Eloquent details lead to hackers who leaked MFA data – the asking price is impressive




The Presidency and the Minister of National Defense Arvydas Anušauskas were criticized for confirming that, in fact, sensitive information had been leaked from the Ministry of Foreign Affairs, thus legitimizing such data.

Darius Kuliešius, the president’s senior adviser on national security, explained on the Delfi theme show that the tactic was chosen to proactively warn the public and allies about the possibility of misinformation.

“Naturally, in the event of a cyber incident, there are many operational algorithms on how to react. One of the operational algorithms is not to provide information, not to comment on the incident that occurred. Other operational algorithms involve partial comment, providing information without detailed data. Other operational algorithms exist as well.

In the event of a more serious cyber incident, which at any moment could turn into an information attack in which cyber data can be used to misinform, one of the goals is to try to prevent it simply by warning the public, the Allies, not to believe in a possible misinformation,” explained D. Kuliešius.

The president’s senior adviser explained that, in general, when information misappropriated during a cyberattack is disclosed, its content is distorted by inserting incorrect information.

“As a result, both the Minister of National Defense and the President said it is important not to believe, it is important to prepare and proactively warn that if sensitive data is used, its content is likely to be distorted all the time,” Kuliešius said.

It is possible that this is one of the stages in the operation of a hostile scenario

Darius Kuliešius


© DELFI / Josvydas Elinskas

While the investigation is ongoing, a representative of the Presidency does not comment further on the data. He states that he has not heard of any deliberation in Lithuania about the country itself redeeming this data.

In addition, D. Kuliešius did not speculate on who could be behind this, but did not rule out that “this could be one of the stages of a hybrid and hostile scenario, that is, using the information collected during a cyberattack for an information attack.”

The Chief Adviser to the President assured that cooperation is being carried out with the Ministry of Foreign Affairs, but at the same time explained that in a period in which there are many crises, serious incidents, objective circumstances can hinder a perfect result.

“But that goal is being pursued and working on those principles: maximum cooperation,” said D. Kuliešius.

Suggestions on where to look for culprits

Cybersecurity expert Marius Pareščius, who participated in the program, explained that the hacking itself took place at the end of November last year.

“I think it was an event that happened on November 25 or 26. Because the last messages are floating in the public space about the fact that the last letters were on those dates,” said M. Pareščius.

According to the interlocutor, the evidence in the public domain gives the impression that the people who disseminate this information are those who have Microsoft Windows with a Russian keyboard, with texts in Russian. They are Russian-speaking people.

“Because if you look at some screenshots, you will see that when you open messages that are written in Lithuanian, the date and time of those messages are formatted in Russian; both the order and, for example, Microsoft Windows uses one or two characters named by the day.

As an example, the Russian “č”, which is the inverted letter “L”, appears as an identifier for Thursday in some letters. It means that they are Russian speakers,” explained M. Pareščius.

The cybersecurity expert also pointed out peculiarities in how those people write in the public space: although they write in English, some of the sticks (sometimes in jargon called “spikes”) they use are also Russian.

“It is difficult to identify if they are in Lithuania, Russia, Ukraine or another country where Russian is spoken, because we cannot yet trace IP addresses,” said M. Pareščius.

An impressive amount requested for the data

The cybersecurity expert said the way those people interacted gives the impression that their main goal is to get as much as possible for that data.

“There is talk that there is a price today, another price will be tomorrow. There is talk that there are a few who want to buy, but the price may be too high, so ‘because there are a few who want, we could do an auction or such and instead raise the price.’ In this situation, we can say that the data holder to this day is the one who is trying to obtain the greatest possible economic benefit,” explained M. Pareščius.

And the amount requested is impressive. According to the expert, “the price of the entire data matrix is said to be 10-20 bitcoins.” Taking into account that one bitcoin is 38 thousand euros, this comes to a total of about 400-800 thousand euros.

“If we look at the fact that a long time has elapsed between data theft and data sale, it may be that the person exchanging the data is not the one who broke it. In the world of hackers, it happens that whoever hacked, on the black market, in a closed group, you offer to buy data, someone buys it and then exchanges that data. In this case, the seller looks more like a person than a breaker,” said M. Pareščius.

Not necessarily to sell to others

A cybersecurity specialist explained why the option to redeem the data so that it is not disseminated further would be risky.

“The problem with hackers is that there is no guarantee that, even after redemption, they will not sell that data to the second, third, fifth, tenth. The second problem is that sometimes, out of anger, even after selling the data, they make it public, in this situation the dissemination of information is no longer controlled.

In individual cases, they lower the price and sell to five buyers, so the price can be three, five, and even one bitcoin, but the information will be shared by foreign states, media, and private commercial institutions that can afford to spend so much money on data,” M. Pareščius explained.

The expert confirmed that the leaked data is critical.

“The data is from certain mailboxes, MFA officials, including the former minister. The retention period for the leaked data is ten years. Imagine: ten years of archive of correspondence from the Ministry of Foreign Affairs,” said M. Pareščius.

The data could have been leaked in two ways

Dalia Plikūnė, Marius Pareščius


© DELFI / Domantas Pipas

The specialist sees two ways the data could have been leaked.

“One of them is more likely: For several years, there have been software holes in Microsoft Exchange (this is software used for email, including at the MFA) through which information could be stolen. Not a single state has been affected by this way, not even many electoral bodies. We did not look down, we did not organize, we did not stop. The qualification of the employees is to blame, the audits are not carried out daily, the institutions that supervised them are to blame,” explained M. Pareščius.

According to him, in the future this should be fought by raising the qualification of employees, paying higher salaries, buying specific software that protects against all this.

“The second case is less likely: the backup copies of this data were stored and the backup copies were stolen,” said M. Pareščius.

According to him, only those who broke in can answer whether this was the first or the second case.

“The amount of data is large, almost 300 gigabytes. How much of it can be critical for Lithuania? At least on the reputation side, I think, for the most part,” said M. Pareščius.

Theft and disclosure in and of themselves are not necessarily related things

Signatory Albinas Januška pointed out that talking about the information for sale being taken in November last year was just a hypothesis.

“It could have been taken at any time before, and we cannot rule out the possibility that those hackers are still spying,” Januška said.

According to him, it is also unclear what the true goals of the hackers are.

“The expert said maybe it’s some kind of traders, maybe. But maybe it’s a Russian strategy or something to attract as much attention as possible, part of a hybrid attack on Lithuania,” said A. Januška.

He also noted that hacking and data disclosure themselves are not necessarily related.

“The expert says that these documents are from the Ministry of Foreign Affairs. So far, we only know that small part of the embassy in Georgia and something else that has been made public. (…) The Ministry of Foreign Affairs will not comment on the content of these documents,” said A. Januška.

According to the interlocutor, if we do not want further damage to Lithuania, “we must not confirm in any way that these documents are original documents of the Ministry of Foreign Affairs.”

Offers to use US practice

Albinas Januška


© DELFI / Domantas Pipas

Januška, the former WikiLeaks hero, says this situation is not new.

“There was WikiLeaks. I personally was a ‘WikiLeaks hero’. I never commented, and I didn’t know if it was real or if it was fake. If you had asked the US State Department about those documents, they would have said: ‘And what is it? What are you talking about?’ That is the policy to reduce the damage, these documents are not officially commented,” said the interlocutor.

He also pointed out that some of those documents that could be leaked to the public could be falsified.

“We already have Lithuania’s experience with advertising, we had recorded conversations with two diplomats, one of whom is no longer alive, and it turns out that those conversations were also edited and adapted for a specific purpose,” said A. Januška.

He did not guess whether someone would buy those documents.

“The price is actually half a million,” he wonders. “It can only be a game. Let us not rule out that, in any case, those documents, whatever they may be, are made public,” said A. Januška.
