Deputy ministers, directors and diplomats have entered their passwords on a fake hacker page

Serious Cyber Attack against Bulgaria’s Foreign Ministry. Country’s Services Are in the Dark!

Dozens of internet addresses of the Bulgarian Ministry of Foreign Affairs (MFA) were subjected to a serious phishing attack on Wednesday, April 25, 2018. Accounts of MFA bosses and diplomats have been compromised, possibly affecting national security. However, the “Information Service” had not informed the National Computer Security Incidents Response Team (CERT Bulgaria) in time.

For 24 hours now, the body tasked with protecting the cyber-security of State institutions has not known about a well-organized phishing attack on the Foreign Ministry, a check by Bivol established after it received a tip-off about a very serious and carefully planned hacker operation.

On Wednesday afternoon, a large number of MFA office internet addresses received an e-mail with the title URGENT!!!, claiming to have been sent by Victor Rosnev, a former MFA employee who left two years ago.

The message contains a link to a domain that looks like a government one but is registered in India.


The link, sent in a phishing email to MFA staff, leads to a page that mimics the government domain and the MS Exchange-based information system /Documents.jsp?PageName=NEWME

The page was still active at the time Bivol’s article was published. It is a copy of the MFA home page of its internal information system, which is integrated with MS Exchange.

The exact extent of the damage is not yet known, but according to Bivol sources, at least 30 people in high positions in the MFA – directors, deputy ministers and ambassadors – are affected and have entered their passwords on the fake page. Anyone who has entered a login and password on the fake page has certainly compromised their account and enabled the hackers to download all of its data.

There is no clarity as to what information the attackers have accessed and whether national security has been compromised through access to classified information.

The attack appears to be carefully planned, targeting specific employees whose addresses have been purposely collected. The fake domain had been registered on April 23, just two days ago. Bivol’s check in the “whois” system showed that Maxim Kotov is listed as the point of contact for the registration; the listed address is that of a popular coffee shop in Bucharest, while the e-mail of said Maxim Kotov is in the anonymous email system

A timely and discreet reaction could perhaps have led to the gathering of more information about the source of the attack, but 24 hours later the services in charge still knew nothing about this dangerous incident, Bivol found.

We approached CERT Bulgaria by phone at 12 pm on Thursday, April 26. However, they told us that they did not know about such a phishing attack and had not been informed by the MFA.

After an inquiry to the MFA at 3 pm on April 26, the following answer was received: “In connection with your inquiry, we inform you that there is such a phishing attack. The necessary measures have been taken immediately. The relevant authorities are informed.”

The Ministry, however, did not answer the question of how many employees have been affected, when the authorities had been informed and what measures had been taken.

The company that takes care of the Cyber Security of the Foreign Ministry is the State-owned “Information Service”. Only months ago, it won a public procurement contract for almost BGN 1 million (excluding VAT), for “Monitoring and Managing the Information and Communication Infrastructure of the Ministry of Foreign Affairs”.

All this is happening against the backdrop of the recently released report by the State Intelligence Agency (SIA), which states that Bulgaria is subject to hybrid and cyber attacks: “As part of the information war to influence public opinion, a number of countries continued to use cyber-attacks in 2017 to accomplish political, economic and intelligence tasks in favor of their own interests, including in our country.”

In the way it was carried out, the hacker operation against the MFA is very similar to the phishing attack against the US Democratic Party, in which a huge amount of information was downloaded illegally. That information was used during the election campaign precisely to influence public opinion, or, as SIA says, “to accomplish political tasks”.


