As North Macedonia’s government pledges to boost defences against online attacks, many state and local institutions remain worryingly vulnerable – with untrained staff and little awareness of the dangers.
From targeted DDoS attacks blocking access to key sites and data to the hijacking of entire websites and suspected theft of sensitive data, North Macedonia has experienced it all in the past few years.
The government and the Interior Ministry say they are hard at work strengthening defence mechanisms against such malevolent online players. The US and EU have jumped in to help as well, providing both technical and training assistance.
And, in late June, Interior Minister Oliver Spasovski said they had raised the salaries of employees in the ministry’s department of telecommunications and informatics and in the digital forensics section by 30 per cent.
“These people are really needed,” the minister said, admitting that the country as a whole must invest much more in boosting cyber security.
But while at central level the Interior, Defence and Information Society Ministries seem busy boosting security teams and shaping more capable teams of experts ready to offer competent response to threats, the more than 1,000 state or local government-run institutions, public enterprises and agencies, who are often the targets of such attacks, remain wide open.
“There, the situation is dire and harder to fix. For a long time, the issue of cyber security has been neglected in these institutions so their online presence and especially the issue of safeguarding it, have been an afterthought for the many heads and directors who often did not, and do not, understand the matter,” said Dejan Sokoloski, an IT expert and author of the IT.mk website.
As BIRN found out, some of these institutions lack any specialized IT security personnel and rely on just a few staffers to maintain their sites. Some have offloaded this work to private companies that often do not satisfy their needs.
“These institutions are often the first line of defence when it comes to preventing or intercepting cyber-attacks. If they had secure and competently maintained web presences, we could say half of the job is done. But they don’t, so they are the weakest link – a ‘Swiss cheese’ of vulnerabilities and holes that need to be plugged,” Sokoloski added.
Late realization of the threats
The Public Transportation Utility, JSP Skopje, is a public utility company under the City of Skopje that operates commuter bus services in the capital.
Among other things, it provides online services to its commuters, such as buying tickets, and a GPS system tracks all the buses and informs users when the next bus will arrive at their station.
With just one successful attack, the transport system in the capital of more than half-a-million people could suffer greatly. However, the company told BIRN that while it has experts to maintain the system, it lacks specialized cyber security experts.
“We are constantly striving to upgrade our cyber security and the quality of our online services … and we hope that in the next city budget [for 2024] there will be funds to hire dedicated experts in IT security. So far, we’ve relied on help and instructions from the central authorities,” JSP told BIRN in a written response.
The National Information Agency, MIA, is in a similarly vulnerable position. This agency, which receives central government funds and was formed by a decision of parliament, was targeted by a DDoS attack in 2020 during the last parliamentary elections. Together with the Central Electoral Commission, its website was not functional for almost two days after voting day.
The agency still relies on a skeleton team of two general IT experts employed simply to maintain the website.
USB stick is all you need
Vladimir Stajovic, a cyber security expert who has been engaged in a private IT company from North Macedonia that offers its services to public enterprises and agencies, says a qualified workforce that would meet these needs does not yet exist in North Macedonia.
“The general population thinks all IT experts are the same and that they know everything, when in reality security experts are highly focused and skilled on this area alone – and are hard to find,” he said.
“We have many people employed in the IT sector, and that is our advantage if we want to invest in specializing some of them for security, but when it comes to existing security experts, they are mostly working abroad because the salaries there are much higher,” he explained.
Stajovic said a common misconception among clients is that they can quickly fix breaches and vulnerabilities after an attack has already happened.
“We’re not plumbers. We cannot fix a leaking faucet in five minutes in an apartment that has been neglected for decades and where the entire plumbing is rusty.
“The solution is much more regular maintenance of the entire system and updating and migrating the vulnerable files onto more secure and up-to-date platforms and servers. That needs a lot of programming, work, money and testing, and even then, nothing is 100-per-cent secure when it comes to cyber space,” he noted.
Stajovic says that, from his experience, many institutions in North Macedonia are so vulnerable that even a group of high school students could breach defences and wreak havoc in important organisations that employ hundreds of people.
Stressing the need to keep a constant guard and keep up with the latest threats, he mentioned the recent appearance of a USB stick available online for just over $100 US.
It sounds like something straight out of a spy movie.
“All it takes is for someone to physically enter an institution and put this stick in any USB port on any PC. The system falsely recognizes it as a normal peripheral, like a mouse or a keyboard, and then its malicious software, that may be programmed for various activities like gathering data, deleting files or doing something else, starts working and can spread undetected,” he said.
North Macedonia’s Digital Society Ministry presented this year a plan for better and safer digitization of the administration. Photo by Information Society Ministry of North Macedonia
Not a hypothetical threat
North Macedonia is no stranger to cyber attacks.
To name just a few, in July 2020 a DDoS attack rendered the site of the State Electoral Commission useless for several days.
The attack delayed the announcement of the official results of tightly contested parliamentary elections, so the Commission had to improvise by releasing partial results through YouTube clips instead.
To make matters worse, the country’s most popular news aggregator, TIME.mk, experienced a similar attack at the same time.
Later that month hackers took down the sites of the Health and Education ministries.
In September 2021, a population headcount was marred by a slew of technical problems that forced many of the census takers to sit idle for days. Initially, authorities suspected a cyber attack but later said they had been misinterpreted. However, this only revealed the many weaknesses of all-too-important systems.
In August 2022, the government’s site for public services, uslugi.gov.mk, was downed for almost two days.
Earlier, in February 2022, the Education Ministry reported another attack – but insisted that a video published on Twitter by a notorious group calling itself “Powerful Greek Army”, purportedly recorded by the ministry’s security cameras, was a fake.
Solutions must come ‘step by step’
North Macedonia has a total of almost 1,300 public institutions, data from the Information Society Ministry show. Most are in the area of education, healthcare, state administration, communal enterprises and culture.
Slightly more than half of these institutions are at a local municipal level while the rest come under the central authorities.
By the time of publication, BIRN was not able to determine how many of them have permanently employed dedicated IT security staff, or how many rely on private companies to do the work for them.
“We are at the forefront, so to speak, in this effort to boost cyber security across all of our state apparatus. We are aware of the acuteness of the problem but the solutions will come step by step,” said the Information Society Ministry.
It added that along with other government ministries they have already formed so-called quick response teams of IT security experts and that such teams are especially present within the Interior and Defence Ministries.
“Our particular part of the job is to also provide training and help to the many institutions you mentioned and that is underway,” the ministry said.
“Trainings and communication for them are available, we are working on standardizing the platforms they are using in the online sphere.”
The Ministry also sees potential to speed up the process as many people employed in the country’s IT sector, if motivated correctly, could be trained in security.
So far, though, there is no projection about how much it would cost to train these new experts and motivate them to stay in the country for a better salary, or how long that could take.