PODGORICA – At the government headquarters in NATO-member Montenegro, the computers are unplugged, the internet is switched off and the state's main websites are down. The blackout comes amid a massive cyberattack against the small Balkan state which officials say bears the hallmark of pro-Russian hackers and its security services.
The coordinated attack that started around Aug. 20 crippled online government information platforms and put Montenegro's essential infrastructure, including banking, water and electricity power systems, at high risk.
The attack, described by experts as unprecedented in its intensity and the longest in the tiny nation’s recent history, capped a string of cyberattacks since Russia invaded Ukraine in which hackers targeted Montenegro and other European nations, most of them NATO members.
Sitting at his desk in Montenegro’s capital, Podgorica, in front of a blackened PC screen, Defense Minister Rasko Konjevic said government officials were advised by cyber experts, including a team of FBI investigators that was dispatched to the Balkan state, to go offline for security reasons.
“We have been faced with serious challenges related to the cyberattack for about 20 days, and the entire state system, the system of state administration, and the system of services to citizens are functioning at a rather restrictive level,” Konjevic told The Associated Press.
He said experts from several countries are trying to help restore the Montenegro government's computer system and find proof of who is behind the attack.
Montenegro officials said the attack that crippled the government’s digital infrastructure was likely carried out by a Russian-speaking ransomware gang that generally operates without Kremlin interference as long as it doesn’t target Russian allies. The gang, called Cuba ransomware, claimed responsibility for at least part of the Montenegro cyberattack, in which it created a special virus for the attack called Zerodate.
Montenegro’s Agency for National Security blamed the attack squarely on Russia.
Russia has a strong motive for such an attack because Montenegro, which it once considered a strong ally, joined NATO in 2017 despite the Kremlin's opposition. It has also joined Western sanctions against Moscow over the Ukraine invasion, which led Moscow to brand Montenegro an “enemy state” along with several other countries that joined the embargo.
“In such attacks, there are usually organizations that are a mask for state intelligence services,” Konjevic said, adding that the defense ministry's NATO-related data is protected “in a special way” while the other possible leaks “are being investigated.”
The cyberattack comes amid an apparent attempt by Moscow to destabilize the Balkan region that was at war in the 1990s through the Kremlin's Balkan ally Serbia, and thus at least partly shift the world's attention from the war in Ukraine.
Montenegro, which split from much larger Serbia in 2006, is currently run by an interim government that has lost parliamentary support because of Prime Minister Dritan Abazovic ’s shady deals with the influential Serbian Orthodox Church without the consent of the whole coalition that supported the government.
Montengro's roughly 620,000 people are deeply split between those who want the country to restore its close ties to Serbia and Russia and those who want it to continue on its path of the European Union membership.
“A real war is being waged in Ukraine, with bombs, a war of conquest by Russia,” political analyst Zlatko Vujovic said. “Something similar is happening in Montenegro. There are no bombs, but there is a huge tension, a huge hybrid conflict in which the interests of Russia and its and Serbian intelligence services are interconnected.”
Other Eastern European states deemed enemies of Russia have also faced cyberattacks, mostly nuisance-level denial-of-service campaigns that render websites unreachable by flooding them with junk data but don’t damage them. Targets have included networks in Moldova, Slovenia, Bulgaria, North Macedonia and Albania.
Last week, Albania severed diplomatic relations with Iran and kicked out its diplomats after a cyberattack in July that it blamed on the Islamic Republic.
“Montenegro remains a target within both the public and private sector, as well as many other countries in that region," said Patrick Flynn, head of the advanced programs group at Trellix, a U.S.-based cybersecurity company. “We have observed a blend of historically based nation state actors and well-known ransomware groups."
“This recent focus on NATO member countries reinforces the need for hyper vigilance within key businesses as well as government (and) critical infrastructure cyber security environments,” he said in an email to the AP.
AP writer Predrag Milic contributed.