Deputy ministers, directors and diplomats have entered their passwords on a fake hacker page

Serious Cyber Attack against Bulgaria’s Foreign Ministry. Country’s Services Are in the Dark!

Dozens of internet addresses of the Bulgarian Ministry of Foreign Affairs (MFA) have been subjected to a serious phishing attack on Wednesday, April 25, 2018. Accounts of MFA bosses and diplomats have been compromised, possibly affecting national security. However, the “Information Service” had not informed the National Computer Security Incidents Response Team (CERT Bulgaria) in time.

For 24 hours now, the body tasked with protecting the cyber-security of State institutions has not known about a well-organized phishing attack on the Foreign Ministry, Bivol’s check established after receiving a tipoff about a very serious and carefully planned hacker operation.

On Wednesday afternoon, a large number of MFA office e-mail addresses received a message with the title URGENT!!!, claiming to have been sent by Victor Rosnev, a former MFA employee who left two years ago.

The message contains a link to a government-like domain; however, that domain is registered in India.


The link, sent in a phishing e-mail to MFA staff, leads to a page that mimics the government domain and the MS Exchange-based information system: https://eventis.mfa.government-bg.in/DOCUMENT.php?id=2092230&PageName=NEWME&Keyword=&URLToGo= /Documents.jsp?PageName=NEWME

The page was still active when Bivol’s article was published. It is a copy of the MFA home page for its internal information system, which is integrated with MS Exchange.

The exact extent of the damage is not yet known, but according to Bivol sources, at least 30 people in high positions in the MFA – directors, deputy ministers and ambassadors – are affected and have entered their passwords on the fake page. Anyone who entered a login and password on the fake page has certainly compromised their account and enabled the hackers to download all of its data.

There is no clarity as to what information the attackers have accessed and whether national security had been compromised through access to classified information.

The attack appears to be carefully planned, targeting specific employees whose addresses had been deliberately collected. The fake domain had been registered on April 23, just two days ago. Bivol’s check in the “whois” system showed that a Maxim Kotov had been listed as the point of contact for the registration; the listed address is that of a popular coffee shop in Bucharest, while the e-mail of said Maxim Kotov is in the anonymous e-mail system tutanova.com.
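As an added illustration, not code from Bivol’s article, the two signals above (brand words in a host outside the ministry’s own domain, and a domain registered only days before the e-mail) are the kind of triage check a mail-security team can run over links before they reach staff. The legitimate ministry domain "mfa.bg" and the 30-day “young domain” window are assumptions.

```python
from datetime import date
from typing import List, Optional
from urllib.parse import urlparse

# Added triage helper, not code from the article. Assumptions: the ministry's
# legitimate domain is "mfa.bg", and a domain registered within 30 days of the
# e-mail counts as "young".
TRUSTED_DOMAINS = {"mfa.bg"}
BRAND_TOKENS = ("mfa", "government")
YOUNG_DOMAIN_DAYS = 30


def registrable_domain(host: str) -> str:
    """Crude registrable-domain guess: the last two labels (no Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_trusted(host: str) -> bool:
    """True only if the host is the trusted domain itself or a real subdomain of it."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def assess_link(url: str, registered_on: Optional[str] = None,
                seen_on: Optional[str] = None) -> List[str]:
    """Return reasons a link looks like a lookalike phishing page; [] means no finding.

    Dates are ISO strings, e.g. from a whois record and the mail's Date header.
    """
    host = urlparse(url).hostname or ""
    if not host or is_trusted(host):
        return []
    reasons = []
    apex = registrable_domain(host)
    # "mfa" / "government" anywhere in a host outside the trusted domain: the brand
    # words sit in subdomains or hyphenated labels that the registrant controls.
    if any(tok in host.lower() for tok in BRAND_TOKENS):
        reasons.append(f"brand words in untrusted domain {apex}")
    if registered_on and seen_on:
        age = (date.fromisoformat(seen_on) - date.fromisoformat(registered_on)).days
        if 0 <= age <= YOUNG_DOMAIN_DAYS:
            reasons.append(f"domain registered {age} days before the e-mail")
    return reasons
```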

Perhaps a timely and discreet reaction could have led to gathering more information about the source of the attack, but 24 hours later the services in charge knew nothing about this dangerous incident, Bivol found.

We approached CERT Bulgaria by phone at 12 pm on Thursday, April 26. They told us that they did not know of such a phishing attack and had not been informed by the MFA.

After an inquiry to the MFA at 3 pm on April 26, the following answer was received: “In connection with your inquiry, we inform you that there is such a phishing attack. The necessary measures have been taken immediately. The relevant authorities are informed.”

The Ministry, however, did not answer the question of how many employees have been affected, when the authorities had been informed and what measures had been taken.

The company that takes care of the Cyber Security of the Foreign Ministry is the State-owned “Information Service”. Only months ago, it won a public procurement contract for almost BGN 1 million (excluding VAT), for “Monitoring and Managing the Information and Communication Infrastructure of the Ministry of Foreign Affairs”.

All this is happening against the backdrop of the recently released report by the State Intelligence Agency (SIA), which states that Bulgaria is subject to hybrid and cyber attacks: “As part of the information war to influence public opinion, a number of countries continued to use cyber-attacks in 2017 to accomplish political, economic and intelligence tasks in favor of their own interests, including in our country.”

In the way it was carried out, the hacker operation against the MFA is very similar to the phishing attack against the US Democratic Party, in which a huge amount of information was downloaded illegally. It was used during the election campaign precisely to influence public opinion, or, as SIA puts it, “to accomplish political tasks”.
