IOTW: FBI to investigate Montenegro cyber-attacks

The US Federal Bureau of Investigation (FBI) has said it will deploy Cyber Action Teams (CAT) to Montenegro in the wake of a series of “persistent and ongoing” cyber-attacks against the country’s infrastructure. 

The country has been suffering a series of cyber-attacks targeted at critical infrastructure including transportation services, electricity and water supply systems and online portals that citizens use to access various state services.

Among those are 150 work stations in 10 state institutions that became infected with malware.  

The attacks have forced state-managed IT infrastructure offline and several power plants to switch to manual controls. In a security alert regarding the attacks, the Montenegrin government told citizens they may lead to “disruptions to the public utility, transportation (including border crossings and airport) and telecommunication sectors”.

Officials have described the attacks as “unprecedented” and are believed by Montenegro’s National Security Agency (ANB) to be linked to Russian cyber criminal group using Cuba ransomware. Montenegro’s public administration minister Mara Dukaj said on state television that the group had created a virus called Zerodate specifically for the attack.  

Dukaj confirmed that despite the ransomware attacks, the government had not yet been contacted for ransom regarding the compromised systems and documents.

Interested in gaining more insight from the cyber security community? Become a member of CS Hub today!

What is Cuba ransomware?

Cuba ransomware is a malware family that was originally discovered in February 2020. It is distributed via Hanticor malware, a remote access trojan (RAT) which gives hackers the ability to remotely interact with or control a compromised device. Cuba ransomware actors use legitimate Windows processes in order to execute malware remotely by utilizing Windows admin privileges.  

In November 2021, the FBI issued an official notice saying that Cuba ransomware actors had “compromised at least 49 entities in five critical infrastructure sectors, including but not limited to the financial, government, healthcare, manufacturing and information technology sectors”. They had “demanded at least US$74 mn and received at least US$43.9 mn in ransom payments”. 

Cuba ransomware resurges were noted in March and April 2022 by IT security company Trend Micro.

Other governmental infrastructure targeted by ransomware

This is not the first time this year that government systems have been directly targeted by cyber-attacks. In July of this year, the Albanian government suffered an “unprecedented and dangerous” cyber-attack which forced the temporary suspension of government sites.

Following the attack, the Albanian National Agency of the Information Society (AKSHI) worked with Microsoft, Jones Group International and information and communications technology teams within Albania in order to prevent the attack from compromising or damaging the systems.

The attacks were later linked to the Iranian government by threat intelligence firm Mandiant.