Hackers stole data from the Romanian Parliament and demanded a ransom for it. Such ransomware attacks are launched by criminals and state actors alike.
Cyber-attacks on Romania’s state institutions; Hackers steal the Prime Minister's personal data
The beginning of last week was marked by the ”cyber incident” at the Romanian Parliament, after which, according to official statements, approximately 300 MB of data was downloaded from the database of the Chamber of Deputies. The seriousness of the event, although played down by the authorities, prompted the Government to amend the cyber security law as a matter of urgency. One reason for this reaction is that, according to several sources, the ”incident” was in fact a ransomware attack, with the hackers demanding 0.8 bitcoin (roughly 32,000 euros at the exchange rate of the time) as ransom. More easily overlooked is a second incident, a day after the attack on the Chamber of Deputies, directed precisely against the institution investigating the Parliament breach, the National Cyber Security Directorate (NCSD). The NCSD website was attacked overnight, but to no avail: according to the authorities, the hackers were unable to download any files or take the site down.
The event brought to public attention the phenomenon of cyber-attacks on state institutions, which the Romanian Ministry of Digitization says number around 200 a day nationwide. In total, according to the same source, Romania faces between 25,000 and 50,000 cyber-attacks every day. Worldwide, almost two million cyber-attacks are said to take place every day, about 70% of them ransomware attacks. They range from attacks on personal computers to the compromise of large corporate networks and government institutions, paralyzing the activity of entire regions or even countries. Usually there are financial interests behind these attacks, but the political crises and armed conflicts of recent years have also brought state interests "into the arena": such attacks do not necessarily seek money, but rather to block and sabotage the adversary's activity under the cover of ordinary crime.
From viruses hidden on floppy disks to global online attacks: 35 years of ransomware evolution
The story of ransomware began in the second half of 1989, when 20,000 people around the world received by post a floppy disk containing, according to its label, a questionnaire for estimating a person's likelihood of contracting HIV. Because the recipients had attended a World Health Organization conference on AIDS a few weeks earlier, nobody suspected anything, especially since computer viruses were virtually unknown to the general public at the time. Some days later, the victims found they could no longer access their files, and a message on their screens asked them to send an envelope containing $189 to a post office box in Panama if they wanted the situation to change. The malware hidden in the questionnaire program, later called the AIDS Trojan, is regarded as the first ransomware; its scrambling of file names was weak enough that free recovery tools appeared within weeks. Investigators eventually tracked down the sender of the disks: Joseph Popp, a Harvard-trained evolutionary biologist who at the time was doing research on AIDS and its treatment. He told the authorities he had planned to donate the ransom money to AIDS research. Had he not been caught, Popp would probably have made little money from the scheme anyway, given the cost of buying and posting 20,000 floppy disks around the globe. But his idea would grow into a multibillion-dollar industry and earn him the unofficial title of "father of ransomware."
Despite the shock caused by Popp's scheme, it would be about 15 years before the next notable ransomware appeared, mainly because collecting a ransom by post made the recipient easy to trace. The spread of the Internet into households, together with digital payment systems (and, later, cryptocurrencies) that gave attackers anonymity and made transactions simple, brought the practice back in the mid-2000s. Two of the most notable early examples were GPCode in 2004 and Archievus in 2006. Novel for their time, both are rudimentary by today's standards: their authors focused on quantity rather than quality, hitting many targets at once and demanding ransoms as small as $20. Fortunately for the victims, their encryption was easily undone and their effectiveness was low.
The 2010s, however, saw a sharp rise in ransomware attacks. The scale of the phenomenon is reflected in estimates that put the annual global cost of cybercrime at around $8 trillion, projected to reach $14 trillion a year by 2028. The same period saw the emergence of a new type of business, Ransomware as a Service (RaaS). RaaS gives even people with limited technical skills the ability to launch ransomware attacks, against individuals and organizations alike. The model is simple: the developer of the malware makes it available to "affiliates", who use it to encrypt victims' data and demand payment; the affiliates then pay the developer either a fixed fee or a percentage of the ransom. The developer increases their revenue while staying out of the intrusions themselves, taking on much less risk than if they launched the attacks directly.
The targets of ransomware attacks have always been diverse, from ordinary people to companies in every field. A well-known example is the December 2021 attack on Ultimate Kronos Group (UKG), a developer of workforce management software with operations in over 100 countries. The attack affected customers around the world and its effects were felt long afterwards: the data of tens of thousands of employees was exposed, and hundreds of companies experienced outages, delays and errors in paying their staff. The company did not disclose whether or how much it paid to regain control of its network, and the perpetrators were never identified.
Russian hackers, cybercriminals tolerated by Moscow and its ideological agents
In 2021 another famous attack took place, on the American company Colonial Pipeline, which operates a pipeline system carrying fuel from Texas to the US East Coast. The ransomware hit the company's IT systems, and Colonial shut down the pipeline itself as a precaution, causing a major fuel shortage in the region that severely affected daily life as well as large consumers such as airlines. The attack was treated as a national security matter, and the Biden administration declared a regional emergency to ease fuel transport by road. The FBI identified the DarkSide group as responsible. What little is known suggests the group is one of many operating from Russian territory with the tacit tolerance of the authorities, who let them operate as long as they attack only foreign targets. One indication is that DarkSide never attacked targets in Russia or in the member states of the Commonwealth of Independent States (the structure meant to replace the USSR), nor in Syria, one of the Kremlin's most loyal allies.
A year later, in 2022, BlackCat, believed to be a successor of DarkSide, hit the servers of the Swiss airport ground-services company Swissport. The impact was described as relatively low, with only a small number of flights delayed before Swissport restored control of its systems. However, the group that claimed the attack said it had not only encrypted the company's files but also stolen 1.6 TB of data, which it offered for sale to interested parties.
But perhaps the most resounding attack launched from Russia, which crippled a country's public administration for months, is the one carried out by the Conti group against Costa Rica in April 2022. The attack initially hit 27 government bodies, and the damage was estimated at hundreds of millions of dollars. The government was forced to shut down several systems, which delayed government payments, slowed and even halted trade, and curtailed several public services. The outgoing president, Carlos Alvarado, refused to pay the $10 million ransom.
A second attack, about a month later, hit the systems of the Costa Rican Social Security Fund (CCSS), which runs the public health service. The institution's computers were taken offline, plunging the health system into a new kind of disorder: countless patients complained of delays in treatment, and the CCSS warned parents of children undergoing medical procedures that they might have trouble locating them. The newly elected president, Rodrigo Chaves Robles, declared a national emergency, and it was months before the systems were restored.
The attack by the Russians of Conti also acquired political significance when the group's website called on Costa Ricans to protest in front of the government headquarters. Another post, addressed to Costa Rica and to the "American terrorists (Biden and his administration)", stated that "we are determined to overthrow the government with a cyber-attack". This must be read in the context of the Russian army's "special military operation" in Ukraine, which was already under way: Conti had declared its support for the invasion as early as February 25, 2022, affirming its "full support" for the Russian government and threatening to attack the critical infrastructure of anyone who dared launch cyber-attacks against Russia. Specialists suspect that this stance is also what led to the group's decline and, ultimately, its disappearance from the scene.
Two days after the announcement of support for Moscow, more than 100,000 files from Conti's internal communication channels began to be published from an anonymous account on X (then Twitter); experts speculated that the leaker was a Ukrainian security specialist with access to the group's systems who did not share its leaders' views. Weeks after the attack on Costa Rica began, the group's website was shut down and its ransom negotiation platform was taken offline, while the rest of its infrastructure, from chat rooms to messaging apps and servers, went down for a massive reset.
Ransomware as Russia's Hybrid Warfare Tool
In recent years, ransomware attacks have increasingly targeted public institutions and critical infrastructure, with a strong impact on daily life. A growing number of them are attributed to other states, which provide funding, protection and direction to hacker groups.
State-level attacks on critical infrastructure such as shipping date back at least to 2017, when the IT systems of the shipping giant A.P. Moller-Maersk were shut down for several days, causing losses of around $300 million. The attack cut the company off from the systems it used to run shipping terminals around the world, and it took more than two weeks to regain full control of its IT operations.
Maersk was collateral damage of a single operation, later known as NotPetya, which spread to around 60 countries, with Ukraine, France and Germany the most affected. Ukraine, where the malware was first released through a compromised update of a widely used accounting program, was that year the target of massive cyber operations affecting state IT systems and networks run by private firms such as banks, media and energy suppliers. The attack shut down, for example, the radiation monitoring system around the Chernobyl nuclear power plant, and disrupted the operation of the Kyiv metro, the railways and several airports.
Ukraine's security services concluded that agents of the Russian intelligence services were behind the attack and that it was part of the hybrid war Moscow was waging in Ukraine. The goal was to cause as much damage as possible, with the malware merely disguised as ransomware: it offered no working way to recover the files even if the "ransom" was paid. In early 2018 the CIA was reported to have attributed the operation to Russian military intelligence (GRU), a view also endorsed by Britain's Defence Secretary, and in February 2018 the White House press secretary, attributing the attack to the Russian military, called it "the most destructive and costly cyber-attack in history". The US president at the time was Donald Trump.
The 414 Liaison Office earns illicit money for the North Korean regime through online theft and ransomware attacks
However, Russia is not the only country that supports and finances such groups. In May 2017 the UK's National Health Service was hit by the WannaCry ransomware, which caused nearly $100 million in damage. The attack, which hit many other organizations worldwide, disrupted hospitals, doctors' surgeries and pharmacies in England and Scotland for several days. Investigations linked it to the so-called Lazarus Group, which the United States Department of Justice says carries out the North Korean government's operations to undermine global cyber security while generating illicit income for Pyongyang that bypasses Western sanctions.
A former North Korean intelligence officer, Kim Kuk-song, who defected in 2014, says the unit is known in Pyongyang as the "414 Liaison Office", possibly a reference to HTTP status code 414, "URI Too Long", which a web server returns when the address in a request exceeds the length it is willing to process. Over the years the group has been identified as responsible for stealing hundreds of millions of dollars from banks in Ecuador, Vietnam, Bangladesh, Taiwan, India, Poland and Mexico, and hundreds of millions more in cryptocurrencies and other financial assets. Its main target, however, remains South Korea, which is constantly under attack, whether on its media, its financial institutions or critical infrastructure such as telecommunications and energy providers.
In July 2022 the FBI, the US Cybersecurity and Infrastructure Security Agency (CISA) and the US Department of the Treasury issued a warning about "cyber actors sponsored by North Korea" launching ransomware attacks, mainly against the healthcare and public health sector. CISA also maintains a page dedicated to the threat Pyongyang poses to US IT systems, which stresses that "North Korea's cyber program represents a sophisticated and agile espionage and cyberattack threat, which continues to adapt to global trends in cybercrime."
China's cyber offensive against the West
Late last month, the US Department of Justice announced that, in an operation authorized by a court in December 2023, it had dismantled a botnet of hundreds of home and small-office routers compromised by hackers sponsored by the Chinese state. In an official statement, FBI Director Christopher Wray said that "China's hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if and when China decides the time has come to strike." This is the latest battle in a cyber war that China and the US have been waging for some time.
Since Xi Jinping's rise to the top of the Chinese Communist Party, the Ministry of State Security has taken over much of the responsibility for cyber espionage from the military and now directs a number of hacker groups operating across the country. Red Apollo, Numbered Panda, Deputy Dog, Zirconium, Periscope Group, Double Dragon, Tropic Trooper and Volt Typhoon are just some of the groups tracked by Western researchers. The last of these is the one linked to the router botnet dismantled at the end of last year. Attacks funded, supported and coordinated by Beijing have also been reported in Australia, Canada, India, Japan, New Zealand, Taiwan, Britain and even the Vatican, whose network Chinese hackers breached in July 2020, ahead of a round of negotiations between China and the Holy See. Ukraine could obviously not be missing from the list of states attacked by Chinese hackers: in April 2022 The Times reported that, a few days before the Russian invasion, a unit of the Chinese army had launched cyber-attacks against some six hundred Ukrainian state websites, including that of the Ministry of Defence in Kyiv.
According to CISA, “China probably currently represents the broadest, most active and persistent cyber espionage threat to US Government and private sector networks”, and “China almost certainly is capable of launching cyber-attacks that could disrupt critical infrastructure services within the United States, including against oil and gas pipelines, and rail systems."
Islamic Revolutionary Guard Corps cyber-attacks against Israel and the West
A few days ago, the United States imposed sanctions on six officials of Iran's Islamic Revolutionary Guard Corps whom it holds responsible for cyber-attacks on several American water utilities late last year. The measure adds Iran to the list of states that support and finance cyber terrorism. Cyber Av3ngers is the name of the Tehran-directed group, which gained attention last autumn when it claimed attacks on Israeli technology companies. It then used basic scanning techniques to find Internet-exposed devices made by those Israeli companies and logged into them with the manufacturer's default credentials, which had never been changed after installation, disrupting operations at several US water facilities. The defence is equally basic: change vendor default passwords and keep such devices off the public Internet, behind a firewall or VPN.
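What detecting that pattern looks like in practice, as an added example that is not code from the article or from any agency it cites: a short Python script that correlates firewall logs showing Internet-sourced connections to control-device ports with a configuration inventory of devices still using vendor-default logins. The log format, the port numbers, the credential list and the sample data are all constructed for illustration and are not any vendor's real syntax or defaults.

```python
import ipaddress
import re

# Assumed for this example: TCP ports on which the plant's control devices
# expose management or programming interfaces. Take the real list from your
# own asset inventory; these two values are illustrative only.
ICS_MGMT_PORTS = {502, 20256}

# Constructed list of vendor-default username/password pairs. In practice this
# comes from the vendors' documentation for the devices you actually run.
DEFAULT_CREDS = {("admin", "admin"), ("admin", "1111"), ("root", "root")}

# Networks treated as internal: RFC 1918 ranges plus loopback and link-local.
# Checked explicitly rather than via ip_address(...).is_global, because the
# documentation ranges used in the sample below (203.0.113.0/24 etc.) are
# classified as non-global by the ipaddress module.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed firewall log format (hypothetical, not any vendor's syntax).
FW_LINE = re.compile(
    r"^(?P<ts>\S+) fw (?P<action>allow|deny) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+)"
)


def is_external(ip: str) -> bool:
    """True when the address lies outside every internal network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def external_ics_access(fw_lines):
    """Allowed connections from outside the internal networks to ICS ports."""
    hits = []
    for line in fw_lines:
        m = FW_LINE.match(line)
        if not m or m["action"] != "allow":
            continue
        dport = int(m["dport"])
        if dport in ICS_MGMT_PORTS and is_external(m["src"]):
            hits.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"], "dport": dport})
    return hits


def default_credential_devices(inventory):
    """Devices whose configured login (from config management) is a vendor default."""
    return [d for d in inventory if (d["user"], d["password"]) in DEFAULT_CREDS]


def correlate(fw_lines, inventory):
    """The combination described in the article: a device reachable from the
    Internet that still accepts a vendor-default login."""
    weak = {d["ip"]: d for d in default_credential_devices(inventory)}
    findings = []
    for hit in external_ics_access(fw_lines):
        dev = weak.get(hit["dst"])
        if dev is not None:
            findings.append({**hit, "device": dev["name"], "user": dev["user"]})
    return findings


# Constructed sample data. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for arbitrary Internet addresses.
FW_LOGS = """\
2024-01-14T02:11:09Z fw allow src=203.0.113.45 dst=10.20.0.15 dport=20256 proto=tcp
2024-01-14T02:11:10Z fw allow src=10.20.0.7 dst=10.20.0.15 dport=20256 proto=tcp
2024-01-14T02:11:12Z fw allow src=198.51.100.8 dst=10.20.0.15 dport=443 proto=tcp
2024-01-14T02:11:13Z fw deny src=198.51.100.8 dst=10.20.0.17 dport=502 proto=tcp
"""

INVENTORY = [
    {"name": "plc-pump-01", "ip": "10.20.0.15", "user": "admin", "password": "1111"},
    {"name": "hmi-intake-02", "ip": "10.20.0.16", "user": "operator", "password": "kQ7#v-long-unique"},
    {"name": "plc-chlor-03", "ip": "10.20.0.17", "user": "admin", "password": "admin"},
]

if __name__ == "__main__":
    for f in correlate(FW_LOGS.splitlines(), INVENTORY):
        print(f"CRITICAL {f['ts']} {f['src']} -> {f['device']} ({f['dst']}:{f['dport']}) "
              f"still uses default login '{f['user']}'")
```

Run stand-alone, the script reports one critical finding: the pump controller reached from a public address while still on its default login. The two checks are also worth running separately, since external access to a control port is a finding even when the credentials are strong, and a default login is a finding even before the device is exposed.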
Among the attacks attributed to Iranian groups are the 2017 attack on the British Parliament, a 12-hour brute-force campaign against weak passwords that compromised the email accounts of around 90 members of parliament; the large-scale 2022 attack on several Israeli government websites, which prompted Israel's National Cyber Directorate to declare a state of emergency and was described as the largest cyber-attack ever launched against Israel; and the 2023 ransomware attacks against Israeli targets.
Iran's efforts to become a force in cyber warfare are considerable and have produced notable results, as shown above. However, Western sanctions and the country's isolation from the international technology market limit its ability to develop more technically sophisticated attack capabilities. The ever-closer alliance between Iran and Russia, though, could accelerate Tehran's progress and heighten the threat to the West and to the Middle Eastern countries with which Iran is in conflict.
How Romania defends itself in the event of a large-scale cyber attack
Returning to Romania and the cyber-attacks on its public institutions, we tried to find out, insofar as such information is known and can be made public, the answers to a series of questions we sent to the two chambers of Parliament, the Government and the Presidency of Romania, as well as to the National Cyber Security Directorate, the Special Telecommunications Service and the Ministry of Research, Innovation and Digitization. The questions concerned the investigation into the two January cyber-attacks: whether the IP addresses from which they were launched had been geolocated, and whether there was any suspicion that they had been orchestrated by a state actor hostile to Romania. We also asked which institutions were the targets of the "200 daily cyber-attacks" mentioned by the Minister of Digitalization, who is responsible for the cyber security of the websites and databases of the Romanian Parliament, Government and Presidency and, above all, what impact an attack on the scale of the one on Costa Rica in April - May 2022 would have on Romania.
At the time of publication, our emails had gone unanswered; the only institution to contact us was the National Cyber Security Directorate, which promised to answer our questions to the extent it could, "as there is still an ongoing investigation."
Veridica will publish the answers of the contacted institutions as they are received.
UPDATE February 8: Citing art. 12, paragraph (1), letter e, of Law no. 544/2001 on free access to information of public interest, the Media Communication and Image Office of the Chamber of Deputies informed us that it cannot disclose the "identity" of the public service/institution or department responsible for the security of the lower chamber's website and database, nor provide any data about the ongoing investigation (who is conducting it, the stage of the proceedings, etc.). The cited article exempts from free access "information regarding the procedure during the criminal or disciplinary investigation, if the result of the investigation is jeopardized, confidential sources are revealed or the life, bodily integrity or health of a person is endangered as a result of the investigation carried out or in progress", but says nothing about information on a service paid for with public money, namely ensuring the security of the website and database of one of the most important public institutions in the country.