Hackers exploited a zero-day vulnerability in attacks on the Estonian email provider Mail.ee

 

Alleged state-sponsored hackers exploited a zero-day flaw in the Estonian email service Mail.ee to gain access to high-profile email accounts, the Estonian Internal Security Service (KaPo) said in an end-of-year report released this month.

According to the report, the attacks took place last year and since then the provider has identified the vulnerability and addressed it.

“It [Mail.ee] is widely used among the Estonian population, the attacker was able to run malicious code on target accounts by exploiting a critical security vulnerability that was unknown to the provider,” the report said.

KaPo did not reveal the names of the victims, but said that only a small number of accounts belonging to persons of interest to a foreign country had been compromised.

The attack involved emails containing malicious code sent to Mail.ee recipients. Once the email was opened in the Mail.ee web portal, the malicious code was executed. The code would then enable and configure email forwarding so that all emails sent to the target were redirected to an email account controlled by the hackers.

“Specifically: if the attacker sent an email to the target, once it has opened the message the malicious code was executed and set up the email forwarding on the victim’s account. From the moment the malicious message has been opened, all messages sent to the target were redirected to an email account under the control of the attacker. We emphasize that it was enough to open the letter – there was no need to open an attachment or click on the attached link,” the agency said.
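The behaviour described above leaves a recognizable trace for defenders: a forwarding rule to an outside address that appears seconds after a message is opened, with no visit to the settings page in between. The following is an added detection sketch, not code from KaPo or Mail.ee; the audit-log schema, action names, domains and the 10-second window are all assumptions, and the events are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed audit events in a hypothetical webmail log schema (not Mail.ee's).
EVENTS = [
    {"ts": "2019-05-02T09:14:03", "account": "alice", "action": "message_open", "detail": "msg-1041"},
    {"ts": "2019-05-02T09:14:04", "account": "alice", "action": "forwarding_set", "detail": "collector@mailbox.example"},
    {"ts": "2019-05-03T18:30:10", "account": "bob", "action": "settings_view", "detail": ""},
    {"ts": "2019-05-03T18:30:55", "account": "bob", "action": "forwarding_set", "detail": "bob@provider.example"},
    {"ts": "2019-05-04T11:00:00", "account": "carol", "action": "message_open", "detail": "msg-2207"},
    {"ts": "2019-05-04T11:20:00", "account": "carol", "action": "settings_view", "detail": ""},
    {"ts": "2019-05-04T11:20:30", "account": "carol", "action": "forwarding_set", "detail": "carol@other.example"},
]

LOCAL_DOMAINS = {"provider.example"}   # assumed: domains the provider itself hosts
WINDOW = timedelta(seconds=10)         # assumed: too fast for a human to reach settings


def suspicious_forwarding(events, local_domains=LOCAL_DOMAINS, window=WINDOW):
    """Flag forwarding rules to external addresses that were created directly
    after a message was opened, i.e. without the user visiting settings."""
    last = {}        # account -> (timestamp, action, detail) of its previous event
    findings = []
    # ISO 8601 timestamps sort correctly as plain strings.
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        prev = last.get(ev["account"])
        if ev["action"] == "forwarding_set":
            domain = ev["detail"].rsplit("@", 1)[-1].lower()
            external = domain not in local_domains
            # The immediately preceding event must be the message open itself.
            right_after_open = (
                prev is not None
                and prev[1] == "message_open"
                and ts - prev[0] <= window
            )
            if external and right_after_open:
                findings.append({
                    "account": ev["account"],
                    "destination": ev["detail"],
                    "trigger_message": prev[2],   # message to quarantine and analyse
                    "delay_seconds": (ts - prev[0]).total_seconds(),
                })
        last[ev["account"]] = (ts, ev["action"], ev["detail"])
    return findings


if __name__ == "__main__":
    for finding in suspicious_forwarding(EVENTS):
        print(finding)
```

The `trigger_message` field points at the email whose opening preceded the rule change, which is the artifact to preserve for analysis.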

Additionally, the report described other 2019 attacks aimed at businesses and individuals in Estonia, including spear-phishing campaigns conducted by other state-sponsored groups, such as Gamaredon (believed to have ties to Russia) and the Iran-linked Silent Librarian APT group.
