Cyber Incident Victim: Eesti Energia

Date: Nov 2022

Location: Estonia

Summary

A pro-Kremlin cyberattack targeted the state electricity generator Eesti Energia, causing widespread outages of its website, mobile app, and the digital platforms of related subsidiaries, including grid operator Elektrilevi. The distributed denial-of-service (DDoS) attack also hit Estonia's Ministry of Economic Affairs, central bank, and business development agency, but with limited success due to their robust cybersecurity defenses, while simultaneous assaults affected institutions in Latvia, Poland, and Ukraine. CERT-EE attributed the incident to pro-Kremlin hackers, noting customer data remained secure and critical systems were protected despite service disruptions. The attack was successfully mitigated, with restoration efforts prioritized for customer-facing channels, mirroring previous regional cyber campaigns but with narrower overall impact.

Description

On November 19, 2022, Estonian state energy company Eesti Energia experienced a significant cyberattack that disrupted its public-facing digital services. The attack, identified as a large-scale distributed denial-of-service (DDoS) incident, rendered the company's primary website and mobile application inaccessible. Related entities including grid maintenance firm Elektrilevi and renewable energy subsidiary Enefit Green also suffered service outages affecting their websites and mobile applications, notably Elektrilevi's MARU app. Concurrently, Estonia's Ministry of Economic Affairs and Communications, the central bank (Eesti Pank), and business development agency Enterprise Estonia (EAS) faced similar attacks, though these caused less severe disruptions due to their participation in the State Information System Authority's (RIA) protective infrastructure. The incident coincided with coordinated cyber assaults against targets in Latvia, Poland, and Ukraine, suggesting a regionally synchronized offensive. Eesti Energia's leadership confirmed customer data and internal IT systems remained secure despite the service interruptions, with Business and IT Head Ilmar Käär stating the attack had been successfully repelled through collaboration with security partners. Restoration efforts prioritized reinstating customer service channels, with Elektrilevi providing alternative emergency contact via helpline 1343 for power outage reporting during the disruption.

RIA's Computer Emergency Response Team (CERT-EE) attributed the attacks to pro-Kremlin cyber actors based on technical indicators and the pattern of multinational targeting, though officials emphasized definitive attribution remains challenging. The assault began shortly before 10:15 AM local time when RIA detected anomalous activity affecting five Estonian organizations, with Eesti Energia's digital infrastructure sustaining the most severe impact. While state-protected entities like Eesti Pank and EAS experienced only partial service degradation, an unnamed private sector company also fell victim to the same attack wave. Tõnu Tammer, head of CERT-EE, characterized the incident as substantial but less extensive than previous DDoS campaigns against Estonia in April and August 2022, which had targeted presidential office websites, media outlets, and multiple government platforms. RIA maintained continuous monitoring of affected systems throughout the incident, confirming core governmental and financial infrastructures remained operational despite intermittent service interruptions. The event marked another escalation in sustained cyber operations against Baltic nations following Russia's invasion of Ukraine, continuing a pattern of disruptive but non-destructive attacks against critical national infrastructure.
