Month: June 2023

Media outlets in Bosnia and Herzegovina have a headache, and part of the cause is Facebook.

As anywhere else around the world, the social media giant, owned by Meta, is a vital means for Bosnian media outlets to reach readers.

But editors and journalists in Bosnia tell BIRN they struggle with its inconsistency in content moderation and a lack of transparency about its algorithms. And when they call Facebook for clarification, too often they are left hanging.

“The same content is treated differently on two different Facebook profiles,” said one in an anonymous response to a BIRN survey of newsrooms, referring to the same text posted on the Facebook pages of two different media. “On one, it’s coloured orange [denoting semi-restricted content]. On another, it’s green, without any warnings or restrictions.”

“It’s confusing, and the procedure lacks transparency,” said another. “There’s no explanation; analysing algorithms comes down to experience.”

Analysing algorithms

Posting content that is deemed to violate Facebook rules can have far-reaching consequences for small media outlets, which rely on the platform’s sheer scale to reach an audience and attract advertisers. Repeat occurrences of content being flagged as false or misleading can result in a media’s visibility being reduced, or it being locked out altogether.

Meta’s website states: “Pages, groups, accounts and websites that repeatedly share misinformation will face some restrictions, including having their distribution reduced. This includes content rated False or Altered by fact-checking partners; content that is nearly identical to what fact-checkers have debunked as False or Altered…”

But even content that passes the grade must negotiate complex algorithms that push, promote or suppress visibility, determining which feeds it reaches and how often. How these algorithms work exactly is kept under wraps, and they are constantly changing.

Experimentation is the only way to get anywhere close to figuring them out, said social media expert Haris Alisic.

“Algorithms are a business secret of every company in the IT industry,” Alisic told BIRN. “That’s their competitive advantage… And, of course, there is no significant transparency around it. They do share some stuff, but it’s very general. Based on that, it is hard to figure out how the algorithm really works.”

Social media expert Haris Alisic. Photo: Courtesy of Haris Alisic.

According to Facebook, its algorithm uses “hundreds of signals” to make a prediction as to how likely a user is to engage with a post. One of the signals is, ‘Who posted the story?’

Based on these signals, the algorithm creates a “relevancy score” – “our best guess at how meaningful you will find this story”.

Facebook, however, is constantly tweaking its algorithm in response to a range of factors, including news events. Keeping up is a matter of trial and error.

Moderating content

In Bosnia, hate speech, harassment and incitement to violence remain major issues almost three decades since the end of a 1992-95 war. This is reflected in the media, and online.

Most cases of digital rights violations in Bosnia identified in BIRN’s Annual Digital Rights Report 2022 concerned “breaches related to reputation, endangering security, discrimination and hatred, and pressures on individuals because of publishing information on the internet, among others”.

But social media companies on the whole lack detailed understanding of each society in which they operate.

According to a 2022 report on content moderation in Bosnia, published by Article 19, 

“87% of Facebook’s spending on misinformation goes to English-language content, despite the fact that only 9% of its users are English speaking”.

“It has also been revealed that most resources and means in terms of content moderation are being allocated to a limited number of countries.”

Content moderation becomes a problem for media outlets if it is inconsistent or ignorant of local context.

“In their policy explanations, Facebook names different reasons why certain content can be flagged, from hate speech to disinformation,” said another media worker surveyed. 

“But in reality, we could see this kind of content still not removed or marked in any way, so the reader is aware of it. The responsibility of flagging the content is somehow left more to the users [individuals and organisations] and less to the company [Facebook], which is inviting people to its platform to use it but yet doesn’t protect them from this kind of content.”

In order to weed out misinformation and disinformation, Facebook relies on local fact-checkers; in the case of Bosnia, one of its partners is Raskrinkavanje, a team of 14 with backgrounds in media, political sciences, international relations and human rights.

Raskrinkavanje flags content, but it falls to Facebook to limit its reach. Media outlets need to check what they’re posting, said Elma Muric, communications editor at Raskrinkavanje.

“Journalists are not only obliged to disseminate correct information but also to stick to the ethics of journalism and fairly and impartially report about happenings and phenomena in the world,” Muric told BIRN. 

“Journalists who do follow the professional and ethical standards in their reporting, for sure, will not publish anything that could be flagged as disinformation or fake news.”

META’s office in Paris. Photo: Courtesy of Haris Ališić.

Mixed experiences

Besides their headaches in trying to figure out algorithms, some editors and journalists say they also struggle to get answers from Meta itself on any number of issues.

“Tried twice; they were slow and inefficient,” said one. “Didn’t really fix the problem I was having.”

Another said: “Enable simpler contact with Meta and easier access to information, especially algorithmic changes and recommendations.”

“We need clearer procedures regarding algorithm rules,” the journalist added. “There is no alternative, especially since we keep talking about the importance they [Facebook] have regarding the public debate and online participation.”

Not everyone shares such frustration. One journalist who took part in the survey told BIRN about their experience resolving an attempted scam:

 “I reached out to the Meta team and in a very short time I had a phone call with one of their crew, who checked from their side, and besides assuring us that it was a scam, not a real note from them, they shared advice on what to do to protect ourselves immediately, and how to recognise in the future if something is sent from there, or if it’s again some scam.”

Alisic described his own experience dealing with Facebook as “amazing”.

“We had a very close relationship. We still do,” he said. “They were always very professional and very quick to respond. They have very hard-working people.”

Given Facebook’s sheer size, inevitably there will be issues with communication, he said.

“You have to understand that there are tens of millions of pages on Facebook. It is literally impossible for them to be able to respond to everything timely, quickly, or personally, so just like in every other company, I guess they have to prioritise.”

BIRN contacted Meta for a response to this story, but received no reply.

After two recent mass shootings in Serbia, one at a school in Belgrade, there was a surge of attempted copycat attacks in the Balkan region, but also a series of digital violations including the spread of misinformation, breaches of privacy, fake footage and misleading claims.

Albania experienced several disturbing incidents of its own, including a fake gun scare at a school in Tirana and a fatal stabbing stemming from an online feud in Gramshi, highlighting the role of online platforms in escalating conflicts among Albanian youth.

In Montenegro, incidents such as a concerning Facebook post by a pupil in Zabljak and threats made on a school’s Viber group in Podgorica highlighted the delicate balance between freedom of expression and the responsibility for safety within society, while Croatia faced its own challenges following the Serbian mass shooting, with incidents including a ‘hit list’ made by a student from Bjelovar being circulated on TikTok and a gun photo being shared in a Zagreb school’s WhatsApp group.

Following the mass shootings in Serbia, threats were made on social media in Bosnia and Herzegovina and a young man was arrested after allegedly announcing online that he planned to replicate the violence.

In Kosovo, false information was spread online through the sharing of misleading articles and recycled misinformation, while a threatening message was posted on Instagram in North Macedonia.

False reports and videos in Serbia

The mass shooting by a teenager at the Vladislav Ribnikar Elementary School in Belgrade on May 3, in which eight students and a teacher were killed, sent shockwaves through society and was followed by online violations such as the circulation of fake footage, the invasion of victims’ relatives’ privacy and the proliferation of misinformation.

A man reacts as he walks past police officers blocking a street near the ‘Vladislav Ribnikar’ elementary school in Belgrade, Serbia, 03 May 2023. Photo: EPA-EFE/ANDREJ CUKIC

The right to privacy of the families who were affected was violated by the tabloid website Republika, which on May 9 published a sensationalist report about the funeral proceedings, contravening Serbia’s journalistic code and inflicting further anguish on the grieving families.

False reports also began to circulate on media websites and social networks. Unfounded claims emerged that a wounded teacher had also succumbed to their injuries, that vaccinated citizens were ineligible as blood donors, and that N1 TV had demanded the release of the suspect.

Days after the shooting, a video claiming to depict the school massacre was circulated on social media. The footage was shared widely on TikTok on May 6, but closer scrutiny revealed that it was not from Belgrade but had been taken during a different school shooting in the United States.

On May 6, another video surfaced on TikTok, purporting to show students from the school that was targeted in Belgrade bullying the perpetrator. Accompanied by captions insinuating that the footage captured the moments preceding the massacre or depicted the treatment that the perpetrator endured at the school, the video gained widespread circulation.

However, it was soon discovered that the video was unrelated to the Belgrade incident and originated from a school in Russia several months earlier.

Violence in Albania echoes Serbian shooting

On May 10, Albanian media outlet Gazetatema.net published a video showing the mass shooting in Serbia. In the days following the shooting, there were also two violent incidents in Albania involving young men and weapons.

Police officers close off the crime scene at Cetinje, Montenegro, 12 August 2022. Photo: EPA-EFE/BORIS PEJOVIC

The first incident happened in Farka in Tirana when a 20-year-old male entered a schoolyard and discharged shots into the air using a fake gun, inciting fear among students and staff. The motives behind the incident remain under investigation.

In the second incident, a 15-year-old Albanian lost his life in a stabbing near his school in Gramshi. The stabbing occurred as a direct result of an online feud between the attackers and the victim’s cousin.

Online threats made in Montenegro

In the aftermath of the mass shooting in Serbia, there were also two online incidents in Montenegro that were reported to have been related to the crime in Belgrade.

The first incident unfolded in the town of Zabljak, where Montenegrin police questioned a 13-year-old pupil after he wrote a Facebook post that alarmed the authorities.

The pupil wrote: “I understand the shooter in the Serbian elementary school. I would do the same, but I don’t have access to guns.” The authorities took his statement seriously and initiated an investigation. However, charges were eventually dropped, with the prosecution urging local social workers and the school to intervene and address the situation.

In another case, Montenegrin police questioned a pupil from an elementary school in Podgorica after threats were made in the school’s Viber group. The school management reported that the pupil had sent a photo of a gun along with a list of students he intended to harm.

Prompt action was taken by the authorities, who questioned the pupil and his parents, and the plastic gun was handed over to the police. The outcome of the investigation has not yet been made public.

Illustration of TikTok logo displayed on a phone in Los Angeles, California, USA, 17 May 2023. Photo: EPA-EFE/CAROLINE BREHMAN

Croatia faces school safety concerns

In the aftermath of the mass shooting in Serbia, there were also two incidents involving school students in Croatia.

On May 12, a pupil in the city of Bjelovar who claimed to have drawn inspiration from the shooting in Belgrade compiled a ‘hit list’ containing the names of her classmates. The list allegedly surfaced on the popular social media platform TikTok before being removed after the student was detained by the police.

However, concerns remained as it is possible that screenshots of the list might still be circulating privately among other students. The student was expelled from the school the same day.

In another incident that occurred on May 18 at the Dragutin Domjanic Elementary School in Gajnice in Zagreb, an eighth-grade boy who had argued with a friend allegedly took a photo of a gun and bullets at his home and shared it in a WhatsApp group.

The school promptly contacted the police, who reportedly spoke with the boy. The parents sent a message saying that the boy was under supervision at home and that everyone was safe, while the school emphasised that students should continue attending classes as usual because the overall safety of the school was being maintained.

Copycat shooting threatened in Bosnia

In the wake of the mass shooting in Serbia, a young man in Bosnia and Herzegovina threatened a copycat incident in the city of Bihac. The young man posted a threatening message on Instagram, claiming to be preparing to stage a massacre at a school of economics. Police arrested him on charges of endangering security and terrorism. Reuters reported that he had a history of threats and bullying on social media and that charges against him were dropped last year because he was too young to be prosecuted.

Meanwhile, a threatening video was circulated on social media, made by a man from the town of Banovici who said he was going to commit a massacre in Bosnia and Herzegovina, linking it to the recent mass shooting in Serbia. Authorities from both countries worked together to identify the individual and prevent any potential violence.

Incidents in Kosovo and North Macedonia

In Kosovo, a misleading article entitled “SERIOUS: The Moment When a 14-Year-Old Kills His Classmates in Serbia is Published” was published by the Sprint.al website. The article claimed to feature a video depicting the Belgrade school shooting.

However, investigations by BIRN Kosovo’s Kryptometer team revealed that the video was not filmed in Serbia, as claimed, but in Mexico in 2017.

Meanwhile in North Macedonia, a student from the Slavcho Stojmenski high school in Shtip posted a threatening message on Instagram on May 11 and was subsequently detained by the police. The motives behind the student’s actions have not yet been made public.

Bosnia has been covered by Elma Selimovic and Aida Trepanić, Albania by Nensi Bogdani, North Macedonia by Bojan Stojkovski, Montenegro by Samir Kajosevic, Kosovo by Diedon Nixha, Croatia by Matej Augustin and Serbia by Bojan Perkov and Ninoslava Bogdanović of SHARE Foundation

The Balkan region has witnessed a significant increase in internet penetration and the integration of Biometrics and Digital Identity BDI technologies into various sectors, BIRN research shows.

Between 2020 and 2023, Albania, Bosnia and Herzegovina, North Macedonia, Kosovo and Serbia all experienced a notable increase in cyberattacks, specifically phishing and ransomware incidents.

BIRN has mapped 40 cases and has collated data on notable cyberattacks targeting the Balkan region’s BDI systems into a database. Research focused on cases that resulted in a significant data breach and/or compromised large amounts of data.

Data collection involved document analysis, case study examination and interviews with IT employees. These approaches provide insights into the state of BDI and cybersecurity threats in the Balkan region, as well as notable cyberattacks targeting critical infrastructure and public institutions.

The research shows a prevalence of cyberattacks targeting critical online infrastructure, services and computers. Inadequate public awareness and cybersecurity policies, and limited regional collaboration, have exacerbated the challenges the Balkan countries face in combating cybercrime.

The public sector, banks and individual citizens were primary targets of these cyberattacks. Perpetrators exploited vulnerabilities in the digital infrastructure and security measures of both private and public entities. 

A growing reliance on biometrics and digital identity in online banking, e-government services and border control is a key regional trend. Technological advances aimed at improving security and efficiency drove this reliance. However, implementing BDI systems has raised concerns about protecting individuals’ privacy, data, and the potential misuse of personal information. 

Addressing cybersecurity threats in the Balkan region requires increased public awareness, improved cybersecurity policies and practices and enhanced regional collaboration. 

The Balkan region faces significant risks and opportunities due to its growing reliance on biometrics and digital identity. Balancing security with privacy and data protection is crucial in this context.

The Balkan region has witnessed a significant increase in internet penetration and the integration of Biometrics and Digital Identity BDI technologies into various sectors, BIRN research shows.

Between 2020 and 2023, Albania, Bosnia and Herzegovina, North Macedonia, Kosovo and Serbia all experienced a notable increase in cyberattacks, specifically phishing and ransomware incidents. 

BIRN has mapped 40 cases and has collated data on notable cyberattacks targeting the Balkan region’s BDI systems into a database. Research focused on cases that resulted in a significant data breach and/or compromised large amounts of data.

Data collection involved document analysis, case study examination and interviews with IT employees. These approaches provide insights into the state of BDI and cybersecurity threats in the Balkan region, as well as notable cyberattacks targeting critical infrastructure and public institutions. 

The research shows a prevalence of cyberattacks targeting critical online infrastructure, services and computers. Inadequate public awareness and cybersecurity policies, and limited regional collaboration, have exacerbated the challenges the Balkan countries face in combating cybercrime.

The public sector, banks and individual citizens were primary targets of these cyberattacks. Perpetrators exploited vulnerabilities in the digital infrastructure and security measures of both private and public entities. 

A growing reliance on biometrics and digital identity in online banking, e-government services and border control is a key regional trend. Technological advances aimed at improving security and efficiency drove this reliance. However, implementing BDI systems has raised concerns about protecting individuals’ privacy, data, and the potential misuse of personal information. 

Addressing cybersecurity threats in the Balkan region requires increased public awareness, improved cybersecurity policies and practices and enhanced regional collaboration. 

The Balkan region faces significant risks and opportunities due to its growing reliance on biometrics and digital identity. Balancing security with privacy and data protection is crucial in this context.

Cyberttacks reveal cracks in North Macedonia’s defences

North Macedonia has become a target of almost relentless hacker attacks, placing various state institutions in jeopardy. These attacks are a sobering reminder of the country’s inadequate cyber security capabilities, leaving it ill-prepared and vulnerable. An attack on the Health Insurance Fund in February 2023 for example disrupted its operations for several weeks, exposing gaps in cyber security.

The Agriculture Ministry’s experience in September 2022 further exposed the weaknesses in the government’s defences; its staff had limited internet access for over a month following a cyberattack. 

These incidents have shed light on the urgent need for the government in Skopje to invest in strengthening its cyber security infrastructure and safeguarding sensitive data and systems from malicious actors.

Multiple leaks of email addresses and passwords from various ministries have also raised concerns. These breaches underscore the importance of bolstering cyber security measures across government entities. Recognizing these challenges, the country’s national centre for responding to computer incidents has conducted a report outlining noteworthy trends based on cybersecurity incidents.

One concerning trend highlighted in the report is the increasing number of Macedonian websites falling victim to hacking, particularly through phishing tactics. Attackers often install malicious content on server operating systems, allowing them to compromise websites. The report emphasizes the urgency of addressing this issue.

Another alarming development involves Macedonian public IPv4 addresses being identified abroad as sources of attacks and data theft from foreign servers. This discovery raises concerns about the security of these addresses, necessitating enhanced measures to prevent such activities and protect sensitive information.

A case involving compromising email accounts of government and public sector organizations in North Macedonia is of particular significance. Attackers exploited vulnerabilities in mail servers to send phishing emails from compromised accounts. This highlights the critical importance of securing email systems and preventing unauthorized access.

Furthermore, several North Macedonian organizations have fallen victim to cyberattacks due to compromises or vulnerabilities in their email servers. In some instances, hackers executed ransomware attacks by exploiting unaddressed vulnerabilities. These incidents underscore the need for robust security measures to protect against evolving threats.

Cyberattack motive per country in per cents.

Distributed Denial of Service or DDoS attacks have also posed a significant threat, targeting numerous institutions and organisations in North Macedonia over the past few years. These attacks disrupt services by overwhelming servers with an overwhelming amount of traffic.

According to MKD-CIRT’s report, the number of reported incidents increased from 1,443 in 2020 to 1,880 in 2021. However, it is worth noting that these figures include malicious activities detected outside the country, where Macedonian IP addresses were identified as the source of harmful activities. This highlights the need for collaborative efforts to combat cyber threats beyond national borders.

The escalating wave of cyber attacks and the vulnerabilities exposed in North Macedonia’s cyber security apparatus necessitates urgent action. Strengthening defences, investing in advanced technologies and fostering international cooperation are vital to safeguarding the country’s critical infrastructure, sensitive data, and digital systems from malicious actors in an increasingly interconnected world.

Cyberattacks Targeting Industries and Institutions in Kosovo Prompt Action

Over the past three years, Kosovo has faced a significant number of cyberattacks targeting various industries. Among the most common attacks are password thefts from social networks. Some notable attacks include wealth gain schemes, attacks on banks, hacking of politician profiles, and various scams.

In April 2020, Banka Ekonomike, one of Kosovo’s largest banks, fell victim to a ransomware attack known as DoppelPaymer. According to a threat assessment by the Danish Centre for Cyber Security in 2021, the hackers leaked over 70 GB of data, including sensitive information such as clients’ names, credit card numbers, income details and client loans. The leaked data also contained sensitive information about bank employees.

Just five months later, in September 2020, the Facebook account of former Deputy Interior Minister Zafir Berisha was hacked. The incident occurred shortly after Berisha was appointed Kosovo’s National Cyber Security Coordinator. As of April 2023, there is no official information on the identity of the hackers.

Target in the countries in per cents.

Public institutions in Kosovo have been targeted with phishing. The Ministry of Interior confirmed phishing cyberattacks in February 2022, although it said no infrastructure damage or significant harm occurred. These phishing attacks, where institutions receive fraudulent emails appearing to be from official sources, are quite frequent.

All reported cases have been handed over to the police, but there is no official update on the progress of investigations. 

Due to the lack of a centralized approach to combating hackers, Kosovo has introduced a legal foundation to prevent cybercrime. As part of a proposed bill to enhance computer security, a State Authority for Cyber Security will be established.

Furthermore, in response to the cyberattacks, the government has proposed the creation of an Agency for Cyber Security. In September 2022, the government approved a draft cyber security law that includes the formation of this agency. 

The law aims to strengthen computer security in Kosovo, and additional measures include establishing a 24/7 contact point within the police. These initiatives seek to bolster the country’s defences and protect against future cyber threats.

Bosnia grapples with rising cyberattacks and data leaks

In Bosnia and Herzegovina, there have been 11 cases of data leaks resulting from hacking attacks since 2020, BIRN research reveals. Ransomware and phishing campaigns were the most prevalent types of attacks.

One of the most recent notable cases occurred in September 2022 when a ransomware attack targeted the servers of the Parliament of Bosnia and Herzegovina. The parliament’s website and computers were rendered inaccessible for over two weeks.

However, many hacking incidents remain hidden from the public. The Ministry of Interior of Republika Srpska, one of the two entities in Bosnia and Herzegovina, reported 23 registered ransomware attacks during the targeted period.

Regarding phishing campaigns, Police recorded 107 such attacks, mainly targeting individuals. The police spokesperson for Republika Srpska noted the complexity of accurately registering such cases, as they can be classified as the creation and introduction of computer viruses, computer sabotage, unauthorized access to protected computers, computer networks, telecommunications networks, or electronic data processing.

In the Federation of Bosnia and Herzegovina, Bosnia’s other entity, Police reported a total of 117 cyberattacks; 33 were ransomware attacks, with the majority targeting private companies and individuals. Public institutions were subjected to various hacking attacks on 30 different occasions during the monitored period.

Type of attack depending on the target in per cents.

In September 2022, Bosnia’s Intelligence-Security Agency OSA urged institutions and individuals to safeguard their information and communication systems due to increased cyberattacks. OSA emphasized the importance of conducting security assessments and implementing protective measures promptly to proactively prevent attacks. They also highlighted their cooperation with domestic and international partners to counter the intensifying threats.

The first report on cyber threats in Bosnia and Herzegovina revealed that the country faces millions of cyberattacks each month. However, it lacks the necessary strategies, legislation and capacity to protect its citizens, institutions, and companies effectively.

During November 2022, over 9.2 million distinct cyberattacks targeted a wide range of entities in Bosnia, as highlighted in a report presented by the Center for Cybersecurity Excellence, CSEC, and BIRN in mid-April.

From Ransomware to Phishing, Serbia Faces Persistent Wave of Attacks

Serbia has seen its share of cyberattacks over the past years, from major national incidents to almost daily phishing and scam campaigns. 

The first one coincided with the Covid-19 pandemic. In early March 2020, the local public utility company Informatika in Novi Sad, Serbia’s second largest city, was hit by ransomware compromising its infrastructure and employees’ data. 

Another big cyber threat occurred in May two years later, blocking the databases of the Republic Geodetic Authority for nine days, with the attack, launched from five IP addresses, involving two malwares and Phobos ransomware.

Public institutions were not the only ones targeted. According to international cyber security platforms and watchdogs, hacker groups, such as LockBit and Quilin claimed they attacked BIG CEE and Gigatron, two large private companies and chains, and obtained their financial and employees’ data. 

Malware, ransomware, phishing and, to a degree, Distributed Denials of Service, DDos, are the main threats. According to the National CERT of the Republic of Serbia, the information security organisation, the most common incidents in 2020 and 2021 involved attempted intrusions into ICT systems and unauthorized data collection. In that period, around 40 million cyberattacks on Information and Communication Technology (ICT) systems occurred.

Phishing campaigns remain one of the most widespread methods jeopardizing the cyber security of government, but also the financial sector. 

Numerous banks have warned their clients of ongoing phishing and scam emails being circulated, with perpetrators setting up fake social media accounts and organizing fraudulent giveaways. Another frequent target of phishing campaigns was the public enterprise Post of Serbia. Scammers use Viber and other messaging apps, or email, to allegedly inform recipients that their packages are held and that they need to pay money to recover them. 

Although these cases get reported, a recent report by the State Auditing Institution points out that communication between institutions and the National CERT needs to improve, as public and governmental bodies and companies often do not inform the authorities of incidents. For that reason, some attacks remain unidentified for a long period, increasing the risk and damage to the information infrastructure and data.

Type of attack per country in per cents.

Cyber activists have discovered that the app MojDoktor [My Doctor], used for health appointments and connecting Serbian health centres with the integrated information system, was exploited for almost three years. This included several email servers from a local health centre, which were used for spam, phishing, but also malware and virus attacks.

Most cases in the past three years were reported to the Special Prosecution Office for High Tech Crime and Organised Crime. However, the perpetrators often remain unknown, and court epilogues are few. 

Series of cyber intrusions shakes Albania

Albania has faced several cyberattacks that have targeted its key institutions and businesses. These attacks have caused significant disruptions and raised concerns about cybersecurity.

One notable incident occurred on January 30, 2023, when Air Albania, a prominent airline company, fell victim to a cyberattack. The attackers, identified as the LockBit ransomware group, claimed they infiltrated Air Albania’s online infrastructure to extort a ransom. They claimed to have stolen and encrypted the company’s data, demanding payment for its release. 

The ransom notice was displayed on the LockBit group’s Dark Web Tor Blog page. Despite the attack, Air Albania assured the public that its data remained secure and that system updates were being implemented. The company did not comment further on the incident.

Another significant cyber incident involved Credins Bank, one of Albania’s largest financial institutions. On December 23, 2022, Credins Bank had to suspend its online services due to a cyberattack orchestrated by the Homeland Justice group. The attackers claimed they targeted the bank in response to the Albanian government’s support for the Iranian opposition group, MEK. 

In a concerning development, Homeland Justice shared documents allegedly obtained from the bank on one of their Telegram channels. The bank did not confirm the authenticity of these leaked documents, titled “ALLAccountsCustomers.zip,” which cautioned against their circulation.

The Albania Police Supervisory Agency also faced a cyber threat. On September 21, 2021, the agency reported an attempted attack on its servers. The attack was successfully blocked, however, and the agency stated that no data had been stolen.

The most significant cyber incident to date in Albania occurred on July 15, 2022, when the government’s centralized e-services system was breached. This breach affected various government infrastructure, resulting in the gradual leakage of sensitive information over several months. 

The attackers, masquerading as the Homeland Justice group on social network accounts, exposed emails belonging to the State Police director and a list of employees from the secret services. 

Microsoft Threat Intelligence investigations revealed that the initial access to the system occurred in May 2021 through a vulnerability in a SharePoint Server. By July 2021, the attackers had fortified their access using a misconfigured service account. Ransomware and wiper malware were employed to achieve their objectives. 

Microsoft and the FBI suggested that Iran might be behind the attack, leading Albania to sever diplomatic relations with Iran as a response. Iran has denied involvement, but Albania believes Tehran was responsible due to its decision to grant refuge to an Iranian opposition movement that is considered a terrorist group by the Iranian government.

These cyber incidents in Albania highlight the growing threat of cybercrime and the need for enhanced cybersecurity measures to protect critical infrastructure and businesses. The attacks have not only caused disruptions but also strained diplomatic relations. Albania’s government and institutions must remain vigilant and collaborate with international partners to strengthen their cybersecurity defences and mitigate future risks.

Journalists involved in conducting this research are Igor Ispanovic, Azem Kurtic, Gjergj Erebara, Xheneta Murtezaj, and Bojan Stojkovski.