Cuba Ransomware Gang Takes Credit for Attacking Montenegro
Defense Minister Had Said Russian Government Was Likely Suspect Behind Disruptions
The Cuba ransomware gang is taking credit for attacking the government of Montenegro, which took offline multiple government websites and services amid what officials characterize as a targeted cyberattack.
Government officials in the Western Balkan nation, which has a population of 620,000, on Friday acknowledged disruptions to online government infrastructure.
"Since late last night, Montenegro has been exposed to a new series of organized cyberattacks on the government's IT infrastructure. The primary target is the structure of state authorities," Minister of Administration Marash Dukaj tweeted Friday.
"Although certain services are currently temporarily disabled for security reasons, the security of the accounts of citizens and business entities and their data are not in any way endangered," he added. He said the country, which in June 2017 became the 29th member of NATO, was working with its allies to respond.
Montenegro has publicly thanked the government of France for assistance with recovering from the online attack. The French government said it dispatched experts from the National Agency for the Security of Information Systems, or ANSSI, to assist.
The Cuba ransomware gang lists the Parliament of Montenegro, known as the Skupština, on its dedicated, Tor-based data-leak site. The Cuba gang claims that on Aug. 19 it stole files as part of the attack, saying the exfiltrated data includes "financial documents, correspondence with bank employees, account movements, balance sheets, tax documents, compensation, source code." Those claims could not be verified.
At least one senior Montenegro government official fingered the Russian government as likely responsible for the online attack. Despite its name, the Cuba ransomware gang appears unaffiliated with Havana. Analysis from McAfee finds that malware deployed by the gang can check for an installed language, such as Russian, while separate analysis from Israeli cybersecurity firms Security Joes and Profero concluded that operators of the ransomware are Russian speakers.
This incident is the second series of attacks to have hit the country since the Parliament on Aug. 19 passed a no-confidence motion on the cabinet proposed by Prime Minister Dritan Abazović, toppling the coalition government. It was the second such no-confidence motion to pass this year.
While the Parliament's website was accessible Tuesday, multiple government websites, including http://www.gov.me/, remained inaccessible.
The U.S. Embassy in Montenegro on Friday issued a security alert for Americans, warning that "a persistent and ongoing cyberattack is in process in Montenegro" which could result in "disruptions to the public utility, transportation (including border crossings and airport) and telecommunication sectors."
As of Tuesday, recovery appeared to be ongoing, and security researchers say that the country's domain name servers remain offline.
"https://t.co/Bk4eYrH10c nameservers are still down....
Montenegro Cyber Incident is probably really quite bad, it's a small country and having ur gov namespace DNS servers down isn't 'normal'"
mRr3b00t #StandWithUkraine #DefendAsOne (@UK_Daniel_Card), August 30, 2022
Montenegro Defense Minister Raško Konjević said he suspected Russia is responsible. "Who could have some kind of political interest in inflicting such damage on Montenegro?" he said on state television, the Euractiv media network reported Sunday.
Montenegro appears on a list of "unfriendly countries" drawn up by Moscow in March, in response to multiple governments backing sanctions against the Russian government over its invasion of Ukraine.
"Ransomware crews targeting governments is not unprecedented, and presumably, Montenegro is fair game now that Putin has put them on his 'you're not my friend no more' list," the operational security expert known as the grugq writes in a Substack post.