Russia’s Fancy Bear Hacks its Way Into Montenegro

The innocent sounding email reached an official of the Montenegrin Defence Ministry in early January 2017.

Entitled: “NATO_secretary_meeting.doc”, it sounded like a communiqué from the Western alliance that Montenegro was soon to join.

However, IT experts say the message was not sent by NATO to update Montenegro on useful information.

It came from a notorious Russian hacking group, which wanted to break into the government’s IT systems and steal state secrets.

Same in January, according to BIRN sources, the Podgorica government received two more similar emails.

The subject line of the first read: “Draft schedule for British army groups’ visit to Montenegro”.

The title of the other was: “Schedule for a European military transfer program”.

All are believed to have come from the same Russian hacker group, which experts say is linked to the Kremlin.

Three international IT security companies say the emails came from APT28, also known as Fancy Bear, which US intelligence services say is connected to the Russian military intelligence service, GRU.

European Union officials also believe that Montenegro suffered a serious cyber attack in June 2017.

Over the last two years, Montenegro authorities have recorded a sharp rise in the number of cyber attacks, mostly targeting state institutions and media outlets.

From only 22 such incidents in 2013, almost 400 were recorded in only nine months of 2017, official data obtained by BIRN show.

Not all are related to malware viruses or attacks on state institutions, and not all the attacks can be attributed to Fancy Bear.

But many of the attacks are believed to be linked to the tiny Adriatic country’s decision to join NATO, which infuriated the country’s old ally, Russia.

Montenegro has since tightened up cyber security defences. It has formed a specialised police taskforce to fight cyber crime.

But with only limited resources, the team greatly depends on the help of NATO and other Western countries.

“After serial attacks in early 2017 we sought help from NATO and the UK to help us fight back. We succeed in reducing the damage and repelled two attacks in late 2017,” a senior police officer told BIRN, declining to provide details of those actions.

BIRN’s investigation shows that the rise in cyber attacks coincided with the final phase of the country’s NATO accession negotiations in late 2016.

In addition, Montenegro's leaders say Russia tried to interfere in the country’s October 16, 2016 general elections, a charge that Moscow has denied.

The authorities and the ruling parties claim that Russia sponsored a coup attempt on the election day.

Several Western governments, including the UK, support that interpretation of events.

The government’s critics, however, insist the coup attempt was faked, and was staged to help the veteran pro-Western leader Milo Djukanovic stay in power.

Bear leaves its tracks:

Three prominent international security companies, Fire Eye, Trend Micro and ESET agree that Fancy Bear staged at least three separate attacks in January, February and June 2017.

So-called “lures” – spearphishing emails – are common tactics used by the group to target victims who are tempted to open messages mentioning specific topics relevant to them.

Targets are fooled into believing the email is legitimate. Then, by clicking on the link or attached document, they enable a virus to enter their computers.

Ben Read, from the US intelligence-led security company Fire Eye, told BIRN that the emails sent to the Montenegrin Defence Ministry in January 2017 were designed to cause chaos.

“If you opened [them], they would install the malware Game Fish on the victim’s system. That’s signature malware for APT28,” he explained.

He said experts from Fire Eye believed the hackers’ motive was Russia’s deep displeasure over Montenegro’s NATO accession, and the cyber attacks formed part of a broader plan to destabilise the country.

In January 2017, Fire Eye published a report claiming that Fancy Bear primarily targeted entities in the US, Europe, and the countries of the former Soviet Union, including government and military targets, along with defence departments, media outlets, and political dissidents or figures opposed to the Russian government.

“Russia is attacking these governments using both traditional means and as cyber-attacks,” Read added.

Before January 2017, on election day in October 2016, many websites in Montenegro were suddenly taken down by so-called DDoS attacks, in which multiple compromised computer systems attack a website and cause a denial of service for users.

However, the authorities never disclosed what actually happened on that day although they announced a detailed investigation, hinting at a Russian role in the large-scale internet incident.

Four days after the elections, on October 20, 2016, another phishing attack was launched against the parliament of Montenegro, most likely by Fancy Bear again, according to IT security specialists Trend Micro.

But, government sources told BIRN that this attack was less serious, as it targeted the “wrong location”, the parliament, which does not deal with confidential data.

“It was a blind shot,” said this official who insisted on remain anonymous.

A bigger attack, which the Montenegro government describes as more intense than the one in October 2016, started on February 15, 2017 and peaked over the following days, government sources told BIRN last year.

This time, websites of the government and state institutions, as well as some pro-government media, suffered a wave of cyber-attacks, officials in Podgorica told BIRN.

“The scope and diversity of the attacks, and the fact that they were being undertaken on a professional level, indicates that this was a synchronised action,” an official said.

The next attack, which a European official attributed to the same Russian source, happened in June 2017.

Pierluigi Paganini, member of the European Union’s Agency for Network and Information Security, ENISA, told BIRN that Montenegrin infrastructure was again targeted by APT28, or Fancy Bear.

“In June 2017, after Montenegro officially joined NATO, the attacks continued; experts at the security firm Fire Eye who analyzed them collected evidence that confirmed the involvement of Russia’s APT,” Paganini said.

He added that the evidence included artefacts, malware, bait documents and exploit codes.

He said that although attribution is always the most difficult part of a forensic investigation, in this case, the information gathered “points directly to the Russian APT28 group”.

BIRN asked the Russian Foreign Ministry about its connections to the group and to its attacks on Montenegro.

It refused to respond specifically, noting only that “the mentioned issues were repeatedly commented on by the Russian Foreign Ministry”.

Russia strongly denies that its state plays any role in hacking governments, media or elections across the globe.

Russian President Vladimir Putin told reporters in June 2017 that hacking groups, like artists, do their own bidding.

“Hackers are like artists who choose their targets, depending how they feel when they wake up in the morning. No such attacks could alter the result of elections in Europe, America or elsewhere,” Putin told reporters.

Cheap way of collecting intelligence:

America disagrees. In a report, published on December 29, 2016, the US Department of Homeland Security, DHS, and the FBI insisted that the Kremlin sponsored Fancy Bear.

Fancy Bear has targeted many important international groups and individuals.

They include Germany’s ruling Christian Democratic Union, CDU, the German Bundestag, NATO, the World Anti-Doping Agency, the US Democratic National Committee, the former White House senior official John Podesta, the US Democratic Congressional Campaign Committee, and others.

https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf

Christopher Bing, Associate Editor of CyberScoop, a US cybersecurity website that has followed the attacks in Montenegro, agreed that Fancy Bear has subjected the Balkans to an intensive campaign of cyber-espionage. https://www.cyberscoop.com/apt28-targeted-montenegros-government-joined-nato-researchers-say/

“These activities largely serve as a cheap and effective way to collect intelligence remotely and covertly – without getting caught,” he told BIRN.

Bing explained that APT28 is a politically motivated threat group that is known to target geopolitical rivals of the Kremlin.

“APT28 is known to target military, governmental and civil society groups that are commonly of interest to the Russian state.

“As part of this targeting pattern, the Balkans represents a territory where Russia remains interested in controlling and asserting its dominance,” Bing explained.

The IT company ESET, known for its anti-virus and firewall products, also confirmed to BIRN that Fancy Bear was on active manoeuvres in the Balkans during summer 2017.

Not all cyber attacks are Russian:

New analysis by the Public Administration Ministry on cyber threat to Montenegro showed the number of hacking attacks rose in 2017. The attacks were also “much more serious and sophisticated,” it said.

Over 380 attacks on websites, state institutions, online fraud and misuse of personal accounts were reported in 2017. That compared with just six in 2012. The authorities promised to investigate the background to all those attacks.

“The severity and sophistication of cyber-attacks affecting Montenegro during 2017 were reflected in the increased number of identified attacks on infrastructure and cyber espionage cases, as well as through phishing campaigns that targeted civil servants,” the ministry report said.

These attacks caught Montenegro on the hop, as its small cyber security team had no experience of dealing with attacks on this scale. It has only a dozen employees, who are being trained by US and UK cyber experts.

Amid reports that Russian hackers played a role in downing several websites on election day in Montenegro, the government in December adopted new measures to tighten cyber security.

It said it would strengthen the capacity of the police and intelligence services to prevent hacking, after the attacks on election day had highlighted the vulnerability of the entire system.

“It not just Russian hackers that they are dealing with. The small, under-equipped team is also dealing with the increase in online bank frauds and other attacks that do not have political background,” a government official told BIRN.

Upsurge feared ahead of election:

Ahead of this April’s presidential election in Montenegro, experts warn that the country may experience more cyber threats.

On April 15, citizens will elect anew president, as Filip Vujanovic, is completing his final term and cannot be re-elected.

“Russia has strongly opposed Montenegro’s NATO accession process, so it is likely to continue using cyber capabilities to undermine Montenegro’s role in the alliance,” Pierluigi Paganini, from ENISA, warned.

Attacks disrupted Facebook services:

Major cyber disruption was noted in Montenegro on election day, on October 16, 2016, when people in Montenegro were unable to use Facebook services such as Viber and WhatsApp.

The government had to obtain permission from the Higher Court in Podgorica to temporarily block these applications for two hours on the election day and request a thorough investigation of the cyber attack.

Facebook detected this incident in its Transparency report under the title “Internet Disruptions”.

“We are aware of a disruption affecting access to Facebook products and services in Montenegro that took place during October 2016. This disruption impacted messaging services and coincided with the country's parliamentary elections,” it said.