Ministry did not patch security vulnerabilities after cyberattack
Following a 2020 cyberattack by Russian military intelligence, the Estonian Information System Authority (RIA) launched misdemeanor proceedings against the Ministry of Economic Affairs and Communications (MKM), which resulted in a fine. The ministry failed to address system security vulnerabilities in a timely manner.
In the 2020 cyberattack against Estonian state institutions, Russian military intelligence (GRU) stole the most data from the Ministry of Economic Affairs and Communications (MKM), amounting to 360 gigabytes. Although GRU did not gain access to state secrets, they obtained internal information intended for use within the ministry.
"There were some documents with a certain level of restricted access (AK). These included, for example, employees' personal data, payroll documents, various strategy papers, work documents and correspondence with companies, which also contained certain sensitive information," explained Ahti Kuningas, secretary general of the Ministry of Economic Affairs and Communications.
Mihkel Kukk, head of cybersecurity services at KPMG Baltics, noted that the primary target of the attack was a web server. "In this case, the web server was the initial target, and from there, they moved into the organization's file servers and registers, from where the documents were obtained," Kukk said.
Following the attack, the Information System Authority (RIA) launched an oversight procedure at the ministry, uncovering multiple deficiencies.
"From an organizational perspective, there were various internal regulations that were missing or inadequate, as well as processes and procedures that had not been properly established. From a technical standpoint, there were definitely issues with the system architecture, software and so on," said Ilmar Toom, head of RIA's supervisory department.
According to RIA, the oversight process took a long time, primarily because the ministry received several instructions to address the deficiencies and comply with legal requirements.
"When these efforts did not yield results, we concluded that administrative supervision had exhausted its tools. Therefore, we closed the administrative proceedings and initiated a misdemeanor proceeding, during which the legal entity's guilt was established, resulting in a fine of €8,000. I sincerely hope things have improved significantly there, but we certainly plan to take another look in the future," Toom said.
The Ministry of Foreign Affairs was the least affected by the GRU attack, with only publicly available web server information accessed.
Toom pointed out that different state institutions have varying levels of maturity in addressing information security, and systemic cybersecurity efforts often start at the leadership level of the organization. Kukk added that to prevent future attacks, ministries should improve the monitoring of their networks.
"In Estonia, the main focus is often on building the largest possible firewall, but occasionally cracks appear, and the problem arises when the first line of defense is breached. What happens inside the organization or company is not always as carefully monitored, making it harder to detect if any data leak is occurring," Kukk said.
Kukk also noted that while the leak of a single document marked with restricted access might not seem significant, several such documents could allow criminals to piece together a more complete picture.
Editor: Valner Väino, Marcus Turovski