Albania Prosecutors Seek to Grill Five Officials Over Cyber-attacks

The Tirana Court has received a prosecution request to arrest and investigate five civil servants over the recent cyber attacks that disabled various state institutions.

Its response was an “investigative secret”, a press statement said on Wednesday.

The prosecution request, which reached the court earlier Wednesday, is related to the crime of “abuse of duty” and accuses the five employees of not implementing safety regulations.

“The IT staff at DAP (public administration) could and should have requested a report from the economic operator contracted by DAP for the implementation and maintenance of the system in time, regarding the state in which this system was located, despite the lack of knowledge about how to implement the contract for the implementation of the administrata.al system,” the prosecution office said.

Albania has been hit by cyber-attacks since July 15, when the governmental portal e-albania was attacked. Since then, the hackers, through their website and Telegram group, both called “Homeland Justice”, have been releasing information, mostly from the police and State Information Service.

The Tirana Prosecution banned domestic media from reporting the content of the leaks in September, a move that was widely condemned by journalists and media watchdogs in Albania as censorship.

The hackers are believed to be Iranian; Tirana hosts a group of exiled Iranian dissidents called the MEK – People’s Mujahedin of Iran. The staff of the Iranian embassy in Tirana were expelled on September 7 over the attacks.

Since then, the hackers have conducted other operations, targeting the Traveler Information Management System, TIMS, on September 19, which caused chaos on the borders.

They also released the emails of Gledis Nano, the former chief of police, on September 19. Data from various databases was released after that, including the personal data of Prime Minister Edi Rama and Helidon Bendo, director of the State Information Service, and his wife.

According to an FBI report, Iranian hackers first accessed Albanian systems 14 months before the first cyberattack was reported on July 15, when government services became unavailable for some days.

“An FBI investigation indicates Iranian state cyber actors acquired initial access to the victim’s network approximately 14 months before launching the destructive cyber attack [in July], which included a ransomware-style file encryptor and disk wiping malware,” the report said.

Montenegro Blames Slowed Court Processes on Cyber-Attacks

Montenegro’s Judicial Council said on Wednesday that the court system had been slowed down by the massive cyber-attacks which have hit the country since August 22.

The digital infrastructure of a major part of Montenegro’s public administration has been offline since August 22 following an unprecedented series of a ransomware attacks on government servers.

The Judicial Council told BIRN that some trials had to be postponed due to technical problems.

“The reason for the postponement of certain trials lies in the fact that a small number of users are unable to access the Judicial Information System, PRIS, and enter the necessary data due to problems with the links provided by the Ministry of Public Administration.

“We are actively working on finding alternative ways to access the system for users who do not currently have it, until the establishment of a regular operating regime,” the Judicial Council’s press office said.

“So far, no data were compromised in the court system, nor was direct damage to the system detected,” it added.

On September 5, the Higher Court in Podgorica postponed the so-called “coup plot” trial, as it couldn’t provide technical conditions for the trial. It postponed the trial to November 28.

After the second cyber-attack on August 26, certain services were switched off temporarily for security reasons, causing problems in the functioning of the public administration. The websites of the government and the president are still offline.

Courts and the prosecution service are also working only offline, as are the State Property Administration, the Central Register of Business Entities and the fiscal system.

Government servers were hit with ransomware, a type of malware attack in which the attacker locks and encrypts the target’s data and important files and then demands a payment to unlock and decrypt the data. The head of State Cyber Security Service, Dusan Polovic, said on September 5, that some service could be switched to online mode in future days, stressing that a team from the FBI had joined the investigation.

“In the next few days, we expect developments. Citizens should understand the complexity of the attack. The situation we have, many countries have gone through,” Polovic told television Vijesti.

After the second wave of cyber-attacks on August 26, the Agency for National Security, ANB, accused Russian services of organizing the attacks. On September 1, Russia’s Foreign Ministry dismissed the claims as part of a “continuous policy of dismantling relations with Moscow in order to please the United States”.

On August 31, Public Administration Minister Marash Dukaj blamed Cuba Ransomware for the attack. He said this group had created a special virus for this attack, costing about 10 million dollars and which has not been used anywhere so far.

BIRN Hit by Cyber-Attacks After Turkish Fraudster Investigation

The Balkan Investigative Reporting Network and its Greek partner media outlet Solomon’s websites came under DDoS attack by hackers from early Saturday morning onwards in the wake of the publication of an investigation into a controversial Turkish businessman.

The attack began on Saturday morning and continued into Sunday. BIRN’s server was not compromised but at one point, BIRN’s flagship Balkan Insight website was completely inaccessible.

“The attack started on Saturday at 7.30am. That’s when the alarms went off, and around eight we had already started to react. It was a fierce battle, I never experienced a fight like that,” said an IT security expert whose company works for BIRN.

“At one point on Saturday, we had 35 million different IP connections from all over the world.  The site was brought down by the number of connections,” he explained.

BIRN’s technical experts determined that the attack was specifically aimed at bringing down the page on which the investigation into how a Turkish businessman who had been convicted of fraud bought his way to honorary Greek citizenship.

By Sunday evening, the attack had been repelled. But Solomon’s website remained under attack and was still offline on Monday morning.

Solomon, a Greek independent media outlet which worked with BIRN on the investigation, initially announced on Twitter on Saturday that it was experiencing difficulties because of a “massive DDoS attack on our site”.

A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.

It is often used in attempts to target specific content published online and strike a blow at websites that need time to recover from such huge amounts of visits.

The investigation believed to have caused the DDoS attack looks at the case of Yasam Ayavefe, a Turkish businessman who was convicted of defrauding online gamblers in his home country in 2017 and arrested in Greece in 2019 while trying to cross the border into Bulgaria on a false Greek passport. He was later awarded honorary Greek citizenship.

The BIRN and Solomon investigation “examined how honorary citizenship, a state honour long reserved for those who have significantly promoted Greek culture, was turned into a golden visa scheme for those with deep pockets”, Solomon said in a Twitter post on Monday.

The investigative outlet Inside Story first broke the news in July, triggering a fierce debate over Ayavefe’s suitability for such an honour. Inside Story also came under DDoS attack after publishing its report on Ayavefe.

Montenegro Still Assessing Damage From Mystery Cyber Attacks

Montenegrin Minister of Public Administration Marash Dukaj said on Monday that organized cyber attacks on government servers have continued, adding that the damage to public data still has to be assessed.

Since August 22, the government has reported two series of cyber-attacks on government servers, claiming they managed to prevent any damage.

“The damage is being repaired and we are assessing its extent. The system will suffer no lasting effects. A huge amount of money was invested in this attack on our system,” Dukaj told a press conference.

Head of State Cyber Security Service Dusan Polovic said the authorities are not able to activate some services online, and a certain number of workstations are compromised.

“The cost of the virus used for the first attacks on the dark web is from 100 thousand to 2.5 million dollars,” said Polovic.

On August 26, the Ministry of Public Administration said some government servers were temporarily taken offline, while the Agency for National Security, ANB, accused Russian services of organizing coordinated cyber-attacks on government servers. The ANB said Montenegro was caught up in a “hybrid war”, claiming that an attack had been prepared for a long time.

The ANB did not respond to BIRN requests about the cyber-attacks’ investigation’s results. The head of the Electric Company, Milutin Djukanovic, on Monday meanwhile said ANB chief Savo Kentera had warned him about potential cyber-attacks on the electricity system, so they switched to a manual operating system.

On August 26, the US embassy in Montenegro warned its citizens that cyber-attacks may include disruptions to public utility, transportation and telecommunication sectors.

After a National Security session on August 26, outgoing Prime Minister Dritan Abazovic described the cyber-attacks as dangerous, but added that citizens’ personal data were safe. He said the authorities don’t have firm evidence yet about the organizers of the attack.

“We do not have clear information about the organizers. Security sector authorities couldn’t confirm that there is an individual, a group, a state behind this, nor could we deny it,” Abazovic said.

The government published a safe protocol for safety in cyberspace, calling on citizens to use licensed operative systems and create backup copies of all important data. The government noted that NATO members have helped Montenegrin authorities to prevent cyber-attack damage.

Reportedly, government servers were hit by ransomware, a type of malware attack in which the attacker locks and encrypts the victim’s data and important files, and then demands a payment to unlock and decrypt the data.

On Monday, Veselin Konatar, a professor from the University of Podgorica, said the government had not provided firm evidence about the cyber-attacks’ organizers.

“There is a real possibility that a cyber-attack on the government’s IT infrastructure could have been organized by both individuals and organized criminal groups… Also, the government surprisingly quickly assessed that there was no permanent damage to the IT infrastructure, nor any compromise of citizens’ data, which requires much more time to confirm,” Konatar told the daily Dan.

On Monday, IT specialist Branko Popovic urged authorities to present the results of the cyber-attacks investigation, warning also that the government doesn’t have the administrative capacities to deal with such attacks. “It’s possible that someone deliberately released a virus into the government servers in order to steal confidential information, correspondence or reports,” he posted on Facebook.

The government has not adopted a new Cyber Security Strategy after the last one became outdated in 2021. In July 2021, the then Minister of Public Administration, Digital Society and Media, Tamara Srzentic, said that the government would improve its administrative capacities in the cyber security sector, and push for international cooperation and staff education.

Albania Blames ‘Massive Cyber Attack’ as Govt Servers go Down

Albania has come under a “massive cybernetic attack”, the government announced on Monday, which pro-government media blamed on Russia.

The main servers of the National Agency for Information Society, which handles many services, were all down on Monday after being hit on Sunday by “an attack from abroad”.

“Albania is under a massive cybernetic attack that has never happened before. This criminal cyber-attack was synchronized… from outside Albania,” the Council of Ministers said in a press release.

“In order to not allow this attack to damage our information system, the National Agency of Information Society had temporarily shut down online services and other government websites,” it added.

The National Agency for Information Society, AKSHI, is a controversial institution, which some accuse of  misusing citizens’ personal data for political purposes. It has been also suspected of funneling millions of euros to progovernment media through procurements of various services.

The government of Prime Minister Edi Rama closed desk services for the population lately and ordered mandatory use of its online services for everything from enrolling in school to obtaining an ISBN number for a new book at the National Library.

However, several important services, such as online tax filing, are still working, as they use separate servers.

Sali Berisha, a former PM and opposition leader, blamed the ineptitude of the government rather than Russia for the meltdown, pointing out that the government had concentrated too many services in the AKSHI.

“How did it it happen that the government ordered almost all important services to go through this website?’ he asked. “How can such initiatives be undertaken while no professional policing against cyber crime is yet in place?” he added.

Greek Post Restarts Services After Cyber-Attack Downs System

Hellenic Post, ELTA, announced on Wednesday that it had restarted the system that enables objects and items to be sent abroad after a cyber-attack brought the computers down.

Days before, financial services and the sending of simple correspondence were also re-activated. The suspension of these operations, among other things, has caused delays in the payment of pensions.

After the cyber-attack in March brought down the ELTA computer systems, the company isolated the entire data centre and temporarily suspended the commercial information systems of all post offices.

The cyber-attack, aimed at crippling the operations of ELTA, started from malicious zero-time software, which was installed on a workstation and, with the ‘HTTPS reverse shell technique”, connected to a computer system controlled by the cyber group, said ELTA.

Kathimerini newspaper also reported that the hackers used ransomware – nowadays the most common form of corporate cyberattacks. Most times, the victim receives a phishing email including a malicious link or is infected with a ransomware attachment.

“This specific malware, when executed, encrypts part of the victim’s hard drive and, in order for the victim to receive the decryption key and retrieve the data, a ransom must be paid to the attacker,” Dimitris Aretis, Senior Manager EY Cybersecurity Consulting, told BIRN.

“Bitcoin or other cryptocurrencies is used as the form of payment as it provides anonymity to the attacker and makes the transfer of funds untraceable,” he added.

US President Joe Biden on March 22 warned US companies of potential Russian cyber-attackers. But a source from ELTA told BIRN that Russian hackers were not involved in this case.

The Communications Privacy Protection Authority, ADAE, which is responsible for the criminal investigation of the case, declined to comment to BIRN on the issue.

On January 17, two hospitals in the Attika region, Sotiria and Asklipieio Voulas, fell victim of cyber blackmailers who used the same type of ransomware.

Panagiotis Stathis, chief of the 1st Health District of Attica, told BIRN that the hackers attacked the servers of the hospitals. The hackers did not get access to patients’ personal health data but only to the hospitals’ invoices and visitors. Sources told BIRN that the investigation into these cases is still ongoing.

Hackers Attack Croatian Daily, Post Kremlin Propaganda

Croatian police are probing Tuesday’s hacking of the daily Slobodna Dalmacija website by an unknown assailant. The paper reported that “a couple of older articles in Slobodna Dalmacija were replaced with articles promoting Russian propaganda in the war with Ukraine”.

Around ten articles were replaced, it wrote. “Our services spotted the attack on time and are working on solving the problem. The articles have been removed and the attack was reported to the police,” it added.

“Western Deception Machine”, “Which Side Are You On?”, and “The United States of America Admitted They Have Hidden Laboratories in Ukraine”, are just some of the fake articles that the hackers posted online.

Hrvoje Zovko, president of the Croatian Journalists’ Association, HND, condemned the attack. “We condemn this attack and hope the investigation will reveal where it originated from and who was behind it. Unfortunately, something like this is not unexpected in conditions of war. We call all institutions to get involved in the case and all media to report similar incidents immediately, if they happened,” Zovko said.

He added that the incident was reported to the European Federation of Journalists, EFJ. Ricardo Gutiérrez, EFJ secretary, said: “We strongly condemn this act of piracy and call on all Croatian judicial bodies to identify and process the perpetrators. This way, media become a hostage! This is very serious. This is the first time we encountered this type of manipulation of opinion. We believe this type of cyber-attacks might become more and more common.”

The police’s cybercrimes unit is investigating the matter.

Editor-in-chief Sandra Lapenda Lemo told Croatian news agency HINA that the investigation is ongoing and that the articles in question had been deleted. The daily apologized to its readers for “seeing content which at no circumstances reflects the editorial policy of Slobodna Dalmacija”.

The daily newspaper is published in Split. Its first issue was published on June 17, 1943.

Kosovo Media Regulator Struggling to Recover from Cyber-Attack

Kosovo’s media regulatory body on Wednesday said it was subjected to a severe cyber-attack in January that has resulted in a loss of data and access to official email addresses and internal systems for almost two months.

Faruk Rexhaj, acting head of the Independent Media Commission, IMC, confirmed that many electronic services had been disabled because of the attack in January.

“We have not restored [the lost material] yet because we need to go through procurement procedures to hire an expert on restoring the servers. Procedures took some time but we are almost at the end,” Rexhaj told BIRN.

According to Rexhaj, the IMC is working to restore the system after the attack and blamed delays on the procurement procedures needed before hiring an expert to deal with the issue.

“We are in procedure to restore equipment, materials and systems to normalcy. We are working on it,” he added.

The IMC is an independent institution responsible for the regulation, management and oversight of the broadcasting frequency spectrum in Kosovo.

It licenses public and private broadcasters, establishes and implements policy and regulates broadcasting rights, obligations and responsibilities of individuals and entities who provide audio and audiovisual media services.

Rexhaj said police were informed about the attack. “We informed the police, and the Department for Cyber Crimes has taken all data they need. They have concluded that the attack was similar to some other cases and it is not related to anything specific. This kind of attack happens all over the world,” Rexhaj said.

North Macedonia Banks Targeted by Notorious Greek Hackers

A well known group of supposedly Greek-based hackers, calling themselves “Powerful Greek Army”, has claimed it took down the pages of several banks in North Macedonia on Tuesday evening for a couple of hours.

Only one bank, however, the private TTK Bank, has confirmed that its web page was in fact the target of a hacker attack, saying that it “successfully prevented” the attack and “there are no consequences”.

“Powerful Greek Army” posted on Monday that it intended to attack a range oif banks.

“ALL banks licensed by the National Bank of the Republic of North Macedonia/All Banks of North Macedonia will be downed … soon,” the group wrote on Twitter. On Tuesday, the group posted subsequent posts, claiming success in this.

BIRN asked North Macedonia’s central bank to comment but did not receive an answer by the time of publication.

This is not the first time the group has targeted North Macedonia’s institutions.

In February, the Education Ministry confirmed it came under attack by the group, which posted video footage of allegedly hacked video surveillance cameras from inside the ministry. However, the ministry said the camera footage was fake.

Earlier, in May 2020, “Powerful Greek Army” leaked dozens of email addresses and passwords from staffers in North Macedonia’s Ministry of Economy and Finance, as well as from the municipality of Strumica – and bragged about its exploits on Twitter.

The hacking group was reportedly founded in 2016, when it took down the website of the Greek Prime Minister. Since then it has taken offline a number of banks in Turkey and downed the websites of Turkish Airlines and the office of the Turkish president among other targets. In a recent interview, an alleged member said they had not particular motivation or ideology and chose their targets at random, from Greece and its neighbours to Nigeria and Azerbaijan.

Croatian Teen Suspected of Hacking Communication Company’s Data

Croatian news site Index.hr reported that the prime suspect for hacking the database of Croatia’s telecommunication operator’s, Tele Operator A1, exposing around 10 per cent of user data, is a 14-year-old primary school pupil from Slavonski Brod.

Police reportedly waited for the suspect at home after he came back from school on Monday and questioned him in the presence of his parents. They then searched his home and, according to reports, found the equipment he used to hack Tele Operator A1.

As the suspect is a minor, the police were unable to give many details, but Renato Grguric, head of the police’s Department of Cyber-Security, said there was “enough evidence that the person in question is the hacker. When the investigation is over, adequate criminal charges will be brought”.

The police also said that he had an accomplice, who was not from Croatia and who did not participate in the hacking itself.

Grguric said that when a crime perpetrator is a minor, the emphasis is not on punishment but on preventing further crimes. “People usually get three to five years in prison for a crime like this, but that’s not the point. In this case, the responsibility is on the minor, not the parents. Every person over 14 is responsible for their own actions,” Grguric explained.

On February 9, Croatian Tele Operator A1 was the target of a hacking attack that compromised round 10 per cent of A1’s user data, exposing their names, addresses, personal identification numbers and phone numbers.

The hacker demanded a $500,000 ransom or threatened to sell the data on the dark web. A1 did not pay the ransom and the hacker claimed to have sold the data anyway.

BIRD Community

Are you a professional journalist or a media worker looking for an easily searchable and comprehensive database and interested in safely (re)connecting with more than thousands of colleagues from Southeastern and Central Europe?

We created BIRD Community, a place where you can have it all!

Join Now