Two years after a major cyber attack on the entire information infrastructure of the Government of Montenegro, the State Prosecutor's Office is still trying to find the direct perpetrator of the attack.
In August 2022, the servers of the Government of Montenegro were affected by ransomware, a type of malicious software (malware) in which the attacker locks and encrypts the target's data and important files, then demands payment to unlock and decrypt the data.
After a series of attacks from August 22 to 26, 2022, the Ministry of Public Administration warned public companies that provide electricity and water distribution services, ports, airports, and telecommunications service providers to immediately raise the level of information security to the highest level.
Due to the cyber attack, the digital infrastructure of a large part of the Montenegrin public administration was out of order, including the ministries, the Property Administration, the Revenue and Customs Administration, and the courts, which is why the issuance of documents and fiscal accounts did not work.
Asked by BIRN whether the mastermind of the cyber attack has been found, the Ministry of Public Administration reiterated that the "Cuba Ransomware" group claimed responsibility for the attack on its website. The ministry said that all information about the case was forwarded to the state prosecutor's office.
The Basic State Prosecutor's Office in Podgorica told BIRN that the case of the cyber attack is still in the investigation phase, and that an urgent action has been sent to the Police Directorate, the Criminal Intelligence Department and the High-Tech Crime Suppression Group.
"In the Basic State Prosecutor's Office in Podgorica, a case has been established against, for now, an unknown perpetrator or several of them, for the criminal offense of creating and importing computer viruses, which is under investigation. Certain evidentiary actions have been taken in the case so far," said the manager. Prosecutor's Office in Podgorica, Duško Milanović.
The Police Administration did not answer what stage the investigation is in.
Citing unofficial intelligence sources, BIRN reported in September 2022 that an internal investigation showed that the attack was carried out by directly injecting malware from a computer connected to a government server. The Government did not officially confirm this information.
From hybrid warfare to cybercriminals
After the second wave of attacks on August 26, 2022, the National Security Agency (ANB) accused the Russian security services of waging a "hybrid war" against Montenegro, stating that the attacks were "long-prepared".
"It is a very serious matter, and this is a very serious attack. We are monitoring the situation, the National Security Agency, the Police Directorate, and the Ministry of Defense are also involved. In my opinion, this is a politically motivated attack," said then Prime Minister Dritan Abazović at the conference for the media on August 26, 2022.
Russian Foreign Ministry spokeswoman Maria Zakharova dismissed Podgorica's claims as part of a "continuous policy of severing relations with Moscow in order to please the United States of America (USA)."
Diplomatic relations between Montenegro and Russia have deteriorated since 2014, when Podgorica supported European Union sanctions imposed on Moscow due to the annexation of Crimea.
On August 29, 2022, the Minister of Public Administration Maraš Dukaj said that the attack was the work not of individuals but of a recognized criminal group in cyber terrorism, Cuba Ransomware. Dukaj then told Javni servis that the attack on government servers had been planned for a long time.
"The virus cannot be formed in a month. They were waiting for a certain time, that is, when to carry out such an attack. The creation of the virus cost about 10 million dollars and it has not been used anywhere so far," said Dukaj at the time.
The "Cuba Ransomware" cyber group has a history of attacks, and according to the US Federal Bureau of Investigation (FBI), by November 2021, the group had targeted 49 organizations, including some within the US government. The attacks were spread across five "critical infrastructures", including the financial, healthcare, manufacturing and IT sectors. According to the FBI, the attackers demanded $76 million in ransom, and received at least $43.9 million.
After "Cuba Ransomware" announced on its website that it possessed data belonging to the Public Relations Department of the Parliament of Montenegro, the director of the government's Directorate for Information Security, Infrastructure and Digitization, Dušan Polović, confirmed that around 150 workstations in 10 state institutions had been compromised.
At the request of the Government of Montenegro in September 2022, experts from the FBI and the French National Agency for the Security of Information Systems (ANSSI) joined the investigation of the attack.
The Police Department said in January 2023 that the FBI handed them a report on cyber attacks on government servers, explaining that the report was based on a significant volume of data collected through the network of the Ministry of Public Administration and the movement of data from various systems.
The FBI report was never published, while the Ministry of the Interior refused to provide it to BIRN, stating that it was a confidential document.
Cyber security expert Aleksandar Obradović believes that it is worrying that the results of the investigation were never published.
"No one will know if any of the data has been compromised, i.e. deleted or destroyed, except for the people who were involved in the investigation or have access to the reports. Of course, "Cuba Ransomware" knows that too, but we will not be able to count on them to give us accurate information, what was compromised and what was taken from the data," Obradović told BIRN.
"The public will be informed of the extent of the damage if the aforementioned report is leaked or after the statutory period for maintaining the secrecy of the report has expired," Obradović added.
The Ministry of Public Administration told BIRN that the FBI report showed which techniques and malicious viruses were used by the attackers, explaining that they were also provided with indicators of compromise "that help them take adequate actions to strengthen the resilience of the Government's infrastructure and the network of state bodies".
After a cyber attack, the defense system is strengthened
Two years after the cyber attack, the Ministry of Public Administration claims that thanks to the "back up" systems, no data was destroyed, nor was it compromised. The government department explained that the data was hacked on individual workstations, not information systems.
When asked why the Disaster Recovery Site (DRS), which enables the smooth functioning of the system, was not used during the attack, the ministry said that the system is applicable exclusively for the Government's information and communication infrastructure. A disaster recovery site (DRS) is a backup site that takes over the functioning of the system, without losing data, and allows users to use information system services without delay.
The ministry also said that by the end of 2024, the availability of the DRS service on the Internet will be enabled in case of incidents.
In December 2022, a new Directorate for Information Security was formed, which is in charge of protecting government systems through monitoring, prevention and elimination of the consequences of cyber threats and attacks. According to the current systematization, 22 jobs are planned in the Directorate, but the ministry did not answer whether all the jobs were filled.
The Government Computer Incident Response Team (CIRT), which was formed in 2012, is responsible for research, analysis and response to cyber incidents within the network of state administration bodies. Nine employees are currently employed at CIRT.
In December 2022, the Government announced the formation of the Cyber Security Agency, tasked with analyzing the application of regulations, strategies and action plans in the field of information security and making proposals and recommendations for its improvement.
However, the first condition for the establishment of the Agency has not yet been met, because the Parliament of Montenegro has not adopted the Law on Information Security, which defines the work of the Agency.
Obradović warns that awareness of the importance of cyber security in the state administration is low in Montenegro. He recalled the official data according to which there are over 52,250 employees in the state administration, which is 23 percent of the total number of employees in the state.
"Most of them have access to computer devices as well as the infrastructure itself. Knowing that the human factor is the most susceptible to manipulation, we come to the worrying fact that we have 52.250 potential vectors of attacks on the state's ICT infrastructure, which it seems that no one actively takes care of," claims Obradović.
This article was developed in partnership with the regional initiative Western Balkans Anti-Disinformation Hub, implemented by the Metamorphosis Foundation with financial support from the Ministry of Foreign Affairs of the Kingdom of the Netherlands. The contents of the article are the responsibility of PARTNER and do not necessarily reflect the positions of the project partners and donor.