Estonian intelligence reports foreign hackers breached email provider

Pierluigi Paganini April 29, 2020

State-sponsored hackers have compromised a small number of accounts of the Estonian email provider belonging to high-profile people.

Alleged state-sponsored hackers have hijacked a small number of accounts at the Estonian email provider, they exploited a zero-day vulnerability in the attack. According to the end-of-year report published this month by Estonian Internal Security Service (KaPo), the hacked accounts belong to persons of interest to a foreign country.

The attacks took place in 2019 and since then the provider has identified the vulnerability and addressed it.

“[] It is widely used among the Estonian population, the attacker was able to run malicious code on target accounts by exploiting a critical security vulnerability that was unknown to the provider.” states the KaPo’s report.

“The vulnerability was only exploited to hijack a small number of email accounts belonging to persons of interest to a foreign country,”

The KaPo’s report doesn’t name the victims, it only confirmed that hackers used a malicious code in the email sent to the victims that triggered the zero-day flaw.

Once the recipient has opened the emails using the portal, the code was executed, then it enabled the email forwarding to the attacker.

“Specifically: if the attacker sent an email to the target, once it has opened the message the malicious code was executed and set up the email forwarding on the victim’s account.” continues the report. “From the moment the malicious message has been opened, all messages sent to the target were redirected an email account under the control of the attacker. We emphasize that it was enough to open the letter – there was no need to open an attachment or click on the attached link.”

According to the report, the attacks were highly targeted and hit “a small number of email accounts belonging to persons of interest to a foreign country.” The intelligence agency confirmed that the attack did not hit generic accounts.

The report also described spear-phishing attacks carried out by APT groups against organizations and businesses in Estonia. The Estonian intelligence attributed the attacks to Gamaredon and Silent Librarian.

“An attempt to gain access to some e-mail accounts related to the University of Tartu was also made by attackers. It was the case of a campaign carried out by the Iran-linked group known as the Silent Librarian and the Mabna Institute. The University was able to detect both the attacks.

businesses and research institutions are often unaware that their data could be of interest to foreign intelligence agencies working in the economic interests of their country,”.

KaPo’s report also includes recommendations for companies that might be the target of nation-state actors.

Please give me your vote for European Cybersecurity Blogger Awards – VOTE FOR YOUR WINNERS

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs –, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment