Tuesday 30th July 2019

Hacktivists take Eastern Europe by storm

Two leaks of historic proportions occurred in Eastern Europe this July. In Bulgaria, the personably identifiable information (PII) of most Bulgarian adults was compromised. In Russia, 7.5TB worth of information on secret projects conducted by the security services found its way to the press and onto social media. While the breaches differ in some ways, in this blog, we assess that two key common elements underpin them: the potentially massive impacts that can be caused by less capable actors, and the socio-political environment in Eastern Europe that looks set to produce further such incidents.

The leaks: Russia vs Bulgaria

The two incidents can be compared and contrasted by looking several different features. Firstly, whereas the perpetrator in the Russian case is an external cyber activist group, identified only by the moniker 0v1ru$, in the Bulgarian case the perpetrators were industry insiders. Bulgarian authorities initially apprehended Kristian Boykov, an employee at the Sofia branch of US cybercompany company Tad Group, and later also arrested Georgi Yankov, a manager at the same company. Both now face terrorism charges.

As a result of these differing perspectives, the sophistication required to conduct the two operations was also different. 0v1ru$’s operation, which breached a contractor to the Russian Federal Security Service (the infamous successor to the KGB), was likely much more sophisticated than Boykov and Yankov’s, who compromised a government agency with poor cyber hygiene, and a familiar target.

In both cases however the compromised data is now available or partly available online. Our research indicates that the PII compromised in the Bulgarian breach made its way to RaidForums, an infamous deep web forum specialising in leaks, and is now being offered for download by a community member using the moniker instakilla (pictured below).

Some of the data from the Russian leak has meanwhile been made publicly accessible by cyber activist group DigitalRevolution (pictured below).

This leads to another difference – intent. It is not clear if the data from the Bulgarian breach was ever meant to be made public. Initially a small part of it was shared with the Bulgarian press and there were threats to publish it in its entirely via Torrents. But its actual leak appears to have been an accident, showcasing the gulf between politically-motivated operations and actual activist campaigns. In the Russian case it is more straightforward: 0v1ru$ shared their bounty with the Russian press and DigitalRevolution in a clear effort to discredit the FSB. The information they leaked confirmed fears but did not compromise state secrets.

Impact is considerable for both – just in different ways. Politically-motivated operations are not a novelty. Successful targeting of government agencies with weak security postures (as occurred in Bulgaria) or government subcontractors who often represent the weak links in an agency’s defences (as occurred in Russia) is not a novelty either. But it is not often that the two combine to produce leaks so big or so damaging. The Bulgarian tax agency where the leak originated faces a fine of up to EUR 20 million under the EU’s GDPR regulations. In Russia, the potential reputational damage to the FSB is considerable. This matters because Russia’s various agencies rest as much on their reputation as on their actual capabilities, and in recent years have sought to cultivate what has been dubbed “dark power” or shadow soft power, trying to paint themselves as infallible and omniscient. Worse still, the data 0v1ru$ stole was on projects that confirm Russian citizens’ worst fears about their government (pictured below) – scraping social media, de-anonymising the Tor browser, and trying to cut off the Russian internet off from the world web (see also our blog series on the Balkanisation of the internet).

Translation: All of us, journalists, students and even pensioners, are being supervised by the FSB. Join us, as well as 0v1ru$, in protecting our future! They will not drown our voices! (featured are screenshots from projects Nautilus-C and Nautilus, to de-anonymise the Tor browser and scape social media, respectively)

Underlying drivers

Perhaps the key factor underpinning both operations is a palpable sense of anger by citizens at their governments for failings that are well-documented in Eastern Europe: corruption and incompetence (as the Bulgarian operation pointed out), coupled with authoritarian tendencies inherited from decades of totalitarian rule (as made evident in the Russian leak).

Both operations called out their respective governments in very unflattering terms. The initial message attached to the Bulgarian hack, which targeted an agency inside the Finance Ministry, could be translated as “your government is stupid” – or, more bluntly, as “your government is retarded”. It added that said government’s cybersecurity was a “parody”. In the Russian case, stolen data pertaining to FSB ended up in the possession of cyber activist group DigitalRevolution, who posted screenshots and made it available for download – with a defiant message stating they are not afraid of Kremlin “dogs” (pictured below).

Translation: We will not be silent! Kremlin dogs don’t scare us. Watch yourself, be careful. The Digital Revolution is catching momentum.

0v1ru$ themselves did not think the FSB contractor they breached, Sytech, was worth that many words. Instead 0v1ru$ decided to deface their website (pictured below). 

This anger has become prevalent throughout former communist Europe, if the increasing frequency of street protests is any indicator. If so, the publicity around these two successful leaks, their historical proportions and the relative ease with which they were carried out might encourage copycats.

Another key driver is capability. Boykov and Yankov were industry insiders. Boykov had familiarised himself with government IT infrastructure years before the leak, reportedly exposing faults in the Bulgarian education ministry’s website in 2017; he claimed then it was his “civic duty” to do so.

He is just one of many angry Eastern European citizens with the capacity to deal governments some damage. Russian-language forums on the dark web are full of people sharing tips and tools, and Russian-speaking cybergangs are a commonplace occurrence. But it’s not just the countries of the former USSR – smaller countries in the region have also produced grass-roots cyber threats. Romania for example is a cybercrime hub, with hackers that have engaged in politics before: Marcel Lazăr Lehel, better known by the moniker Guccifer, breached the emails of former US President George W Bush and former US Secretary of State Colin Powell. Later he would say he learnt everything he knew online, and had no special equipment to aid him; a poster child for the kind of grass-roots threat actors Eastern Europe specialises in. Add to this the civic anger that seems to permeate Romania, a country where street protests brought down a government in 2012 and forced officials to change course on controversial bills, and you have the perfect recipe for the kind of leak that took place in neighbouring Bulgaria or in Russia – and now the knowledge that it can be done.

Georgiana Nicolae is a researcher on Orpheus’ Analysis team

Get our latest cyber intelligence insights straight into your inbox

Fill out the short form below to subscribe to our newsletter so that you never miss out on our cyber intelligence insights and news.