Estonia: Foreign hackers breached local email provider for targeted attacks
State-sponsored hackers used a zero-day vulnerability to hijack a small number of high-profile email accounts at Estonian email provider Mail.ee.
The attacks took place last year and the vulnerability of the Mail.ee service has been patched, the Estonian Internal Security Service (KaPo) said in a year-end report released this month.
“This vulnerability was only exploited [against] a small number of email accounts owned by people of interest to a foreign country,” KaPo said, without naming the victims.
The agency said the attacks were carried out using malicious code hidden in emails sent to Mail.ee recipients.
The code executed when the user opened the email on the Mail.ee web portal. No user interaction was required beyond opening the email.
The malicious code ran inside the user’s logged-in Mail.ee web session and automated actions in the portal on the user’s behalf, enabling and configuring email forwarding.
“From the moment the email containing the malicious code was opened, all emails sent to the target were redirected to an email account controlled by the attacker,” KaPo said.
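The report does not name the vulnerability class, but code that arrives inside a message and runs when the webmail front end displays that message is the pattern usually called stored cross-site scripting, and the standard defence is to rebuild the message body from an allowlist before it reaches the browser. The following is an added example, not Mail.ee code and not anything from the KaPo report: an allowlist sanitizer for HTML message bodies built on Python’s standard html.parser, run against a constructed message whose script block, event handler and javascript: link all try to reach a made-up /settings/forwarding endpoint with a made-up attacker address.

```python
"""Allowlist sanitizer for HTML e-mail bodies rendered by a webmail portal.

Added example, not Mail.ee code: the defence is generic, the payload below
is constructed, and the /settings/forwarding endpoint and attacker address
are invented for the demonstration.
"""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "u", "a",
                "ul", "ol", "li", "div", "span", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}          # no on* handlers, no style, no src
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}
RAW_TEXT_TAGS = {"script", "style"}      # tag and its content both dropped


class EmailBodySanitizer(HTMLParser):
    """Rebuilds the body from the allowlist; everything removed is recorded
    in ``dropped`` so the mail server can log or alert on it."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []
        self._raw_tag = None  # set while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if self._raw_tag:
            return
        if tag in RAW_TEXT_TAGS:
            self._raw_tag = tag
            self.dropped.append(tag)
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)     # tag removed, its text content kept
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, ()):
                self.dropped.append(f"{tag}@{name}")
                continue
            # Collapse whitespace before the scheme check so "java\nscript:"
            # cannot slip past, then require an explicit safe scheme.
            if name == "href" and not "".join(value.split()).lower().startswith(SAFE_URL_SCHEMES):
                self.dropped.append(f"{tag}@href={value!r}")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self._raw_tag:
            if tag == self._raw_tag:
                self._raw_tag = None
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._raw_tag:
            return               # script/style bodies never reach the page
        self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        self.dropped.append("comment")   # comments (incl. conditional ones) removed

    # HTMLParser's default handle_startendtag calls handle_starttag and then
    # handle_endtag, so <br/> is covered by the two methods above.


def sanitize_email_html(body):
    """Return (clean_html, dropped_items) for an untrusted message body."""
    parser = EmailBodySanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed message: three different vehicles for the same goal, turning on
# forwarding to a mailbox the attacker controls (endpoint and address invented).
MALICIOUS_EMAIL = """<p>Invoice attached.</p>
<script>
fetch('/settings/forwarding', {method: 'POST', credentials: 'include',
      body: 'enabled=1&target=attacker%40collector.example'});
</script>
<img src="x" onerror="fetch('/settings/forwarding?target=attacker%40collector.example')">
<a href="javascript:void(fetch('/settings/forwarding'))">view</a>
<a href="https://example.com/invoice">view invoice</a>"""

if __name__ == "__main__":
    clean, dropped = sanitize_email_html(MALICIOUS_EMAIL)
    print(clean)
    print("dropped:", dropped)
```

The sanitizer keeps only what it positively recognises, so the script block, the `onerror` handler and the `javascript:` URL are all removed while the legitimate https link survives; relative URLs are rejected as well, which is deliberate, because a same-origin link is exactly what a forwarding-settings endpoint would look like. The `dropped` list is worth feeding into detection: a message that needed several script or handler removals is a strong signal on its own.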
The Estonian intelligence agency said the attacks were narrowly targeted at “a small number of email accounts belonging to persons of interest to a foreign country”.
“The general public and mail.ee users need not worry,” KaPo said.
The same report also referred to other 2019 attacks targeting businesses and individuals in Estonia. These include spear-phishing operations run by other state-sponsored groups, such as Gamaredon (a suspected Russian threat actor) and Silent Librarian (a suspected Iranian threat actor).
“We know from experience that companies and research institutes are often unaware that their data could be of interest to foreign intelligence services working in the economic interest of their country,” the report added.
For businesses that might be targeted by foreign hackers, KaPo recommends a set of steps for choosing an email provider with basic security and privacy protections, and for keeping an eye on the account afterwards:
- Find out in which country the email or other service data is stored and in which country the (parent) company is located or registered.
- Choose a service provider that stores the data and is located in a country that respects people’s rights and privacy.
- Choose a service provider that offers several security controls: two-step authentication, a view of the IP addresses of the most recent logins, the ability to allow or restrict IMAP and POP3 access, and binding the account to a specific device.
- Every now and then, check the IP addresses used to log in, and check that the WHOIS data for those addresses matches the networks you use at home, at work, and so on.
- From time to time, check whether your emails are being forwarded to other addresses, and which other email addresses are linked to your account.
- If you see a report of a data leak affecting email users in Estonia, check whether it is relevant to your email account, and if so, change your password or your authentication method.
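The last three items are checks that can be scripted against whatever account-activity export a provider offers. The following is an added example, not from the KaPo report and not Mail.ee code: it runs the forwarding-target, linked-address and login-IP checks over a constructed settings export. The export layout, the addresses and the networks are assumptions; a real run would load the provider’s export instead of the constant, and the WHOIS step needs a network lookup so it is left out here.

```python
"""Self-audit of a webmail account after the KaPo checklist: unknown
forwarding targets, unknown linked addresses, logins from unknown networks
or over protocols the owner meant to keep disabled.

Added example, not from KaPo or Mail.ee. The export layout below and the
addresses/networks are assumptions; a real run would load the provider's
account-activity export instead of the constant.
"""
import ipaddress

# Constructed export in the shape of a provider's "account activity" page.
# The second forwarding target is the attacker-controlled mailbox we want caught.
ACCOUNT_EXPORT = {
    "forwarding": {
        "enabled": True,
        "targets": ["me@example.org", "archive@collector.example"],
    },
    "linked_addresses": ["me@example.org"],
    "recent_logins": [
        {"ip": "192.0.2.10",    "when": "2019-11-02T08:14Z", "protocol": "web"},
        {"ip": "192.0.2.33",    "when": "2019-11-02T21:40Z", "protocol": "imap"},
        {"ip": "198.51.100.77", "when": "2019-11-03T01:02Z", "protocol": "pop3"},
    ],
}

# What the owner recognises: their own addresses, home/work networks,
# and the access protocols they left enabled (POP3 was switched off).
OWN_ADDRESSES = {"me@example.org"}
KNOWN_NETWORKS = ("192.0.2.0/24",)
ALLOWED_PROTOCOLS = {"web", "imap"}


def audit_account(export, own_addresses=OWN_ADDRESSES,
                  known_networks=KNOWN_NETWORKS,
                  allowed_protocols=ALLOWED_PROTOCOLS):
    """Return a list of findings; an empty list means nothing looked off."""
    own = {a.lower() for a in own_addresses}
    nets = [ipaddress.ip_network(n) for n in known_networks]
    findings = []

    # Forwarding is the control the Mail.ee attack abused, so any target the
    # owner does not recognise is a finding even if the address looks benign.
    fwd = export.get("forwarding", {})
    if fwd.get("enabled"):
        for target in fwd.get("targets", []):
            if target.lower() not in own:
                findings.append(f"forwarding enabled to unrecognised address {target}")

    # Linked/recovery addresses are a quieter way to keep access after a password change.
    for addr in export.get("linked_addresses", []):
        if addr.lower() not in own:
            findings.append(f"unrecognised linked address {addr}")

    # Logins: flag anything outside the known networks, and any use of a
    # protocol that was supposed to be disabled.
    for login in export.get("recent_logins", []):
        ip = ipaddress.ip_address(login["ip"])
        if not any(ip in net for net in nets):
            findings.append(f"login from unknown network {ip} via {login['protocol']} at {login['when']}")
        if login["protocol"] not in allowed_protocols:
            findings.append(f"login over disallowed protocol {login['protocol']} from {ip} at {login['when']}")
    return findings


if __name__ == "__main__":
    for line in audit_account(ACCOUNT_EXPORT) or ["no findings"]:
        print(line)
```

Run against the constructed export this produces three findings: the unrecognised forwarding target, a login from a network the owner does not use, and that same login arriving over POP3 although POP3 was meant to be off. The forwarding check is the one that would have caught the attack KaPo describes, since the redirect it set up was silent to the mailbox owner.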
The KaPo report is available for download in PDF format here.