
Hacking Attacks against Government Institutions

BSides Sofia 2023 · 31:49 · 212 views · Published 2023-03
Speaker: Vasil Velichkov
Transcript [en]

Good morning. My name is Vasil Velichkov. For those who don't know me, I am 48 years old and I have been working in IT for 14 years. I started as a software programmer at an embedded systems company, making software for management in industry. Then I went through various periods: IT director of a bank, private business related to information technology, infrastructure, data centres, networks and so on. Currently I have a software company that works with foreign products. My involvement with government work comes from the fact that since 2010, in different periods, I have been an adviser to various ministers and deputy prime ministers: Traicho Traikov in 2010 and 2011, then Iliana Tsanova in the caretaker cabinet, then Rumyana Bachvarova, and the last one, in the previous government, Kalina Konstantinova, deputy prime minister.

Today these microphones are getting more and more deaf. You are very good. We will switch to the good old microphone. Now, can we hear each other? I'm sorry for the technical problems.

Since you will hear a lot of presentations related to technology, regulations and cyber security, I decided that it is better to talk about another element, which is related to people. First I will give some context about what government and the public sector are and how big they are in our country. Then I would like to give an example of human stupidity, because in the end everything is up to people, at least still. Then I will give some examples of criminal negligence or gross negligence. Then I will talk about specific attacks; I have chosen two, and there will be an opportunity to ask questions about the better-known attacks that have happened and are clear from the last few years.

First, for those who are not familiar with what the public sector represents: there are 708 administrations in the executive branch in Bulgaria alone. These are separate structures with separate IT, so to speak, with totally different and separate practices. Often these structures are so obscure that no one knows where they are and what they do. The judiciary has 311 structures: courts, prosecutors' offices, district, regional, administrative. The judiciary is a separate province; it has a separate constitution and is a separate province, including in relation to information technology and security. But the most interesting number is the number of legal entities in the public sector. These are legal entities that are linked under one or another legal form as property to the state, that is, there is state property in them with a prevailing share. Here we are talking about 14,000 legal entities for the past year. This includes all municipal companies and all municipal agencies that are outside the 708 registered in the Administrative Register. You can imagine the scale. The infrastructure of the country is located in various cellars, in various villages, huts and buildings. There are over 2300 servers in the country. We don't know about the computers.

And as I said, the presentation will be about people, because in the end the most common problem is the one behind the steering wheel, the one between the chair and the keyboard. Whatever technologies we apply, whatever procedures and rules we write, whatever laws and regulations we come up with, at least at this stage things always come down to the same point, and the narrowest place, or the most expensive place, is the people. And as Einstein said, there are two infinite things, the universe and human stupidity, but I'm not sure about the universe. Even if ChatGPT or GPT-XX take over, or Skynet takes over, we will continue to depend on human actions, or inaction; they have consequences. In this presentation I will cover stupidity and negligence and their result in the form of what happened in some specific attacks.

Otherwise there are more aspects. There is the aspect of incompetence, which is not necessarily related to a lack of educational opportunities, but rather to the desire of the person to be educated and to develop throughout their life. Corruption: corruption is not only about when you buy technology or when you buy things, but also corruption in relation to what you are prone to do for money. Because too much attention is paid to protection from the outside; that is where the main efforts and the main means go, but it is actually much cheaper and easier to find an internal person to do your job: either to take some information or documents, or to make a BLA, or to install a back door for you to enter and walk around a network. Also, there are special interests at the moment, which is a euphemism for espionage or for controlled information collection when there is a need to organize a political campaign or a smear campaign. Of course, there are moments of sabotage and revenge. There are a few examples in our administration where someone who has been pushed out, threatened or even fired has made a mistake very consciously in order to take revenge.

Let's start with stupidity. I will give a very specific example, which I have already explained publicly. What is the connection between Plamen Oresharski and Kevin Mitnick? I mean, is there anyone who doesn't know who Kevin Mitnick is? Because I am getting old, and maybe there are people who don't know who Kevin Mitnick is. Okay, I will say that Kevin Mitnick is a very famous, convicted hacker who never hacked anything in his life. He never used any technological means to hack a computer network or to penetrate a mainframe, because he operated during the time when mainframes were still a mass phenomenon. He managed to get into the networks of one or two banks, services in the States and so on. And he used phishing, the first form of phishing, without phishing emails, just with phone calls and with suitable psychological tricks, and he extracted passwords, codes and so on from useless and useful idiots, whether it was the manager or the IT.

What is common between him and Plamen Oresharski? Plamen Oresharski, as we all know, is a former Bulgarian prime minister, who never actually governed by himself. And here we come to a wonderful practice, which I learned about for the first time in 2010 and which in my last role I managed to stop in 2022. This practice is how user accounts are created, and with what initial passwords. What is the process? In the Ministry of Finance, for these 12 years, the IT companies, most of which are no longer there, maybe they have returned, created passwords consisting of the initials of the respective user and four digits. Do you know which digits? 1, 2, 3, 4, of course. I had the feeling that it was something more complicated.

Now, the most interesting thing is that I learned this by chance from colleagues in 2010, when I was a secretary at the Ministry of Economy. But when I became a consultant to Rumyana Bachvarova in 2014, at some point she asked me to make an account at the Ministry of the Interior, and what was my surprise when my initial password was VNO 234. But the most interesting thing is that I started looking in the actual directory to see what other accounts there were, and I saw that there were semi-famous accounts, like Gabramon BG, and many other famous people from the executive power. And it turned out that the account was neither disabled nor was the password changed. The mailbox was empty, which may be because the person was given the account and took it away, maybe because he never received an email, or maybe the instructions were sent to him not by mail but on a flash drive, and so on. But this was a sustainable practice, as it turned out. We couldn't fight it back then, because the Ministry of the Interior thinks that someone like the deputy prime minister has a lot of power. That's not true. There was an administration that was governed by some chief secretaries. The chief secretary is the "grey cardinal" in every administration. The chief secretaries are the most important persons in the administration, because everything related to operations and the administration itself depends on them, and you can be a minister or a deputy prime minister, but if the chief secretary has backing and is arrogant, he can do whatever he wants. This is the reality. I am not politically correct, I am not a politician, I say it straight. The chief secretary was the well-known Veso Dakov in the Council of Ministers, a man who was involved in, who lured a lot of people into transporting black drops with syringes; this became publicly known last year. This man was not changed for many years. Not a word was said about changing anything, punishing anyone, changing anything in the procedures, until finally he was no longer the chief secretary. This problem could be solved 12 years later, although I am not sure, because he returned, not as chief secretary, but to another important position, head of the office. In the end, things come down to people. Whatever technology, whatever knowledge we have, even knowing that the door is open, sometimes it is not so easy to close it.

Let's move on to the topic of negligence. Is this a cliché? Someone forgets the keys in the car and locks the door and has no other choice but to break into the car and take them out, or to call the locksmith, but if you are far away, maybe you can't find a locksmith. I broke my car window. I ended up on a beach, far from any civilization, with my phone and keys inside. It wasn't that hard to take a stone, break your car window, then of course tell the police that your car window was broken in a parking lot, and take out your keys. But we're not talking about such a trivial case, we're talking about something else; unfortunately it's too small to be seen. But here is something. I will not mention the place, because there is still an investigation. It is about the following. An organization with many servers, which has many domain administrator accounts in Active Directory. And for the convenience of the administrators, the passwords of each domain administrator account, which are different, nice and complex passwords, are written in the description attribute in Active Directory. And you just need to be an authenticated user, and in some cases you don't even need to be an authenticated user, to make a query to Active Directory and extract the user list. The description, the name and some other attributes are mandatorily public, that is, everyone can read them. Of course, this organization, without any doubt, has an exception on the firewall for TCP port 3389, RDP, Remote Desktop. It's very convenient, especially during COVID, because you sit at home and manage the servers. We all know how safe this is, right? How can you mess up, when this is a practice that is called out in every lesson, in every course, in every conversation on the topic of security, and every student says that this is not done? This is a practice. And this practice is not only in this organization. I have seen it in more than one place, especially the passwords in the description field. But tomorrow there will be a lecture, and Bozhidar Bozhanov will be able to tell you exactly how many government organizations had such exceptions, had open RDP ports, and in six months we managed to force half of them to close them. You could have installed the most brutal firewalls, intrusion prevention systems, SIEM and so on. Here we are talking about absolutely legitimate access, where an administrator can enter from his home computer and do something on the network. Nobody knows what he is doing on his home computer, how much porn he is watching, what malware he has installed and so on. So we are talking about people again.

Another thing we all know about the state administration is that many of its computers are still on Windows XP Service Pack 3. Some of them are not even on Service Pack 3. But this is not the topic of this example, just a few pictures from the field and a slightly broken Windows XP patch. In fact, we are talking about another crazy case. A Wi-Fi network, hidden SSID, WPA pre-shared key security, firmware that has not been updated for 10 years, 40% signal strength across the street, from the building of a very important administration, one of the most important in Bulgaria, in whose network there is no segmentation, there are no VLANs, everything is in one network. The computers, yes, there is XP there too, there is all sorts, and of course they have not been patched for a long time. This can be confusing, whether it is a matter of ignorance or of some specific purpose. I haven't written it in the presentation, but I will mention it. It turned out there was a bit more to it; of course this nonsense was closed quickly, but it turned out that right across the street, in the opposite building, an interesting company has its office: Russian Telecom. Russian Telecom, whose business is strange, because they actually operate a virtual mobile operator in Montenegro; somehow traffic is terminated in Bulgaria, although in Bulgaria, you know, we don't have virtual mobile operators, and in general they deal with very unclear things. But this network allowed a person to sit in a car on the street and hook up to it. The process was not particularly complicated, although it doesn't need to be very complicated, because we are talking about WPA, not even WPA2, or Enterprise, or WPA3, and then do whatever you want. The interesting thing was that some monitoring systems were being built in this organization, and they were accessible through a web interface without a password. Sometimes in Bulgaria we always wonder what the issue is: incompetence, lack of knowledge, sabotage, corruption. Usually it's a bit more or a bit less of each of these things.

And now let's move on to the specific examples of hacker attacks. I chose two hacker attacks that I have been dealing with over the past year. They are very sensitive things, so I will have to read as much as possible and tell them. Bulgarian Posts. We all know that Bulgarian Posts is an organization that we also have some sentiment towards; it also performs an important social function, at least in Bulgaria. But it can't be restructured and optimized that easily, because the unions say you can't lay off people, you can't close offices. In the end, Bulgarian Posts keeps offices in 2700 populated places. The closest network of physical offices, private or state, is Mevera. Repo-Uta has 306 populated places. This network is about 10 times bigger. In Bulgarian Posts there are 9000 computers and 13000 people; only part of it is visible, you can see it well in the graphics. And 2300 of them are still on XP Service Pack 3. Most of the infrastructure is centralized: virtual servers, there is backup, data centres and so on, but XP is still there. But some older servers, which had anti-virus software licences bought, even though they would have helped in this case, did not even have it installed.

What happened? A crypto attack was quite successful and managed to destroy absolutely everything in electronic form in Bulgarian Posts. All their systems, databases, mail, file servers, and not only in Sofia, wherever the networks are. The analysis showed that, I won't go into the details, because our prosecutor's office is still investigating; maybe in the next 10 years we can learn something. But it turned out that the network had actually been penetrated about two weeks before the attack itself. The moment of activating the crypto virus was chosen very well: the weekend before the distribution of the Easter pensions. This in itself wouldn't be a very strange fact if at that moment there hadn't been other crypto attacks and other attack attempts, which I will mention later. Of course, in the context of the war in Ukraine, in the context of the frequent attacks and so on, this cannot but be suspicious. In the end it turned out that people had downloaded various interesting tools and instruments and deployed them on various servers. I found out that these tools were written in Pascal, for those who know me; Pascal continues to be popular in Russia. Also, the crypto virus itself was a standard one, some kind of old crypto virus, boilerplate, slightly modified, which had interesting logic. It didn't start if the regional settings of the machine were in a list of countries, the list of the Commonwealth of Independent States, the countries of the former Soviet Union. So, basically there is a saying that if it looks like a duck, walks like a duck and quacks like a duck, it is probably a duck. I'm not saying it's a duck, it looks like that.

What happened during the attack? Actually, I learned about the attack when I was in the 8th district. What happened here? At that moment, services, DANS, the CERT centre, Peshvadov, etc. were involved. More interesting questions, however: it turns out that Bulgarian Posts at some point had been removed from the list of critical infrastructure sites. And in fact no one is responsible for them. They are not critical infrastructure. What a big deal Bulgarian Posts are. And in fact no one has jurisdiction over them. No one can do anything. Because if they are in the law and Bulgarian Posts are on the list, they can issue mandatory orders. If they are not, they can't. So it turns out that this is how our regulatory order works. Until 6:00 p.m., when the Bulgarian Posts leadership finally heard what was being said to them, to stop access to the internet and the servers. During this time, the backup, which was alive and well for 9 pages, was also encrypted. So, 6 hours of monitoring: what will happen if we stop them, what are the consequences, everything is on paper. The paper has a useful side, because Bulgarian Posts, not by chance, until today have employees who write in their notebooks, in any case. To be honest, many of the things in their life were restored from the paper, as processes. Not all the databases were lost, because it turned out that some of the systems work in a hybrid mode, that is, third-party cloud software for service systems, especially those for logistics, for international transactions, etc., which have a local database; that is, this saved at least the international transactions.

And as an anecdote, right at that moment I ordered something from abroad by courier, a very expensive one, and my wife ordered the same thing by Bulgarian Posts. A month later the courier parcel had not arrived yet, while Bulgarian Posts, in the heat of the whole mess, brought it from England in three days. I don't know how this happened, I still don't have the answer. Wonders happen. By the way, the pictures, I don't know if you can see them very well: this is the front of Central Post, and this is the back of Central Post, the second picture, from where you enter the service areas, and by the way, you enter and... Aha, aha, don't move your fingers. I went in there and walked around before anyone asked me what I was doing there. The more interesting thing is that actually, at least in the first two or three months, no one was proactively asking for a ransom. Of course, when there is a crypto attack, the screens of the servers are always replaced with a screen with some text that says "Send us bitcoins at this address and we will send you a key". You know that only about 105% of people actually pay and get a key, and more than 3-4% of those who have suffered are crying, so the percentage is actually very low. There were calls from experts and specialists about why the state doesn't pay and so on. There were all sorts of doubts. So, about Bulgarian Posts.

But at the same time two more crypto attacks happened. One was against KEVR. What a surprise. Because KEVR in the end has a lot of trouble with electricity, gas, etc. And one against the refugee agency, which at that time had to carry out a huge campaign for the registration of Ukrainian refugees for temporary protection. Since they had to obtain their status, persons under temporary protection, persons displaced from Ukraine during the war, they had to be registered. If they weren't registered, we can't help them, we can't stop them. At the end of the day, Bulgaria was the first country in Europe that managed to achieve 100% registration. For this purpose the system of the Agency for Refugees was used, which was written 20 years ago by Kaka Rada, a woman who will retire next year, but she is a good programmer, and her colleagues, and in the end this system continues to be alive and working. It works in an air-gapped network, and in fact the crypto attack against the Agency for Refugees hit, of course, the administration: the operating system, the mail server, the file servers and so on. It was successful, but they could not get to the backups. The difference from Bulgarian Posts is that the IT, although much younger and inexperienced, at least obedient, took 15 minutes to pull the technical switch. Why pull the switch? Because when you don't have other tools for reaction, it's best to pull the switch. Not that it always helps, it doesn't help 6 times, but it's better. In the end, the registration system was not affected. Besides, the registration system contains a lot of sensitive information: personal data, especially of refugees who are fleeing from war, health information, family ties, very delicate things that are dangerous for the safety of these people. So, thank God, there was no problem there. On the one hand because, by design, things were done properly, first because of the registration system and second because of the rapid response.

The difference was that if we had lost this registration database, a humanitarian crisis would have occurred. Bulgarian Posts, if they hadn't managed to restore the work of the pension distribution, would also have created a humanitarian crisis for Bulgarian pensioners. People may not appreciate this: what are seen as insignificant or peripheral systems can lead to purely human tragedies. Someone has nothing to eat, can't pay the bill; at first glance it doesn't look like a big deal, they will be helped by some friends. Yes, but if you are a pensioner in the village of Sorleo and you expect the postman to bring you the pension, because Bulgarian Posts carried the pensions by hand during COVID-19 to 600,000 Bulgarian pensioners. I can't imagine them as postmen, with the cash bag, how they walk around the village and distribute it, but this has happened. In the same way, when it comes to mothers with children who have come from the war and who, contrary to the propaganda about how many jeeps and, what do you call them, there are of course 40 million, there are a certain number of rich people, but most of the people were people in need, people who have nothing left of their homes. And if these people remain without shelter and food with their children, what do we do? A humanitarian crisis.

I can mention many other misdeeds that I have observed and that we have tried to correct. I don't know exactly what Bozhidar will present, but we initiated some successful measures, which I can't go into in detail at the moment, which are being implemented and which raised the security of the critical administrations in the last year, because they are related to protection against DDoS attacks, and not with Cloudflare by domain name; we are talking about true DDoS protection with scrubbing centres, service abroad, management through BGP and so on. Also in terms of systems that protect the admins, that is, so that the administrative access of the admins can be controlled, because in the end, who is guarding the police? And why did I direct the presentation in this direction? Because here in the hall there are a lot of people who deal with cybersecurity, but I don't know how many of you have this experience with the human factor, because in the private sector the human factor exists too, it is a problem, but it is not as dramatically expressed as in the public sector. And my advice is to light a red lamp for you, and next time you think about security architecture or information security measures, simply not to underestimate the human factor, not to underestimate the useful idiots, not to underestimate the simple idiots, not to underestimate the disinterest and the ignorance of people. Because whatever you do as technology, in the end someone writes the data on the monitor or launches a Wi-Fi access point and plugs it into the air-gapped network. I wish you a good weekend and good luck.
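A defender-side check for the practice the talk describes, domain administrator passwords kept in the Active Directory description attribute that any authenticated user can read. This is an added example, not code from the talk or from any organization mentioned in it: it parses a constructed LDIF export (the shape `ldapsearch` or `ldifde` would produce; every DN, account name and value below is made up) and flags descriptions that look like credentials, rating members of Domain Admins as critical.

```python
"""Audit an AD export for passwords stored in the 'description' attribute.
Heuristic only: a hit means 'a human should look', not 'this is a password'."""
import re
from typing import Dict, List

# Constructed LDIF sample: no real domain, users or passwords.
SAMPLE_LDIF = """\
dn: CN=svc_backup,OU=Admins,DC=example,DC=local
sAMAccountName: svc_backup
memberOf: CN=Domain Admins,CN=Users,DC=example,DC=local
description: pw: Xk9#mQ2!vL7pRt

dn: CN=jdoe,OU=Staff,DC=example,DC=local
sAMAccountName: jdoe
description: Accounting department, 2nd floor

dn: CN=da_ivanov,OU=Admins,DC=example,DC=local
sAMAccountName: da_ivanov
memberOf: CN=Domain Admins,CN=Users,DC=example,DC=local
description: Temp password Summer2022! - change after first login

dn: CN=printer01,OU=Devices,DC=example,DC=local
sAMAccountName: printer01$
description: HP LaserJet, room 114
"""

# Words that usually introduce a stored credential (English and Bulgarian).
CRED_HINT = re.compile(r"\b(pass(word|wd)?|pw|pwd|parola|парола|secret|pin)\b", re.I)
# A whitespace-free token of 8+ chars that mixes letters with digits or symbols.
COMPLEX_TOKEN = re.compile(r"(?=\S*[A-Za-z])(?=\S*[\d!@#$%^&*?_\-])\S{8,}")


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Turn an LDIF dump into a list of {attribute: [values]} entries."""
    entries, current = [], {}
    for raw in text.splitlines():
        if not raw.strip():            # a blank line terminates an entry
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = raw.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def looks_like_credential(description: str) -> bool:
    """True if the text names a password or contains a complex token."""
    if CRED_HINT.search(description):
        return True
    return any(COMPLEX_TOKEN.fullmatch(tok) for tok in description.split())


def audit(ldif_text: str) -> List[Dict[str, str]]:
    """Return flagged accounts, ordered as they appear in the export."""
    findings = []
    for entry in parse_ldif(ldif_text):
        desc = " ".join(entry.get("description", []))
        if not desc or not looks_like_credential(desc):
            continue
        privileged = any("Domain Admins" in g for g in entry.get("memberOf", []))
        findings.append({
            "account": entry.get("sAMAccountName", ["?"])[0],
            "severity": "critical" if privileged else "high",
            "description": desc,
        })
    return findings


if __name__ == "__main__":
    # For each hit: rotate the password, then clear the attribute
    # (e.g. Set-ADUser -Identity <name> -Clear description) and check
    # whether the same value was reused on other accounts or services.
    for f in audit(SAMPLE_LDIF):
        print(f"[{f['severity']}] {f['account']}: {f['description']!r}")
```

The same audit is worth scheduling, because the talk's point is that the practice returns: a description cleaned today is refilled by the next convenient admin.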