North Macedonia Ministry Denies Covering up Ransomware Attack

Ministry rejects opposition claim that it kept the ransomware group’s attack secret – and that significant documents and data might have gone missing.


North Macedonia’s Agriculture Minister, Ljupco Nikolovski. Archive photo: mzsv.gov.mk

North Macedonia’s Agriculture Ministry has admitted that on September 12 it was attacked by the ransomware group BlackByte, previously best known for attacking key US infrastructure and agencies.

The admission came after the head of the agriculture committee for the main opposition VMRO DPMNE party, Cvetan Tripunovski, on Sunday accused the ministry of keeping silent about the attack.

The ministry has now confirmed that some documents were compromised during the attack and that its work was blocked for some time, but it denied having lost any significant documents and data in the process.

“There has been damaging or decryption of data from office documents such as Word, Excel and PDF, while the applications of the ministry … were not damaged by the attack but were shut down as a preventive measure, and are now active again,” the ministry told BIRN on Monday.

It did not reveal what kind of data these documents contained. Their formats are among the most commonly used in many public institutions.

It added that the ministry’s “archive is also [now] functional and works, without a single document gone missing or damaged”.

“From sources inside the ministry, we found out that a large part of the documents from the ministry’s archive have gone missing,” Tripunovski said on Sunday, alleging that they had heard of data gone missing from the ministry’s register of farms, wine buyers, agricultural companies and organic producers.

The opposition official added that the register of active contracts for leasing agricultural land was also missing, as well as the list of the ministry’s debtors and the documentation on all the administrative disputes that the ministry is involved in.

Tripunovski also gave the entire affair an unexpected spin by speculating whether the digital attack was for real, or a device to cover up crimes.

“The silence of the Agriculture Minister, Ljupco Nikolovski, casts serious doubt on whether this is even a hacker attack, or whether this was done to cover up criminal actions and misuses by the government of the Anti-Macedonian SDS [the main ruling Social Democrats],” he said.

The ministry on Monday said the allegations were “nonsense”.

Asked why the public only found out about the attack that happened on September 12 in a press release on its website on Sunday, the ministry insisted that while the website had been functioning properly all the time, it had informed the public about the attack on the day it happened, but only on its Facebook page.

According to research done by the online security company Trend Micro, published in July, the BlackByte ransomware group has been building a name for itself since 2021 by going after “critical infrastructure for a higher chance of getting a pay-out”.

The North Macedonian Ministry did not clarify whether the group demanded a payout, or if and how it responded to such demands.

BlackByte made its debut in July 2021, the research notes, adding that in its first year of activity it garnered the attention of the US FBI and the US Secret Service, USS, for going after “at least three US critical infrastructure sectors, notably the government facilities, financial, and food and agriculture.”

The research notes: “At present, BlackByte continues to target organizations from all over the world. However, like LockBit, RansomEXX, and many other ransomware families, BlackByte avoids attacking Russia-based entities.”

The latest attack on a North Macedonian ministry comes after the country’s education ministry’s site was downed earlier this month, seemingly by an unrelated group of hackers, prompting North Macedonia’s National Centre for Computer Incident Response to urge all state institutions and companies to beef up their online security protocols against potential cyber-attacks.

It follows a spate of cyber-attacks on state institutions in Montenegro, Kosovo and Albania, which some observers suspect might be connected to Russia, a connection Moscow has denied.
