Two leaks of historic proportions occurred in Eastern Europe
this July. In Bulgaria, the personably identifiable information (PII) of most
Bulgarian adults was compromised. In Russia, 7.5TB worth of information on
secret projects conducted by the security services found its way to the press
and onto social media. While the breaches differ in some ways, in this blog, we
assess that two key common elements underpin them: the potentially massive
impacts that can be caused by less capable actors, and the socio-political environment
in Eastern Europe that looks set to produce further such incidents.
The leaks: Russia vs Bulgaria
The two incidents can be compared and contrasted by looking several different features. Firstly, whereas the perpetrator in the Russian case is an external cyber activist group, identified only by the moniker 0v1ru$, in the Bulgarian case the perpetrators were industry insiders. Bulgarian authorities initially apprehended Kristian Boykov, an employee at the Sofia branch of US cybercompany company Tad Group, and later also arrested Georgi Yankov, a manager at the same company. Both now face terrorism charges.
As a result of these differing perspectives, the sophistication required to conduct the two operations was also different. 0v1ru$’s operation, which breached a contractor to the Russian Federal Security Service (the infamous successor to the KGB), was likely much more sophisticated than Boykov and Yankov’s, who compromised a government agency with poor cyber hygiene, and a familiar target.
In both cases however the compromised data is now available or partly available online. Our research indicates that the PII compromised in the Bulgarian breach made its way to RaidForums, an infamous deep web forum specialising in leaks, and is now being offered for download by a community member using the moniker instakilla (pictured below).
Some of the data from the Russian leak has meanwhile been made publicly accessible by cyber activist group DigitalRevolution (pictured below).
This leads to another difference – intent. It is not
clear if the data from the Bulgarian breach was ever meant to be made public.
Initially a small part of it was shared with the Bulgarian press and there were
threats to publish it in its entirely via Torrents. But its actual leak appears
to have been an accident, showcasing the gulf between politically-motivated
operations and actual activist campaigns. In the Russian case it is more
straightforward: 0v1ru$ shared their bounty with the Russian press and DigitalRevolution
in a clear effort to discredit the FSB. The information they leaked confirmed
fears but did not compromise state secrets.
Impact is considerable for both – just in different ways. Politically-motivated operations are not a novelty. Successful targeting of government agencies with weak security postures (as occurred in Bulgaria) or government subcontractors who often represent the weak links in an agency’s defences (as occurred in Russia) is not a novelty either. But it is not often that the two combine to produce leaks so big or so damaging. The Bulgarian tax agency where the leak originated faces a fine of up to EUR 20 million under the EU’s GDPR regulations. In Russia, the potential reputational damage to the FSB is considerable. This matters because Russia’s various agencies rest as much on their reputation as on their actual capabilities, and in recent years have sought to cultivate what has been dubbed “dark power” or shadow soft power, trying to paint themselves as infallible and omniscient. Worse still, the data 0v1ru$ stole was on projects that confirm Russian citizens’ worst fears about their government (pictured below) – scraping social media, de-anonymising the Tor browser, and trying to cut off the Russian internet off from the world web (see also our blog series on the Balkanisation of the internet).
Translation: All of us, journalists, students and even pensioners, are being supervised by the FSB. Join us, as well as 0v1ru$, in protecting our future! They will not drown our voices! (featured are screenshots from projects Nautilus-C and Nautilus, to de-anonymise the Tor browser and scape social media, respectively)
Underlying drivers
Perhaps the key factor underpinning both operations is a
palpable sense of anger by citizens at their governments for failings
that are well-documented in Eastern Europe: corruption and incompetence (as the
Bulgarian operation pointed out), coupled with authoritarian tendencies
inherited from decades of totalitarian rule (as made evident in the Russian
leak).
Both operations called out their respective governments in
very unflattering terms. The initial message attached to the Bulgarian hack,
which targeted an agency inside the Finance Ministry, could be translated as
“your government is stupid” – or, more bluntly, as “your government is
retarded”. It added that said government’s cybersecurity was a “parody”. In the
Russian case, stolen data pertaining to FSB ended up in the possession of cyber
activist group DigitalRevolution, who posted screenshots and made it available
for download – with a defiant message stating they are not afraid of Kremlin
“dogs” (pictured below).
Translation: We will not be silent! Kremlin dogs don’t scare us. Watch yourself, be careful. The Digital Revolution is catching momentum.
0v1ru$ themselves did not think the FSB contractor they
breached, Sytech, was worth that many words. Instead 0v1ru$ decided to deface
their website (pictured below).
This anger has become prevalent throughout former communist Europe, if the increasing frequency of street protests is any indicator. If so, the publicity around these two successful leaks, their historical proportions and the relative ease with which they were carried out might encourage copycats.
Another key driver is capability. Boykov and Yankov were industry insiders. Boykov had familiarised himself with government IT infrastructure years before the leak, reportedly exposing faults in the Bulgarian education ministry’s website in 2017; he claimed then it was his “civic duty” to do so.
He is just one of many angry Eastern European citizens with the capacity to deal governments some damage. Russian-language forums on the dark web are full of people sharing tips and tools, and Russian-speaking cybergangs are a commonplace occurrence. But it’s not just the countries of the former USSR – smaller countries in the region have also produced grass-roots cyber threats. Romania for example is a cybercrime hub, with hackers that have engaged in politics before: Marcel Lazăr Lehel, better known by the moniker Guccifer, breached the emails of former US President George W Bush and former US Secretary of State Colin Powell. Later he would say he learnt everything he knew online, and had no special equipment to aid him; a poster child for the kind of grass-roots threat actors Eastern Europe specialises in. Add to this the civic anger that seems to permeate Romania, a country where street protests brought down a government in 2012 and forced officials to change course on controversial bills, and you have the perfect recipe for the kind of leak that took place in neighbouring Bulgaria or in Russia – and now the knowledge that it can be done.
Georgiana Nicolae is a researcher on Orpheus’ Analysis team
Get our latest cyber intelligence insights straight into your inbox
Fill out the short form below to subscribe to our newsletter so that you never miss out on
our cyber intelligence insights and news.
Privacy Overview
This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.
Orpheus is a leading cyber security company that offers predictive and actionable intelligence to clients, enabling them to anticipate, prepare for, and respond to cyber threats. Our threat intelligence is used to create threat-led cyber risk ratings, providing a more accurate assessment of risk than just analysing an organisation’s attack surface. Products include; External attack surface management, risk-based vulnerability management, third-party supply chain risk management and cyber threat intelligence. Cyber security jobs and careers.
Strictly Necessary Cookies
These cookies are strictly necessary to provide you with services available through our website and to use some of its features. These must be enabled at all times, so that we can save your preferences.
Orpheus is a leading cyber security company that offers predictive and actionable intelligence to clients, enabling them to anticipate, prepare for, and respond to cyber threats. Our threat intelligence is used to create threat-led cyber risk ratings, providing a more accurate assessment of risk than just analysing an organisation’s attack surface. Products include; External attack surface management, risk-based vulnerability management, third-party supply chain risk management and cyber threat intelligence. Cyber security jobs and careers.
If you do not enable Strictly Necessary Cookies, we will not be able to save your preferences. This means that every time you visit this website you will need to enable or disable cookies again.
Orpheus is a leading cyber security company that offers predictive and actionable intelligence to clients, enabling them to anticipate, prepare for, and respond to cyber threats. Our threat intelligence is used to create threat-led cyber risk ratings, providing a more accurate assessment of risk than just analysing an organisation’s attack surface. Products include; External attack surface management, risk-based vulnerability management, third-party supply chain risk management and cyber threat intelligence. Cyber security jobs and careers.
3rd Party Cookies
This website uses Google Analytics to collect anonymous information such as the number of visitors to the site, and the most popular pages.
Keeping this cookie enabled helps us to improve our website.
Orpheus is a leading cyber security company that offers predictive and actionable intelligence to clients, enabling them to anticipate, prepare for, and respond to cyber threats. Our threat intelligence is used to create threat-led cyber risk ratings, providing a more accurate assessment of risk than just analysing an organisation’s attack surface. Products include; External attack surface management, risk-based vulnerability management, third-party supply chain risk management and cyber threat intelligence. Cyber security jobs and careers.
Please enable Strictly Necessary Cookies first so that we can save your preferences!
Orpheus is a leading cyber security company that offers predictive and actionable intelligence to clients, enabling them to anticipate, prepare for, and respond to cyber threats. Our threat intelligence is used to create threat-led cyber risk ratings, providing a more accurate assessment of risk than just analysing an organisation’s attack surface. Products include; External attack surface management, risk-based vulnerability management, third-party supply chain risk management and cyber threat intelligence. Cyber security jobs and careers.
Orpheus is a leading cyber security company that offers predictive and actionable intelligence to clients, enabling them to anticipate, prepare for, and respond to cyber threats. Our threat intelligence is used to create threat-led cyber risk ratings, providing a more accurate assessment of risk than just analysing an organisation’s attack surface. Products include; External attack surface management, risk-based vulnerability management, third-party supply chain risk management and cyber threat intelligence. Cyber security jobs and careers.
Request Demo Access
Fill out your details below and we'll be in touch to arrange demo access for you as soon as
possible.
