October 12, 2022

Interview of the AR director Erolld Musliu on cyber-attacks, for the “Almakos” portal


Can North Macedonia protect itself from cyber-attacks?

Almakos: In the media space, there is an increasing amount of news about cyber-attacks. This has become particularly evident in the recent months. How do you rate this trend?

Musliu: In the countries of the region, there is an increase in the number, frequency and complexity of cyber-attacks. A similar trend has been noticed among our NATO allies and the EU member states. The Intelligence Agency has noticed this growing trend since 2021 and especially since the Russian aggression in Ukraine.

This is an organized activity, planned in advance, and carried out in the period when the executors consider it necessary to achieve their mainly political goals. There has been an increasing trend of state-sponsored cyber-attacks that have external political targets and are carried out systematically, mainly by intelligence services or state-sponsored hacker groups.

Almakos: What is happening in the region? Which countries have been attacked, by whom and for what purpose?

Musliu: During 2022, the countries of this region suffered the greatest damage, such as Albania and Montenegro, while Bosnia and Herzegovina and Kosovo were also attacked. Previously, Serbia, Croatia and Bulgaria faced cyber intrusions into the system of key state institutions. Great damage was also caused in countries such as Portugal and Hungary.

In Albania, several state institutions were targets of a cyber-attack. What is specific about this is the fact that the cyber-attack was carried out in several phases over a period of more than a year, but became evident from July to September of this year. The perpetrators of the attack are state-sponsored actors from the Islamic Republic of Iran, with security-political targets. The attack contributed to the severance of diplomatic relations. The administration of the Civil Aviation Authority was also attacked.

In Montenegro, during August-September, state bodies completely shut down their systems as a result of a massive cyber-attack and are still repairing the damage caused by the Russian-linked ransomware. The group of hackers publicly announced that they had designed a virus specifically intended for the attack.

A specific activity has been observed in Serbia that shows that cyber-attacks should not always be seen as an attack on systems by a hacker group. During April-May, as well as these days, the country faced a frequent wave of false bomb threats, including educational, healthcare and religious facilities with the aim of causing fear and uncertainty among the population. In the meantime, cyber methods were also used to distribute messages, mainly via the Internet, as part of a psychological operation on the population.

A similar phenomenon was noticed in Kosovo, where targets of false reports were educational institutions attended by children. Certain information indicates that such activities were carried out by third actors, who still have an interest in tensions in the region. In addition, at the end of the summer, an attack in the initial phase of execution was detected and prevented. Previously, at the beginning of the year, a state institution was attacked.

In Bulgaria, in April this year, the information system of "Bulgarian Post" was destroyed using cyber tools, viruses and malware of Russian origin. Croatia, which has been the target of attacks before, in May this year, publicly accused Russia of cyber-attacks on multiple institutions, including the Internal Revenue Service.

In early September, in Bosnia and Herzegovina, our colleagues from the security and intelligence agency publicly warned of an increase in the number of cyber-attacks in the country during the year, calling on state institutions and private companies to take tougher measures of informational and informative security.

Outside our region, there was a special case in Portugal where the General Staff of the Armed Forces was attacked, where classified NATO documents were stolen and then ended up being sold on the "Dark Web". Also in Hungary, hackers working for Russian intelligence services for nearly a decade, before it was discovered this year, had access to classified MFA data, using malware to compromise the internal network and cryptosystem of the Ministry and Diplomatic-Consular Representations. Since the beginning of the Russian invasion, Moldova, Estonia and Lithuania have also been targeted by Russian cyber-attacks.

Almakos: Are we under attack?

Musliu: The danger is dormant. We should not wait for a cyber-attack in order to protect ourselves. On many occasions, NATO has warned its allies about the risk of increased cyber-attacks. Our states, i.e. the institutions were the target of an attack that includes specific forms and methodology.

In 2021, we encountered a particular modus in which phone software from several locations from Africa and Asia was used to target users of electronic devices in key state institutions. This activity coincided with the holding of the 17+1 Initiative, which after the withdrawal of the Baltic States was reduced to 14+1.

The case when the system of a key institution in our country was attacked by contaminating the software of the information and communication system is proof that the attack is not always carried out by someone sitting behind a computer in remote countries and regions.

A similar case was registered in an ally country of NATO and EU. Previously, as is known to the public, the State Election Commission, the Ministry of Health and banks were attacked, and the most recent case was the Ministry of Education.

Almakos: How should we perceive the cyber-attacks? Are they isolated acts or perhaps a tool as part of some hybrid strategy, some new way of waging war?

Musliu: The massive and frequent use of cyber-attacks, as part of the hybrid strategy that also develops activities of malicious actors, is a relatively new phenomenon. It has been used as a tool for unconventional warfare for a long time, although not as often and to that extent as today. Critical infrastructure in Europe has been the target of serious attacks on several occasions – electricity generation and transmission systems, hydro storage, mobile operator networks, etc.

The Russian aggression against Ukraine was preceded by a series of cyber-attacks, and during this period, Russia's military actions were accompanied by cyber operations. Since the attack, Ukraine has faced hundreds of cyber-attacks, of which about 40 had a destructive impact on critical infrastructure.

Cyber-attacks are also used in intelligence operations for various purposes, while the ultimate goals are political, most often it is the loss of citizens' trust in state institutions. They are often used as part of psychological operations on the population, as recent examples in the region have shown.

Almakos: What is the Intelligence Agency doing in this regard?

Musliu: The Intelligence Agency gives great importance to cyber security, as one of the priorities defined in the new law adopted last year. The Agency adopted a Strategy for cyber security, adapted to the National Strategy, which is established and based on the achievement of five objectives: cyber resilience, cyber culture, dealing with cybercrime, cyber defence and cooperation and information exchange.

Our vision is to create and maintain a secure, reliable and resilient digital environment. Within the planned budget framework, we are building systems and capacities for effective cyber security that will ensure a quality and technically developed institution that will face the challenges in cyber space efficiently and effectively. The NATO membership is definitely an excellent platform for the exchange of information and experiences, but in the context of increased engagement in the Western Balkans, the EU should pay more attention to such challenges, which the countries of the region are obviously facing. 

In this regard, it may be necessary for the EU to invest in a regional centre for cyber security, and from several aspects, the Republic of North Macedonia would be the most suitable location.

The agency regularly tracks the current trends of cyber threats and issues early warnings. This topic is also part of the regular exchange of knowledge and information with partner services, with which the work of other competent institutions is supported through the Agency.

Almakos: How can we protect ourselves better?

Musliu: The role and education of the individual is crucial. Each individual must build his digital culture for his own digital tools and invest in knowledge for the correct use of communication-informational technologies and media. This is why it is recommended to use the benefits of technology carefully and vigilantly, and the best “antivirus” is the awareness of how the cyberspace is used and what for.

Although the term cyber security is more commonly used in public, cyber resilience is no less important. If cyber security refers to the methods and processes of protecting electronic data, cyber resilience is the ability of an institution to withstand or recover quickly from cyber events that disrupt established processes and operations.

There is no perfect solution to cyber security that is able to protect against every possible form of threat. The cyber security strategy is designed to reduce the risk of attacks, but when this happens, a response with built-in cyber resilience is needed to reduce the impact. Both aspects are equally important and should be equally invested in. The more prepared we are, the fewer consequences we will face.