The National Cyber Security Centre Finland’s weekly review – 16/2025

Elections proceeded without significant cyber incidents

Elections have often attracted various attempts at interference. In recent years, there has been widespread reporting around the world on different forms of meddling in numerous elections. Generally, such interference or disruption aims to undermine a country's domestic and foreign policy by eroding trust in the society's decision-making and public authorities.

The county and municipal elections held in Finland over the weekend proceeded calmly from a cybersecurity perspective, despite some denial-of-service attacks.

The pro-Russian hacktivist group NoName057(16) targeted Finnish organisations by directing their attacks against a large number of Finnish websites during the election week. The most relevant from the elections’ standpoint were the websites of political parties, municipalities, and individual candidates, but these had no actual impact on the conduct of the elections. However, the denial-of-service attacks received considerable media attention on election day itself, when the websites of certain parties were briefly unavailable.

Preparing for elections requires persistent cooperation between several different operators. Thanks to cooperation between ministries, government agencies, municipalities and individual polling stations, the Finnish election system is both stable and secure. For several years now, Traficom’s NCSC-FI has participated in supporting the Ministry of Justice and other election officials in preparing for national elections.

There will be a break from regular elections for a while, as the next ones are scheduled for 2027.

Phishing scams in the name of hotel booking services

The NCSC-FI has received multiple reports this spring about phishing attempts carried out via hotel booking services, where attackers have approached users based on genuine hotel reservations. These incidents have been observed particularly in connection with bookings made through the service booking.com. The method suggests that the attacker gained access to the booking system by phishing login credentials from a hotel and breaking into their account.

This phenomenon is a continuation of phishing campaigns targeting hotel and travel services, previously reported by the NCSC-FI last November in the article Hotel and travel booking service data breaches are being used to scam customers (External link). The number of phishing messages containing accurate information has increased compared to the beginning of the year, indicating that data breaches targeting such services have continued beyond the turn of the year.

Currently, a recurring pattern in these phishing attempts involves a user who has made a reservation via a hotel booking service. Soon after the booking, they are contacted under the name of the hotel or accommodation provider. The contact is often made through WhatsApp messages, but there have also been cases where attackers have used the messaging platform on the booking.com website. In the latter case, the message thread may also include earlier legitimate correspondence alongside the phishing attempt.

The phishing often begins with a “confirmation message” thanking the user for their reservation and including trust-building details such as the date of stay or booking reference. Shortly afterwards, the attacker sends another message claiming there is an issue or missing information related to the reservation, identity verification, or payment card. In every case, the user is instructed to follow a link in the message to a phishing site, which is used to steal payment card information.

The NCSC-FI advises users to exercise caution and good judgement when contacted in this way. Patience is key, and in suspicious cases it is advisable to verify the authenticity of the message by contacting the booking service and accommodation provider through alternative means—for example, using the contact details found on the accommodation provider’s own website.

NCSC-FI participated in the Digital Security fair in Jyväskylä

A sure sign of spring is the annual Digital Security (Digiturvallisuus) trade fair held in Jyväskylä. This year’s event, held on 10 April, brought together over 1,000 people interested in digital and cybersecurity at the Jyväskylä Paviljonki. Throughout the day, the event stages featured expert presentations on current topics related to cyber and digital security, as well as reflections on emerging technologies.

Traficom’s NCSC-FI took part in the event with its own stand, in cooperation with the EU’s Cyber Citizen project. In addition, the Centre’s experts spoke on stage about topical cybersecurity issues and showcased the services the NCSC-FI offers to organisations. Our stand attracted a great number of visitors interested in our work. Many thanks to everyone for the engaging conversations!

Photos from the event day

Webinar on 12 May: Cybersecurity Act entered into force – What has changed?

The NIS 2 Directive and the national Cybersecurity Act, which came into force on 8 April, impose obligations on operators in critical sectors to manage cybersecurity risks, report significant security incidents and register with the supervisory authority’s list of entities.

What does the entry into force of the Act mean in practice from an organisational perspective? What kind of obligations does the law impose on sectors critical to society? These and other related topics will be addressed in a Teams webinar hosted by Traficom on 12 May from 9.00 to 11.40.

In the webinar, Traficom’s experts will present information on the implementation and supervision of the Cybersecurity Act. Participants will also have the opportunity to pose questions to the experts.

Note! the webinar is in Finnish

Programme: Cybersecurity Act entered into force – What has changed?

9.00: Opening of the event: The current state of cybersecurity in Finland
• Director Pekka Jokinen, NCSC-FI at Traficom

9.05: The Cybersecurity Act has entered into force – what has changed?
• Senior Specialist Kalle Varjola, NCSC-FI at Traficom

9.50: Traficom’s recommendation on cybersecurity risk management measures for supervisory authorities
• Senior Specialist Päivi Timlin and Information Security Specialist Topi Talikka, NCSC-FI at Traficom

10.35: Break

10.45: Supervision of the Cybersecurity Act in the digital infrastructure sector
• Head of Unit Olli Lehtilä, NCSC-FI at Traficom 

11.30: Summary and closing of the event

Welcome!

CVE operations secure for now

On 15 April 2025, MITRE (External link) —the organisation maintaining the international CVE vulnerability database—sent a message to the members of the CVE Board, stating that support for the CVE programme would be discontinued as of 16 April 2025. At this stage, it is still unclear which specific CVE services this decision will affect.

CVE  (External link)(Common Vulnerabilities and Exposures) has been in use since 1999 as a standard identifier for naming and cataloguing discovered vulnerabilities. In 2024 alone, more than 40,000 CVE identifiers were assigned. The CVE system allows for the unique identification of vulnerabilities and has significantly contributed to streamlining the communication of these vulnerabilities across different stakeholders. In practice, nearly all current vulnerability management tools rely on CVE identifiers to categorise and identify vulnerabilities.

What could this mean in practice?

The potential effects remain uncertain. If the discontinuation of support leads to a disruption in CVE services, the consequences could be substantial. The NVD (National Vulnerability Database), maintained by the U.S. National Institute of Standards and Technology (NIST), relies on CVE identifiers. As a result, this change could affect the NVD service. Many vulnerability management tools also make use of the NVD database, so the functionality of these tools could be impacted. However, most tools do not rely solely on a single source of information, so the effect of a potential disruption may vary significantly between different tools.

It is also likely that the issuance of CVE identifiers for new vulnerabilities will slow down. This may delay the reporting of vulnerabilities to relevant parties, potentially lengthening the vulnerability coordination process.

Is there any change on the horizon?

A beta version of the European Vulnerability Database (EUVD), maintained by the European Union Agency for Cybersecurity (ENISA), was launched on Wednesday, 16 April. This new database will issue its own identifiers for vulnerabilities and therefore does not depend on CVE identifiers, though it will continue to make use of them as well. In addition, a new international body, the CVE Foundation (External link), has been established with the aim of securing the continuity of the CVE programme. The CVE Foundation has announced that it will provide more detailed information in the coming days regarding its operations and timelines.

The NCSC-FI continues to monitor the development of the situation and any potential impacts on the NCSC-FI's CNA operations (CVE Numbering Authority)  (External link). No effects have been observed thus far.

Recently reported scams

In this summary, we provide information about scams reported to the NCSC-FI during the past week.