BIRN investigation shows at least three malware viruses attacked Serbia’s cadaster system – not one – jeopardizing the staff’s personal data.
Illustration by Pixabay
A BIRN investigation shows that Serbia’s cadaster system, RGZ, was infected by not just one malware computer virus but by at least three malicious programs and that at least one of them entered the server via the RGZ mail server, from where it tried to spread.
The servers of the Republic Geodetic Institute stopped working on June 14, when it was announced that a hacker attack had been carried out.
For this reason, management said they locked the entire system preventively, which made it impossible to use its services, including the cadastre of property ownership.
RGZ later said the computer sabotage was carried out from abroad using the ransomware virus “Phobos”.
This works by locking the device, disks and databases that only become available again when the hackers are compensated. However, RGZ insisted that “so far, the message with a request for redemption [cash] has not been identified”.
But BIRN discovered that, beside Phobos, the system was infected with Qakbot and Mirai Botnet as well.
Vladimir Cicovic, a cyber security expert, told BIRN that hackers may have used Qakbot to insert the Phobos virus into the system of the Geodetic Institute.
“One group is selling access, and the other is breaking in. The cooperation of several groups is not excluded. In the institution, they were looking for Phobos, but they didn’t look at how it got in, that is, who opened it,” explained Cicovic.
In special databases, the date of detection of the Mirai botnet on the RGZ mail server is May 8, 2022, while the version of Qakbot from the infected email was detected on May 13.
This is about a month earlier compared to the date officially listed as the start of the hacker attack, and two weeks before the virus allegedly entered the system.
A BIRN journalist had himself received an email from RGZ employee with whom BIRN journalists had been in contact in recent months. The title of the email, as well as other details, made everything look like a continuation of the correspondence, but the content of the email was in Dutch!
Cicovic believes that the fact that the author of the infected email wrote in a foreign language indicates that the malicious program was most likely not intended for Serbia. “If a professional was doing this, the email would be in Serbian. The campaign, or whatever, was not intended for Serbia,” Cicovic said.
He added that the infected email, received by a BIRN journalist, is directly related to the hacker attack on the Geodetic Institute because it shows that the earlier correspondence between the RGZ official and the BIRN journalist was leaked and is now in the hands of hackers.
“The BIRN journalist’s correspondence with the RGZ official is in someone’s hands. A hacker can sell, give, publish this data, but the fact is that the data has been stolen. The email received by the BIRN journalist is sufficient evidence for such a thing. It is possible that other information is also available,” he said, stating that this shows there was a threat of compromising private data.
It is not known whether any other citizen received a similar malicious email.
BIRN contacted the office of the Commissioner for the Protection of Information of Public Importance, which replied that the infected email is not proof that personal data has been compromised and that, as such, it has nothing to do with the hacker attack on RGZ.
According to a report by Kaspersky antivirus solutions company , in the first half of this year, Serbia ranked 13th in the world in terms of the number of cyber-attacks on management systems and critical infrastructure, after Vietnam, Sudan, Tanzania, Yemen and Bangladesh.