The Belgrade Center for Security Policy fell victim to Russian hacker groups, according to a forensic analysis carried out for this Serbian non-governmental organization by one of the largest IT companies in the world.
These are hacker groups that the governments of the United States of America and Great Britain have long linked to Russia's intelligence and security structures.
During the attack, the hackers gained access to part of the archive and read more than 28 e-mail exchanges of a Serbian organization that has monitored security sector reforms for almost 25 years and is in active communication with numerous European institutions.
"Our mailing list of international and domestic partners is very large," Igor Bandović, director of the Belgrade Center for Security Policy (BCBP), told Radio Free Europe.
Hackers linked to Russian intelligence services
He also states that the accounts of BCBP employees were then used to further expand the hacking operations of two Russian groups.
One is connected to the Foreign Intelligence Service of Russia (SVR), and the other to the Russian Military Intelligence Service (GRU).
Both groups, according to Microsoft's website, target governments, diplomatic institutions, non-governmental organizations and IT companies around the world.
"Attackers use all possible methods to gain access to sensitive emails, files and messages," Steven Adair, director of the American cyber security company Volexity, who also worked on the BCBP case, told RSE.
He adds that civil society organizations in Serbia "will almost certainly continue to be targets because of their work and expertise in areas related to Russia, Ukraine and security efforts in Europe".
How did the attack happen?
"The message that reached me did not look suspicious in any way," BCBP Director Igor Bandović recalled for RFE/RL.
He says that in July of last year he received a message from a person who introduced himself as Belarusian opposition politician Sergej Tikhanovsky, the husband of the exiled opposition figure Svetlana Tikhanovska.
"He suggested that we schedule a video call to discuss the political situation in Southeast Europe," adds Bandović.
As the later forensic analysis showed, this message was one of the key entry points of the Russian hackers' operation, whose aim was to take over the infrastructure of the Belgrade non-governmental organization and to expand their activity further from there.
Igor Bandović says that he asked the contact how he had obtained his details. When he was told that it came through a colleague from Romania, Bandović explains, he saw no strong reason to question the authenticity of the conversation.
Communication took place through the Signal messaging application, which is known for its privacy protection and encrypted (protected) message transmission, and in which users can connect via phone numbers or usernames.
Open door to hackers
A video call link was sent with the message.
At the time of the scheduled meeting, Bandović copied the link into the internet browser.
The video call never started, but the link gave the hackers access to almost all of the communication of BCBP employees.
In this way, Bandović became a victim of so-called spear phishing: targeted messaging in which the attacker tailors the message so that it appears to come from a trusted person or organization, often using the victim's personal information.
The goal is to trick the victim into revealing confidential information, downloading a malicious file, or providing access to systems.
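As an added illustration of the kind of check a recipient or an organization's help desk could apply to an unexpected meeting link before anyone opens it: the code below is written for this article and is not tooling from BCBP, Microsoft or Volexity. The allowlist of meeting providers, the list of sensitive query parameters and every sample link are assumptions constructed here for demonstration.

```python
"""Triage an inbound meeting link before anyone opens it.

Added example for this article; not code from BCBP, Microsoft or Volexity.
All host names and sample links below are constructed for illustration.
"""
from urllib.parse import urlparse, parse_qs

# Assumption: the meeting providers the organization legitimately uses.
KNOWN_MEETING_HOSTS = ("zoom.us", "teams.microsoft.com", "meet.google.com")

# Query parameters that carry credentials or authorization state; a genuine
# meeting invite has no business carrying these.
SENSITIVE_PARAMS = {"code", "token", "access_token", "redirect_uri", "client_id"}


def _belongs_to(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def triage_link(url: str) -> dict:
    """Return a verdict ('ok' or 'suspicious') and the reasons behind it."""
    reasons = []
    parsed = urlparse(url.strip())
    host = (parsed.hostname or "").lower()

    if parsed.scheme != "https":
        reasons.append(f"scheme is {parsed.scheme or 'missing'}, not https")

    if not host:
        reasons.append("no host name in link")
    else:
        if not host.isascii():
            reasons.append("host contains non-ASCII characters (possible homoglyph)")
        trusted = any(_belongs_to(host, d) for d in KNOWN_MEETING_HOSTS)
        if not trusted:
            reasons.append(f"host {host} is not a known meeting provider")
            # A provider's name embedded in an unrelated host is a classic
            # lookalike, e.g. teams.microsoft.com.invite.example
            for d in KNOWN_MEETING_HOSTS:
                bare = d.split(".")[0]  # zoom, teams, meet
                if bare in host.replace("-", ""):
                    reasons.append(f"host mimics {d}")
                    break

    params = parse_qs(parsed.query)
    leaked = sorted(SENSITIVE_PARAMS & set(params))
    if leaked:
        reasons.append(f"link carries sensitive parameters: {', '.join(leaked)}")

    return {"url": url, "verdict": "suspicious" if reasons else "ok", "reasons": reasons}


# Constructed sample links for demonstration; none of these are real invites.
SAMPLE_LINKS = [
    "https://teams.microsoft.com/l/meetup-join/abc123",
    "https://teams.microsoft.com.meeting-invite.example/join",
    "http://zoom.us/j/123456",
    "https://z\u043e\u043em.us/j/123456",  # two Cyrillic 'o' characters in 'zoom'
    "https://meet.google.com/abc-defg-hij?redirect_uri=https://attacker.example",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        result = triage_link(link)
        print(result["verdict"].upper(), link)
        for reason in result["reasons"]:
            print("   -", reason)
```

The point of the check is not the specific strings but the habit: an invite from an unexpected contact is compared against the providers the organization actually uses, and any link that is not plain HTTPS to one of them, or that carries tokens or redirect targets in its query string, is held back for a second look rather than pasted into a browser.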
Four months later, in November last year, the Microsoft Threat Intelligence Center, a specialized Microsoft team that investigates threats to users of the company's software, warned BCBP that it had been the victim of a hacker attack.
One of the largest IT companies in the world, which requested anonymity and whose identity is known to RSE, performed the forensic analysis for BCBP and identified two hacker groups, Midnight Blizzard and Forest Blizzard, as the organizations behind these attacks.
Source: Radio Free Europe