Recent attacks on state institutions in the country have revealed how vulnerable most of their IT systems are to cyber-crime – prompting experts to warn that they must start to raise their game.
North Macedonia’s officials are trying to persuade the country that after hackers recently leaked dozens of email addresses and passwords from staffers in public institutions, the situation is under control.
But, as they did so, some of the key pages of Skopje’s main local government’s website could not be reached since Thursday – in what looked like yet another serious breach of cyber-security.
Some pages on Skopje city’s official website, including the one about taxes, are currently marked not secure for use due to an “expired security certificate” – which experts said could lead to another breach of data privacy.
Web browsers such as Mozila and Google Chrome blocked access to some of the pages on the skopje.gov.mk website, meaning that the system could either be vulnerable to a hacker attack, or that the website’s users could be vulnerable to a “man-in-the-middle attack”, or MITM.
This is when attackers secretly alter communications between two sides and steal key information, such as passwords, messages or credit card numbers.
The latest security breach came after a Greek hacking group, called “Powerful Greek Army” leaked dozens of email addresses and passwords from staffers in the North Macedonia’s Ministry of Economy and Finance, as well as from the municipality of Strumica – and bragged about their exploits on Twitter on May 10.
When and how the hackers got into these systems is still unclear, but both the North Macedonia’s Interior Ministry in charge of cyber-crime and the Greek authorities promised a swift joint investigation.
Recently, the Powerful Greek Army hacker group also took down the website of the Institute for Sociological, Political and Juridical Research at the country’s main Sts Cyril and Methodius University in Skopje.
Over the past few years, the government has promised to take action following a series of sophisticated and coordinated IT security breaches and hacker attacks on websites containing citizens’ data.
But some consider the country’s current response to cyber threats far too weak.
Speaking about the latest May 10 attack, the authorities shrugged off the threat, insisting that the hacked email accounts could not be accessed with the leaked passwords or with any other data sets. The data obtained by the hackers was more than seven years old, dating from 2013, they added.
“We have no evidence that the current email systems of those institutions have been hacked lately, and we are investigating all the details related to this case,” the government said in an upbeat statement.
It added that official email systems had been updated since 2013, and that protocols with complex passwords for official email addresses have been set, as well as other cybersecurity protocols in the systems that should reduce the risk of systems being compromised.
However, experts warn that although some steps have been taken, they are far from meeting the criteria that are needed. They say the latest incident should be seen as a warning about the kind of cybersecurity practices now being used in the country.
Experts say too many old operating systems are still being used, leaving state institutions vulnerable to hackers attacks, while staffers in these institutions lack proper training on security protocols.
A study in 2018 by the Ponemon Institute, which conducts independent research into data protection, looking at the cost of data breaches, said an average public-sector data breach could cost up to 2 million euros.
Government data breaches are meanwhile two-and-a-half times more likely to remain undetected for a year or more than those in the private sector, said a report by The Daily Swig, which focuses on bugs, viruses and data security issues.
In 2018, the then North Macedonia’s government adopted a national strategy and an action plan on cyber-security, but little has been done since.
In recent years, there have been other examples of poor protection of state institutions. Last year, a former member of parliament was arrested for hacking into the Central Registry.
In 2015, the Ministry of Information Society and Administration and the State Prosecution Office were among several institutions targeted by a hacker group, believed to have ties with jihadist groups in the Middle East.
Outdated operating systems are big concern
One of the major problems for North Macedonia’s IT systems is that most of the operating systems are outdated, and so are more vulnerable to attacks.
“The security of IT systems in the country most often does not meet the necessary standards,” Milan Popov, a Skopje-based cyber-security engineer with years of experience of IT security in the public sector, told BIRN.
“Old operating systems are still being used, websites often do not use security certificates, and weak passwords are used to log into systems,” he added.
“For example, many state institutions are still using the Windows XP system, known for its security vulnerabilities. All this leads to a great danger of compromising systems and potentially extracting sensitive data from users,” Popov continued.
The government adopted a national strategy and an action plan for cyber-security for the period of 2018-2022 in July 2018. The strategy aimed to define the critical infrastructure, and the role of each institution regarding cybersecurity efforts as a whole.
In 2019, it also formed a National Council for Cyber-security, comprising the ministers of Interior, Defence and Information Society. Although it was two years in the making, the council has held only one meeting so far, in January this year, when it held a constitutive session.
Regarding its goals, the council has stated that it will aim to implement the recommendations and cybersecurity practices of fellow NATO-member countries.
Strong and resilient cyber-defences are part of NATO’s core tasks of collective defence, crisis management and cooperative security.
One of NATO’s main objectives is strengthening its members’ capabilities in cyber-education, training and exercises. Member countries are also committed to enhancing information-sharing and mutual assistance in preventing, mitigating and recovering from cyber attacks.
According to the government budget for 2020, the country is investing just over 6 million euros in institutional IT support, from a projected budget of 71.6 million euros. The same amount was spent on IT support in 2019.
Staff need more education in IT security
Illustration. Photo: Unsplash
The email list published by the Powerful Greek Army hackers was concerning also as the employees of the Ministry of Economy and Finance might have used the same passwords for other accounts.
The attack aimed to reveal just how weak the system’s IT protection was. The hackers also promised a return visit. On their Twitter profile they wrote that they would “not stop attacking Skopje”.
The leaked lists contained examples of worryingly weak passwords. According to cyber-security experts, this alone was a cause of concern when it comes to the security of the administrative systems and the data of employees.
“Some of the security concerns here include passwords leaks, plaintext passwords, passwords that contain a part of the last name, are only in letters or only in numbers, are shorter than eight characters, and are without special characters,” Martin Spasovski, a Skopje-based software engineer, told BIRN.
Some of the methods that hackers use to steal passwords are phishing, password spraying, or keylogging. When it comes to passwords, he said users should always pay attention to password strength. In most cases, a strong password policy can make a difference in preventing such attacks.
To prevent more such incidents, state institutions have to educate IT staff more about the various challenges that hacking threats pose, experts note. “Protection requires a serious investment of hardware and software, but the most crucial need is to educate the IT staff on how to use all of this,” Popov emphasized.
“It’s also extremely important to educate non-IT staff on how to recognize various hazards such as social engineering, malicious websites, or working with sensitive data.”
A study conducted by international cybersecurity scholars in 2018 reached similar conclusions about the importance of training.
“Within public institutions, training in cybersecurity issues both for IT staff and general staff is very limited, and it is often at the discretion of management whether a member of staff is permitted to attend a general cybersecurity training or certification course,” it noted.
The Defence Ministry, one of the main components of the cyber-security critical infrastructure, says it regularly conducts cyber-security training for its employees.
“During 2019, 10 trainings on raising cyber-security awareness were conducted, in which 152 ministry employees participated. The Army also conducted training that covered over 1,200 members,” the Defence Ministry told BIRN in a statement.
For 2020, the Defence Ministry planned to conduct training for 150 employees that was supposed to start in April, but had to delay them because of the pandemic measures.
“Securing the cyberspace, being of utmost importance to all organizations involved in the digital world in any aspect, is the main focus of the Cybersecurity Specialist Academic Track – part of the Computer Networks Academy at SEDC”, Toni Todorov, senior DevOps engineer with SEDC, one of the country’s biggest computer education centres, told BIRN.
“Governments across Europe are heavily investing (and will invest even more) time and resources in raising awareness and remediating the threat to the security of their citizens, especially the digital kind,” Todorov added.