Tag: cyber security

Romanians Behind Cyber-Fraud Ring Plead Guilty in US

Posted on by Ivana Jeremic

Fifteen defendants including several Romanians have pleaded guilty before a US judge of involvement in a multi-million dollar scheme to defraud US citizens through online auctions of non-existing goods, a US Justice Department statement issued on Monday by the US embassy in Bucharest said.

The defendants, many of whom were extradited from Romania in 2019, are yet to be sentenced in the US. Most of them operated from the city of Alexandria in Teleorman Country near the border with Bulgaria, in the south of Romania, court documents show.

The syndicate was active from 2013 and most of its members were arrested in 2018 in Romania.

They typically made money posting ads of cars that didn’t exist and convincing American victims to “send money for the advertised goods by crafting persuasive narratives, for example, by impersonating a military member who needed to sell the advertised item before deployment,” the statement read. To carry out the fraud, they created fictitious online accounts, often using stolen identities of US citizens. 

They also delivered fake invoices issued in the name of reputable companies to make the transactions look legitimate, and went as far as setting up call centres operated by ring members who impersonated customer support agents to assure victims of the authenticity of the ads.

The latest to plead guilty did so last week before a court in Kentucky. 

One suspect, Bogdan-Stefan Popescu, 30, who operated a carwash in Bucharest at the time of the events, admitted to managing the ring’s activities by distributing “the language and photographs for fake advertisements as well as usernames and passwords for IP address anonymizing services” used to defraud its victims in the US.

Popescu said he connected members of the syndicate with those “who would impersonate eBay customer service representatives over the phone”. Starting from 2013, he also oversaw Bitcoin transactions with the money obtained from the frauds, the plea documents show.

Another who last week pleaded guilty was Liviu-Sorin Nedelcu, 34, who posted fake vehicle ads online using fictitious entities to sell vehicles. Once Nedelcu and his co-conspirators convinced victims to purchase falsely advertised goods, they sent the victims invoices for payment that appeared to be from legitimate sellers, such as eBay Motors,” the US statement read. Nedelcu and his co-defendants “engaged in a sophisticated money laundering scheme to convert the victim payment into Bitcoin”.

Weeks before, on May 19, Vlad-Calin Nistor, 33, also pleaded guilty. He confessed to being the founder of a Bitcoin exchange company based in Romania and to having “exchanged over $1.8 million worth of Bitcoin for co-defendant Bogdan Popescu.” Another member of the ring, Beniamin-Filip Ologeanu, 30, also from Romania, worked with others to post advertisements in auction websites such as eBay and classifieds online service Craiglist and conspired with the gang US-based associates to launder the proceeds.

Computer Virus Stops Sarajevo Municipality Issuing Birth Certificates

Posted on by Ivana Jeremic

A Sarajevo municipality has temporarily stopped issuing birth certificates due to a computer virus that locks documents in its database for the second time in some two weeks.  

The central Centar Municipality, whose offices are next door to the Bosnian presidency building, said on its website that the problem caused by a “ransomware virus” was detected on Saturday. Such viruses typically block computer systems and their originators demand payment in exchange for removing them.  

But the municipality denied that it was the target of a hacker attack, or that the central electronic register with all birth and death certificates in Bosnia’s Federation entity was in danger of being wiped out, as the Interior Ministry of the Federation entity was quoted as saying by the media.   

“Information about a targeted attack on the IT system of the Center Municipality and the destruction of the registar and documents is not true,” the municipality said. It added the problem was reported to the police, as it was the second time in a little over two weeks that this happened.  

On May 22, the municipality reported on its website that the issue of birth, death and marriage certificates was stopped because of “an electrical problem” but added that it was soon resolved.

Bosnia lags behind with the introduction of e-government, but the Centar municipality has provided a number of services electronically. 

Hackers Expose Gaping Holes in North Macedonia’s IT Systems

Posted on by BIRD

North Macedonia’s officials are trying to persuade the country that after hackers recently leaked dozens of email addresses and passwords from staffers in public institutions, the situation is under control.

But, as they did so, some of the key pages of Skopje’s main local government’s website could not be reached since Thursday – in what looked like yet another serious breach of cyber-security.

Some pages on Skopje city’s official website, including the one about taxes, are currently marked not secure for use due to an “expired security certificate” – which experts said could lead to another breach of data privacy.

Web browsers such as Mozila and Google Chrome blocked access to some of the pages on the skopje.gov.mk website, meaning that the system could either be vulnerable to a hacker attack, or that the website’s users could be vulnerable to a “man-in-the-middle attack”, or MITM.

This is when attackers secretly alter communications between two sides and steal key information, such as passwords, messages or credit card numbers.

The latest security breach came after a Greek hacking group, called “Powerful Greek Army” leaked dozens of email addresses and passwords from staffers in the North Macedonia’s Ministry of Economy and Finance, as well as from the municipality of Strumica – and bragged about their exploits on Twitter on May 10.

When and how the hackers got into these systems is still unclear, but both the North Macedonia’s Interior Ministry in charge of cyber-crime and the Greek authorities promised a swift joint investigation.

Recently, the Powerful Greek Army hacker group also took down the website of the Institute for Sociological, Political and Juridical Research at the country’s main Sts Cyril and Methodius University in Skopje.

Over the past few years, the government has promised to take action following a series of sophisticated and coordinated IT security breaches and hacker attacks on websites containing citizens’ data.

But some consider the country’s current response to cyber threats far too weak.

Speaking about the latest May 10 attack, the authorities shrugged off the threat, insisting that the hacked email accounts could not be accessed with the leaked passwords or with any other data sets. The data obtained by the hackers was more than seven years old, dating from 2013, they added.

“We have no evidence that the current email systems of those institutions have been hacked lately, and we are investigating all the details related to this case,” the government said in an upbeat statement.

It added that official email systems had been updated since 2013, and that protocols with complex passwords for official email addresses have been set, as well as other cybersecurity protocols in the systems that should reduce the risk of systems being compromised.

However, experts warn that although some steps have been taken, they are far from meeting the criteria that are needed. They say the latest incident should be seen as a warning about the kind of cybersecurity practices now being used in the country.

Experts say too many old operating systems are still being used, leaving state institutions vulnerable to hackers attacks, while staffers in these institutions lack proper training on security protocols.

A study in 2018 by the Ponemon Institute, which conducts independent research into data protection, looking at the cost of data breaches, said an average public-sector data breach could cost up to 2 million euros.

Government data breaches are meanwhile two-and-a-half times more likely to remain undetected for a year or more than those in the private sector, said a report by The Daily Swig, which focuses on bugs, viruses and data security issues.

In 2018, the then North Macedonia’s government adopted a national strategy and an action plan on cyber-security, but little has been done since.

In recent years, there have been other examples of poor protection of state institutions. Last year, a former member of parliament was arrested for hacking into the Central Registry.

In 2015, the Ministry of Information Society and Administration and the State Prosecution Office were among several institutions targeted by a hacker group, believed to have ties with jihadist groups in the Middle East.

Outdated operating systems are big concern


Photo: Screenshot

One of the major problems for North Macedonia’s IT systems is that most of the operating systems are outdated, and so are more vulnerable to attacks.

“The security of IT systems in the country most often does not meet the necessary standards,” Milan Popov, a Skopje-based cyber-security engineer with years of experience of IT security in the public sector, told BIRN.

“Old operating systems are still being used, websites often do not use security certificates, and weak passwords are used to log into systems,” he added.

“For example, many state institutions are still using the Windows XP system, known for its security vulnerabilities. All this leads to a great danger of compromising systems and potentially extracting sensitive data from users,” Popov continued.

The government adopted a national strategy and an action plan for cyber-security for the period of 2018-2022 in July 2018. The strategy aimed to define the critical infrastructure, and the role of each institution regarding cybersecurity efforts as a whole.

In 2019, it also formed a National Council for Cyber-security, comprising the ministers of Interior, Defence and Information Society. Although it was two years in the making, the council has held only one meeting so far, in January this year, when it held a constitutive session.

Regarding its goals, the council has stated that it will aim to implement the recommendations and cybersecurity practices of fellow NATO-member countries.

Strong and resilient cyber-defences are part of NATO’s core tasks of collective defence, crisis management and cooperative security.

One of NATO’s main objectives is strengthening its members’ capabilities in cyber-education, training and exercises. Member countries are also committed to enhancing information-sharing and mutual assistance in preventing, mitigating and recovering from cyber attacks.

According to the government budget for 2020, the country is investing just over 6 million euros in institutional IT support, from a projected budget of 71.6 million euros. The same amount was spent on IT support in 2019.

Staff need more education in IT security


Illustration. Photo: Unsplash

The email list published by the Powerful Greek Army hackers was concerning also as the employees of the Ministry of Economy and Finance might have used the same passwords for other accounts.

The attack aimed to reveal just how weak the system’s IT protection was. The hackers also promised a return visit. On their Twitter profile they wrote that they would “not stop attacking Skopje”.

The leaked lists contained examples of worryingly weak passwords. According to cyber-security experts, this alone was a cause of concern when it comes to the security of the administrative systems and the data of employees.

“Some of the security concerns here include passwords leaks, plaintext passwords, passwords that contain a part of the last name, are only in letters or only in numbers, are shorter than eight characters, and are without special characters,” Martin Spasovski, a Skopje-based software engineer, told BIRN.

Some of the methods that hackers use to steal passwords are phishing, password spraying, or keylogging. When it comes to passwords, he said users should always pay attention to password strength. In most cases, a strong password policy can make a difference in preventing such attacks.

To prevent more such incidents, state institutions have to educate IT staff more about the various challenges that hacking threats pose, experts note. “Protection requires a serious investment of hardware and software, but the most crucial need is to educate the IT staff on how to use all of this,” Popov emphasized.

“It’s also extremely important to educate non-IT staff on how to recognize various hazards such as social engineering, malicious websites, or working with sensitive data.”

A study conducted by international cybersecurity scholars in 2018 reached similar conclusions about the importance of training.

“Within public institutions, training in cybersecurity issues both for IT staff and general staff is very limited, and it is often at the discretion of management whether a member of staff is permitted to attend a general cybersecurity training or certification course,” it noted.

The Defence Ministry, one of the main components of the cyber-security critical infrastructure, says it regularly conducts cyber-security training for its employees.

“During 2019, 10 trainings on raising cyber-security awareness were conducted, in which 152 ministry employees participated. The Army also conducted training that covered over 1,200 members,” the Defence Ministry told BIRN in a statement.

For 2020, the Defence Ministry planned to conduct training for 150 employees that was supposed to start in April, but had to delay them because of the pandemic measures.

“Securing the cyberspace, being of utmost importance to all organizations involved in the digital world in any aspect, is the main focus of the Cybersecurity Specialist Academic Track – part of the Computer Networks Academy at SEDC”, Toni Todorov, senior DevOps engineer with SEDC, one of the country’s biggest computer education centres, told BIRN.

“Governments across Europe are heavily investing (and will invest even more) time and resources in raising awareness and remediating the threat to the security of their citizens, especially the digital kind,” Todorov added.

Turkish Police Hunt Musical Minaret Hackers

Posted on by Ivana Jeremic

In last two days, unknown persons in Turkey have hacked mosques’ digital audio systems in the coastal city of Izmir and played the anti-fascist song Ciao Bella and other songs with revolutionary messages.

After videos of the stunt were widely shared, Izmir police announced that they had started an investigation on Thursday and detained several people for insulting religion.

The detainees included Banu Ozdemir a former city official of main opposition Republican People’s Party, CHP.

The Turkish Religious Authority, the Diyanet, announced that it had filed a criminal complaint about the hacking.

“These people are unknown and evil-minded. They insulted our sacred religious values in the holy month of Ramadan. We have filed a criminal complaint at the city prosecutor’s office,” the chief cleric in Izmir, Mufti Sukru Balkan, said on Thursday.

The Diyanet had to suspend all calls to prayers, known as adhans, in Izmir because of the attacks until further notice.

The digital attacks and the playing of songs from minarets angered local politicians.

“We condemn these attacks on our mosques. Whoever has a problem with mosques also has problems with the nation,” Omer Celik, the spokesperson of the ruling Justice and Development Party, said on Thursday.

Tunc Soyer, the Mayor of Izmir, from the CHP, also called the incidents provocative. “The incidents made me and the people of Izmir very sad. This is a provocative and villainous act to set us against each other. We should not fall into this trap,” Soyer told the media.

Several Turkish media outlets said the attacks were likely organised by a Marxist hacker group known as Redhack.

Redhack previously hacked several Turkish government websites, including the Ankara city police department and the Turkish parliament. The group also hacked the email account of Berat Albayrak, the Finance Minister and son-in-law of President Recep Tayyip Erdogan.

Taylan Kulacoglu, an alleged member of Redhack, was arrested on May 20 after he led a group called “Movement of the Unnamed” on social media platforms that said it intended to “stop the manipulation and disinformation spread by pro-government social media trolls”.

President Erdogan’s Islamist government had close links to the mosques, which have backed the government’s policies during the COVID-19 pandemic.

The Aegean seaport of Izmir is an industrial, touristic and agricultural centre on the coast and is a stronghold of the main opposition CHP.

COVID-Related Boom Reveals Video Conferencing’s Dark Side

Posted on by Ivana Jeremic

More than ever before, because of the coronavirus outbreak, use of video conferencing is on the rise.

Whether it is attending work meetings or online seminars and conferences, or taking part in leisure activities like online fitness classes and birthday parties – video conferencing and social media apps have brought huge relief, and a sense of continuity, to people feeling trapped inside their homes by government-imposed lockdowns.

However, while the coronavirus wreaks havoc outside, this time of increased online activities has also generated growing challenges. While some of the most popular video conferencing and video sharing apps, such as Zoom, Houseparty, and TikTok, have seen record-breaking growth in the numbers of users, the apps have also faced serious data breaches and other cybersecurity-related issues.

Cybersecurity experts say that while use of the apps has clearly reduced the risk of people getting infected with the virus by going outside, the same isn’t true for other viral problems, talking about cyberspace.

“Disclosure of personal data, recording sensitive information, or storing people’s profiles on unauthorized servers are some of the risks that go hand in hand with the use of video-conferencing tools,” says Skopje-based cybersecurity practitioner Daniel Trenchov.

“Greater use of virtual telecommunication tools does eliminate pandemic-induced risks,” he adds, “but not necessarily cybersecurity ones.”

Zoom ‘bombing’ is on the rise:


Illustration. Photo: EFE/MATTIA SEDDA

Last Friday, Michael Oghia, a Belgrade-based internet governance consultant, was getting ready for his weekly Zoom conference call with colleagues all over the world.

Usually, the group uses these meetings to chat and discuss ongoing social developments. This time, however, they experienced something more unpleasant.

“Around 45 minutes into the event, when one of the speakers went to share his screen, all of a sudden a child pornography video appeared. Once I realized what was happening, I immediately shut my laptop out of shock,” Oghia said.

“I couldn’t believe it. For a moment I thought that maybe it didn’t even happen. Then re-entered the Zoom call and wanted to see if the others had experienced it. Around 15 or 20 minutes later, another Zoom-bombing happened – again child porn. It was absolutely vile,” Oghia told BIRN.

“Zoom-bombing” incidents like this have become a regular occurrence for those using the app lately. In the last few months, since the coronavirus outbreak started, the app has seen the number of daily users increase hugely from 10 millio to 300 million.

After the incident, Oghia contacted Zoom to report what had happened. The company replied that it would investigate.

“Zoom-bombing is on the rise, and in this particular case, I’ve heard of multiple instances over the past few days of it happening (one group was the UK-based Open Rights Group, for instance),” Oghia explained.

“There will always be issues with safety concerns, but this is no excuse. I’ve used Zoom for years, and the ease of using the platform and the features it has have made video-conferencing easier. But they need to do an even better job at ensuring their privacy and making sure the security features are clear and easy to use.”

The incident prompted Oghia and his colleagues to prepare a short “zoom-bombing” prevention and resources guide to help others that are using Zoom and other video conferencing software.

In its latest statement, Zoom said that it would release an improved version of the app, addressing security concerns about phemonena like “bombing”, while also having upgraded encryption features.

More education in safe use of apps needed:


Illustration. Photo: EPA-EFE/AMEL PAIN

When it comes to the security of video-conferencing apps, several factors are crucial, cybersecurity experts explain. One is having a proper education in the safe use of these social tools.

“These apps have a very useful role and that is why their use should not be avoided, but it is necessary to educate ourselves more, to provide the highest possible protection,” a Skopje-based personal data protection expert, Ljubica Pendaroska, told BIRN.

It is essential to note that not every app is designed for use at home. Zoom was designed for use by large businesses with in-house IT specialists who would set up and control the software when using it, Pendaroska explained.

Now, especially during lockdowns, while Zoom is still mostly used for business purposes, people are using it more for family events such as birthdays, or even wedding celebrations.

“Potential hazards also come from the fact that these apps detect and remove issues most often on the go, or as they occur,” she said.

“What’s particularly concerning is that most of these tools are not encrypted by end-user to end-user, which increases the possibility of so-called ‘interception’ of communications by unwanted and malicious participants,” she added.

Houseparty, another popular video conferencing app, has also faced intense security scrutiny over the last months.

The app is popular with teenagers and youngsters who use it to play various group games, giving it a more fun-based approach compared to other apps. At the same time, these groups are potentially vulnerable to various security issues that can arise.

“There are also apps, for example like Houseparty, where to make it easier to find friends, you can connect your account with phone contacts and social media accounts,” Pendaroska noted. “This enormously increases the potential danger not only for your safety but also for the safety of all these contacts,” she added.

“There could be hacker attacks; during the meeting, the administrator can see details such as the operating system, IP address and location data of each of the participants; also, uninvited users in the communication, if the password is not authenticated, could use the conversation to spread malicious links or send files,” she explained.

Espionage concerns linked to China: 


Illustration. Photo: Pxhere

TikTok, a Chinese video-sharing social network, is increasingly popular in the Balkans, especially among teenagers who post various challenges to each other, such as dance-offs, sing-offs and so on.

But in some parts of the world, there are initiatives to ban it. In the US, lawmakers have introduced a bill to the Senate, which cites the company’s connection to the Chinese government, saying its potential collection of data from US citizens represents a security risk to the US.

Global cybersecurity companies have also identified many security vulnerabilities in the app that could allow malicious actors to manipulate its content and reveal the personal data of its users.

Cybersecurity experts say one way that tech companies could deal with such security risks and the consequences for their users is by having transparency reports.

“This could also include independent security audits of their code looking for weaknesses and flaws – akin to what Microsoft and Apple do with their operating systems, or what Google does with its “bug bounty” program,” Oghia suggested.

When it comes to the users themselves, the best prevention is to know not only what these apps bring to the table, but just as importantly, what their software solutions and vulnerabilities are.

Research by Picodi.com, an international e-commerce platform, says interest in video messaging clients has increased by seven times since the coronavirus restrictions were introduced in many European countries.

WhatsApp was the most frequently searched messaging app in 22 European countries. It is also a favourite app in the Czech Republic, Albania, Romania and Turkey.

Worldwide interest in the Zoom video app is skyrocketing, in Europe as well, with it being the most popular app in 14 countries, including Moldova, North Macedonia and Slovenia.

Besides WhatsApp and Zoom, people were massively using Skype – in Hungary, Poland, Slovakia and Greece, Viber – in Bosnia and Herzegovina and Montenegro, and Microsoft teams – in Croatia and Bulgaria.

Picodi.com analyzed the average number of online search queries of 19 messaging clients which enable video chatting.

North Macedonia Leads Region in COVID-19 Tracing App

Posted on by Ivana Jeremic

North Macedonia has become the first country in the Western Balkans to launch a contact-tracing app to tackle the spread of COVID-19, with the government at pains to stress user data will be protected.

StopKorona! went live on April 13 as a Bluetooth-based smartphone app that warns users if they have come into contact with someone who has tested positive for the novel coronavirus, based on the distance between their mobile devices.

The app, downloaded more than 5,000 times on its first day, was developed and donated to the Macedonian authorities by Skopje-based software company Nextsense.

States are increasingly looking at digital solutions to control the spread of COVID-19 as they move to open up their economies while limiting the burden on their health services. The European Union and data protection campaigners, however, have voiced concern over the threat such technology poses to individual privacy.

Presenting the app, Health Minister Venko Filipce said North Macedonia was looking to use “all tools and possibilities” to combat a disease that, as of April 15, had killed 44 people.

Information Society Minister Damjan Manchevski said all data would be securely stored.

“This data is recorded on a secure server of the Ministry of Health,” Manchevski said at the launch. “And no other user has access to mobile numbers, nor is there any data stored about the owner of the number.”

If a person tests positive for COVID-19, they can “voluntarily” submit their data to the Ministry of Health, Manchevski said, enabling the app to warn other users if they come into contact with that person.

Data privacy concerns linger


Macedonian Minister of Health Venko Filipce accompanied by Prime Minister Oliver Spasovski in Skopje, Republic of North Macedonia, 2020. Photo: EPA-EFE/NAKE BATEV

China, Singapore, Israel and Russia are among a number of countries that have developed their own coronavirus mobile tracking apps, mainly using Bluetooth, GPS, cellular location tracking and QR codes. The Chinese government app colour codes citizens according to risk level.

The technology, however, has set alarm bells ringing among data protection campaigners and rights organisations concerned about the threat posed by mass surveillance and loosening of data protection laws.

Nextsense director Vasko Kronevski, however, said his firm’s StopKorona! app adhered to all legal requirements.

“This is a mobile app made by following best practices around the world in dealing with the coronavirus,” he said. “It guarantees the complete protection of users’ privacy.”

“The success will depend on the mass use of the application. It is important to emphasise that we used global experiences from different countries.”

One of those examples is Singapore’s TraceTogether app, which helped the Asian country successfully contain the COVID-19 outbreak within its borders while, unlike most countries, keeping businesses and schools open.

According to data privacy experts, the decentralized design of North Macedonia’s app guarantees that data will only be stored on those devices that run it, unless they voluntarily submit it to the ministry.

“The key part is that the citizen maintains full control over their data until the moment they decide to send it to the Ministry after being diagnosed,” said Danilo Krivokapic, director of the Serbia-based digital rights watchdog SHARE Foundation.

“Additionally, all data stored on the phone is being deleted after 14 days,” he told BIRN. “In that context, the app is in line with the legislation that covers Data Protection.”

Krivokapic stressed that once data is shared with the authorities, the Ministry and all data users are obliged to respect the legal framework regarding privacy and data protection.

EU countries warming up to digital solutions


People wearing face masks in Skopje, Republic of North Macedonia, 2020. Photo: EPA-EFE/GEORGI LICOVSKI

France and Germany are reported to be working on similar contact-tracing apps, while Poland has made the biggest progress within the EU.

Polish authorities have already launched a smartphone app for those in quarantine and are now working on another, similar to StopKorona!

The first app was mandatory for people in quarantine, meaning that they had to upload selfies so the authorities could track their exact location.

According to Krzysztof Izdebski, policy director at ePanstwo Foundation, a Poland-based NGO that promotes transparency and open data, the coronavirus pandemic has already posed significant threats to privacy, with governments deploying technologies primarily created for the surveillance of their citizens.

With the second app, the Bluetooth-based ProteGO, authorities have published the app’s source code online, to get feedback and opinions from IT experts before implementing it.

So ProteGO, said Izdebski, is an example of an app that is trying to meet privacy requirements.

“The data is stored on personal devices for up to two weeks, and only if the user is sick and agrees to share data with respective authorities, they are being sent to the server – without information on the location,” Izdebski told BIRN.

And while digital solutions such as these could become a game-changer in containing the outbreak, experts note that success still depends on how many people are willing to use them.

“For the technical solution to have some results, a substantial number of citizens need to run the apps and to decide to share their data in case they are diagnosed,” said SHARE Foundation’s Krivokapic. “This way, the app can serve its purpose.”

Romania: From ‘Hackerville’ to Cybersecurity Powerhouse

Posted on by BIRD

First there was Guccifer, real name Marcel Lazar Lehel, who hacked the email accounts of the Bush family in the United States; then came Hackerville, the moniker given to the town of Ramnicu Sarat due to the international cybergangs it was home to.

Fairly or not, hackers put Romania on the global online map, honing their skills to strike Internet users and companies in the West, particularly the US.

But today, 30 years since the fall of communism, IT and cybersecurity firms are looking to tap the same rich vein of ambition, ingenuity and education that made Romanian hackers so feared and famous.

“Romania is currently one of the largest pools of talent in the IT&C space,” said Bogdan Botezatu, senior e-threats analyst at Romanian antivirus and cybersecurity giant Bitdefender. 

“Based on our tradition in STAMP [Software Testing Amplification] and research, universities deliver engineers, reverse engineers, people who are highly skilled in IT.”

Romania, he said, is already internationally recognised in the field of cybersecurity, and has the potential to play an even greater role.

Made in Romania – a global leader in cybersecurity

Bitdefender is one of the global leaders in cybersecurity, with more than 500 million customers worldwide and a network of research labs in Romania – the largest such network in Europe – to combat online threats.

Some 40 per cent of the antivirus and digital security companies on the market currently use at least one technology developed by Bitdefender. Such success is unparalleled in Romania, a European Union member state where almost no other company has a significant international footprint.

From Bucharest and other Romanian cities, Bitdefender’s experts have led or participated in operations to halt some of the most damaging cyber attacks the world has seen in recent years. 

In 2018, Bitdefender partnered with Europol, Interpol, the FBI and police in a number of EU countries to take down a group of hackers – believed to be from Russia – behind a ransomware called GandCrab. The inventors of the malware sold it on to other hackers who used it against private and corporate users.


View of the Bitdefender’s central headquarters in Bucharest. Photo: BIRN

“It became such a large phenomenon that half of the ransomware attacks happening at that moment were caused by GandCrab,” Botezatu told BIRN. 

“We managed to decrypt [the computers of] 60,000 victims, saving the victims around 70 million dollars.”

Despite its unusual level of sophistication, GandCrab was created as a way for the private individuals behind it to steal other people’s money.

Another type of cyberthreat, however, is state-sponsored and is known among experts as Advanced Persistent Threats, or APTs. 

The goal in this case is to undermine the functioning of key strategic foreign infrastructures or steal secret information from other states. That was the purpose of NotPetya, or GoldenEye, which emerged in 2017 as the work of hackers suspected to have been working for the Kremlin.

These hackers infected the update servers of an accountancy product widely used in the Ukrainian state administration. Everytime a Ukrainian public servant updated the program, the virus entered his or her computer and encrypted all its files. 

The virus had a worm component and quickly contaminated the entire networks to which infected computers were connected, bringing, for example, the Kiev metro to a halt and shutting down at least one airport, several banks and the radiation monitoring system at Chernobyl.

It spread globally, including to Romania, where Bitdefender took charge of the preliminary investigation that led to the identification of the virus after its researchers identified a pattern in the threats suffered by many users of their antivirus products. 

‘You can’t trace them back’

Like the rest of the former Soviet bloc, Romania spent more than four decades under communism, when education placed a premium on scientific and technological training. 

That expertise – and a resourcefulness developed under communism and during the painful transition to capitalism and democracy after 1989 – is now at the disposal of the EU and NATO as they try to combat cyber threats from Russia and other countries vying for a geopolitical upper hand.

And the Romanian state is doing its bit too, via bodies like the Romanian Information Service, SRI, an intelligence agency that took part in investigations that led to the 2018 exposure of Russian state involvement in a cyber espionage and warfare group called Fancy Bear. 

Also known as Sofacy or APT28, Fancy Bear targeted governments and civil society organisations in countries including the Netherlands, Britain, Germany, Romania and the US.


Bogdan Botezatu from Bitdefender. Photo: BIRN

Botezatu said the fact that the infections happened between 9 a.m. and 5 p.m. Moscow Standard Time led investigators to conclude they were being launched from government offices, said Botezatu of Bitdefender, which uncovered the campaign in 2015.

“Behind these kinds of attacks there is a country, and particularly the intelligence community of that country,” said General Anton Rog, head of SRI’s Cyberint centre.

“Of course, governments don’t act directly; through their intelligence services, they infiltrate or create these cybercrimes groups in a way that you can’t trace them back to say that they work with an information service.”

Most APT attacks, Rog told BIRN, are mounted in order to steal sensitive information. “It is a modality of espionage,” he said, “but through cables and cybernetic tools.” 

SRI’s Cyberint centre relies on tip-offs from foreign agencies, technology that recognises abnormal online activity and cyber informers.

Hybrid attacks

Sometimes the dividing line between financial-motivated attacks and APTs becomes blurred, as in the case of the malware family known as Cobalt Strike.

Cobalt Strike was used by the so-called Carbanak group from Russia and Ukraine to extract more than one billion euros from around 100 banks in over 40 countries, including Romania.

“The technology used is [characteristic of an] APT, but the motivation is strictly financial,” said Botezatu. 

Bitdefender conducted ‘post-mortems’ at two of the affected banks. Botezatu said the malware was “extremely sophisticated”, managing even to access the banks’ payment systems.

“With that level of access, the nefarious individuals authorise fraudulent bank transfers, raise the balance of mule accounts or command affected ATMs to spit out the money for them,” Europol said in a statement on the arrest in Spain of alleged Carbanak leader ‘Denis K’ in a 2018 operation that Romania took part in.

“Our suspicion is that… these attacks are used to make money to sponsor strategic attacks,” said SRI’s Rog. “In our evaluation, we take into account the fact that these groups have members who are in contact with governments or information communities,” he told BIRN, noting the costs and human and technical resources needed to develop malware like Cobalt Strike.

“They [governments] don’t want to spend money from their budget, they want to steal money from other countries and sponsor strategic attacks with it,” Rog said.

Strong cybersecurity “ecosystem”

To strengthen security at home and boost Romania’s role in the global cybersecurity game, SRI’s Cyberint centre says it is trying to create “an ecosystem” already being nurtured by courses offered by Cyberint at several universities across the country.

Likewise, Bitdefender partners with universities and high schools in training the next generation.

They may be people like Alexandru Coltuneac, a White Hat Hacker so called because of his transition from developing an Internet virus as a teenager to using his self-taught skills to help giants like Google, Facebook, PayPal, Microsoft and Adobe test their product security.

“I have set myself a target,” Coltuneac told BIRN. “I want to find at least one vulnerability in a product of each big company.”

Coltuneac, who is one of a number of Romanian White Hat Hackers recognised by Google and other companies as stars of ‘bug hunting’, now runs his own company together with a colleague.

Called LooseByte, the firm offers businesses cybersecurity tests and services to improve their protection levels.

Coltuneac said he finds pleasure in outsmarting the world’s best professionals.

“It’s a way of doing hacking without harming anyone,” he said.

EU Court Rules Against Romania In Cyber Domestic Abuse Case

Posted on by BIRD

A judgment issued on Tuesday by the European Court of Human Rights, ECHR, ordered Romania to pay a victim of domestic abuse 10,000 euros for failing to protect her when police refused to investigate her husband for breaching her internet privacy. The court recognised this as one of “the various forms that domestic violence may take”. 

On 18 March 2014, the ruling recalled, newly divorced Gina-Aurelia Buturuga told the police that her ex-husband had accessed her email and Facebook accounts without permission. She had previously filed complaints against him, identified only as M.V. in the sentence, for domestic violence.

According to the judgment, Buturuga wanted the family computer examined after her former husband allegedly “made copies of her private conversations, documents and photos” that he found on her personal accounts.

But in June 2014, the police in Tulcea, eastern Romania, rejected the request, saying “that the information that might have been obtained was unrelated to the threats and violence charges formulated against M.V.,” the ruling reads.

In September 2014, Buturuga reported her husband to the police again for a “secrecy of correspondence violation”, and the complaint was registered and included in the investigation against her husband for alleged domestic violence.

However, the prosecution dismissed the case in February 2015, saying there was insufficient evidence to prove M.V. had subjected Buturuga to the physical violence she said she had suffered.

Alleged death threats were considered “not serious enough to qualify as a crime”. As for the “secrecy of correspondence violation”, prosecutors said it was not reported on time.

Before addressing the ECHR, Buturuga appealed to a Romanian court, which confirmed the prosecutors’ conclusion and also ruled that the material retrieved by her ex-husband from her social media accounts was already public when he accessed it. The case was closed without a court hearing and M.V. received a fine of 250 euros.

The ECHR concluded that the Romanian authorities failed to properly investigate the woman’s allegations of domestic abuse. It established that part of the information the ex-husband copied from her digital accounts was not public, as the Romanian judges had claimed. It said the authorities should have conducted a proper investigation to determine the nature of that information.

“The court considers that the authorities have shown excessive formalism in rejecting any connection with the acts of domestic violence which the applicant had already brought to their attention,” the ECHR said. “They thus failed to take into consideration the various forms that domestic violence may take.” According to the ruling, Romania has to pay Buturuga 10,000 euros in compensation for moral damage.

BIRD Community

Are you a professional journalist or a media worker looking for an easily searchable and comprehensive database and interested in safely (re)connecting with more than thousands of colleagues from Southeastern and Central Europe?

We created BIRD Community, a place where you can have it all!

Join Now