Russia's GRU stole thousands of confidential documents from Estonia's ministries
Thousands of confidential Estonian documents were stolen by hackers from Russia's military intelligence (GRU) in 2020, including business secrets and health data. Estonia is seeking three people in connection with the cyberattacks.
On Thursday evening, an international joint operation – including Estonia's security services – attributed a string of cyberattacks against NATO, Ukraine and EU member states to Unit 29155 of Russia's military intelligence (GRU).
This is the first time Estonia has attributed cyberattacks against the state to the perpetrator of the attacks.
The Ministry of Economic Affairs and Communications (MKM) was the worst hit in the November 2020 incident, with 360 gigabytes of data stolen. But the Transport Administration, Maritime Administration, Geological Survey, Consumer Protection and Technical Regulatory Authority, and the Civil Aviation Administration were also attacked.
No state secrets were accessed, Internal Security Service (ISS) Director General Margo Palloson said on Friday. However, some confidential information intended for internal use was taken.
"Of course, all the information about Estonian infrastructure, especially critical infrastructure, critical service providers, it's all in the focus of Russian special services," said Palloson. "This is the kind of information that they are trying to collect and map, and it is undoubtedly circulating within the Ministry of Economic Affairs and Communications."
Hackers who broke into the information systems indiscriminately downloaded everything they could.
"On the more substantive side, we are talking about generic strategy documents, staff lists, pay scales, and other such working documents," said Ago Ambur, head of the Cybercrime Bureau at the National Criminal Police of the Estonian Police and Border Guard Board (PPA).
GRU stole personal data and business secrets
MKM Secretary General Ahti Kuningas said the hackers could access everything in the ministry's public document registers. At the time of the attack, this included documents from several years ago.
"For example, personal data of employees, salary documents, various strategy documents, other working documents. And correspondence with companies, where companies have also had certain sensitive data," he said.
Kuningas said it is difficult to estimate how many companies' trade secrets could have been stolen as the whole package of leaked documents has not been reviewed.
"As a rule, companies do not share trade secrets with us either," the secretary general said. "There is more direct communication with the state's own companies, which may contain information sensitive to a particular company."
He added that no sensitive navigation data was leaked and its value disappears quickly anyway.
"And anything that concerns state secrets and high-level strategic documents of the state does not move in this system. They move in a separate system," Kuningas stressed.
Freely available software used in the attack
GRU agents also stole the health data of nearly 10,000 people infected with the coronavirus from the Health and Welfare Information Systems Center (TEHIK), which is under the administration of the Ministry of Social Affairs.
But they could only get their hands on public information on the web server from the Ministry of Foreign Affairs, which suffered the least during the attack.
Ambur said the hackers reached the institutions' internal networks through security holes in the web servers. GRU used fairly common and freely available tools to map security holes and steal data, he said.
Estonian security authorities can only guess what was done with the stolen information.
"This data can certainly be used to plan future intelligence operations. Both for human intelligence and cyber intelligence," Palloson said. "It is also common for this data to be altered and leaked to damage the reputation of the Estonian state."
Palloson added that, to date, this information has not been leaked to the ISS.
Unit 29155 attacked 26 countries
Ambur said the first suspect was identified shortly after the attacks: "From there, we took the time to work with both national and international partner institutions to put together a complete picture."
GRU's unit 29155 is at the center of the story. Operating since 2008, the unit has been linked to the 2018 poisoning of former GRU officer Sergei Skripal in the UK and to the attempted coup in Montenegro in 2016. The Czechs also blame the unit in connection with the 2014 ammunition depot explosions.
"And as of 2020, the same GRU has also developed cyber capabilities and actively engaged in attacks against NATO and EU countries," Palloson said.
The attacks that hit Estonia in November of the same year were just the beginning. He said 26 countries have been attacked to date, including Ukraine, which was hit particularly hard in 2022 just before Russia's full-scale invasion.
According to the U.S. Department of Justice, in August 2022, the same group also attacked the transport infrastructure of a Central European country that supports Ukraine.
Estonia seeking three suspects
As the attacks increased, more and more countries joined the international investigation, and the collaboration was named Operation Toy Soldier. On Thursday evening, the countries made the operation public.
The U.S. Department of Justice is seeking five GRU officers and one civilian in connection with the attacks. A $10 million bounty has been put up to capture them all.
Among them are Col. Yuri Denisov, the head of the GRU cyber unit, and Nikolay Korchagin, a member of the unit. The Estonian Prosecutor's Office said both men were also involved in the attacks that hit Estonia. In addition, the Harju County Court authorized the arrest of Vitaly Shevchenko, another member of the cyber unit.
"The State Prosecutor's Office has reason to suspect them of preparing a computer crime, illegally obtaining access to a computer system and intelligence activities against the Republic of Estonia," said State Prosecutor Vahur Verte. "These are crimes for which they could face up to 20 years in prison if convicted."
All the suspects are currently in Russia, he said.
Number of successful cyber attacks rising
This is the first time in history that Estonia attributes cyber attacks against the state to the perpetrators of the crime.
"The qualitative meaning of this attribution is that we can show that Estonia itself is capable of conducting such research and achieving real results," said Tanel Sepp, ambassador at large for cyber diplomacy at the Ministry of Foreign Affairs, who added that the ministry is trying to promote responsible behavior in cyberspace.
"The attributions are the milestones of how we can call countries to account," Sepp said.
Palloson said GRU's attempts to attack Estonia and other countries' information systems continue to this day.
However, these are only a small part of the attacks that hit Estonia.
Gert Auväärt, head of the Cyber Security Center at the Information System Authority (RIA), said that in 2023 there were approximately 3,300 cyber incidents in Estonia.
"I am referring to an incident in which the attacker either partially or completely achieved his objective. In the seven months of this year, we have come up to the same number," he said.
RIA: MKM received €8,000 fine
After the 2020 attack, RIA found the system errors that enabled the attack.
"This particular supervision resulted in a misdemeanor proceeding against the Ministry of Economic Affairs and Communications," said Auväärt. The ministry was handed an €8,000 fine as it was unable to correct the errors quickly enough.
This was also acknowledged by Kuningas. "In the past, the work had been somewhat slow, but when I entered the process myself, the changes were made very quickly," said the ministry's secretary general, who took office in the fall of 2022.
He stressed that the critical repair work was started at the ministry immediately after the attack. "The whole authentication system was immediately changed. All the passwords were changed and security shields were also put on," Kuningas listed.
"But RIA was unhappy with the internal processes within the ministry, i.e. how risk is assessed and how assets are mapped," he added. "Document management and housekeeping was not yet as good as the RIA would have liked."
Kuningas said the ministry spent over €2 million on improving its information systems. "All back-end software was shut down, existing assets upgraded, the server fleet upgraded," he said, adding that today the ministry's IT affairs are organized quite differently.
Editor: Marko Tooming, Helen Wright