The Facebook data row surrounding British analytics company Cambridge Analytica has made waves in Romania, after a consultant revealed that the company scouted him to secretly work for Romania’s ruling Social Democratic Party in its triumphant 2016 election campaign.
Cambridge Analytica is in hot water after it was revealed that it obtained access to more than 50 million Facebook users’ data in 2014.
This was then collected, shared, and stored without users’ consent and allegedly used in the 2016 Brexit referendum and the US presidential elections.
Both the British government and the European Union on Tuesday announced investigations into the company’s activities.
Meanwhile, a British public relations consultant and writer, Rupert Wolfe Murray, revealed on Facebook on Wednesday that Cambridge Analytica had scouted him in 2016 to work for Romania’s Social Democratic Party.
“I saw the Channel 4 report about Cambridge Analytica and they mentioned an East European country where they went in secretly and successfully manipulated an election. No name was given. ‘Nobody knew we were there,’ said the boss,” Murray said on his Facebook account.
“I recognised the boss’s name and found some emails from him dating August 2016. He’d offered me a job, but when he told me it was for the ruling party, which went on to win the election, I declined,” he added.
In 2017, RISE Project reported that Strategic Communications Laboratories Group, SCL, the British strategic communication company that owns Cambridge Analytica, had set up an office in Romania in 2011.
The SCL branch in Romania was still active in 2017, when it signed a lobbying contract with US-based firm Andreae & Associates.
The US lobbyist was asked to “provide government relations, communications counsel, and public affairs services for SCL Social relating to their anti-corruption efforts in Romania.”
The Social Democratic Party won the Romanian elections in December 2016 with 46 per cent of the votes and now controls the government.
In a press release on Wednesday night, the party denied working with the analytics firm in 2016 or any other electoral campaign.
However, the CEO of the Romanian branch of SCL, Peter Imre, said that his company never worked with any Romanian political faction.
The developer of the personality application that collected the data of over 30 million Facebook users and passed it to the British firm is a Moldovan-born psychology researcher at Cambridge University, Aleksandr Kogan.
Kogan told the BBC that he had no knowledge of how the information was subsequently used.
Analysts say that there are hundreds of apps like Kogan’s that are popular in Eastern Europe, whose users do not know that the apps allow companies behind them to collect, store and even sell their data.
Mihaela Pana, a Romanian journalist specializing in cybersecurity who writes for Cyber Media, says that after the row involving Cambridge Analytica broke last week, she looked closely at the apps her friends used on Facebook.
She followed up on what type of companies were behind them and realized that all quizzes used the same app for processing pictures, and that she had trouble finding contact information on the company behind the app in the Terms of Agreement.
Ioana Avadani, a media analyst and director of the Center for Independent Journalism in Bucharest, said that what Cambridge Analytica did was not only illegitimate but illegal.
“The problem was not that Cambridge Analytica profiled users, but that it fed those profiles with fake information,” she told BIRN.
“If it fed those profiles with real information, it would still be legal … Facebook also analyses my interest and prioritizes my feed. But the problem appears when you disseminate fake info into those profiles,” she added.
The innocent-sounding email reached an official of the Montenegrin Defence Ministry in early January 2017.
Entitled: “NATO_secretary_meeting.doc”, it sounded like a communiqué from the Western alliance that Montenegro was soon to join.
However, IT experts say the message was not sent by NATO to update Montenegro on useful information.
It came from a notorious Russian hacking group, which wanted to break into the government’s IT systems and steal state secrets.
Also in January, according to BIRN sources, the Podgorica government received two more similar emails.
The subject line of the first read: “Draft schedule for British army groups’ visit to Montenegro”.
The title of the other was: “Schedule for a European military transfer program”.
All are believed to have come from the same Russian hacker group, which experts say is linked to the Kremlin.
Three international IT security companies say the emails came from APT28, also known as Fancy Bear, which US intelligence services say is connected to the Russian military intelligence service, GRU.
European Union officials also believe that Montenegro suffered a serious cyber attack in June 2017.
Over the last two years, Montenegro authorities have recorded a sharp rise in the number of cyber attacks, mostly targeting state institutions and media outlets.
From only 22 such incidents in 2013, almost 400 were recorded in only nine months of 2017, official data obtained by CIN-CG/BIRN show.
Not all are related to malware viruses or attacks on state institutions, and not all the attacks can be attributed to Fancy Bear.
But many of the attacks are believed to be linked to the tiny Adriatic country’s decision to join NATO, which infuriated the country’s old ally, Russia.
Montenegro has since tightened up cyber security defences. It has formed a specialised police taskforce to fight cyber crime.
But with only limited resources, the team greatly depends on the help of NATO and other Western countries.
“After serial attacks in early 2017 we sought help from NATO and the UK to help us fight back. We succeeded in reducing the damage and repelled two attacks in late 2017,” a senior police officer told CIN-CG/BIRN, declining to provide details of those actions.
CIN-CG/BIRN’s investigation shows that the rise in cyber attacks coincided with the final phase of the country’s NATO accession negotiations in late 2016.
In addition, Montenegro’s leaders say Russia tried to interfere in the country’s October 16, 2016 general elections, a charge that Moscow has denied.
The authorities and the ruling parties claim that Russia sponsored a coup attempt on the election day.
Several Western governments, including the UK, support that interpretation of events.
Three prominent international security companies, Fire Eye, Trend Micro and ESET, agree that Fancy Bear staged at least three separate attacks in January, February and June 2017.
Upsurge feared ahead of election: Ahead of this April’s presidential election in Montenegro, experts warn that the country may experience more cyber threats. On April 15, citizens will elect a new president, as Filip Vujanovic is completing his final term and cannot be re-elected. “Russia has strongly opposed Montenegro’s NATO accession process, so it is likely to continue using cyber capabilities to undermine Montenegro’s role in the alliance,” Pierluigi Paganini, from ENISA, warned.
So-called “lures” – spearphishing emails – are common tactics used by the group to target victims who are tempted to open messages mentioning specific topics relevant to them.
Targets are fooled into believing the email is legitimate. Then, by clicking on the link or attached document, they enable a virus to enter their computers.
Ben Read, from the US security company Fire Eye, told CIN-CG/BIRN that the emails sent to the Montenegrin Defence Ministry in January 2017 were designed to cause chaos.
“If you opened [them], they would install the malware Game Fish on the victim’s system. That’s signature malware for APT28,” he explained.
He said experts from Fire Eye believed the hackers’ motive was Russia’s deep displeasure over Montenegro’s NATO accession, and the cyber attacks formed part of a broader plan to destabilise the country.
In January 2017, Fire Eye published a report claiming that Fancy Bear primarily targeted entities in the US, Europe, and the countries of the former Soviet Union, including government and military targets, along with defence departments, media outlets, and political dissidents or figures opposed to the Russian government.
“Russia is attacking these governments using both traditional means and cyber-attacks,” Read added.
Before January 2017, on election day in October 2016, many websites in Montenegro were suddenly taken down by so-called DDoS attacks, in which multiple compromised computer systems attack a website and cause a denial of service for users.
However, the authorities never disclosed what actually happened on that day although they announced a detailed investigation, hinting at a Russian role in the large-scale internet incident.
Four days after the elections, on October 20, 2016, another phishing attack was launched against the parliament of Montenegro, most likely by Fancy Bear again, according to IT security specialists Trend Micro.
But, government sources told CIN-CG/BIRN that this attack was less serious, as it targeted the “wrong location”, the parliament, which does not deal with confidential data.
“It was a blind shot,” said the official, who insisted on remaining anonymous.
A bigger attack, which the Montenegro government describes as more intense than the one in October 2016, started on February 15, 2017 and peaked over the following days, government sources told CIN-CG/BIRN last year.
This time, websites of the government and state institutions, as well as some pro-government media, suffered a wave of cyber-attacks, officials in Podgorica told CIN-CG/BIRN.
“The scope and diversity of the attacks, and the fact that they were being undertaken on a professional level, indicates that this was a synchronised action,” an official said.
The next attack, which a European official attributed to the same Russian source, happened in June 2017.
Pierluigi Paganini, member of the European Union’s Agency for Network and Information Security, ENISA, told CIN-CG/BIRN that Montenegrin infrastructure was again targeted by APT28, or Fancy Bear.
“In June 2017, after Montenegro officially joined NATO, the attacks continued; experts at the security firm Fire Eye who analyzed them collected evidence that confirmed the involvement of Russia’s APT,” Paganini said.
He added that the evidence included artefacts, malware, bait documents and exploit codes.
He said that although attribution is always the most difficult part of a forensic investigation, in this case, the information gathered “points directly to the Russian APT28 group”.
BIRN asked the Russian Foreign Ministry about its connections to the group and to its attacks on Montenegro.
It refused to respond specifically, noting only that “the mentioned issues were repeatedly commented on by the Russian Foreign Ministry”.
Russia strongly denies that its state plays any role in hacking governments, media or elections across the globe.
Russian President Vladimir Putin told reporters in June 2017 that hacking groups, like artists, do their own bidding.
“Hackers are like artists who choose their targets, depending how they feel when they wake up in the morning. No such attacks could alter the result of elections in Europe, America or elsewhere,” Putin told reporters.
Attacks disrupted Facebook services: Major cyber disruption was noted in Montenegro on election day, on October 16, 2016, when people in Montenegro were unable to use services such as Viber and WhatsApp. The government had to obtain permission from the Higher Court in Podgorica to temporarily block these applications for two hours on the election day and request a thorough investigation of the cyber attack. Facebook detected this incident in its Transparency report under the title “Internet Disruptions”. “We are aware of a disruption affecting access to Facebook products and services in Montenegro that took place during October 2016. This disruption impacted messaging services and coincided with the country’s parliamentary elections,” it said.
Cheap way of collecting intelligence:
America disagrees. In a report, published on December 29, 2016, the US Department of Homeland Security, DHS, and the FBI insisted that the Kremlin sponsored Fancy Bear.
Fancy Bear has targeted many important international groups and individuals.
They include Germany’s ruling Christian Democratic Union, CDU, the German Bundestag, NATO, the World Anti-Doping Agency, the US Democratic National Committee, the former White House senior official John Podesta, the US Democratic Congressional Campaign Committee, and others.
Christopher Bing, Associate Editor of CyberScoop, a US cybersecurity website that has followed the attacks in Montenegro, agreed that Fancy Bear has subjected the Balkans to an intensive campaign of cyber-espionage.
“These activities largely serve as a cheap and effective way to collect intelligence remotely and covertly – without getting caught,” he told CIN-CG/BIRN.
Bing explained that APT28 is a politically motivated threat group that is known to target geopolitical rivals of the Kremlin.
“APT28 is known to target military, governmental and civil society groups that are commonly of interest to the Russian state.
“As part of this targeting pattern, the Balkans represents a territory where Russia remains interested in controlling and asserting its dominance,” Bing explained.
The IT company ESET, known for its anti-virus and firewall products, also confirmed to CIN-CG/BIRN that Fancy Bear was on active manoeuvres in the Balkans during summer 2017.
Not all cyber attacks are Russian:
New analysis by the Public Administration Ministry on cyber threat to Montenegro showed the number of hacking attacks rose in 2017. The attacks were also “much more serious and sophisticated,” it said.
Over 380 attacks on websites, state institutions, online fraud and misuse of personal accounts were reported in 2017. That compared with just six in 2012. The authorities promised to investigate the background to all those attacks.
“The severity and sophistication of cyber-attacks affecting Montenegro during 2017 were reflected in the increased number of identified attacks on infrastructure and cyber espionage cases, as well as through phishing campaigns that targeted civil servants,” the ministry report said.
These attacks caught Montenegro on the hop, as its small cyber security team had no experience of dealing with attacks on this scale. It has only a dozen employees, who are being trained by US and UK cyber experts.
Amid reports that Russian hackers played a role in downing several websites on election day in Montenegro, the government in December adopted new measures to tighten cyber security.
It said it would strengthen the capacity of the police and intelligence services to prevent hacking, after the attacks on election day had highlighted the vulnerability of the entire system.
“It’s not just Russian hackers that they are dealing with. The small, under-equipped team is also dealing with the increase in online bank frauds and other attacks that do not have political background,” a government official told CIN-CG/BIRN.