FBI and French officials arrive in Montenegro to investigate ransomware attack

Officials from the FBI and French government are in Montenegro to help the country as it recovers from a wide-ranging ransomware attack perpetrated last week.

The attacks, which were carried out Friday and Saturday, crippled government-run transportation services and online platforms for information, as well as water and electricity systems. 

According to Public Administration Minister Maras Dukaj, 150 devices within 10 government agencies were infected, and many government websites are still down. 

“Our allies from NATO are helping us overcome the most serious challenge that Montenegro has faced in the cyberspace so far,” Dukaj said during a press conference on Wednesday. 

Na moju inicijativu i poziv, naši međunarodni partneri iz FBI su već na terenu i pomažu da se prevaziđe jedan od najsloženijih napada na digitalnu infrastrukturu neke države u istoriji.
Zahvaljujem se @USAmbMNE na podršci koju Vlada pruža u ovim teškim trenucima! pic.twitter.com/l0c0t77YRs

— Marash Dukaj (@mdukaj1) September 1, 2022

He noted that the attack on several government ministries is still ongoing and could not provide a timeline for when services would be restored.

Experts from the French Agency for Information Systems Security (ANSSI) and members of a FBI Cyber Action Team (CAT) have been deployed to the country. 

Michael McPherson, a former special agent in charge of the Tampa Field Office at the FBI, told The Record that the attack on Montenegro involved a combination of ransomware and denial of service against critical infrastructure and government entities.

“Although the deployment of the FBI’s Cyber Action Team is not uncommon, it does demonstrate the breadth and depth of this attack. CAT team deployments are generally reserved for complex situations which require additional manpower and technical expertise,” said McPherson, who is now a senior vice president at the cybersecurity company ReliaQuest. 

“Dating back to at least 2018, the U.S. military has been working with the government of Montenegro on cybersecurity cooperation, training, and resiliency.”

U.S. Cyber Command has previously sent defensive cyber operators to Montenegro as part of hunt forward operations and an effort to protect the 2018 midterm elections from foreign interference. 

Russia accusations

Montenegro officials had initially accused the Russian government of the attacks, saying they were retaliation for the country's support for Ukraine. In recent days, they have attributed it to the criminal group behind the Cuba ransomware. 

On Twitter and state television broadcasts this week, Dukaj explained that the Cuba ransomware group had added the country’s parliament to its leak site. 

Ministar @mdukaj1, Dnevnik II @RTCGme: Ne smijemo licitirati konkretnim datumima ponovnog uspostavljanja svih servisa. Postupaćemo u skladu sa preporukama naših partnera. Važno je da u ovoj situaciji sačuvamo zajedništvo.
Hvala medijima i crnogorskom IT sektoru. pic.twitter.com/iWB46AZPKT

— Ministarstvo javne uprave (@javnaupravamne) August 31, 2022

Despite the Cuba ransomware name, several experts have said that the group probably has no connection to the island nation.

“Cuba is unlikely to be Cuban. Certain linguistic characteristics point to the group likely being Russian or, at least, having Russian speakers on its team,” Emsisoft threat analyst Brett Callow told The Record. 

On its leak site, the ransomware group claimed it had stolen "financial documents, correspondence with bank employees, account movements, balance sheets, tax documents.”

There was some confusion over whether a ransom was issued for the stolen data, with some news outlets reporting the group had sent out a $10 million ransom demand, while officials told the Associated Press that none was received. Dukaj, meanwhile, claimed on Twitter that the exploit used to attack the country’s systems "cost $10 million." The Montenegro government did not respond to requests for clarification.

“A huge amount of money was invested in the attack on our system,” Dukaj said. 

Cuba ransomware group has taken credit for conducting cyber attacks against Montenegro's government and/or critical infrastructure.

This contradicts Montenegro's alert that the Russian Federation was conducting the attack... or Cuba ransomware group is state sponsored. pic.twitter.com/aUtJReCDQv

— vx-underground (@vxunderground) August 30, 2022

According to the FBI, the operators of the Cuba ransomware earned at least $43.9 million from ransom payments following attacks in 2021 and “compromised at least 49 entities in five critical infrastructure sectors, including but not limited to the financial, government, healthcare, manufacturing, and information technology sectors.”