Front Page: NCSC-FI

Information security now!

This week, we highlight why the router is the most important protective wall in a home network and how it prevents attacks against home IT equipment. We also cover the data breach at the technology company F5 and the material on cyber security in water supply services published by the VESKY 2025 project. In addition, we talk about Europol’s SIMcartel operation, in which infrastructure used in frauds was shut down. In the malware review, we take a look at the Expiro virus, which infects Windows systems.

TLP:CLEAR

The router is the protective wall for your home network: do not connect your equipment to the network without it!

The router is the central protective wall of a home network: it separates household devices from the public internet. Its most important task is to prevent direct connections from outside to individual devices, such as computers, telephones or smart home equipment. If a device were connected directly to the public network without a router, it would be exposed to internet traffic such as attempted attacks, malware and unauthorised login attempts.

The router hides the components of the internal network from the external network. This way, only the address of the router is visible from outside, not the individual devices. This means that third parties cannot target attacks directly at a particular device.

The router enables the use of a firewall and other protection features. It can block malicious traffic and offer protection even when the network contains equipment from several different manufacturers whose information security is not equally strong. Therefore, it is important that you do not connect equipment directly to a public network but always through a router. This also applies to housing company connections and fibre-optic modems.

Why are criminals interested in your equipment?

Criminals search the network manually or automatically for vulnerabilities, i.e. devices susceptible to breach, such as home routers. Once hijacked, network devices can be used to carry out denial-of-service attacks, for example. Distributed denial-of-service (DDoS) attacks are often implemented by steering a large number of hijacked network devices. By securing your own devices, you not only protect yourself but also take part in promoting cyber security in Finnish society.

Read more about our guidelines for home network and router security here! (External link)

Infographic in which a smart TV is connected to the internet with risky settings (e.g. directly by bridging). A criminal peers at the TV from the internet through binoculars, because anyone can see a device that is open to the internet in this way. At the same time, a smart toy, a printer and a computer are in the home network behind safer settings (e.g. a firewall and a NAT connection), so the router hides all the devices behind a single IP address.

The American information security and technology company F5 is the target of a data breach - F5 products are also used in Finland

The American information security and technology company F5 has announced that it has been the target of a serious data breach. A party suspected of being a state threat actor gained access to F5's internal systems and copied, among other things, source code for BIG-IP products as well as information about unpublished vulnerabilities.

The company’s products and services are also widely used in Finland. Organisations that use F5 products or services in their own IT environment are advised to review their systems in view of the leaked vulnerabilities and their possible exploitation.

Measures recommended for organisations using F5 systems:

  • Check which F5 equipment and services are in use in your organisation. 
  • Update the F5 equipment and services to the latest published version. 
  • Harden the systems that are publicly visible in the network. 
  • Activate and use centralised logging and incident monitoring (e.g. streaming of BIG-IP logs). 
  • Monitor login attempts, failed authentications, and changes to access rights and configurations in the systems.

The NCSC-FI has published an Information Security Now! article on the subject, which takes a wider look at the case and discusses the protective measures that organisations should implement for F5 products.

Information Security Now! Article:  American information security and technology company F5 subject of a data breach (External link)

Cyber security in water supply services improves – the VESKY 2025 project published templates and processes for everybody

The joint VESKY project, which started in autumn 2025 and dealt with improving reliability and cyber security in water supply, has produced a comprehensive collection of templates and processes, which has now been published on the NCSC-FI website. The collection can be freely used by all organisations.

The documents offer concrete templates and examples for information security policy, architecture policy, risk management and requirements for suppliers. They give organisations a good starting point for developing their governance models, and each organisation can adapt them to suit its own activities. The VESKY project also tested the Finnish Water Utilities Association’s tool for information risk management.

Vesihuollon toimintavarmuuden ja kyberturvallisuuden parantamisen yhteishanke VESKY 2025 -materiaalit (External link), (in Finnish)

Finnish Water Utilities Association (FIWA): Vesihuoltolaitosten kyberturvallisuuden riskienhallinnan Excel-työkalu (External link), (in Finnish)

International SIMcartel operation shut down infrastructure used for frauds

Europol, together with other operators, carried out an international operation called “SIMcartel”. As a result, SIMbox infrastructure in Latvia used by suspected criminals was taken down. The purpose of the infrastructure was to enable anonymous communication via mobile subscriptions for more than 80 different countries, and about 50 million accounts were created for different services and then used for the frauds. It is estimated that the spoofing has had at least 3 200 victims and caused losses of nearly five million euros.

During the operation, 14 house searches were carried out, resulting in the confiscation of 1 200 SIM devices, about 40 000 SIM cards, servers, luxury cars and more than 600 000 euros in financial resources and cryptocurrency. The police also shut down websites related to the case. Five Latvian residents were arrested in the operation. They are suspected of having enabled the creation of the accounts for fraudulent purposes under the pretext of legitimate business.

The operation was carried out in international cooperation with Finland, Latvia, Estonia, Austria, Europol, Eurojust and Shadowserver Foundation. The Finnish representatives participating in the operation were the police, the National Bureau of Investigation, and the national Cyber-Enabled Crime Investigation Unit.

Europol: Cybercrime-as-a-service takedown: 7 arrested (External link)

In an international operation “SIMcartel”, the State Police dismantles IT infrastructure used for online fraud; five Latvian nationals arrested (External link)

Weekly malware review: Expiro

Expiro is a virus that infects Windows systems. It attaches its malicious code to existing EXE files and uses them to spread itself. It can install dangerous browser extensions, change the browser's security settings and steal users’ login details. After the infection, Expiro gives remote access to the compromised computer and changes security settings, especially those of Internet Explorer.

Until 2018, the new variants included advanced blocking technologies for risk-benefit analysis, and the 2022–2025 versions have added even more advanced methods for avoiding detection, stronger encryption and countermeasures against security programmes.

How to protect yourself from the Expiro malware:

  • Keep systems up to date. Install all security updates for the operating system and software regularly.
  • Use antivirus protection. Keep the real-time protection on and check the downloads, attachments and links before opening.
  • Be careful with communications. Do not open suspicious e-mail or social media messages containing attachments or links.
  • Start using multi-factor authentication. Protect your accounts, even if your password should fall into the wrong hands.

As Expiro modifies legitimate files and hides in them, the best protection is to stay alert, follow safe download practices and keep security software up to date.

Recently reported scams

In this summary, we provide information about scams reported to the NCSC-FI during the past week.

About the weekly review

This is the weekly review of the National Cyber Security Centre Finland (reporting period 24–30 October 2025). The purpose of the weekly review is to share information about current cyber phenomena. The review is intended for everyone from cybersecurity professionals to ordinary people.