Montenegro struggles to recover from cyberattack that officials blame on Russia

Montenegro’s government is struggling to deal with a wide-ranging cyberattack targeting several ministries and agencies, while laying the blame for the damage on Russian state hackers.

Minister of Administration Maras Dukaj told several news outlets on Saturday that the country had never before seen a cyberattack of this magnitude, noting that it not only targeted the Ministry of Finance but also several critical infrastructure organizations.

The attacks, which were carried out Friday and Saturday, crippled government-run transportation services and online platforms for information, as well as water and electricity systems. As of Monday afternoon Eastern Standard Time, several government websites were still unreachable.

“Since late last night, Montenegro has been exposed to a new series of organized cyber attacks on the government's IT infrastructure. The primary target is the structure of state authorities,” Dukaj said on Twitter. 

Crna Gora je od kasno sinoć izložena novoj seriji organizovanih cyber napada na Vladinu informatičku infrastrukturu. Primarna meta je struktura državnih organa.

Stručnjaci MJU su pravovremeno preduzeli odbrambene mjere.@javnaupravamne @VladaCG @defence_mne #MJU

— Marash Dukaj (@mdukaj1) August 26, 2022

Dukaj said IT systems were not permanently damaged and denied that any data was stolen during the attack. Several power companies were forced to revert to manual processes after the attack, according to Reuters. 

The U.S. Embassy in Montenegro published its own notice on its website, writing that the government was facing a “persistent and ongoing cyberattack.”

“The attack may include disruptions to the public utility, transportation (including border crossings and airport), and telecommunication sectors,” the embassy said. 

This weekend's cyberattack was the second in recent weeks as the country struggles with a political crisis over its ties to Russia. The current government of Prime Minister Dritan Abazović was effectively removed from office by a no-confidence vote ten days ago and the country is facing the prospect of snap elections. 

France said it is sending members of its National Agency for the Security of Information Systems (ANSSI) to assist Montenegro in recovery efforts following a request for help from Abazović.

ANSSI plans to “support and assist in the detention, analysis and cybersecurity remediation,” Jean-Noël Barrot, the French minister delegate in charge of the digital transition and telecommunications, and Minister of Foreign Affairs Catherine Colonna told BFM TV on Saturday. 

Pro-Russia attacks on European nations

On state television this weekend, Defense Minister Raško Konjević blamed Russia, questioning who else would have a motive to target state IT systems.

“Who could have some kind of political interest in inflicting such damage on Montenegro? I think there is enough to suspect that Russia is behind the attack,” Konjević said.

The National Security Agency of Montenegro doubled down on that assessment, telling local news outlets in a media briefing that they had evidence showing multiple Russian agencies were involved in the attack. 

“It's a very serious matter, and this is a very serious attack. We are monitoring the situation, the National Security Agency, the Police Directorate, the Ministry of Defense are also involved. In my opinion, this is a politically-motivated attack," Abazović told reporters this weekend.

Montenegro has repeatedly expressed support for Ukraine since Russia invaded its neighbor in February, and the country joined Albania and North Macedonia in backing Ukraine’s bid for European Union membership. 

Russia allegedly added Montenegro to its list of “enemy states” after its support for Ukraine was publicized.

The attack on Montenegro caps months of cyber incidents involving European nations. Romania, Italy, Lithuania, Norway, Poland, Finland and Latvia have been attacked by pro-Russian hacking groups since the invasion of Ukraine in February. 

Slovenia was attacked on August 19 and last Thursday, Moldova’s cybersecurity agency said it stopped a wide-ranging attack on about 80 different information systems connected to the government. 

UPDATE: Multiple cybersecurity experts and companies reported on Tuesday that the Cuba ransomware group took credit for at least one attack on Montenegro's government.

The group added Montenegro's parliament to its list of victims, claiming to have stolen financial documents and more.

Cuba ransomware group has taken credit for conducting cyber attacks against Montenegro's government and/or critical infrastructure.

This contradicts Montenegro's alert that the Russian Federation was conducting the attack... or Cuba ransomware group is state sponsored. pic.twitter.com/aUtJReCDQv

— vx-underground (@vxunderground) August 30, 2022

Last year, the FBI said the operators of the Cuba ransomware earned at least $43.9 million from ransom payments following attacks carried out in 2021.

The FBI said last year that the ransomware group “compromised at least 49 entities in five critical infrastructure sectors, including but not limited to the financial, government, healthcare, manufacturing, and information technology sectors.”