Czech Republic blames Russia for multiple government network hacks

Czech intelligence service says two Russian cyber-espionage groups hacked Ministry of Foreign Affairs, Ministry of Defense, and members of the Czech Army.

Two Russian-linked cyber-espionage groups have hacked into the Czech Republic's government networks, the country's intelligence agency revealed today in an annual report.

The Czech Security Intelligence Service (BIS) blamed two cyber-espionage groups, known as Turla and APT28 (Sofacy or Fancy Bear), for hacks of the Ministry of Foreign Affairs (MFA), Ministry of Defense, and the Army of the Czech Republic. The hacks took place in different campaigns across 2016 and 2017.

Ministry of Foreign Affairs hacks

BIS officials said "the MFA electronic communication system had been compromised at least since the beginning of 2016 when the attackers accessed more than 150 mailboxes of the MFA staff and copied emails, including attachments."

The hack remained under the radar for almost a year, officials said today, until the beginning of 2017, when BIS investigators discovered the compromise.

They said "the attackers focused mostly on mailboxes of top ministry representatives," which they accessed "in a repeated, long-term and irregular manner."

Other email inboxes were also accessed, and BIS said hackers got "a list of potential targets in virtually all the important state institutions," information that "may be used for future attacks."

"The case of mailboxes compromise in numerous key aspects corresponds to similar cases of cyberespionage, which took place in other European states over the same period," BIS also said.

Earlier this year in August, a ZDNet article detailed the findings of an ESET report that described Turla attacks on European government foreign offices, which fits the attacks described by BIS.

But this wasn't the only attack against the Czech Ministry of Foreign Affairs. BIS says a second attack, different from the first, took place in December 2016.

"Attackers strived to guess the login details of mailboxes by brute force (the so-called brute force attack), and made thus efforts to compromise several hundred mailboxes," officials said.

BIS didn't attribute these attacks to one group alone, but two. Of note, BIS officials publicly linked the two cyber-espionage groups to the Russian state, something they have not done before, adhering to a new strategy of naming and shaming that the US has started to promote among allied states.

All the findings make it clear that it was the Turla cyberespionage campaign, originating from the FSB, a Russian intelligence service, and APT28/Sofacy, which is credited to the Russian military intelligence, the GRU.

Turla is one of Russia's oldest and most sophisticated state-sponsored hacking groups. But while Turla is generally unknown outside infosec circles, APT28 is far more famous. It is known to be one of the two groups behind the hack of the Democratic National Committee server back in 2016, ahead of the US Presidential Election.

Military hacks

BIS said that besides attacks on the Ministry of Foreign Affairs, APT28 was also behind other attacks against the central European state.

"The BIS detected several attacks against Czech military targets," officials said. "The wave of spearphishing emails targeted mainly people from military diplomacy deployed in Europe. [...] A similar spearphishing attack targeted also European arms companies and a border guard of a European state."

"The most serious included compromising of several private email accounts of people linked to the Ministry of Defense and the Army of the Czech Republic and compromising of an IP address belonging to the Ministry of Defense/Czech Army by a malware known as X-Agent," Czech intelligence officials added.

They said hackers didn't manage to steal any classified information, but just like in the MFA attacks, they did get their hands on "personal information and sensitive data that may be used for further attacks and illegitimate activities."

The BIS 2017 Annual Report also mentions that BIS operatives discovered an SQL injection vulnerability in the website of an unnamed Czech ministry, which they reported and which was later fixed.

The BIS also shut down a Hezbollah hacking operation earlier this year, in 2018.
