Category Archives: Incidents

DDoS attack against Omniva’s partner distrupts the work of parcel machines


The DDoS (Distributed Denial of Service) attack that started yesterday (22.10) at 2.30 p.m. and is still ongoing, was directed at the Integer network of Omniva’s cooperation partner, and resulted in a global error in Integer systems. The attack was isolated and main functions of the system were restored by 7 p.m. yesterday evening. The functionality check of parcel machines was completed at 8 p.m. By now, the attack no longer jeopardizes Omniva’s systems. In addition, databases and customer data stored in Integer are definitely protected and are not affected by the attack in any way.

In connection with the attack, sending parcels from parcel machines and receiving paid parcels from the parcel machines was disrupted from 2.30 p.m. to 7 p.m. Customers were able to use parcel machines for receiving packages that were free of charge.

From the description it seems that Omniva accessed Integer’s databases from the same public channel which was attacked, but now Omniva has non-public access to Integer’s databases, which is not available to the attackers.


Four PBGB officials fired in 2014 for misusing police database


Sixteen officials faced disciplinary proceedings for Police and Border Guard Board’s (PPA) KAIRI information system. Four lost to their jobs for unauthorized access. For example, one police officer from Jõhvi made 170 queries on 70 individuals, 52 vehicles and 11 phone numbers, none related to his official duties. “PPA takes data handling very seriously and exercises ever stronger control over the use of its information systems,” said Anne Abel from PPA’s internal audit office.

Good work by PPA’s internal audit office. What about other institutions which hold state information systems?


SEB Estonia Internet bank ID card authentication bypass


The flaw in SEB Estonia Internet bank allows to login just by knowing the victim’s username. The consequences of the flaw go beyond the read-only access to victim’s transaction history. The victim can be impersonated in any website that supports authentication through SEB (,,, etc.). The flaw can be abused to buy goods from online merchants (as shown in the video) since SEB does not require signature authorization for “banklink” transactions.

2015.05.11. 13:00 – reported to CERT-EE
2015.05.14. 12:00 – fixed by SEB Estonia

The time that was required for SEB to fix such a critical flaw surprises a bit.

SEB’s response:

SEB spokesman commented that “referred security issue existed in so-called laboratory conditions meaning that it needed several conditions to coincide and a specific knowledge”.

“Security issue got fixed and we also checked that the flaw was not maliciously exploited” said SEB’s spokesman and added that the problem got fixed faster than in an hour, after all the needed information was received.


Anto Veldre (RIA): It is better that ethical people with academic degree are looking for security holes than cyber criminals doing it. People should understand that new technology is complicated, systems at home and servers need to have updates everyday there is no such a thing like secure system (security) but there are people and control methods, if there is a problem it will be handled and afterwards logs are checked if something really happened.


Silver Vohu (SEB): It took less than an hour to make a fix. But reproducing the situation took most of the days and asking additional questions from CERT-EE was needed. In normal situation it was impossible to reproduce the problem.


EISA Cyber Security Report 2014


Interesting quotes from the report:

In 2014, RIA aggregated its functions related to guaranteeing cyber security in the cyber security branch. Incident response, risk control and regulation supervision, as well as research and development activities are now determined more clearly, which also allows for a more efficient use of resources.

Skilful phishing of cloud service accounts (e.g. Gmail, Hotmail), which has continued at unprecedented levels at the beginning of 2015 as well. E-mails seem to be coming from a seemingly trustworthy source and have significantly improved in quality both content and Estonian language wise, which means that the receiver of the e-mail has to be even more attentive and critical in order to detect the fraud.

Intrusion into websites is more difficult to identify. It is becoming more common that the infector uploads the malware for a very short time period and takes into consideration, which IP-address is used to visit the site. For instance, if users visit the website from Estonia, they receive a different type of malware than the users who access the website from the USA.

In 2014, there was a slight increase in the percentage of incidents that had actual consequences for the institutions and users. For instance, the use of document management system was disabled or, in more severe cases, digital prescription or Schengen information systems were down.

The incidents at the end of the year were mainly virus outbreaks and well-aimed phishing letters, but also distributed denial of service attacks, many of which did not last for a very long time, but according to RIA’s estimate, seemed to be mapping the resilience of systems.

As the life cycle of all algorithms is limited, the time to act in order to update all the cryptographic methods of services is even more limited. At some point, it might appear that smooth transition period has not been sufficient; e.g., when powerful quantum computers are used to break the cryptography. We need to have an action plan for the scenario when any of the algorithms important for some Estonian e-service has been broken. RIA sees a clear need to have such plans and to rehearse them.

The results of the Eurobarometer 2014 survey showed that Estonians trust the state as the guard of personal data more than in Europe on the average. Estonians are also less worried about the consequences of cyber-attacks and claim to be good at identifying fake e-mails.

On 1 July 2014, the Act for the Amendment and Application of the Law Enforcement Act entered into force. Pursuant to this act, starting from summer 2014, RIA is a law enforcement body. According to the changes, the Technical Regulatory Authority’s supervisory competency of guaranteeing the security and integrity of communication networks and services set in the Electronic Communications Act was transferred to RIA. The same draft also established RIA’s supervisory competency in the Emergency Act and the Public Information Act.

On 11 September, the government approved the “Cyber Security Strategy for 2014–2017” and its implementation plan. The strategy continues to target several goals set in the previous cyber security strategy, but there have also been new risks and requirements added. The dependency of the functioning of the state on information technology has increased and cross-dependencies have also increased, meaning that the provision of several critical services is no longer dependent on the functioning of Estonian IT-systems but also on the infrastructure and e-services in other countries.

In 2014, RIA, in cooperation with its partner organisations, developed common principles of readiness for emergency and cooperation in case of large-scale cyber incidents. An interagency working group lead by RIA prepared the draft for the Government of the Republic’s order “Plan for solving a large-scale cyber incident emergency”.

In addition to reacting to everyday vulnerabilities and risks, the key words for RIA in 2015 are improving the monitoring and resilience of the government network, cooperation with the field of medicine and solutions and risks related to the e-residents programme.


The hacker who attacked the website of “Meie Maa” newspaper fined EUR 455


A 22-year-old hacker has been fined 455 euros for breaching the Meie Maa media website and disabling the comments section, which then diverted readers to a rival site. The attack took place in May, forcing Meie Maa, a media outlet in Saare County, to temporarily shut down its comments section, Meie Maa reported. Readers entering the section were told the site is unsafe and were directed to Saarte Hääl, a rival news site.

The Western District Prosecutor’s Office fined the man 455 euros, of which 100 euros, which has already been paid, will go to Meie Maa as compensation for damages and 355 euros will go to state coffers. Head of Meie Maa, Priit Rauniste, said they are yet to decide whether they will pursue civil action against the man.

Escaped criminal punishment – Western District Prosecutor’s Office closed the criminal proceedings in this case.

Apparently, had a XSS vulnerability in the comments section, which was exploited by adding a HTML code which displayed the message and redirected visitor’s browser to other news site.

Not clear how the fine was calculated and what section under Estonian Penal Code was originally imposed against the attacker.