North Macedonia Probes Election Day Cyber Attacks

Authorities in North Macedonia have announced an investigation into election day’s cyber attack while experts are still puzzled about how the attack occurred on July 15, targeting the website of the state election commission, SEC, and the news aggregator website.

“It is not clear whether the [SEC] website was tested to withstand a large amount of connections for a short period of time, and whether it had the necessary DDoS protection,” cyber-security engineer Milan Popov told BIRN on Friday.

The Interior Ministry confirmed that it is looking into the matter. “The SEC reported the case and, immediately after the report, the Sector for Computer Crime and Digital Forensics took measures and activities to clear up the case,” ministry spokesman Toni Angelovski told BIRN.

Polling day on July 15 saw two of the highest profile cyber attacks the country has ever seen. In a single night, both the election commission’s website and the most popular news aggregator, TIME.mk, were brought down for several hours.

While TIME.mk quickly recovered, the SEC website is still having difficulties functioning. According to the SEC head, Oliver Derkovski, the attack probably came from abroad.

“We informed the Interior Ministry about this cybercrime. They were here today and I hope they will resolve it soon. It was an attack from abroad,” Derkovski said.

The IT company that runs the SEC election results page section, Duna Computers, said its own application functions flawlessly and the main issue came from the SEC website experiencing a sophisticated cyber attack.

The second cyber attack of the night, the denial of service, DDoS, attack that hit TIME.mk, involved more than 35 million addresses that generated thousands of clicks per second.

“There were brief interruptions but mostly the site withstood the attack. Unfortunately, we did not have the best protection, and this was our mistake, which we have corrected, so that it will not happen again,” the website’s founder, Igor Trajkovski, wrote on Twitter.

“I can say for sure that, for the second part of the attack, someone is connected to one of the sites that we index, because that is the only way through which they can find out our IP address,” Trajkovski added.

Unlike the SEC cyber attack, responsibility for this one was claimed by a hacker group that uses a logo similar to that of the famous hacktivist group Anonymous, and calls itself “Anonopsmkd”.

The group left a message in which it voiced displeasure with the election process in the country, and said it had targeted the TIME.mk website mostly because of its popularity. Regarding the group itself, information is scarce. However, in their message, they warned ominously that they are ready to strike again, and that they “neither forgive nor forget”.

North Macedonia Election Commission ‘Cyber-Attacked During Polls’

The website of North Macedonia’s State Electoral Commission, SEC, suffered an alleged denial-of-service, DDoS, attack for more than three hours during the parliamentary elections on Wednesday.

The attack delayed the SEC’s announcement of the official results of the tightly-contested vote on its website and it had to improvise by releasing partial results through YouTube clips instead.

SEC officials insisted that the alleged attack did not affect the data that they had been collecting throughout the day.

“From what I know so far, this was an attempted external attack. But until this is confirmed, I cannot speculate, we will know more about it tomorrow [Thursday]. The data wasn’t attacked and no damage was caused in the process,” SEC President Oliver Derkovski told a press conference.

At the same time as the SEC suffered the alleged attack, the country’s most popular news aggregator TIME.mk was also targeted by a heavy DDoS attack, which took the website down for a couple of hours. The site’s founder, Igor Trajkovski, said that Cloudflare, a US-based website security company, had to block millions of IP addresses involved in the attack.

“So far, Cloudflare has blocked three million IP addresses. And more new ones are appearing. We have never had such a DDOS attack before. Someone paid a lot of money to do this,” Trajkovski wrote on Twitter.

The attack was later claimed by a hacker group calling itself Anonymous Macedonia, which left a message on the website voicing displeasure with the election process, citing “empty promises from all political parties in this beautiful country”.

“We had yet another ‘democratic election process’, and as we can see, it is the same story repeating every three to four years,” the message said.

“It had to be your website because it has the highest number of visitors – no hard feelings,” it added.

With more than 90 per cent of the ballots counted, the ruling SDSM party was ahead of the opposition VMRO-DPMNE by some 10,000 votes.

Romanians Behind Cyber-Fraud Ring Plead Guilty in US

Fifteen defendants, including several Romanians, have pleaded guilty before a US judge to involvement in a multi-million dollar scheme to defraud US citizens through online auctions of non-existing goods, a US Justice Department statement issued on Monday by the US embassy in Bucharest said.

The defendants, many of whom were extradited from Romania in 2019, are yet to be sentenced in the US. Most of them operated from the city of Alexandria in Teleorman County near the border with Bulgaria, in the south of Romania, court documents show.

The syndicate was active from 2013 and most of its members were arrested in 2018 in Romania.

They typically made money posting ads of cars that didn’t exist and convincing American victims to “send money for the advertised goods by crafting persuasive narratives, for example, by impersonating a military member who needed to sell the advertised item before deployment,” the statement read. To carry out the fraud, they created fictitious online accounts, often using stolen identities of US citizens. 

They also delivered fake invoices issued in the name of reputable companies to make the transactions look legitimate, and went as far as setting up call centres operated by ring members who impersonated customer support agents to assure victims of the authenticity of the ads.

The latest to plead guilty did so last week before a court in Kentucky. 

One suspect, Bogdan-Stefan Popescu, 30, who operated a carwash in Bucharest at the time of the events, admitted to managing the ring’s activities by distributing “the language and photographs for fake advertisements as well as usernames and passwords for IP address anonymizing services” used to defraud its victims in the US.

Popescu said he connected members of the syndicate with those “who would impersonate eBay customer service representatives over the phone”. Starting from 2013, he also oversaw Bitcoin transactions with the money obtained from the frauds, the plea documents show.

Another who last week pleaded guilty was Liviu-Sorin Nedelcu, 34, who posted fake vehicle ads online using fictitious entities to sell vehicles. “Once Nedelcu and his co-conspirators convinced victims to purchase falsely advertised goods, they sent the victims invoices for payment that appeared to be from legitimate sellers, such as eBay Motors,” the US statement read. Nedelcu and his co-defendants “engaged in a sophisticated money laundering scheme to convert the victim payment into Bitcoin”.

Weeks before, on May 19, Vlad-Calin Nistor, 33, also pleaded guilty. He confessed to being the founder of a Bitcoin exchange company based in Romania and to having “exchanged over $1.8 million worth of Bitcoin for co-defendant Bogdan Popescu.” Another member of the ring, Beniamin-Filip Ologeanu, 30, also from Romania, worked with others to post advertisements on auction websites such as eBay and the online classifieds service Craigslist, and conspired with the gang’s US-based associates to launder the proceeds.

Computer Virus Stops Sarajevo Municipality Issuing Birth Certificates

A Sarajevo municipality has temporarily stopped issuing birth certificates due to a computer virus that locks documents in its database for the second time in some two weeks.  

The central Centar Municipality, whose offices are next door to the Bosnian presidency building, said on its website that the problem caused by a “ransomware virus” was detected on Saturday. Such viruses typically block computer systems and their originators demand payment in exchange for removing them.  

But the municipality denied that it was the target of a hacker attack, or that the central electronic register with all birth and death certificates in Bosnia’s Federation entity was in danger of being wiped out, as the Interior Ministry of the Federation entity was quoted as saying by the media.   

“Information about a targeted attack on the IT system of the Center Municipality and the destruction of the register and documents is not true,” the municipality said. It added the problem was reported to the police, as it was the second time in a little over two weeks that this happened.

On May 22, the municipality reported on its website that the issue of birth, death and marriage certificates was stopped because of “an electrical problem” but added that it was soon resolved.

Bosnia lags behind with the introduction of e-government, but the Centar municipality has provided a number of services electronically. 

Montenegro Court to Examine Publication of Self-Isolating Citizens’ Names

Montenegro’s Constitutional Court has agreed to examine whether the government violated the human rights of citizens ordered to self-isolate during the coronavirus pandemic by publishing their names.

On Friday it said it would consider the appeal brought by the local NGO Civil Alliance against the decision to publish the names of people undergoing self-isolation, which the alliance said violated their constitutional right to privacy.

“The court will examine whether the decisions of the National Coordination Body for Infectious Diseases violated constitutional rights,” the court said.

The government published the names on March 21, despite warnings from opposition parties and civic society organizations that it risked violating constitutionally guaranteed human rights.

The government said it had to publish the list because some citizens were not respecting self-isolation obligations. It also claimed it had the approval of the Agency for Personal Data Protection. It stressed that security forces could not control every citizen who should be in self-isolation, and anyone who failed to self-isolate posed a threat to the entire community.

Prime Minister Dusko Markovic said no compromises would be made with those who violated preventative measures amid the global COVID-19 pandemic. He also warned that the government would continue to publish the names of citizens who had been ordered to self-isolate.

“The lives of our citizens are the priority. We have estimated that the right to health and life is above the right to unconditional protection of personal data,” Markovic said.

Opposition parties and the civil society sector urged the government not to publish the lists, insisting it would violate the constitutional right to privacy. They also warned that citizens whose names were published might sue the state before the court.

The Head of the EU Delegation to Montenegro, Aivo Orav, called on the authorities to find the right balance between protecting the health and respecting the confidentiality of health information and the right to privacy of citizens.

On April 8, the Prosecutor’s Office filed criminal charges against a medical staffer in the Health Centre in the capital, Podgorica, after he published the list of names of infected people and their ID numbers on social networks.

It said that the man, known only by the initials M.R., was not authorized to collect and use personal information on COVID-19 patients through the IDO system and forward it via Viber to other persons.

Turkish Police Hunt Musical Minaret Hackers

In the last two days, unknown persons in Turkey have hacked mosques’ digital audio systems in the coastal city of Izmir and played the anti-fascist song Ciao Bella and other songs with revolutionary messages.

After videos of the stunt were widely shared, Izmir police announced that they had started an investigation on Thursday and detained several people for insulting religion.

The detainees included Banu Ozdemir, a former city official of the main opposition Republican People’s Party, CHP.

The Turkish Religious Authority, the Diyanet, announced that it had filed a criminal complaint about the hacking.

“These people are unknown and evil-minded. They insulted our sacred religious values in the holy month of Ramadan. We have filed a criminal complaint at the city prosecutor’s office,” the chief cleric in Izmir, Mufti Sukru Balkan, said on Thursday.

The Diyanet had to suspend all calls to prayers, known as adhans, in Izmir because of the attacks until further notice.

The digital attacks and the playing of songs from minarets angered local politicians.

“We condemn these attacks on our mosques. Whoever has a problem with mosques also has problems with the nation,” Omer Celik, the spokesperson of the ruling Justice and Development Party, said on Thursday.

Tunc Soyer, the Mayor of Izmir, from the CHP, also called the incidents provocative. “The incidents made me and the people of Izmir very sad. This is a provocative and villainous act to set us against each other. We should not fall into this trap,” Soyer told the media.

Several Turkish media outlets said the attacks were likely organised by a Marxist hacker group known as Redhack.

Redhack previously hacked several Turkish government websites, including the Ankara city police department and the Turkish parliament. The group also hacked the email account of Berat Albayrak, the Finance Minister and son-in-law of President Recep Tayyip Erdogan.

Taylan Kulacoglu, an alleged member of Redhack, was arrested on May 20 after he led a group called “Movement of the Unnamed” on social media platforms that said it intended to “stop the manipulation and disinformation spread by pro-government social media trolls”.

President Erdogan’s Islamist government had close links to the mosques, which have backed the government’s policies during the COVID-19 pandemic.

The Aegean seaport of Izmir is an industrial, touristic and agricultural centre on the coast and is a stronghold of the main opposition CHP.

Hiljade.kamera.rs: Community Strikes Back Against Mass Surveillance

Serbian citizens have launched the website hiljade.kamera.rs as a response to the deployment of state-of-the-art facial recognition surveillance technology in the streets of Belgrade. Information regarding these new cameras has been shrouded in secrecy, as the public was kept in the dark on all the most important aspects of this state-led project.

War, especially in the past hundred years, has propelled the development of exceptional technology. After the Great War came the radio, decades after the Second World War brought us McLuhan’s “global village” and Moore’s law on historic trends. Warfare itself has changed too – from muddy trenches and mustard gas to drone strikes and malware. Some countries, more than others, have frequently been used as testing grounds for different kinds of battle.

Well into the 21st century, Serbia still does not have a strong privacy culture, which has been left in the shadows of past regimes and widespread surveillance. Even today, direct police and security agencies’ access to communications metadata stored by mobile and internet operators makes mass surveillance possible. 

As appearances matter most, control over the flow of information is a key component of power in the age of populism. We have recently seen various developments in this context – Twitter shutting down around 8,500 troll accounts pumping out support for the ruling Serbian Progressive Party and its leader and the country’s President Aleksandar Vucic. These trolls are also frequently used to attack political opponents and journalists who expose the shady dealings of high-ranking public officials. Reporters Without Borders and Freedom House have noted a deterioration in press freedom and democracy in the Balkan country.

However, a new threat to human rights and freedoms in Serbia has emerged. In early 2019, the Minister of Interior and the Police Director announced that Belgrade will receive “a thousand” smart surveillance cameras with face and license plate recognition capabilities, supplied by the Chinese tech giant Huawei. The governments of Serbia and China have been working on “technical and economic cooperation” since 2009, when they signed their first bilateral agreement. Several years later, a strategic partnership was forged between Serbia’s Ministry of Interior and Huawei, paving the way to the implementation of the project “Safe Society in Serbia”. Over the past several months, new cameras have been widely installed throughout Belgrade.

This highly intrusive system has raised questions among citizens and human rights organisations, who have pointed to Serbia’s interesting history with surveillance cameras. Sometimes these devices have conveniently worked and their footage has somehow leaked to the public, and in some cases, they have not worked or recordings of key situations have gone missing, just as conveniently. Even though the Ministry was obliged by law to conduct a Data Protection Impact Assessment (DPIA) of the new smart surveillance system, it failed to fulfil the legal requirements, as warned by civil society organisations and the Commissioner for Personal Data Protection.

The use of such technology to constantly surveil the movements of all citizens, who are now at risk of suddenly becoming potential criminals, has run counter to the fundamental principles of necessity and proportionality, as required by domestic and international data protection standards. In such circumstances, when there was no public debate whatsoever nor transparency, the only remaining option is a social response, as reflected in the newly launched website. 

“Hiljade kamera” (“Thousands of Cameras”) is a platform started by a community of individuals and organisations who advocate for the responsible use of surveillance technology. Their goals are citizen-led transparency and to hold officials accountable for their actions, by mapping cameras and speaking out about this topic to the public. The community has recently started tweeting out photos of cameras in Belgrade alongside the hashtag #hiljadekamera and encouraged others to do so as well.

The Interior Ministry has yet to publish a reworked and compliant Data Protection Impact Assessment (DPIA) but the installation of cameras continues under sketchy legal circumstances.

Bojan Perkov is a researcher at SHARE Foundation. 


COVID-Related Boom Reveals Video Conferencing’s Dark Side

More than ever before, because of the coronavirus outbreak, use of video conferencing is on the rise.

Whether it is attending work meetings or online seminars and conferences, or taking part in leisure activities like online fitness classes and birthday parties – video conferencing and social media apps have brought huge relief, and a sense of continuity, to people feeling trapped inside their homes by government-imposed lockdowns.

However, while the coronavirus wreaks havoc outside, this time of increased online activities has also generated growing challenges. While some of the most popular video conferencing and video sharing apps, such as Zoom, Houseparty, and TikTok, have seen record-breaking growth in the numbers of users, the apps have also faced serious data breaches and other cybersecurity-related issues.

Cybersecurity experts say that while use of the apps has clearly reduced the risk of people getting infected with the virus by going outside, the same isn’t true for viral problems of another kind, those in cyberspace.

“Disclosure of personal data, recording sensitive information, or storing people’s profiles on unauthorized servers are some of the risks that go hand in hand with the use of video-conferencing tools,” says Skopje-based cybersecurity practitioner Daniel Trenchov.

“Greater use of virtual telecommunication tools does eliminate pandemic-induced risks,” he adds, “but not necessarily cybersecurity ones.”

Zoom ‘bombing’ is on the rise:


Last Friday, Michael Oghia, a Belgrade-based internet governance consultant, was getting ready for his weekly Zoom conference call with colleagues all over the world.

Usually, the group uses these meetings to chat and discuss ongoing social developments. This time, however, they experienced something more unpleasant.

“Around 45 minutes into the event, when one of the speakers went to share his screen, all of a sudden a child pornography video appeared. Once I realized what was happening, I immediately shut my laptop out of shock,” Oghia said.

“I couldn’t believe it. For a moment I thought that maybe it didn’t even happen. Then re-entered the Zoom call and wanted to see if the others had experienced it. Around 15 or 20 minutes later, another Zoom-bombing happened – again child porn. It was absolutely vile,” Oghia told BIRN.

“Zoom-bombing” incidents like this have become a regular occurrence for those using the app lately. In the last few months, since the coronavirus outbreak started, the app has seen the number of daily users increase hugely from 10 million to 300 million.

After the incident, Oghia contacted Zoom to report what had happened. The company replied that it would investigate.

“Zoom-bombing is on the rise, and in this particular case, I’ve heard of multiple instances over the past few days of it happening (one group was the UK-based Open Rights Group, for instance),” Oghia explained.

“There will always be issues with safety concerns, but this is no excuse. I’ve used Zoom for years, and the ease of using the platform and the features it has have made video-conferencing easier. But they need to do an even better job at ensuring their privacy and making sure the security features are clear and easy to use.”

The incident prompted Oghia and his colleagues to prepare a short “zoom-bombing” prevention and resources guide to help others that are using Zoom and other video conferencing software.

In its latest statement, Zoom said that it would release an improved version of the app, addressing security concerns about phenomena like “bombing”, while also having upgraded encryption features.

More education in safe use of apps needed:


When it comes to the security of video-conferencing apps, several factors are crucial, cybersecurity experts explain. One is having a proper education in the safe use of these social tools.

“These apps have a very useful role and that is why their use should not be avoided, but it is necessary to educate ourselves more, to provide the highest possible protection,” a Skopje-based personal data protection expert, Ljubica Pendaroska, told BIRN.

It is essential to note that not every app is designed for use at home. Zoom was designed for use by large businesses with in-house IT specialists who would set up and control the software when using it, Pendaroska explained.

Now, especially during lockdowns, while Zoom is still mostly used for business purposes, people are using it more for family events such as birthdays, or even wedding celebrations.

“Potential hazards also come from the fact that these apps detect and remove issues most often on the go, or as they occur,” she said.

“What’s particularly concerning is that most of these tools are not encrypted by end-user to end-user, which increases the possibility of so-called ‘interception’ of communications by unwanted and malicious participants,” she added.

Houseparty, another popular video conferencing app, has also faced intense security scrutiny over the last months.

The app is popular with teenagers and youngsters who use it to play various group games, giving it a more fun-based approach compared to other apps. At the same time, these groups are potentially vulnerable to various security issues that can arise.

“There are also apps, for example like Houseparty, where to make it easier to find friends, you can connect your account with phone contacts and social media accounts,” Pendaroska noted. “This enormously increases the potential danger not only for your safety but also for the safety of all these contacts,” she added.

“There could be hacker attacks; during the meeting, the administrator can see details such as the operating system, IP address and location data of each of the participants; also, uninvited users in the communication, if the password is not authenticated, could use the conversation to spread malicious links or send files,” she explained.

Espionage concerns linked to China: 


TikTok, a Chinese video-sharing social network, is increasingly popular in the Balkans, especially among teenagers who post various challenges to each other, such as dance-offs, sing-offs and so on.

But in some parts of the world, there are initiatives to ban it. In the US, lawmakers have introduced a bill to the Senate, which cites the company’s connection to the Chinese government, saying its potential collection of data from US citizens represents a security risk to the US.

Global cybersecurity companies have also identified many security vulnerabilities in the app that could allow malicious actors to manipulate its content and reveal the personal data of its users.

Cybersecurity experts say one way that tech companies could deal with such security risks and the consequences for their users is by having transparency reports.

“This could also include independent security audits of their code looking for weaknesses and flaws – akin to what Microsoft and Apple do with their operating systems, or what Google does with its “bug bounty” program,” Oghia suggested.

When it comes to the users themselves, the best prevention is to know not only what these apps bring to the table, but just as importantly, what their software solutions and vulnerabilities are.

Research by Picodi.com, an international e-commerce platform, says interest in video messaging clients has increased by seven times since the coronavirus restrictions were introduced in many European countries.

WhatsApp was the most frequently searched messaging app in 22 European countries. It is also a favourite app in the Czech Republic, Albania, Romania and Turkey.

Worldwide interest in the Zoom video app is skyrocketing, in Europe as well, with it being the most popular app in 14 countries, including Moldova, North Macedonia and Slovenia.

Besides WhatsApp and Zoom, people were massively using Skype in Hungary, Poland, Slovakia and Greece; Viber in Bosnia and Herzegovina and Montenegro; and Microsoft Teams in Croatia and Bulgaria.

Picodi.com analyzed the average number of online search queries of 19 messaging clients which enable video chatting.

North Macedonia Leads Region in COVID-19 Tracing App

North Macedonia has become the first country in the Western Balkans to launch a contact-tracing app to tackle the spread of COVID-19, with the government at pains to stress user data will be protected.

StopKorona! went live on April 13 as a Bluetooth-based smartphone app that warns users if they have come into contact with someone who has tested positive for the novel coronavirus, based on the distance between their mobile devices.

The app, downloaded more than 5,000 times on its first day, was developed and donated to the Macedonian authorities by Skopje-based software company Nextsense.

States are increasingly looking at digital solutions to control the spread of COVID-19 as they move to open up their economies while limiting the burden on their health services. The European Union and data protection campaigners, however, have voiced concern over the threat such technology poses to individual privacy.

Presenting the app, Health Minister Venko Filipce said North Macedonia was looking to use “all tools and possibilities” to combat a disease that, as of April 15, had killed 44 people.

Information Society Minister Damjan Manchevski said all data would be securely stored.

“This data is recorded on a secure server of the Ministry of Health,” Manchevski said at the launch. “And no other user has access to mobile numbers, nor is there any data stored about the owner of the number.”

If a person tests positive for COVID-19, they can “voluntarily” submit their data to the Ministry of Health, Manchevski said, enabling the app to warn other users if they come into contact with that person.

Data privacy concerns linger


Macedonian Minister of Health Venko Filipce accompanied by Prime Minister Oliver Spasovski in Skopje, Republic of North Macedonia, 2020. Photo: EPA-EFE/NAKE BATEV

China, Singapore, Israel and Russia are among a number of countries that have developed their own coronavirus mobile tracking apps, mainly using Bluetooth, GPS, cellular location tracking and QR codes. The Chinese government app colour codes citizens according to risk level.

The technology, however, has set alarm bells ringing among data protection campaigners and rights organisations concerned about the threat posed by mass surveillance and loosening of data protection laws.

Nextsense director Vasko Kronevski, however, said his firm’s StopKorona! app adhered to all legal requirements.

“This is a mobile app made by following best practices around the world in dealing with the coronavirus,” he said. “It guarantees the complete protection of users’ privacy.”

“The success will depend on the mass use of the application. It is important to emphasise that we used global experiences from different countries.”

One of those examples is Singapore’s TraceTogether app, which helped the Asian country successfully contain the COVID-19 outbreak within its borders while, unlike most countries, keeping businesses and schools open.

According to data privacy experts, the decentralized design of North Macedonia’s app guarantees that data will only be stored on those devices that run it, unless they voluntarily submit it to the ministry.

“The key part is that the citizen maintains full control over their data until the moment they decide to send it to the Ministry after being diagnosed,” said Danilo Krivokapic, director of the Serbia-based digital rights watchdog SHARE Foundation.

“Additionally, all data stored on the phone is being deleted after 14 days,” he told BIRN. “In that context, the app is in line with the legislation that covers Data Protection.”

Krivokapic stressed that once data is shared with the authorities, the Ministry and all data users are obliged to respect the legal framework regarding privacy and data protection.

EU countries warming up to digital solutions


People wearing face masks in Skopje, Republic of North Macedonia, 2020. Photo: EPA-EFE/GEORGI LICOVSKI

France and Germany are reported to be working on similar contact-tracing apps, while Poland has made the biggest progress within the EU.

Polish authorities have already launched a smartphone app for those in quarantine and are now working on another, similar to StopKorona!

The first app was mandatory for people in quarantine, meaning that they had to upload selfies so the authorities could track their exact location.

According to Krzysztof Izdebski, policy director at ePanstwo Foundation, a Poland-based NGO that promotes transparency and open data, the coronavirus pandemic has already posed significant threats to privacy, with governments deploying technologies primarily created for the surveillance of their citizens.

With the second app, the Bluetooth-based ProteGO, authorities have published the app’s source code online, to get feedback and opinions from IT experts before implementing it.

So ProteGO, said Izdebski, is an example of an app that is trying to meet privacy requirements.

“The data is stored on personal devices for up to two weeks, and only if the user is sick and agrees to share data with respective authorities, they are being sent to the server – without information on the location,” Izdebski told BIRN.

And while digital solutions such as these could become a game-changer in containing the outbreak, experts note that success still depends on how many people are willing to use them.

“For the technical solution to have some results, a substantial number of citizens need to run the apps and to decide to share their data in case they are diagnosed,” said SHARE Foundation’s Krivokapic. “This way, the app can serve its purpose.”

Romania: From ‘Hackerville’ to Cybersecurity Powerhouse

First there was Guccifer, real name Marcel Lazar Lehel, who hacked the email accounts of the Bush family in the United States; then came Hackerville, the moniker given to the town of Ramnicu Sarat due to the international cybergangs it was home to.

Fairly or not, hackers put Romania on the global online map, honing their skills to strike Internet users and companies in the West, particularly the US.

But today, 30 years since the fall of communism, IT and cybersecurity firms are looking to tap the same rich vein of ambition, ingenuity and education that made Romanian hackers so feared and famous.

“Romania is currently one of the largest pools of talent in the IT&C space,” said Bogdan Botezatu, senior e-threats analyst at Romanian antivirus and cybersecurity giant Bitdefender. 

“Based on our tradition in STAMP [Software Testing Amplification] and research, universities deliver engineers, reverse engineers, people who are highly skilled in IT.”

Romania, he said, is already internationally recognised in the field of cybersecurity, and has the potential to play an even greater role.

Made in Romania – a global leader in cybersecurity

Bitdefender is one of the global leaders in cybersecurity, with more than 500 million customers worldwide and a network of research labs in Romania – the largest such network in Europe – to combat online threats.

Some 40 per cent of the antivirus and digital security companies on the market currently use at least one technology developed by Bitdefender. Such success is unparalleled in Romania, a European Union member state where almost no other company has a significant international footprint.

From Bucharest and other Romanian cities, Bitdefender’s experts have led or participated in operations to halt some of the most damaging cyber attacks the world has seen in recent years. 

In 2018, Bitdefender partnered with Europol, Interpol, the FBI and police in a number of EU countries to take down a group of hackers – believed to be from Russia – behind a ransomware called GandCrab. The inventors of the malware sold it on to other hackers who used it against private and corporate users.


View of the Bitdefender’s central headquarters in Bucharest. Photo: BIRN

“It became such a large phenomenon that half of the ransomware attacks happening at that moment were caused by GandCrab,” Botezatu told BIRN. 

“We managed to decrypt [the computers of] 60,000 victims, saving the victims around 70 million dollars.”

Despite its unusual level of sophistication, GandCrab was created as a way for the private individuals behind it to steal other people’s money.

Another type of cyberthreat, however, is state-sponsored and is known among experts as Advanced Persistent Threats, or APTs. 

The goal in this case is to undermine the functioning of key strategic foreign infrastructures or steal secret information from other states. That was the purpose of NotPetya, or GoldenEye, which emerged in 2017 as the work of hackers suspected to have been working for the Kremlin.

These hackers infected the update servers of an accountancy product widely used in the Ukrainian state administration. Every time a Ukrainian public servant updated the program, the virus entered his or her computer and encrypted all its files.

The virus had a worm component and quickly contaminated entire networks to which infected computers were connected, bringing, for example, the Kiev metro to a halt and shutting down at least one airport, several banks and the radiation monitoring system at Chernobyl.

It spread globally, including to Romania, where Bitdefender took charge of the preliminary investigation that led to the identification of the virus after its researchers identified a pattern in the threats suffered by many users of their antivirus products. 

‘You can’t trace them back’

Like the rest of the former Soviet bloc, Romania spent more than four decades under communism, when education placed a premium on scientific and technological training. 

That expertise – and a resourcefulness developed under communism and during the painful transition to capitalism and democracy after 1989 – is now at the disposal of the EU and NATO as they try to combat cyber threats from Russia and other countries vying for a geopolitical upper hand.

And the Romanian state is doing its bit too, via bodies like the Romanian Information Service, SRI, an intelligence agency that took part in investigations that led to the 2018 exposure of Russian state involvement in a cyber espionage and warfare group called Fancy Bear. 

Also known as Sofacy or APT28, Fancy Bear targeted governments and civil society organisations in countries including the Netherlands, Britain, Germany, Romania and the US.


Bogdan Botezatu from Bitdefender. Photo: BIRN

The fact that the infections happened between 9 a.m. and 5 p.m. Moscow Standard Time led investigators to conclude they were being launched from government offices, said Botezatu of Bitdefender, which uncovered the campaign in 2015.

“Behind these kinds of attacks there is a country, and particularly the intelligence community of that country,” said General Anton Rog, head of SRI’s Cyberint centre.

“Of course, governments don’t act directly; through their intelligence services, they infiltrate or create these cybercrime groups in a way that you can’t trace them back to say that they work with an information service.”

Most APT attacks, Rog told BIRN, are mounted in order to steal sensitive information. “It is a modality of espionage,” he said, “but through cables and cybernetic tools.” 

SRI’s Cyberint centre relies on tip-offs from foreign agencies, technology that recognises abnormal online activity and cyber informers.

Hybrid attacks

Sometimes the dividing line between financially motivated attacks and APTs becomes blurred, as in the case of the malware family known as Cobalt Strike.

Cobalt Strike was used by the so-called Carbanak group from Russia and Ukraine to extract more than one billion euros from around 100 banks in over 40 countries, including Romania.

“The technology used is [characteristic of an] APT, but the motivation is strictly financial,” said Botezatu. 

Bitdefender conducted ‘post-mortems’ at two of the affected banks. Botezatu said the malware was “extremely sophisticated”, managing even to access the banks’ payment systems.

“With that level of access, the nefarious individuals authorise fraudulent bank transfers, raise the balance of mule accounts or command affected ATMs to spit out the money for them,” Europol said in a statement on the arrest in Spain of alleged Carbanak leader ‘Denis K’ in a 2018 operation that Romania took part in.

“Our suspicion is that… these attacks are used to make money to sponsor strategic attacks,” said SRI’s Rog. “In our evaluation, we take into account the fact that these groups have members who are in contact with governments or information communities,” he told BIRN, noting the costs and human and technical resources needed to develop malware like Cobalt Strike.

“They [governments] don’t want to spend money from their budget, they want to steal money from other countries and sponsor strategic attacks with it,” Rog said.

Strong cybersecurity “ecosystem”

To strengthen security at home and boost Romania’s role in the global cybersecurity game, SRI’s Cyberint centre says it is trying to create “an ecosystem” already being nurtured by courses offered by Cyberint at several universities across the country.

Likewise, Bitdefender partners with universities and high schools in training the next generation.

They may be people like Alexandru Coltuneac, a White Hat Hacker so called because of his transition from developing an Internet virus as a teenager to using his self-taught skills to help giants like Google, Facebook, PayPal, Microsoft and Adobe test their product security.

“I have set myself a target,” Coltuneac told BIRN. “I want to find at least one vulnerability in a product of each big company.”

Coltuneac, who is one of a number of Romanian White Hat Hackers recognised by Google and other companies as stars of ‘bug hunting’, now runs his own company together with a colleague.

Called LooseByte, the firm offers businesses cybersecurity tests and services to improve their protection levels.

Coltuneac said he finds pleasure in outsmarting the world’s best professionals.

“It’s a way of doing hacking without harming anyone,” he said.
