Estonia: Foreign hackers breached local email provider for targeted attacks

Hackers hijacked a small number of Mail.ee accounts "belonging to persons of interest to a foreign country."

[Image: Estonia flag. Credit: Nikola Johnny Mirkovic]


State-sponsored hackers have used a zero-day vulnerability to hijack a small number of high-profile email accounts at Estonian email provider Mail.ee.

The attacks took place last year and the vulnerability in Mail.ee's service has been fixed, the Estonian Internal Security Service (KaPo) said in an end-of-year report published this month.

"This vulnerability was only exploited [against] a small number of email accounts belonging to persons of interest to a foreign country," KaPo said, without naming the victims.

The agency said the attacks took place with the help of malicious code hidden in emails sent to Mail.ee recipients.

The code executed when the user opened the email in the Mail.ee web portal. No user interaction was needed beyond opening the email.

The malicious code automated actions in the user's authenticated Mail.ee web portal session, enabling and configuring email forwarding without the user's knowledge.

"From the moment the email with the malicious code was opened, all of the emails sent to the target were redirected to an email account controlled by the attacker," KaPo said.

[Image: KaPo]

The Estonian intelligence agency said the attacks were highly targeted against "a small number of email accounts belonging to persons of interest to a foreign country."

"The general public and users of mail.ee need not worry," KaPo said.

The same report also touched on other 2019 attacks that targeted businesses and individuals in Estonia. These included spear-phishing operations orchestrated by other state-sponsored groups, such as Gamaredon (suspected Russian threat actor) and Silent Librarian (suspected Iranian threat actor).

"We know from experience that businesses and research institutions are often unaware that their data could be of interest to foreign intelligence services working in the economic interests of their country," it added.

For companies that might be the target of foreign hackers, KaPo recommends a series of steps for choosing an adequate email provider, one that offers basic security features and privacy protections. These include:

  • Find out in which country the data of the email or other service are stored and in which country the (parent) company is located or registered.
  • Choose a service provider that stores data and is located in a country that respects people's rights and privacy.
  • Choose a service provider with various methods for ensuring security: two-step authentication, displaying the IP addresses of the last log-ins, allowing/restricting logging-in with IMAP and POP3, and linking to a specific device.
  • Every now and then, review the IP addresses used for logging in, and check whether the IP-WHOIS data corresponds to the IP you use at home, at work, etc.
  • Every now and then, check whether your emails have been redirected to other email addresses, or which other email addresses are linked to your account.
  • If you see a news story about a leak of email user data connected to Estonia, check whether it is relevant to your email account, and if so, change your password or authentication method.
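Two of the checklist items above, reviewing login IP addresses and checking forwarding rules, are the signals that would have exposed the attack described earlier in the article. The following is an added example, not from KaPo or Mail.ee, of turning those manual checks into a repeatable self-audit: it flags any forwarding target that is not one of the user's own addresses, any login from outside the networks the user recognises, and any login over a protocol (IMAP/POP3) the user has decided not to use. The account data, login events and network ranges are constructed; a real provider exposes the equivalent through its settings pages or an account-activity API.

```python
"""Added example (not KaPo's or Mail.ee's code): a self-audit of forwarding
rules and recent logins, the checks KaPo's list asks users to do by hand.
All inputs below are constructed; IPs use the documentation ranges."""

import ipaddress
from dataclasses import dataclass


@dataclass
class Finding:
    kind: str    # "forwarding" or "login"
    detail: str


def audit_forwarding(forward_targets, own_addresses):
    """Flag every forwarding target that is not one of the user's own
    addresses. A forward planted by an attacker looks identical to a
    legitimate one, so the only reliable rule is: unknown target = finding."""
    own = {a.strip().lower() for a in own_addresses}
    return [Finding("forwarding", f"mail is forwarded to {target}")
            for target in forward_targets if target.strip().lower() not in own]


def audit_logins(login_events, trusted_networks, allowed_methods):
    """Flag logins from IPs outside the networks the user recognises (home,
    office, mobile carrier) and logins over protocols the user does not use.
    Each event is (timestamp, ip, method); a trusted-network list the user
    maintains replaces the ad-hoc WHOIS lookup in the checklist."""
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_networks]
    findings = []
    for ts, ip, method in login_events:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in nets):
            findings.append(Finding("login", f"{ts}: {method} login from untrusted IP {ip}"))
        if method not in allowed_methods:
            findings.append(Finding("login", f"{ts}: login over disallowed protocol {method}"))
    return findings


# ---- constructed account data (not real users, addresses or logins) ----
OWN_ADDRESSES = ["me@example.net", "user@mail.example"]
FORWARD_TARGETS = ["me@example.net", "collector@example.org"]  # second one is unknown
TRUSTED_NETWORKS = ["192.0.2.0/24", "198.51.100.0/24"]         # home, office
ALLOWED_METHODS = {"web"}                                        # user never uses IMAP/POP3
LOGIN_EVENTS = [
    ("2019-05-02T08:14Z", "192.0.2.10", "web"),      # home, web: fine
    ("2019-05-02T13:02Z", "198.51.100.7", "web"),    # office, web: fine
    ("2019-05-03T22:41Z", "203.0.113.77", "imap"),   # unknown IP and IMAP: two findings
]


def run_audit():
    """Run both checks over the constructed data and return all findings."""
    return (audit_forwarding(FORWARD_TARGETS, OWN_ADDRESSES)
            + audit_logins(LOGIN_EVENTS, TRUSTED_NETWORKS, ALLOWED_METHODS))


if __name__ == "__main__":
    for f in run_audit():
        print(f"[{f.kind}] {f.detail}")
```

Run against the constructed data this reports one unknown forwarding target and two findings for the single out-of-network IMAP login. The point of the protocol check is the checklist's advice to restrict IMAP and POP3 access: an account that only ever uses the web portal gains nothing from those protocols being open, and any login over them is by definition suspicious.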

The KaPo report is available for download in PDF format from here.