A surge in cyberattacks, particularly phishing and ransomware, has left Balkan countries to improve their defences against cybercrime, BIRN research shows.
The Balkan region has witnessed a significant increase in internet penetration and the integration of Biometrics and Digital Identity BDI technologies into various sectors, BIRN research shows.
Between 2020 and 2023, Albania, Bosnia and Herzegovina, North Macedonia, Kosovo and Serbia all experienced a notable increase in cyberattacks, specifically phishing and ransomware incidents.
BIRN has mapped 40 cases and has collated data on notable cyberattacks targeting the Balkan region’s BDI systems into a database. Research focused on cases that resulted in a significant data breach and/or compromised large amounts of data.
Data collection involved document analysis, case study examination and interviews with IT employees. These approaches provide insights into the state of BDI and cybersecurity threats in the Balkan region, as well as notable cyberattacks targeting critical infrastructure and public institutions.
The research shows a prevalence of cyberattacks targeting critical online infrastructure, services and computers. Inadequate public awareness and cybersecurity policies, and limited regional collaboration, have exacerbated the challenges the Balkan countries face in combating cybercrime.
The public sector, banks and individual citizens were primary targets of these cyberattacks. Perpetrators exploited vulnerabilities in the digital infrastructure and security measures of both private and public entities.
A growing reliance on biometrics and digital identity in online banking, e-government services and border control is a key regional trend. Technological advances aimed at improving security and efficiency drove this reliance. However, implementing BDI systems has raised concerns about protecting individuals’ privacy, data, and the potential misuse of personal information.
Addressing cybersecurity threats in the Balkan region requires increased public awareness, improved cybersecurity policies and practices and enhanced regional collaboration.
The Balkan region faces significant risks and opportunities due to its growing reliance on biometrics and digital identity. Balancing security with privacy and data protection is crucial in this context.
The Balkan region has witnessed a significant increase in internet penetration and the integration of Biometrics and Digital Identity BDI technologies into various sectors, BIRN research shows.
Between 2020 and 2023, Albania, Bosnia and Herzegovina, North Macedonia, Kosovo and Serbia all experienced a notable increase in cyberattacks, specifically phishing and ransomware incidents.
BIRN has mapped 40 cases and has collated data on notable cyberattacks targeting the Balkan region’s BDI systems into a database. Research focused on cases that resulted in a significant data breach and/or compromised large amounts of data.
Data collection involved document analysis, case study examination and interviews with IT employees. These approaches provide insights into the state of BDI and cybersecurity threats in the Balkan region, as well as notable cyberattacks targeting critical infrastructure and public institutions.
The research shows a prevalence of cyberattacks targeting critical online infrastructure, services and computers. Inadequate public awareness and cybersecurity policies, and limited regional collaboration, have exacerbated the challenges the Balkan countries face in combating cybercrime.
The public sector, banks and individual citizens were primary targets of these cyberattacks. Perpetrators exploited vulnerabilities in the digital infrastructure and security measures of both private and public entities.
A growing reliance on biometrics and digital identity in online banking, e-government services and border control is a key regional trend. Technological advances aimed at improving security and efficiency drove this reliance. However, implementing BDI systems has raised concerns about protecting individuals’ privacy, data, and the potential misuse of personal information.
Addressing cybersecurity threats in the Balkan region requires increased public awareness, improved cybersecurity policies and practices and enhanced regional collaboration.
The Balkan region faces significant risks and opportunities due to its growing reliance on biometrics and digital identity. Balancing security with privacy and data protection is crucial in this context.
Cyberttacks reveal cracks in North Macedonia’s defences
North Macedonia has become a target of almost relentless hacker attacks, placing various state institutions in jeopardy. These attacks are a sobering reminder of the country’s inadequate cyber security capabilities, leaving it ill-prepared and vulnerable. An attack on the Health Insurance Fund in February 2023 for example disrupted its operations for several weeks, exposing gaps in cyber security.
The Agriculture Ministry’s experience in September 2022 further exposed the weaknesses in the government’s defences; its staff had limited internet access for over a month following a cyberattack.
These incidents have shed light on the urgent need for the government in Skopje to invest in strengthening its cyber security infrastructure and safeguarding sensitive data and systems from malicious actors.
Multiple leaks of email addresses and passwords from various ministries have also raised concerns. These breaches underscore the importance of bolstering cyber security measures across government entities. Recognizing these challenges, the country’s national centre for responding to computer incidents has conducted a report outlining noteworthy trends based on cybersecurity incidents.
One concerning trend highlighted in the report is the increasing number of Macedonian websites falling victim to hacking, particularly through phishing tactics. Attackers often install malicious content on server operating systems, allowing them to compromise websites. The report emphasizes the urgency of addressing this issue.
Another alarming development involves Macedonian public IPv4 addresses being identified abroad as sources of attacks and data theft from foreign servers. This discovery raises concerns about the security of these addresses, necessitating enhanced measures to prevent such activities and protect sensitive information.
A case involving compromising email accounts of government and public sector organizations in North Macedonia is of particular significance. Attackers exploited vulnerabilities in mail servers to send phishing emails from compromised accounts. This highlights the critical importance of securing email systems and preventing unauthorized access.
Furthermore, several North Macedonian organizations have fallen victim to cyberattacks due to compromises or vulnerabilities in their email servers. In some instances, hackers executed ransomware attacks by exploiting unaddressed vulnerabilities. These incidents underscore the need for robust security measures to protect against evolving threats.
Cyberattack motive per country in per cents.
Distributed Denial of Service or DDoS attacks have also posed a significant threat, targeting numerous institutions and organisations in North Macedonia over the past few years. These attacks disrupt services by overwhelming servers with an overwhelming amount of traffic.
According to MKD-CIRT’s report, the number of reported incidents increased from 1,443 in 2020 to 1,880 in 2021. However, it is worth noting that these figures include malicious activities detected outside the country, where Macedonian IP addresses were identified as the source of harmful activities. This highlights the need for collaborative efforts to combat cyber threats beyond national borders.
The escalating wave of cyber attacks and the vulnerabilities exposed in North Macedonia’s cyber security apparatus necessitates urgent action. Strengthening defences, investing in advanced technologies and fostering international cooperation are vital to safeguarding the country’s critical infrastructure, sensitive data, and digital systems from malicious actors in an increasingly interconnected world.
Cyberattacks Targeting Industries and Institutions in Kosovo Prompt Action
Over the past three years, Kosovo has faced a significant number of cyberattacks targeting various industries. Among the most common attacks are password thefts from social networks. Some notable attacks include wealth gain schemes, attacks on banks, hacking of politician profiles, and various scams.
In April 2020, Banka Ekonomike, one of Kosovo’s largest banks, fell victim to a ransomware attack known as DoppelPaymer. According to a threat assessment by the Danish Centre for Cyber Security in 2021, the hackers leaked over 70 GB of data, including sensitive information such as clients’ names, credit card numbers, income details and client loans. The leaked data also contained sensitive information about bank employees.
Just five months later, in September 2020, the Facebook account of former Deputy Interior Minister Zafir Berisha was hacked. The incident occurred shortly after Berisha was appointed Kosovo’s National Cyber Security Coordinator. As of April 2023, there is no official information on the identity of the hackers.
Target in the countries in per cents.
Public institutions in Kosovo have been targeted with phishing. The Ministry of Interior confirmed phishing cyberattacks in February 2022, although it said no infrastructure damage or significant harm occurred. These phishing attacks, where institutions receive fraudulent emails appearing to be from official sources, are quite frequent.
All reported cases have been handed over to the police, but there is no official update on the progress of investigations.
Due to the lack of a centralized approach to combating hackers, Kosovo has introduced a legal foundation to prevent cybercrime. As part of a proposed bill to enhance computer security, a State Authority for Cyber Security will be established.
Furthermore, in response to the cyberattacks, the government has proposed the creation of an Agency for Cyber Security. In September 2022, the government approved a draft cyber security law that includes the formation of this agency.
The law aims to strengthen computer security in Kosovo, and additional measures include establishing a 24/7 contact point within the police. These initiatives seek to bolster the country’s defences and protect against future cyber threats.
Bosnia grapples with rising cyberattacks and data leaks
In Bosnia and Herzegovina, there have been 11 cases of data leaks resulting from hacking attacks since 2020, BIRN research reveals. Ransomware and phishing campaigns were the most prevalent types of attacks.
One of the most recent notable cases occurred in September 2022 when a ransomware attack targeted the servers of the Parliament of Bosnia and Herzegovina. The parliament’s website and computers were rendered inaccessible for over two weeks.
However, many hacking incidents remain hidden from the public. The Ministry of Interior of Republika Srpska, one of the two entities in Bosnia and Herzegovina, reported 23 registered ransomware attacks during the targeted period.
Regarding phishing campaigns, Police recorded 107 such attacks, mainly targeting individuals. The police spokesperson for Republika Srpska noted the complexity of accurately registering such cases, as they can be classified as the creation and introduction of computer viruses, computer sabotage, unauthorized access to protected computers, computer networks, telecommunications networks, or electronic data processing.
In the Federation of Bosnia and Herzegovina, Bosnia’s other entity, Police reported a total of 117 cyberattacks; 33 were ransomware attacks, with the majority targeting private companies and individuals. Public institutions were subjected to various hacking attacks on 30 different occasions during the monitored period.
Type of attack depending on the target in per cents.
In September 2022, Bosnia’s Intelligence-Security Agency OSA urged institutions and individuals to safeguard their information and communication systems due to increased cyberattacks. OSA emphasized the importance of conducting security assessments and implementing protective measures promptly to proactively prevent attacks. They also highlighted their cooperation with domestic and international partners to counter the intensifying threats.
The first report on cyber threats in Bosnia and Herzegovina revealed that the country faces millions of cyberattacks each month. However, it lacks the necessary strategies, legislation and capacity to protect its citizens, institutions, and companies effectively.
During November 2022, over 9.2 million distinct cyberattacks targeted a wide range of entities in Bosnia, as highlighted in a report presented by the Center for Cybersecurity Excellence, CSEC, and BIRN in mid-April.
From Ransomware to Phishing, Serbia Faces Persistent Wave of Attacks
Serbia has seen its share of cyberattacks over the past years, from major national incidents to almost daily phishing and scam campaigns.
The first one coincided with the Covid-19 pandemic. In early March 2020, the local public utility company Informatika in Novi Sad, Serbia’s second largest city, was hit by ransomware compromising its infrastructure and employees’ data.
Another big cyber threat occurred in May two years later, blocking the databases of the Republic Geodetic Authority for nine days, with the attack, launched from five IP addresses, involving two malwares and Phobos ransomware.
Public institutions were not the only ones targeted. According to international cyber security platforms and watchdogs, hacker groups, such as LockBit and Quilin claimed they attacked BIG CEE and Gigatron, two large private companies and chains, and obtained their financial and employees’ data.
Malware, ransomware, phishing and, to a degree, Distributed Denials of Service, DDos, are the main threats. According to the National CERT of the Republic of Serbia, the information security organisation, the most common incidents in 2020 and 2021 involved attempted intrusions into ICT systems and unauthorized data collection. In that period, around 40 million cyberattacks on Information and Communication Technology (ICT) systems occurred.
Phishing campaigns remain one of the most widespread methods jeopardizing the cyber security of government, but also the financial sector.
Numerous banks have warned their clients of ongoing phishing and scam emails being circulated, with perpetrators setting up fake social media accounts and organizing fraudulent giveaways. Another frequent target of phishing campaigns was the public enterprise Post of Serbia. Scammers use Viber and other messaging apps, or email, to allegedly inform recipients that their packages are held and that they need to pay money to recover them.
Although these cases get reported, a recent report by the State Auditing Institution points out that communication between institutions and the National CERT needs to improve, as public and governmental bodies and companies often do not inform the authorities of incidents. For that reason, some attacks remain unidentified for a long period, increasing the risk and damage to the information infrastructure and data.
Type of attack per country in per cents.
Cyber activists have discovered that the app MojDoktor [My Doctor], used for health appointments and connecting Serbian health centres with the integrated information system, was exploited for almost three years. This included several email servers from a local health centre, which were used for spam, phishing, but also malware and virus attacks.
Most cases in the past three years were reported to the Special Prosecution Office for High Tech Crime and Organised Crime. However, the perpetrators often remain unknown, and court epilogues are few.
Series of cyber intrusions shakes Albania
Albania has faced several cyberattacks that have targeted its key institutions and businesses. These attacks have caused significant disruptions and raised concerns about cybersecurity.
Methodology Used in the Research
To explore the intricate world of BDI and cybersecurity in the Balkan region, this research
adopted a qualitative approach using mixed methods, including a desk review of relevant
studies and reports, interviews with IT employees at IT departments in public companies and
institutions, and the case study research design. This research methodology is appropriate for
enabling a deep understanding of the complex relationship between cybersecurity and BDI in
the Balkan region.
A multifaceted data collection approach was employed for this research, including document
analysis and case study examination. The researchers first conducted a literature review of
government and NGO reports, news articles, and industry reports.
Secondly, the researchers collated data on notable cyberattacks targeting the Balkan
region’s BDI systems into a database and interviewed IT employees. Selected
case studies offered invaluable insights into cyberattacks on critical infrastructure and public
institutions, servers and revealed large data breaches and leaks.
To analyze the data, the report relied on qualitative content and comparative analysis methods
to analyze cyberattack incidents across five Balkan countries. The research also relied on
triangulation, a technique used in mixed-methods research, to enhance validity and reliability by
cross-checking data from different sources.
One notable incident occurred on January 30, 2023, when Air Albania, a prominent airline company, fell victim to a cyberattack. The attackers, identified as the LockBit ransomware group, claimed they infiltrated Air Albania’s online infrastructure to extort a ransom. They claimed to have stolen and encrypted the company’s data, demanding payment for its release.
The ransom notice was displayed on the LockBit group’s Dark Web Tor Blog page. Despite the attack, Air Albania assured the public that its data remained secure and that system updates were being implemented. The company did not comment further on the incident.
Another significant cyber incident involved Credins Bank, one of Albania’s largest financial institutions. On December 23, 2022, Credins Bank had to suspend its online services due to a cyberattack orchestrated by the Homeland Justice group. The attackers claimed they targeted the bank in response to the Albanian government’s support for the Iranian opposition group, MEK.
In a concerning development, Homeland Justice shared documents allegedly obtained from the bank on one of their Telegram channels. The bank did not confirm the authenticity of these leaked documents, titled “ALLAccountsCustomers.zip,” which cautioned against their circulation.
The Albania Police Supervisory Agency also faced a cyber threat. On September 21, 2021, the agency reported an attempted attack on its servers. The attack was successfully blocked, however, and the agency stated that no data had been stolen.
The most significant cyber incident to date in Albania occurred on July 15, 2022, when the government’s centralized e-services system was breached. This breach affected various government infrastructure, resulting in the gradual leakage of sensitive information over several months.
The attackers, masquerading as the Homeland Justice group on social network accounts, exposed emails belonging to the State Police director and a list of employees from the secret services.
Microsoft Threat Intelligence investigations revealed that the initial access to the system occurred in May 2021 through a vulnerability in a SharePoint Server. By July 2021, the attackers had fortified their access using a misconfigured service account. Ransomware and wiper malware were employed to achieve their objectives.
Microsoft and the FBI suggested that Iran might be behind the attack, leading Albania to sever diplomatic relations with Iran as a response. Iran has denied involvement, but Albania believes Tehran was responsible due to its decision to grant refuge to an Iranian opposition movement that is considered a terrorist group by the Iranian government.
These cyber incidents in Albania highlight the growing threat of cybercrime and the need for enhanced cybersecurity measures to protect critical infrastructure and businesses. The attacks have not only caused disruptions but also strained diplomatic relations. Albania’s government and institutions must remain vigilant and collaborate with international partners to strengthen their cybersecurity defences and mitigate future risks.
Journalists involved in conducting this research are Igor Ispanovic, Azem Kurtic, Gjergj Erebara, Xheneta Murtezaj, and Bojan Stojkovski.