‘For the Right Price’: Email Credentials from Serbian State Bodies Sold Online

Illustration: Pixabay

Cybersecurity experts say Serbian state bodies and public enterprises are failing to act on indications that the email credentials of their employees are being sold on the dark net.

Late last year, reports surfaced in the online forum ‘Bezbedan Balkan’ [Secure Balkan] concerning the black market sale of email account credentials associated with a number of Serbian state institutions and public companies.

“Multiple sources” reported the phenomenon, said Ivan Markovic, a cybersecurity expert and co-founder of the forum.

“This means that someone, for the right price, was able to read through the official communication of the public enterprise Elektroprivreda Srbije [Serbia’s power utility] or [main gas distributor] Srbijagas, or send a message pretending to be from the National Employment Service,” Markovic told BIRN.

When Markovic and his colleagues dug deeper, they found that the email credentials of several public enterprises and state institutions had been compromised for more than a year and offered for sale for $100 or less.

The email accounts contained information on contracts, redundancy notices, bank statements, public procurement, and union meetings. Sale ads included screenshots of open email inboxes as proof for potential buyers.

Yet almost all of the bodies concerned told BIRN the reports were false.

According to Markovic and other cybersecurity experts, their failure to act only makes things worse.

“Black market platforms depend on their credibility and usually don’t sell fake data; those sellers who do quickly get sanctioned,” he said. “What’s more dangerous is that this data is sold multiple times to different malicious groups.”


Inbox of one of the email accounts offered on the market – Anonymous Source (Screenshot)
Ads selling addresses linked to the public enterprise Beogradski vodovod i kanalizacija were the first to appear online. Since January 2022, at least four ads have been posted, with a total value of $367.50. BIRN inquired about the incidents, but Beogradski vodovod i kanalizacija did not respond to our questions.


Ads for email accounts for Elektroprivreda Srbije appeared alongside other compromised addresses – Bezbedan Balkan (Screenshot)
The first two ads offering access to email accounts related to Elektroprivreda Srbije, Serbia’s power utility, were posted on an online market. This, along with information on breaches at other public and private companies, was revealed in November on the Bezbedan Balkan forum, which analyses cybersecurity incidents.


Inbox of one of the email accounts offered on the market – Anonymous Source (Screenshot)
Ads continued to pop up throughout the summer. In September, at least seven ads were published, more than in any previous month. Their total value was almost $700. The screenshots of inboxes posted by the sellers indicated the legitimacy of the ads. They contained information on bank statements, public procurement plans, and union meetings.


Cybersecurity site detects malicious activity – Bezbedan Balkan (Screenshot)
Spam messages were sent from an IP address linked to Elektroprivreda Srbije. The same IP address was reportedly abused again several months later, for other malicious activities. At the time, the National CERT, the state body dealing with the prevention of cybersecurity incidents, said it had informed the institutions whose email accounts were suspected of having been compromised.


Four new ads appeared between January and March 2023 – Bezbedan Balkan (Screenshot)
Ads selling access to email accounts of Elektroprivreda Srbije continued appearing online. In total, at least fifteen ads have been posted since the first appeared in March last year, more than for any other public company whose email accounts were compromised.


Inbox of one of the email accounts offered on the market – Anonymous Source (Screenshot)
Since December 2022, at least two ads offering accounts connected with state-owned Telekom were posted online. Their total value was $129. Telekom told BIRN it ran internal checks after information appeared online, but determined no accounts were compromised.


Inbox of one of the email accounts offered on the market – Anonymous Source (Screenshot)
One ad, worth $30, selling an email address linked to the public utility company Infostan appeared. BIRN inquired about the incident, but Infostan did not respond to our questions.


Inbox of one of the email accounts offered on the market – Anonymous Source (Screenshot)
One ad, worth $30, selling an email address related to the National Employment Service was posted on the internet. The Service told BIRN it was not aware of email accounts being offered online, nor had it identified any incidents related to this. However, it said that email accounts of private citizens, not employees, on its platform had been compromised in the past.


Inbox of one of the email accounts offered on the market – Anonymous Source (Screenshot)
One ad, worth $85, selling accounts related to the grid operator Elektromreža Srbije was posted online. Previously, another ad appeared in January 2023, offering data for $14. Elektromreža Srbije told BIRN it had identified the incident, which was the result of a phishing campaign. It received information on this from the National CERT.


Inbox of one of the email accounts offered on the market – Anonymous Source (Screenshot)
An ad, worth $10, selling an email account linked to the public gas company Srbijagas surfaced online. BIRN inquired about the incident, but Srbijagas did not respond to our questions.


Conclusion in the Commissioner’s report on the oversight – Bezbedan Balkan (Screenshot)
After being informed of the incidents in early April, the Commissioner for Information of Public Importance and Personal Data Protection initiated a review of Elektroprivreda’s information security and safety protocols. Taking into consideration the technical limitations of the review, as well as measures the public enterprise has in place, the Commissioner was not able to identify any harm related to personal data handled by the company. Responding to BIRN, Elektroprivreda Srbije dismissed the claims concerning the breaches as inaccurate.

Reluctant to report

Since January last year, according to Markovic, email accounts related to Elektroprivreda Srbije, EPS, have been compromised at least 15 times.

But EPS told BIRN this was untrue.

State-owned telecoms provider Telekom Srbije also said the email accounts of its employees were secure, as did the National Employment Service. Srbijagas did not respond to a request for comment for this story.

Only grid operator Elektromreza Srbije confirmed an incident involving a compromised corporate email account.

Alerted by the state CERT – the regulatory authority for electronic communications and postal services – to a case of phishing, Elektromreza Srbije said it “blocked the account, examined the activities on the system of the compromised user, changed the passwords and initiated additional training on information security and potential threats”.

CERT, however, has no authority to monitor the implementation of such security measures. That rests with the Ministry of Information and Telecommunications, which has just one inspector dedicated to the task.

Last year, leading cybersecurity firm Kaspersky tracked posts on the dark net offering access to compromised corporate data and found some 260,000 passwords, PIN numbers and other biometric data belonging to users in Serbia, though without identifying specific companies.

According to Kaspersky, the mere appearance of a corporate email address on the dark net, even without a password, already puts the security of the organisation in question at risk.

“The attack surface within its infrastructure increases as the number of potentially vulnerable targets grows,” Kaspersky told BIRN. “The public availability of corporate email addresses can pique the interest of cybercriminals and trigger discussions on dark net resources such as forums, messengers, onion sites, and more, regarding potential attacks on the organisation. Additionally, a corporate email address is more likely to be used for phishing and social engineering purposes.”

Kaspersky’s investigation also revealed a worrying lack of corporate preparedness and a tendency to deny claims that their protections have been breached.

This was also documented by the Serbian State Audit, which reported in xxxx that public enterprises and the state administration are reluctant to report incidents to CERT. A lack of awareness about whom to turn to and a fear of the hit to a company’s reputation are among the reasons why.

This is worrying, said Bojan Perkov, digital policy coordinator at SHARE Foundation, which works to promote and protect digital rights.

“Unauthorised access to email accounts and their abuse can be an entry point for other, far more serious attacks,” Perkov told BIRN.

“If the same combination of credentials – let’s say email, username or password – was used for multiple accounts, of which some contain highly sensitive information such as a large database with the details of private citizens, this can be quite damaging. The attacker can also continue to abuse the email address for phishing schemes and social engineering in order to gain further access to the system.”

Phishing for employees

It’s not only companies that are reluctant to admit to cybersecurity breaches. Employees are also often unwilling to admit they may have unwittingly compromised their employer.

“A member of staff said that she received an email, but did not click on it. But her computer was blinking,” an employee in the IT department of a Serbian public company told BIRN, speaking on condition of anonymity.

The case in question was phishing. A bot introduced itself as an administrator to a staff member, and the email she received contained a link which allegedly led the person to change the password.

“It took us a month to solve the problem,” the IT employee said. “First, the Outlook file, where the emails were stored, started duplicating her emails. Once that was fixed, suddenly she couldn’t receive any emails, then the ports would get mixed up, the configuration I set up would turn off. I thought we could just repair the file, but ended up taking down the entire system of her computer.”

The use of an official email address for private purposes is one of the most common mistakes made by employees in public companies and institutions, CERT told BIRN.

“This leaves them particularly vulnerable to phishing attacks and social engineering. Also, sending sensitive and private data via instant messaging apps, such as Viber and WhatsApp, can have similar undesirable consequences.”

Most email accounts of Serbian public enterprises sold on the black market used Outlook Web App.

“The problem with this, or any other webmail app accessed through a browser, arises when the user chooses the option for remembering the password,” said another IT employee at a Serbian public institution, who also spoke on condition of anonymity.

“The browser on the computer or laptop doesn’t have any additional protection when someone accesses their account through remembered credentials,” he said. “Once the computer is infected with a virus, the data will become available. And since most institutions attempt to network all their computers, the virus spreads really fast within the system and can collect their accounts.”

In the case of EPS, Markovic informed authorities about the compromised emails, but only the Commissioner for Information of Public Importance and Personal Data Protection took any action, he said. Limited in the degree it can inspect, the Commissioner also failed to find any issue.

“Given this outcome, we can only say that this problem is being ignored,” Markovic said.
