FBI and French officials arrive in Montenegro to investigate ransomware attack
Officials from the FBI and French government are in Montenegro to help the country as it recovers from a wide-ranging ransomware attack perpetrated last week.
The attacks, which were carried out Friday and Saturday, crippled government-run transportation services and online platforms for information, as well as water and electricity systems.
According to Public Administration Minister Maras Dukaj, 150 devices within 10 government agencies were infected, and many government websites are still down.
“Our allies from NATO are helping us overcome the most serious challenge that Montenegro has faced in the cyberspace so far,” Dukaj said during a press conference on Wednesday.
He noted that the attack on several government ministries is still ongoing and could not provide a timeline for when services would be restored.
Experts from the French Agency for Information Systems Security (ANSSI) and members of a FBI Cyber Action Team (CAT) have been deployed to the country.
Michael McPherson, a former special agent in charge of the Tampa Field Office at the FBI, told The Record that the attack on Montenegro involved a combination of ransomware and denial of service against critical infrastructure and government entities.
“Although the deployment of the FBI’s Cyber Action Team is not uncommon, it does demonstrate the breadth and depth of this attack. CAT team deployments are generally reserved for complex situations which require additional manpower and technical expertise,” said McPherson, who is now a senior vice president at the cybersecurity company ReliaQuest.
“Dating back to at least 2018, the U.S. military has been working with the government of Montenegro on cybersecurity cooperation, training, and resiliency.”
Montenegro officials had initially accused the Russian government of the attacks, saying they were retaliation for the country’s support for Ukraine. In recent days, they have attributed it to the criminal group behind the Cuba ransomware.
On Twitter and state television broadcasts this week, Dukaj explained that the Cuba ransomware group had added the country’s parliament to its leak site.
Despite the Cuba ransomware name, several experts have said that the group probably has no connection to the island nation.
“Cuba is unlikely to be Cuban. Certain linguistic characteristics point to the group likely being Russian or, at least, having Russian speakers on its team,” Emsisoft threat analyst Brett Callow told The Record.
On its leak site, the ransomware group claimed it had stolen “financial documents, correspondence with bank employees, account movements, balance sheets, tax documents.”
There was some confusion over whether a ransom was issued for the stolen data, with some news outlets reporting the group had sent out a $10 million ransom demand, while officials told the Associated Press that none was received. Dukaj, meanwhile, claimed on Twitter that the exploit used to attack the country’s systems “cost $10 million.” The Montenegro government did not respond to requests for clarification.
“A huge amount of money was invested in the attack on our system,” Dukaj said.
According to the FBI, the operators of the Cuba ransomware earned at least $43.9 million from ransom payments following attacks in 2021 and “compromised at least 49 entities in five critical infrastructure sectors, including but not limited to the financial, government, healthcare, manufacturing, and information technology sectors.”