Attack on Montenegro Further Evidence of Nation-State and Cybercriminal Crossover

A reported cyberattack against Montenegro has prompted the US to send a rapid-deployment team from the FBI to investigate what the country's Ministry of Internal Affairs has characterized as a coordinated attack on the Balkan nation's key infrastructure, according to the AP.

The attacks targeted Montenegro's government websites, including those of the ministries of defense, finance and the interior, according to the reports; Montenegro's Agency for National Security has accused Russia of coordinating them. The attacks employed both ransomware and distributed denial-of-service (DDoS) techniques.

“Our allies from NATO are helping us overcome the most serious challenge that Montenegro has faced in cyberspace,” Maras Dukaj, the country’s minister of public administration, said on Twitter.

It should shock no one that Montenegro has, in all likelihood, been targeted by Russian cybercrime gangs, given the recent attacks not only on critical infrastructure providers in the UK, Greece and Luxembourg but also on the governments of Costa Rica and Taiwan. In Greece last week, the country's largest natural gas provider came under attack from the Ragnar Locker ransomware gang.

In the case of Costa Rica, the President declared war on the ransomware gangs and refused to meet their extortion demands. In Taiwan, a massive DDoS attack surfaced: DDoS is a fast, go-to tool for quick results and a normal ingredient that can accompany more serious, better-resourced attacks. Cyber terrorists and extortion gangs are hitting these countries and critical infrastructure operators because they deem them vulnerable.

Given the reckless attacks on Montenegro, all nations should be on high alert regardless of how close they are geographically or politically to the Ukrainian-Russian conflict. Why else would the FBI rush a team of cybersecurity experts to Montenegro if there were not a clear indication of Russian involvement? The repercussions could be felt in the U.S. and other regions as well.

In general, state-ignored criminal organizations such as Conti, REvil, LockBit and Cl0p, among many others, are privateers, but in a time of war there is no such thing as plausible deniability. A warning to the ransomware gangs and their ilk: watch whom you target in your pursuit of cash. Some of those targets have more power than you think.

To protect against DDoS and ransomware attacks, public and private sector organizations alike should prepare in peacetime: ensure redundancy in network connectivity and have mitigation strategies ready. Don't prepare only for volumetric attacks (there are more kinds of DDoS than simple floods; protocol and application-layer attacks exhaust connection state or server resources with far less bandwidth). Practice good security hygiene too, and regularly update and patch operating systems and other software.

Also conduct periodic tabletop exercises and drills that include people beyond the security team, all the way to the executive suite. Organizations should ensure clear isolation practices (network segmentation) are in place to stop ingress on the network and the spread of ransomware, and should evaluate locking down critical accounts where possible.

The path attackers often take in propagating ransomware across a network is to escalate privileges to domain-admin level and then deploy the ransomware from there.
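The escalation step above leaves a reliable trace: a member being added to a privileged Active Directory group, which Windows records as Security event 4728 (global group), 4732 (local group) or 4756 (universal group). The following detector, an added example rather than code from the original post or from Cybereason, runs over constructed newline-delimited JSON events that use the field names from the Windows event XML (EventID, TimeCreated, Computer, SubjectUserName, TargetUserName, MemberName). The privileged-group list and the 30-minute burst window are assumptions to be tuned to the environment.

```python
"""Flag additions to privileged AD groups in Windows Security events.

Added example, not code from the original post or from Cybereason. Assumes
one JSON object per line using the Windows event XML field names; the sample
records below are constructed for this example.
"""
import json
from datetime import datetime, timedelta

# "A member was added to a security-enabled ... group" event IDs.
GROUP_ADD_EVENTS = {
    4728: "global",     # e.g. Domain Admins
    4732: "local",      # e.g. BUILTIN\Administrators, also local groups on workstations
    4756: "universal",  # e.g. Enterprise Admins, Schema Admins
}

# Groups that should only change under a change ticket (assumption: adjust to
# whatever the organisation treats as Tier 0).
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Administrators", "Account Operators", "Backup Operators",
}

# Constructed sample log: one JSON record per line.
SAMPLE_EVENTS = r"""
{"EventID": 4624, "TimeCreated": "2022-08-26T02:10:00Z", "Computer": "DC01", "SubjectUserName": "-", "TargetUserName": "jdoe"}
{"EventID": 4732, "TimeCreated": "2022-08-26T02:12:30Z", "Computer": "WS042", "SubjectUserName": "helpdesk1", "TargetUserName": "Remote Desktop Users", "MemberName": "CN=tsmith,OU=Users,DC=corp,DC=local"}
{"EventID": 4728, "TimeCreated": "2022-08-26T02:14:07Z", "Computer": "DC01", "SubjectUserName": "jdoe", "TargetUserName": "Domain Admins", "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=local"}
{"EventID": 4756, "TimeCreated": "2022-08-26T02:15:41Z", "Computer": "DC01", "SubjectUserName": "jdoe", "TargetUserName": "Enterprise Admins", "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=local"}
{"EventID": 4732, "TimeCreated": "2022-08-26T09:00:00Z", "Computer": "DC01", "SubjectUserName": "adm-maria", "TargetUserName": "Backup Operators", "MemberName": "CN=bkp02,OU=Service,DC=corp,DC=local"}
"""


def parse_events(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def privileged_group_adds(events):
    """Return the group-add events whose target group is privileged."""
    hits = []
    for ev in events:
        if ev.get("EventID") in GROUP_ADD_EVENTS and ev.get("TargetUserName") in PRIVILEGED_GROUPS:
            hits.append({
                "time": datetime.fromisoformat(ev["TimeCreated"].replace("Z", "+00:00")),
                "actor": ev["SubjectUserName"],
                "group": ev["TargetUserName"],
                "member": ev["MemberName"],
                "scope": GROUP_ADD_EVENTS[ev["EventID"]],
                "host": ev["Computer"],
            })
    return hits


def escalation_bursts(hits, window=timedelta(minutes=30), min_groups=2):
    """Map actor -> sorted list of privileged groups for actors who modified at
    least `min_groups` distinct privileged groups within `window`. A single
    change may be routine admin work; several in quick succession is the
    pattern seen before ransomware is pushed out."""
    by_actor = {}
    for h in sorted(hits, key=lambda h: h["time"]):
        by_actor.setdefault(h["actor"], []).append(h)
    bursts = {}
    for actor, seq in by_actor.items():
        for i, first in enumerate(seq):
            groups = {h["group"] for h in seq[i:] if h["time"] - first["time"] <= window}
            if len(groups) >= min_groups:
                bursts[actor] = sorted(groups)
                break
    return bursts


if __name__ == "__main__":
    hits = privileged_group_adds(parse_events(SAMPLE_EVENTS))
    for h in hits:
        print(f"{h['time']:%H:%M:%S} {h['actor']} added {h['member']} to "
              f"{h['group']} ({h['scope']} group) on {h['host']}")
    for actor, groups in escalation_bursts(hits).items():
        print(f"ALERT: {actor} modified {len(groups)} privileged groups within 30 min: {groups}")
```

Every privileged-group addition is worth a ticket on its own; the burst rule exists so that the case that matters most (one account seeding a service principal into Domain Admins and Enterprise Admins minutes apart, in the sample at 02:14 and 02:15) is raised as a single high-severity alert rather than two routine notifications.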

Cybereason is dedicated to teaming with defenders to end attacks on the endpoint, across the enterprise, to everywhere the battle is taking place. Learn more about Cybereason AI-driven XDR here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

Sam Curry
About the Author

Sam Curry is CSO at Cybereason and is a Visiting Fellow at the National Security Institute. Previously, Sam was CTO and CISO for Arbor Networks (NetScout) and was CSO and SVP R&D at MicroStrategy in addition to holding senior security roles at McAfee and CA. He spent 7 years at RSA, the Security Division of EMC as Chief Technologist and SVP of Product. Sam also has over 20 patents in security from his time as a security architect, has been a leader in two successful startups and is a board member of the Cybersecurity Coalition, of SSH Communications and of Sequitur Labs.