installed by court permission. However, even these are in danger to be discovered. Especially with Mr Savisaar, as the all-suspecting Mayor of Tallinn is in the habit of asking people close to him «bug control» places linked to him from time to time. Therefore, Kapo was at pains to diligently plan where and for how long to install stuff.


US Embassy collects personal data about people in Tallinn


Postimees possesses a document proving that a secret unit at US Embassy has for years been surveying people on streets of Tallinn, collecting personal data citing security, and entering those whose behaviour causes suspicion into global terror database. All this is approved by Estonian interior ministry and happens with help by police.

The rules regarding reporting suspicious behaviour are so strict that it seemingly takes trivialities to get reported. As an example of that, there is this Tallinn housewife included who often waits long for her child at the Südalinna School. Or take the old lady walking her dog in Lembitu Park. Need some more? A report has also been filed on a man who attends Alcoholics Anonymous close by.

The activity of the unit is okayed by Estonian government. Its information reaches the police, as agreed between the two countries. Automatic inquiry reaches Central Criminal Police which, as requested by the embassy, discloses personal data – such as background of the owner of a car, the person on the picture and his/her background. These data are added to the SIMAS report. Depending on the behaviour of the people concerned, entries may remain active for 5 to 20 years – or permanently. Getting entered may affect decision by USA whether or not to grant visa for entry.

Erkki Koort of the Ministry of the Interior comments:

Why and on what basis does Estonian police hand personal data of our citizens to US Embassy as soon as they apply for it?
State agencies share data with third parties strictly pursuant to law. Suspected attack against a diplomatic representation or danger towards human lives or health is reason enough, doubtless, to exchange data. The question leaves one with the impression like Estonian state agencies would submit data upon initial request. This definitely is not the case.