Serbian Public Still in the Dark over 2023 Energy Utility Hack

In the year since a cyber-attack on Elektroprivreda Srbije, authorities have said almost nothing about what sensitive data was stolen. Only scraps of information have surfaced in media reports.

In February, Energy Minister Dubravka Djedovic Handanovic said only administrative functions were affected.

“Bills were slightly delayed by technical challenges due to the hacking attack, but the system has been brought back up bit by bit,” the daily Danas reported the minister as saying. “What is most important is that this attack did not compromise production, but was of an administrative nature and did not compromise security data.”

Cybersecurity expert and co-founder of the Bezbedni Balkan [Secure Balkan] forum Ivan Markovic told Insajder that, according to sources, the impact was greater than the authorities were letting on and that some members of the public received bills with “illogical values, which can also be a consequence of the attack”.

Official silence

EPS electricity bill. Photo: BIRN.

On December 19, 2023, EPS said it had come under a “crypto-type” hacker attack and was in the process of recovery. Because of the attack, the company’s bill payment portal stopped working and bills for November were late in being sent.

EPS did not respond to a request for comment for this story. Nor did the Department of High-tech Crime within the High Prosecutor’s Office in Belgrade, which reportedly launched an investigation following the attack.

However, the impact of the cyber-attack is visible in the company’s own quarterly reports on its three-year business programme, including, for example, in the company’s ability to carry out maintenance work.

“Maintenance costs were realised in the amount of 20.1 billion dinars and are 4% lower than planned,” EPS said in one report from this year.

“One of the reasons for the lower maintenance realisation is the hacker attack on the ICT infrastructure of EPS AD, when the systems were seriously endangered and when continuous work was being done to upgrade them.”

In July, Radio Free Europe reported that business documentation from the previous few years, as well as the individual personal data of employees at Bajina Basta Hydroelectric Power Plant, part of EPS, in southwestern Serbia, had been published online. The data included scanned ID cards and university diplomas.

Neither EPS nor the government confirmed or denied the report or offered any explanation as to what EPS data had been published on the dark web.

No public information

Monitor view of system hack. Photo: Pexels/Tima Miroshnichenko.

Serbia’s National Centre for the Prevention of Security Risks in ICT systems, CERT, declined to specify what data or documentation had been published by the hackers, telling BIRN: “Hacker groups trade various information on the Dark Web, but it remains an open question whether and how valid this data is. The National CERT, within its competencies, has no authority or ability to determine whether certain data belong to an institution.”

EPS reported the attack to the CERT, but CERT declined to go into details, citing the fact the information had been classified as TLP: AMBER.

TLP, or Traffic Light Protocol, is a set of international standards for sharing sensitive information in the event of a computer security incident.

“Bearing in mind that the obtained information is marked with the TLP: AMBER mark, it is not possible to share it with the general public, and we are unable to provide you with the requested information,” CERT told BIRN.

But Nevena Ruzic, an expert on personal data protection, said that regardless of international protocols, the state itself must rule such information confidential in accordance with domestic laws.

“There must be a decision on confidentiality and the degree of secrecy must be determined,” Ruzic told BIRN.

Ruzic said it is difficult to give an estimate of the scale of damage inflicted by the hack.

“That damage is not immediate, nor does it happen at the same time as the attack, regardless of whether the data refers to persons [customers or employees] or to business data.”

Too often, such incidents are forgotten, Ruzic said.

“After some commotion that arises and media coverage that is often sensational, we stop thinking about what systemic error was involved, whose responsibility it is and what lesson was learned.”

“If we remember the way EPS communicated after the attack, it was in such a way that the individual did not know what happened in the end.”

Earlier warnings

Photo illustration: Pixabay.

The office of Serbia’s Commissioner for Information of Public Importance and Personal Data Protection said it had looked into the attack and had not found any “publication of personal data about the users of the supervised entity’s services, nor EPS employees, as a result of the reported attack”.

Bezbedni Balkan had already warned about problems with EPS cybersecurity. Markovic said that in 2022 and the first seven months of 2023, email accounts related to EPS were compromised at least 15 times. EPS denied this.

Previous research by BIRN has highlighted the need for Balkan states to improve their defences against cybercrime because of a surge in cyberattacks, particularly phishing and ransomware.

The BIRN report cited a series of cyberattacks targeting critical online infrastructure, services and computers. Inadequate public awareness and cybersecurity policies, plus limited regional collaboration, have exacerbated the challenges Balkan countries face in combatting cybercrime, it said.
