Montenegro Is the Victim of a Cyberattack

Details are few, but Montenegro has suffered a cyberattack:

A combination of ransomware and distributed denial-of-service attacks, the onslaught disrupted government services and prompted the country’s electrical utility to switch to manual control.

[…]

But the attack against Montenegro’s infrastructure seemed more sustained and extensive, with targets including water supply systems, transportation services and online government services, among many others.

Government officials in the country of just over 600,000 people said certain government services remained temporarily disabled for security reasons and that the data of citizens and businesses were not endangered.

The Director of the Directorate for Information Security, Dusan Polovic, said 150 computers were infected with malware at a dozen state institutions and that the data of the Ministry of Public Administration was not permanently damaged. Polovic said some retail tax collection was affected.

Russia is being blamed, but I haven’t seen any evidence other than “they’re the obvious perpetrator.”

EDITED TO ADD (9/12): The Montenegro government is hedging on that Russia attribution. It seems to be a regular criminal ransomware attack. The Cuba Ransomware gang has Russian members, but that’s not the same thing as the government.

Posted on September 2, 2022 at 8:18 AM • 12 Comments

Comments

Clive Robinson September 2, 2022 9:46 AM

@ Bruce, ALL,

Russia is being blamed, but I haven’t seen any evidence other than “they’re the obvious perpetrator.”

Have a look at a regional map and consider that one objective of Russia is to stop food export…

Yes, Montenegro is tiny but also not in the Eurozone, both of which are to Russia’s advantage, but it also has ports into the Mediterranean just a short distance from eastern Italy, and two country hops from Ukraine.

I can see reasons why “the panty poisoner” would consider it a target to try and bolster some status.

After all if you are a very vain and narcissistic adult who is angry because they’ve been kicked back by a six year old in a playground, you are going to go “kicking cradles” to prove you are a man…

Winter September 2, 2022 11:02 AM

@Clive, Bruce

Have a look at a regional map and consider that one objective of Russia is to stop food export…

Russia was involved in a failed coup attempt in Montenegro. Just Russia’s revenge for stopping their crimes.

https://www.theguardian.com/world/2017/feb/20/russian-state-bodies-attempted-a-coup-in-montenegro-says-prosecutor

MarkH September 2, 2022 11:50 AM

Montenegro became a full member of NATO in 2017, to the Kremlin’s public fury.

Meanwhile, “Russian gravity” continues to function: the Chairman of petroleum export giant Lukoil just died after falling from the 6th floor of a Moscow hospital. Perfectly normal, no doubt.

He became the 8th high-ranking Russian energy company officer to die this year from other extraordinary causes. Two of those gentlemen were found alongside the corpses of their wives and daughters. Perfectly normal, no doubt.

Winter September 2, 2022 12:40 PM

@MarkH

Perfectly normal, no doubt.

Not just the rich ones die:

https://www.newsweek.com/russia-zimin-fsb-putin-official-shot-1718844

Zimin had previously been a colonel with Russia’s main security agency, the Federal Security Service (FSB), and has been pictured with Putin while carrying the president’s nuclear codes briefcase. He was first tasked with carrying the briefcase under President Boris Yeltsin.

Being close to Putin is a bit like being close to Stalin.

Clive Robinson September 2, 2022 2:21 PM

@ Winter, MarkH,

“Being close to Putin is a bit like being close to Stalin”

Or trying to barbeque a whole pig on an active volcano in a Luau pit…

You know it’s going to blow, you just do not know when or how, you just hope you “get to fill your boots” and make a strategic exit before the rocks become ash falling from above.

The thing is, the panty poisoner can only keep cutting back on top manpower like he’s been doing for so long before some will realise they will all be better off without him and remove their immediate threat out of self-defence. Then the real problems will start; such power struggles rarely go quietly, especially when street thug machismo is more prevalent than rational educated thought.

It will be of mild interest to see how many of the 6000 survive the coming storm.

Ted September 2, 2022 5:32 PM

Yep. Montenegro has backed away from saying “it was Russia.” They’re now thinking it’s the Cuba Ransomware group – a cybercriminal group that may have Russian members.

Not only has the group been researched by the Israeli security firms Security Joes and Profero, they’ve also had some write-ups by the FBI and Mandiant.

According to CyberScoop, experts from NATO as well as NATO allies are providing support.

The Hill says US Cyber Command’s “hunt forward” team has additionally been helping allies secure their cyber defenses and collect info on adversaries’ cyber activities.

The team has so far conducted 35 operations in 18 countries, including Croatia, Estonia, Lithuania, Montenegro, North Macedonia and Ukraine.

https://www.cyberscoop.com/montenegro-ransomware-attack/

Clive Robinson September 3, 2022 4:49 PM

@ Ted,

“They’re now thinking it’s the Cuba Ransomware group – a cybercriminal group that may have Russian members.”

You need to dig a little deeper into the relationship between Cuba and Russia.

Russia was at one point “renting” a lot of Cuba, for the likes of “Numbers Stations” etc, and thus sourced Cuba a lot of its foreign hard currency.

Russia did a nose dive economy wise and stopped “renting”. Well in recent years the “renting” has started up again.

So I would suspect the “Cuba Ransomware group” is just using an “accommodation address” maybe set up as a few “Dachas”[1] and the like, for certain “factory” people to ease a Petergrad winter out of their bones etc, maybe even a training school[2].

[1] Dacha actually means “to give” and from the mid 1800s became associated with the aristocracy holding entertainments and the like at “homes away from home” like hunting lodges and larger. The term carried over into the supposed Communist era and was used for “holiday camps” for notable workers and their families, as well as for actual holiday homes “given” by the State to leaders and other notables. Which is why people sometimes think Dacha means “holiday home”, something a number of spy novels alluded to.

[2] The KGB had a lot of such “training schools” around the world where those who showed the right sort of promise were sent to “learn the culture” etc so they could later fit in. Both Cuba and Brazil were good places to start learning the culture that is common in South West Europe. Thus give an effective back story when in other parts of Europe, picking up more culture as it were. Including “British” and “German” from holiday makers.

Ted September 3, 2022 8:10 PM

@Clive

Re: Cuba ransomware

Sorry for any confusion. It looks like this particular strain of ransomware was named “Cuba ransomware” because of its themed characteristics. I don’t know that it’s based on the actor’s location of origin per se.

Encrypted files are prepended with the header FIDEL.CA, likely in reference to Fidel Castro. They also receive the file extension .cuba. Their leak website reads “Cuba Ransomware welcomes you.”

The group is alternately known as Tropical Scorpius by Palo Alto Networks’ Unit 42 and as UNC2596 by Mandiant, who also calls the ransomware COLDDRAW.

Activity from this group was first noticed around 2019. According to Mandiant’s early 2022 post, 80% of affected organizations have been based in North America.

One thing Israeli researchers noticed was that the word “north” was used oddly in a message pertaining to exfiltrated files and encrypted servers.

Coincidentally, the words “north” and “server” are similar in Russian – respectively “север” and “сервер.” Perhaps, they thought, there was a typo in the original text prior to translation.
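The two on-disk artifacts Ted lists (the “FIDEL.CA” marker prepended to encrypted files and the “.cuba” extension) are the kind of thing an incident responder turns into a quick triage sweep. The script below is an added example written for this page, not code from the original post, from Bruce, or from any of the vendors named in the thread. The only facts it relies on are the marker string and the extension as described in the comment above; the function names, the confidence scoring, and the constructed sample files are assumptions made for the example.

```python
"""Triage sweep for files carrying the Cuba ransomware markers described above.

Indicators taken from the comment this example follows:
  * encrypted files are prepended with the ASCII marker "FIDEL.CA"
  * encrypted files carry the extension ".cuba"
Everything else here (names, scoring, sample tree) is an assumption for this example.
"""
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional

HEADER_MARKER = b"FIDEL.CA"   # marker reported at the start of encrypted files
ENCRYPTED_EXT = ".cuba"       # extension reported on encrypted files


@dataclass(frozen=True)
class Finding:
    path: str
    has_marker: bool      # file begins with HEADER_MARKER
    has_extension: bool   # file name ends with ENCRYPTED_EXT

    @property
    def confidence(self) -> str:
        # Both indicators: almost certainly an encrypted file.
        # Marker only: encrypted file that was renamed (or extension stripped).
        # Extension only: could be an unrelated or decoy file; needs a look.
        if self.has_marker and self.has_extension:
            return "high"
        if self.has_marker:
            return "medium"
        return "low"


def has_header_marker(data: bytes) -> bool:
    """Prefix compare only: the marker is reported as *prepended*, not merely present."""
    return data[: len(HEADER_MARKER)] == HEADER_MARKER


def has_encrypted_extension(name: str) -> bool:
    return name.lower().endswith(ENCRYPTED_EXT)


def inspect_file(path: str) -> Optional[Finding]:
    """Read just enough bytes to test the header; return None if neither indicator matches."""
    with open(path, "rb") as fh:
        head = fh.read(len(HEADER_MARKER))
    marker = has_header_marker(head)
    ext = has_encrypted_extension(os.path.basename(path))
    if marker or ext:
        return Finding(path, marker, ext)
    return None


def scan_tree(root: str) -> List[Finding]:
    """Walk a directory tree, skipping symlinks, and collect every file with an indicator."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):      # do not follow links out of the scanned tree
                continue
            try:
                found = inspect_file(full)
            except OSError:               # unreadable file: skip, do not abort the sweep
                continue
            if found is not None:
                findings.append(found)
    return sorted(findings, key=lambda f: f.path)


def summarize(root: str) -> Dict[str, str]:
    """Map file name -> confidence for every finding under root."""
    return {os.path.basename(f.path): f.confidence for f in scan_tree(root)}


def build_sample_tree(root: str) -> None:
    """Constructed sample data (not real victim files): one per outcome."""
    samples = {
        "report.docx.cuba": HEADER_MARKER + b"\x00" * 16,   # marker + extension -> high
        "notes.txt": HEADER_MARKER + b"\x01\x02\x03",        # marker only -> medium
        "decoy.cuba": b"just some plain text",               # extension only -> low
        "clean.txt": b"nothing to see here",                 # neither -> not reported
    }
    os.makedirs(os.path.join(root, "shared"), exist_ok=True)
    for name, content in samples.items():
        with open(os.path.join(root, "shared", name), "wb") as fh:
            fh.write(content)


def demo() -> Dict[str, str]:
    """Build the constructed sample tree in a temp dir and return the triage summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return summarize(tmp)


if __name__ == "__main__":
    for name, confidence in demo().items():
        print(f"{confidence:6s} {name}")
```

Point it at a mounted image or a file share with `summarize("/mnt/evidence")`. The prefix compare matters: a substring search would also flag a ransom note or an analyst’s own report that merely mentions the string.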

Clive Robinson September 4, 2022 1:49 AM

@ Ted,

Re : Cuba Ransomware

It has a history going back to 2019 at least.

An important feature it had was the “Don’t upset Putin” code: look for a Russian keyboard and, if found, die.

But also the areas it was focussed on: Latin America, North America[1], Spain, Germany, and other European countries.

https://lab52.io/blog/cuba-ransomware-analysis/

Also the attacks appear to be seasonal, not continuous, which suggests that the attackers are modal for some reason and may be running campaigns for others.

https://www.trendmicro.com/en_us/research/22/f/cuba-ransomware-group-s-new-variant-found-using-optimized-infect.html

There is other info out there, but as always attribution based just on captured software can be hard.

[1] The most prominent North American attack to hit the news was on “Automatic Funds Transfer Services” (AFTS), based in Seattle. They did not pay the ransom asked for on their exfiltrated data, which resulted in it appearing on the ransomware operators’ Dark Web servers where it was traded. As a payment processing service aimed at the likes of state government, municipal and similar entities in Washington and throughout the United States, AFTS hold a lot of “Private Personal Information” (PPI). With respect to PPI, the ransomware operators also acquired the details of probably 38 million people from the California Department of Motor Vehicles, which also turned up being Dark Web traded, presumably to be used for identity theft and similar purposes. One such purpose, as the data obtained were names, addresses, phone numbers, credit card information, and similar, could be to build a database of persons of interest to target for various reasons. Of the fifty or so known organisations attacked, they have been mainly in the government, financial, manufacturing, healthcare, and ICT industries, which have been the traditional and more recent targets for Russian State or state-aligned attackers.

Max September 6, 2022 11:54 PM

@ALL,

So, Bruce said that

Russia is being blamed, but I haven’t seen any evidence other than “they’re the obvious perpetrator.”

And you all promptly replied by doing just that – blaming Russia on the very basis of “they’re the obvious perpetrator” with no further evidence.

Good job, team. 🙂

Clive Robinson September 7, 2022 12:37 AM

@ Max,

Re : Russia to blame.

“blaming Russia on the very basis of “they’re the obvious perpetrator” with no further evidence.”

There is more than circumstantial evidence, which is the point some of us have been making.

Trying to get attribution by “tiny tells” in reverse engineered code, whilst not entirely a fool’s errand, is not just highly subjective but easy to fake. Thus on code alone “attribution is hard”. And it would be wise to say that, as far as that is concerned, there is little evidence.

However when it comes to other socio-political “tells” it is far easier to find evidence of who is yanking who’s chain.

Something I suspect you are all too familiar with.
