Kosovo’s media regulatory body on Wednesday said it was subjected to a severe cyber-attack in January that has resulted in a loss of data and access to official email addresses and internal systems for almost two months.
Faruk Rexhaj, acting head of the Independent Media Commission, IMC, confirmed that many electronic services had been disabled because of the attack in January.
“We have not restored [the lost material] yet because we need to go through procurement procedures to hire an expert on restoring the servers. Procedures took some time but we are almost at the end,” Rexhaj told BIRN.
According to Rexhaj, the IMC is working to restore the system after the attack and blamed delays on the procurement procedures needed before hiring an expert to deal with the issue.
“We are in procedure to restore equipment, materials and systems to normalcy. We are working on it,” he added.
The IMC is an independent institution responsible for the regulation, management and oversight of the broadcasting frequency spectrum in Kosovo.
It licenses public and private broadcasters, establishes and implements policy and regulates broadcasting rights, obligations and responsibilities of individuals and entities who provide audio and audiovisual media services.
Rexhaj said police were informed about the attack. “We informed the police, and the Department for Cyber Crimes has taken all data they need. They have concluded that the attack was similar to some other cases and it is not related to anything specific. This kind of attack happens all over the world,” Rexhaj said.
A well known group of supposedly Greek-based hackers, calling themselves “Powerful Greek Army”, has claimed it took down the pages of several banks in North Macedonia on Tuesday evening for a couple of hours.
Only one bank, however, the private TTK Bank, has confirmed that its web page was in fact the target of a hacker attack, saying that it “successfully prevented” the attack and “there are no consequences”.
“Powerful Greek Army” posted on Monday that it intended to attack a range oif banks.
“ALL banks licensed by the National Bank of the Republic of North Macedonia/All Banks of North Macedonia will be downed … soon,” the group wrote on Twitter. On Tuesday, the group posted subsequent posts, claiming success in this.
BIRN asked North Macedonia’s central bank to comment but did not receive an answer by the time of publication.
This is not the first time the group has targeted North Macedonia’s institutions.
In February, the Education Ministry confirmed it came under attack by the group, which posted video footage of allegedly hacked video surveillance cameras from inside the ministry. However, the ministry said the camera footage was fake.
Earlier, in May 2020, “Powerful Greek Army” leaked dozens of email addresses and passwords from staffers in North Macedonia’s Ministry of Economy and Finance, as well as from the municipality of Strumica – and bragged about its exploits on Twitter.
The hacking group was reportedly founded in 2016, when it took down the website of the Greek Prime Minister. Since then it has taken offline a number of banks in Turkey and downed the websites of Turkish Airlines and the office of the Turkish president among other targets. In a recent interview, an alleged member said they had not particular motivation or ideology and chose their targets at random, from Greece and its neighbours to Nigeria and Azerbaijan.
Croatian news site Index.hr reported that the prime suspect for hacking the database of Croatia’s telecommunication operator’s, Tele Operator A1, exposing around 10 per cent of user data, is a 14-year-old primary school pupil from Slavonski Brod.
Police reportedly waited for the suspect at home after he came back from school on Monday and questioned him in the presence of his parents. They then searched his home and, according to reports, found the equipment he used to hack Tele Operator A1.
As the suspect is a minor, the police were unable to give many details, but Renato Grguric, head of the police’s Department of Cyber-Security, said there was “enough evidence that the person in question is the hacker. When the investigation is over, adequate criminal charges will be brought”.
The police also said that he had an accomplice, who was not from Croatia and who did not participate in the hacking itself.
Grguric said that when a crime perpetrator is a minor, the emphasis is not on punishment but on preventing further crimes. “People usually get three to five years in prison for a crime like this, but that’s not the point. In this case, the responsibility is on the minor, not the parents. Every person over 14 is responsible for their own actions,” Grguric explained.
On February 9, Croatian Tele Operator A1 was the target of a hacking attack that compromised round 10 per cent of A1’s user data, exposing their names, addresses, personal identification numbers and phone numbers.
The hacker demanded a $500,000 ransom or threatened to sell the data on the dark web. A1 did not pay the ransom and the hacker claimed to have sold the data anyway.
North Macedonia’s Education Ministry on Sunday said it had been a target of a hacking attack over the past few days, but said video footage published on the Twitter account of a hacker group called “Powerful Greek Army”, as proof of the hacking, was fake.
The video footage, that seems to be taken from a camera surveillance system, “was not taken by or within the ministry because the ministry does not have such a system”, it said.
The ministry did not yet disclose whether it suffered damage from the attack, or whether any documentation had been lost or hijacked.
“Powerful Greek Army” published the short video on Twitter on Friday last week, writing that it had hacked the Education Ministry of the neighbouring country. “We have access even in their camera systems, we watch you 24/7, we have eyes everywhere, Skopje,” the group twitted.
This post caught attention in North Macedonia over the weekend.
It was far an isolated incident in the country. After several attacks on state institutions over the past few years, experts have warned that the country’s IT system is particularly vulnerable to cyber-crime, and is in dire need of security improvements.
The Greek hacking group behind ther latest post is also not unknown to the public in North Macedonia.
In May 2020, “Powerfull Greek Army” leaked dozens of email addresses and passwords from staffers in North Macedonia’s Ministry of Economy and Finance, as well as from the municipality of Strumica – and bragged about its exploits on Twitter.
A database circulating online containing private information of Albanian citizens’ salaries, and another with private information and comments on political preferences that circulated in April, have raised concerns about public security in the country.
Prosecutors in Tirana started verification hours after a massive data breach of citizens’ private information started circulating online, initially through “Whatsapp”. The data contain the salaries, job positions, employer names and ID numbers of some 630,000 citizens, from both the public and private sectors.
The opposition Democratic Party condemned “an extraordinary scandal” and accused the Socialist government of failing to protect citizens’ private data.
The excel file that was leaked contained the salaries of the citizens for the month of January, while another which started circulating on Thursday contained salaries for April.
On Thursday Prime Minister Edi Rama called it “an attempt to create confusion and to foster instability”, implying also that the destabilization efforts came from the country’s divided opposition.
Enri Hide, a security expert and professor at the European University in Tirana, called it “an open threat to the national security” and added that “the institutional reaction “is not at all serious and proportionate to the degree of risk”.
“First of all, it shows the weaknesses of Albania’s cyber-security infrastructure. Second, it shows the lack of a response plan in such cases,” Hide told BIRN.
Asked if a specific group of people such as Intelligence or Army are more threatened than others, Hide said that the exposure “has extremely serious consequences for Intelligence” and the military.
“The long-term consequences for the Intelligence and Security and Defence system are 1. Use of the data by foreign actors in order to monitor the payment system of the sector. 2. Now that this level is being clarified, foreign intelligence agencies may attempt to ‘intervene’ or try to ‘offer rewards’ to actors in key / sensitive positions,” he told BIRN.
He added that the private sector was also at risk by making citizens vulnerable to blackmail.
“Cyber-security must be taken seriously. We need a strategy based not on letters but on modus operandi. We need a clear protocol of what should happen if we have such leaks. There is not any and it is shameful,” he said.
Fabian Zhilla, a security expert based in Tirana, said the leak of the database with the private information of citizens data that, “the public loses trust in public institutions and the loss of trust is directly related to the cooperation that citizens should have with institutions:”. If this threat is not addressed “citizens will be exposed and blackmailed and this includes employees of important state institutions”.
“If we talk about the protection of personal data, there is no doubt that the bodies that deal with the monitoring of all servers of public institutions such as National Agency for Information Society, AKSHI, must have a protocol and if there is no protocol … AKSHI should definitely set up a working group to make an assessment of preventive measures but also measures in case of information leaks and how it can be managed in real-time to prevent their spread in public,” Zhilla told BIRN.
He confirmed that secret service employees, intelligence services, military intelligence units and counter-terrorism units were at special risk.
“It is very important that a commission be set up at the ministerial level, perhaps with the request of Parliament to make a better assessment of the protection protocol, the measures related to the status quo of the infrastructure that the official institutions have today to protect the personal data,” he added.
The head of AKSHI, Linda Karancaj, said on Thursday that “the tax system is not certified by ISO, but we are in the process”.
In April 2021, a few days before elections in the country, a database with the private information of around 910,000 voters in Tirana was leaked to the media.
It was claimed that the database belonged to the ruling Socialist Party and was taken from state institutions and used for electoral purposes.
The database, which BIRN has seen, contained some 910,000 entries including names, addresses, birth dates, personal ID cards, employment information and other data.
The Socialist Party denied wrongdoing, insisting that the information was gathered in door-in-door surveys. The case is still with the prosecution.
The violations recorded in the second half of October show that routine digital violations are not disappearing. Hate speech, discrimination and war-mongering flourish in Bosnia’s digital environment, and, following the introduction of a new decree by the President of the Serb-led entity, Republika Srpska, digital violations have accelerated further.
Local elections in Hungary and North Macedonia, where ruling parties suffered setbacks, also caused a rise in violations, triggered by a climate of political antagonism.
Finally, in Serbia and Romania, the presence of unsolved issues at home resulted in the resurgence of the one and the same violations.
Hate Speech and War-mongering Rhetoric Poison Bosnia
With 45 violations recorded in our database out of a total of 101 cases between August 1, 2020, and August 31, 2021, hate speech and discrimination remain the most widespread form of violation in the Bosnian digital environment.
Zeljka Cvijanovic (L) speaks during the 29th Economic Forum in Krynica-Zdroj, southern Poland, 03 September 2019. Photo: EPA-EFE/GRZEGORZ MOMOT POLAND OUT
Following recent developments, including the entry into force of a presidential decree from Zeljka Cvijanovic, head of Bosnia’s Serb-dominated entity, Republika Srpska, aimed at not complying with a state law banning the denial of genocide and war crimes, there has been a further acceleration in hate speech and war-mongering rhetoric in the country.
Two hate speech and warmongering incidents were recorded in the second half of October. After the release of a video on Twitter on October 22 from the online news outlet Istraga, several comments inciting ethnic hatred and war propaganda showed up. Footage had showed Dragan Lukač, RS Minister of Interior, with members of the RS special forces doing exercises in Jahorina.
The second case involved Muhamed Velic, a Muslim cleric in Sarajevo, who called for war on his Facebook page, garnering 2,200 likes and 60 shares. The post, published on October 16 and later removed, said: “Ammunition in Konjic and Gorazde! Howitzers in Travnik! RPGs in Hadžići! Etc. Trust yourself and your hooves! They know that this is not a joke and that Bosnian might is not a small cat!” The message, which was then shared on Twitter by Bosnia’s consul in Frankfurt, Admir Atović, forced the country’s Foreign Ministry to intervene and seek urgent clarifications from him.
Hungarian Opposition Primaries Prompt Flow of Digital Violations
The 2021 Hungarian opposition primary, held in two rounds between September 18 and October 16, featured a harsh political confrontation between opposition candidates and the ruling Fidesz party. The stakes were high: to choose the challenger against Prime Minister Viktor Orbán in next year’s parliamentary elections. After the second round of the primary, voters elected Peter Marki-Zay, the conservative mayor of Hódmezővásárhely, to lead the opposition into the 2022 parliamentary election.
Hungarian opposition leader Peter Marki-Zay gives an international press conference at Brussels Press club, Belgium, 11 November 2021. Marki-Zay was nominated as a candidate by six-party opposition alliance formed specifically to oust Hungarian Prime Minister Viktor Orban in next year’s election. Photo: EPA-EFE/OLIVIER HOSLET
Before and during the primaries, a series of cyberattacks were carried out. The opposition asked Ferenc Frész, a senior cyber defence expert, to investigate the causes and origins of these DDoS attacks. The aftermath of the election after the second round was also a breeding ground for online violations. Three independent media outlets were attacked on announcing the primary election results. The pro-government website, Origo, was also repeatedly hit by DDoS attacks between October 22 and 24, making the site inaccessible. Internal investigations suggested that unknown individuals externally attacked the website. In the final days of the primaries, strange advertisements, apparently promoting the main opposition candidate, appeared in the news feeds of several Hungarian Facebook users, claiming that Márki-Zay was building a “new Fidesz” party. The messages quoted and distorted many of his statements on subjects like the corporal punishment of children.
Another incident recorded in our database involved the temporary suspension and unavailability of Valasz.hu, a website storing the complete archive of Heti Válasz, a conservative weekly established by Fidesz in 2001 and shut down in June 2018, after Lajos Simicska, a business magnate close to Orban, bought its publisher. As reported earlier by BIRN, Hungary remains a critical country in terms of the role of genuinely independent media. Members of Orban’s closest circle now own almost 88 media outlets.
Interference in North Macedonia’s Election Alleged, COVID Certificates Hacked
A woman votes at the polling station in Skopje, Republic of North Macedonia, 17 October 2021. Photo: EPA-EFE/GEORGI LICOVSKI
In the second half of October, political confrontation worsened in North Macedonia following two rounds of local elections on October 17 and 31. As Balkan Insight reported, the elections were of crucial significance, as the opposition VMRO-DPMNE party, for the first time since 2017, re-established itself as the dominant political force, also declaring that it now had the strength in parliament to lead a government.
On October 24, Stevcho Jakimovski, leader of the Citizen Option for Macedonia Party GROM and a candidate in the local elections for the municipality of Karpos, claimed that Chinese troll farms targeted his Facebook profile. He called on political rivals to behave ethically and not engage in such campaigns during the election. GROM, in coalition with VMRO-DPMNE at national level, ran alone in the Karpos mayoral race. On October 29, as our new focus page on COVID-19 Crisis and Tech Response reported, the Ministry of Health withdrew its EU digital certificates and QR codes, following a hacker attack.
Users of a forum said the hackers, who broke into the system and started issuing QR codes, using data from Macedonian citizens, penetrated the unprotected Macedonian server, from where they managed to get the key to the codes. IT.mk, a Macedonian information technology portal, showed how easy it was to bypass the national health system and has shared several posts of Twitter users with valid certificates, issued for Adolf Hitler, Sponge Bob and other dead or fictitious characters.
COVID-19 Fake News and Online Harassment Persist in Romania
Following a global trend, Romania’s digital environment is experiencing a rise in fake news, misinformation, and other manipulative content on the COVID-19 pandemic. Romania’s online space also continued to record a high number of episodes of misogyny towards women, especially those working in education. For instance, on January 6, a former presidential candidate and TikTok influencer, Alexandru Cumpanasu, was arrested for sending comments of a sexual nature, and instigating hatred and discrimination, against teachers and professors. Some violations that occurred in October confirm this trend in Romania’s digital environment.
On October 19, Piatra Neamț County Police opened a criminal investigation into the spread of false information after a woman streamed herself on Facebook in front of a critical care ward, where COVID patients were being treated in Piatra Neamț, north-east Romania. The woman, filming from a distance, claimed that “there is no one” inside the clinic, suggesting the pandemic was fiction. The video also became known thanks to a Facebook post of Oana Gheorghiu, cofounder of the NGO Dăruiește Viață, who immediately reported the incident.
A Romanian woman gets a Pfizer vaccine dose from a volunteer nurse, at a Covid-19 Marathon Vaccination For Life center organized at Children Palace venue in Bucharest, Romania, 22 October 2021. Photo: EPA-EFE/ROBERT GHEMENT
A second case concerned Florentina Golea, a schoolteacher who was harassed after posting photos on Facebook while teaching a class of 12-year-old girls on the importance of vaccination. On October 5, RO vaccinare, the official page of the National Committee for Vaccination, promoting the vaccination campaign in Romania, shared photos from the teacher’s profile on Facebook. After that, the teacher received hundreds of insulting comments via Facebook, from “profiteer” and “be ashamed” to “monster” and “criminal”. The teacher also received death threats from people who claimed to know where she lived and the address of her school in Tecuci, in Galați County. Sorin Cîmpeanu, Minister of Education, announced that he would support the teacher if she sued those who had harassed her on Facebook.
COVID-19 Manipulation and Threats to Journalists in Serbia
Manipulation, conspiracy theories and other fake news have spread fast in Serbia’s online environment, where most cases still seem to be linked to the COVID pandemic.
The logo of the messaging application Viber pictured on a smartphone. Photo: EPA/RITCHIE B. TONGO
Recently, a case was uncovered where some citizens were wrongly prescribed anti-parasite treatment for COVID via a Viber group. At the same time, alarmingly, Serbia stands out as one of the countries with the most attacks on independent journalists. Between August 1, 2020, and August 31, 2021, 30 out of a total of 111 such cases targeted journalists. BIRN editor and investigative journalist Ivana Jeremić was threatened by a Twitter user last December 2.
The latest cases recorded by our monitoring team confirm this trend in the Serbian digital space.
On October 10, after Serbian virologist Ana Banko stated on Radio Television of Serbia RTS that vaccinated citizens can transmit the Delta strain of the coronavirus, part of her statement was spread on social media with the intention of manipulating her words. The video shared by many users, together with the title, took the sentence out of context, leading readers to the wrong conclusion. The virologist was answering a series of questions on a talk show, and her intention was not to diminish the effects of the vaccine but only to emphasize the speed of transmission of the new Delta variant.
On October 21, meanwhile, online threats targeted two Serbian journalists, Jovana Gligorijević and Snežana Čongradin, the historian Dubravka Stojanović and the literary critic, Jelena Lalatović.
The threats, which have been condemned by the Independent Association of Journalists of Serbia, were misogynistic and anti-feminist, and were posted from an anonymous Twitter account. This is not the first-time threats have been sent from this account. A year ago, the journalist Vesna Mališić was also threatened by the same profile, which called for a lynch and her murder.
Greek journalist Stavros Malichudis has described the activities of the country’s National Intelligence Service, EYP as “alarming” after a report alleged that he and others were put under surveillance.
“In theory, the National Intelligence Service is tasked with protecting the national security of the country. But journalism does not threaten society, it serves society,” Malichudis told BIRN.
The report by Greek journalist Dimitris Terzis for the newspaper EFSYN on Sunday presented evidence that journalists, civil servants and lawyers dealing with refugees, as well as members of the anti-vaccination movement, are being monitored by the EYP.
Terzis’ report alleged that wiretapping of telephone conversations and the creation of “ideological profiles” are some of the measures that have been used by the EYP, which comes under the control of Greek Prime Minister Kyriakos Mitsotakis’s office.
The report claimed that Malichudis, a BIRN contributor, was targeted over his report for the Greek investigative media outlet Solomon about a 12-year-old refugee child from Syria who was forced to live for months in administrative detention with his family on the island of Kos.
Terzis alleged that the EYP knew the content of conversations between Malichudis and an employee of the International Organization for Migration, IOM who helped him with the report for Solomon.
Malichudis questioned the EYP’s motives for the surveillance.
“The question that needs to be answered is why was the EYP interested in the work of Solomon, and to whom is the intelligence that is collected provided?” he asked.
The International Press Institute said it was “deeply concerned” by the report that Solomon and Malichudis were “secretly monitored by the National Intelligence Service”. Greek media outlets such as Reporters United and Inside Story also expressed concerns.
Terzis said that his in-depth investigation gained him access to secret documents.
“It’s unquestionable that the secret service monitors people and it cannot deny this. In the last two-and-a-half years, with the transfer of the Secret Service to the administration of the prime minister’s office, and in combination with the general context of state repression, the instrumentation of the secret service by the state is obvious,” he said.
At a press briefing on Monday, government spokesperson Giannis Oikonomou indirectly confirmed the claims that the EYP monitors specific citizens because of risks to public safety from “internal or external threats”.
The Greek government’s spokesperson did not respond to BIRN’s request for a comment.
SYRIZA, the main opposition to the right-wing ruling party, has asked for parliament’s Special Standing Committee on Institutions and Transparency to be convened and the commander of the EYP to be summoned for a hearing.
We would like to hear from parents and teachers willing to share their experience with us to help in an upcoming investigation into the safety of children and young teenagers using TikTok.
Scroll down for more information about how to take part.
The key things we want to know:
What steps did parents take to protect their children and young teenagers on the platform?
Were there any cases in which children and young teenagers were the targets of bullying, identity theft, privacy issues etc.?
If/how the potential danger in the digital environment is harming their childrens’ physical safety?
What do teachers know about the network and how do they educate children about it?
We will not publish any documents or names without prior consent and we do not plan to use specific examples, but rather show more general systemic problems. Your responses are secure and encrypted.
Your stories will be used to help us with an ongoing investigation.
Days after authorities announced that the Witting public hospital in Bucharest had been targeted by hackers, the Romanian Information Service, SRI, has called on the government to take “urgent” action to protect state-owned medical institutions from these disruptive threats.
Romania’s national intelligence service has warned of widespread deficiencies when it comes to cybersecurity in hospitals, in spite of their increasing reliance on informatics and online systems to run their daily operations.
“Such attacks against some hospitals in Romania represent a sign of alarm about the low level of cybersecurity that exists,” the agency’s statement issued on Friday said, stressing “the need to adopt centralized decisions” that make it mandatory for all medical institutions to impose “minimal cybersecurity measures”.
The intelligence service has briefed the ministries of Health and Transport and Infrastructure concerning the “way in which the attack [reported this month against the Witting hospital] was conducted”, warning the two ministries about the “vulnerabilities of which attackers took advantage”, the SRI statement on Friday said.
The secret service also presented both departments with a “series of measures to be implemented on urgent basis, in order to limit the effects generated of the attack as well as to prevent future ransomware attacks.
“Although they are of a medium or reduced complexity, this kind of ransomware attacks can generate major dysfunctions in the activities carried out by medical field’s institutions,” the SRI statement explained.
In the absence of clear general standards, the level of cybersecurity in public hospitals and most Romanian state institutions largely depends on the competence and awareness of the personnel in charge, specialists told BIRN.
On 22 July this year, the SRI said the servers of the Witting hospital in Bucharest were targeted by a cyberattack conducted with a ransomware application known as PHOBOS.
“After encrypting the data, the attackers demanded that a ransom be paid for them to decrypt them again,” the intelligence service said at the time.
The attack did not affect the functioning of the hospital, which assured the continuity of operations using data from offline registries. According to the SRI, no ransom was paid to the hackers.
Bulgaria’s actions in handing back a journalist wanted by the Turkish authorities in 2016 were unlawful and were part of the systematic expulsion of refugees and migrants with no examination of the risk of torture, inhuman or degrading treatment, the European Court of Human Rights decided on Tuesday.
The Bulgarian state was ordered to pay the journalist 15,000 euros in damages.
The court in Strasbourg found that he was forced to leave Turkey amid a widespread crackdown in the aftermath of a failed coup in July 2016.
“I was working as a journalist in the town of Bozova. After the attempted coup, I was dismissed from the newspaper. I changed address and found out that the police had been looking for me at my former address,” said the journalist, according to the court’s legal summary of the case.
Along with eight other refugees from Turkey and Syria, he was captured in a truck at the Bulgarian-Romanian border on October 14, 2016.
Despite expressing his fear of return, at no point did the Bulgarian authorities assess the risk of torture, mistreatment and further political persecution, the court ruling said. He was not granted access to a lawyer or interpreter.
He was returned to Turkey within less than 24 hours. Upon arrival, he was detained, and in December 2019, sentenced to seven-and-a-half years in prison for membership of a terrorist organisation.
According to the European Court of Human Rights, the Turkish verdict was largely based on the fact that he had the messenger application Bylock installed on his mobile phone. The app is used by the movement led by cleric Fethullah Gulen, which the Turkish government claims was behind the attempted coup and regards as a terrorist organisation.
“The ECtHR’s decision provides belated but important satisfaction for the applicant. It sets a strong counterpoint to Bulgaria’s longstanding practice of denying refugees protection from persecution and handing them straight back to their persecutors,” said the journalist’s lawyer, Carsten Gericke.
There has been no immediate official reaction from Bulgaria to the court’s ruling.
A BIRN investigation in October 2019 found that over 250 Turkish citizens requested asylum in Kosovo, Bosnia, North Macedonia and Bulgaria following the failed coup in Turkey.
BIRD Community
Are you a professional journalist or a media worker looking for an easily searchable and comprehensive database and interested in safely (re)connecting with more than thousands of colleagues from Southeastern and Central Europe?
We created BIRD Community, a place where you can have it all!
