Alleged state-sponsored hackers have hijacked a small number of accounts at the Estonian email provider Mail.ee, they exploited a zero-day vulnerability in the attack. According to the end-of-year report published this month by Estonian Internal Security Service (KaPo), the hacked accounts belong to persons of interest to a foreign country.
The attacks took place in 2019 and since then the provider has identified the vulnerability and addressed it.
“[Mail.ee] It is widely used among the Estonian population, the attacker was able to run malicious code on target accounts by exploiting a critical security vulnerability that was unknown to the provider.” states the KaPo’s report.
“The vulnerability was only exploited to hijack a small number of email accounts belonging to persons of interest to a foreign country,”
The KaPo’s report doesn’t name the victims, it only confirmed that hackers used a malicious code in the email sent to the victims that triggered the zero-day flaw.
Once the recipient has opened the emails using the Mail.ee portal, the code was executed, then it enabled the email forwarding to the attacker.
“Specifically: if the attacker sent an email to the target, once it has opened the message the malicious code was executed and set up the email forwarding on the victim’s account.” continues the report. “From the moment the malicious message has been opened, all messages sent to the target were redirected an email account under the control of the attacker. We emphasize that it was enough to open the letter – there was no need to open an attachment or click on the attached link.”
According to the report, the attacks were highly targeted and hit “a small number of email accounts belonging to persons of interest to a foreign country.” The intelligence agency confirmed that the attack did not hit generic accounts.
The report also described spear-phishing attacks carried out by APT groups against organizations and businesses in Estonia. The Estonian intelligence attributed the attacks to Gamaredon and Silent Librarian.
“An attempt to gain access to some e-mail accounts related to the University of Tartu was also made by attackers. It was the case of a campaign carried out by the Iran-linked group known as the Silent Librarian and the Mabna Institute. The University was able to detect both the attacks.
“businesses and research institutions are often unaware that their data could be of interest to foreign intelligence agencies working in the economic interests of their country,”.
KaPo’s report also includes recommendations for companies that might be the target of nation-state actors.
Please give me your vote for European Cybersecurity Blogger Awards – VOTE FOR YOUR WINNERS
(SecurityAffairs – Mail.ee, hacking)