Estonia's state agencies receive phishing letters under prominent think tank's name

Phishing emails impersonating the head of a well-known think tank were used in an attempt to gain access to Estonian civil servants' devices.
Earlier this week, the Information System Authority (RIA) sent an email to various institutions warning about a circulating phishing campaign.
The phishing email, which also reached ERR, invites recipients — under the name of Frederick Kempe, head of the internationally recognized think tank Atlantic Council — to register for a closed-door strategic discussion.
Ironically, the fabricated event created by the scammers is titled "Fault Lines & Firewalls: Protecting Europe's Security Amid International Instability."
While phishing itself is nothing new, what makes this case unusual is that it involves so-called spear phishing.
A selected group targeted
In typical phishing schemes, scammers often create a nearly identical copy of a victim's bank website where the victim unknowingly enters their personal data. The scammers then use that information to log in to the real bank site and transfer money to their own accounts.
According to information available to ERR, however, this particular message was sent only to a select group — mostly individuals in senior positions — at both their work and private email addresses. This makes the attack a case of spear phishing.
The goal of spear phishing is usually not direct financial gain, but rather access to sensitive personal data. That is also the case in this incident.
Whereas large-scale phishing attacks typically require victims to enter their information themselves, this email employed a so-called DarkSword-type cyberattack. In this case, simply clicking on the registration link is enough for attackers to take control of the phone, gaining access to all data stored on the device.
DarkSword is a tool that exploits vulnerabilities in older iOS software, allowing attackers to seize control of data on affected devices.
Because DarkSword does not require users to download any application and can compromise a device within minutes, such an attack is nearly impossible to detect after the fact.
No clear overview of the attacks' extent
The Information System Authority (RIA) declined to comment to ERR and referred the matter to the Estonian Internal Security Service (ISS).
ISS press spokesperson Marta Tuul said the attack is global in nature, but its exact scope in Estonia is still under investigation.
"Mapping activities are not yet complete, so it is not possible to provide a detailed overview at this time," Tuul said.
An identical phishing message also reached targets abroad, including Leonid Volkov, the former campaign manager of Russian opposition figure Alexei Navalny.
"I received a suspicious email with a weird link yesterday. My first thought was this is yet another phishing attempt, albeit well-tailored. I was wrong: researchers with whom I shared this email told me I was targeted by a very recent DarkSword attack used by the GRU. If I…"
— Leonid Volkov (@leonidvolkov) March 27, 2026
Previous DarkSword attacks have been traced to IP addresses in Russia, and a possible connection to Russian special services has been suggested.
In March, RIA was notified of 886 incidents affecting the confidentiality, integrity or availability of data or information systems.
--
Editor: Marcus Turovski









