Poor cyber defense and delayed reaction to hacking have led to massive damage to Bulgarian Posts
Recovery of some services may take several more weeks; SANS wants the post offices designated a site of national security
There are several main reasons for the collapse of the Bulgarian Posts systems after the cyber attack. On the one hand, although the state-owned company's systems were modern in some respects, in others they were poorly protected against hacker attacks. On the other hand, the cybercriminals had access to the servers for far too long. Six hours passed between the beginning of their attack and the moment when the servers were turned off and the system's connection to the Internet was cut. During this time, the hackers had access to the entire database and were able to encrypt or even delete archives.
This became clear during a joint press conference of Deputy Prime Minister for Effective Governance Kalina Konstantinova, IT expert and advisor to Konstantinova's cabinet Vasil Velichkov, and SANS Chairman Plamen Tonchev. The latter highlighted another problem that indirectly helped the cyber attack against Bulgarian Posts - the fact that the company is not included in the list of strategic sites that are part of national security. Therefore, SANS could neither work preventively with it to prevent such situations nor intervene during the attack itself. In this regard, Tonchev called for the post offices to be included in this list, which is set by the Council of Ministers.
The restoration of the activities and services of Bulgarian Posts is already underway and some of them are working. For others, however, recovery will be delayed, Vasil Velichkov explained. He pointed out that among the restored services are the payment of pensions and international shipments. At the same time, however, it is still impossible to pay bills at post offices. The reason is that all computers in all branches will have to be reinstalled, to rule out any possibility that remnants of the malware used in the cyber attack remain on any of them. "Otherwise, we can return to the starting position in just one day," Velichkov said. He warned that for some of the 26 services of Bulgarian Posts, recovery may take 2-3 or even 5 weeks. He did not commit to a deadline.
From tomorrow the post offices will have new temporary management, said Kalina Konstantinova. The team is composed of young people with strong expertise in managing large companies with many employees and complex processes, with extensive international experience and experience in digitalization, including a focus on cybersecurity. It became clear from her words that the cyber attack was only one of the reasons why the executive director and the entire Board of Directors of the state company were dismissed.
From the words of Velichkov and Tonchev it also became clear that preparations for the cyber attack against "Bulgarian Posts" began well before its execution. The attack itself was detected on April 16, but after the initial analysis and examination of all traces, signs of penetration, malicious code and so on were found dating back to April 4, Velichkov explained. He added that the hackers had carefully scanned the entire network and all servers, and had installed additional tools to help the malicious code spread to as many parts of the infrastructure as possible. Tests were conducted on April 5 to see whether everything the hackers had planted worked. After that there was no activity on their part and no contact with the so-called command and control servers. This lasted until April 16. "That was expected to be a day off, and at the same time the payment of the pensioners' allowances for Easter was forthcoming. That is when the data encryption began. There is also a risk of data leakage throughout the process, for which there are no traces so far. The Commission for Personal Data Protection was immediately notified," Velichkov explained.
Plamen Tonchev, for his part, noted that SANS was officially notified of the cyber attack by Bulgarian Posts employees on April 16. The agency had this information 10-12 hours earlier and informed the post offices of it, but the company itself initially refused help on the grounds that it would handle the matter alone. After that, together with the Ministry of Electronic Government (MEU) and the Ministry of Interior, SANS took action to restore the main functions of Bulgarian Posts as soon as possible and to clarify the reasons that led to the incident. "The efforts of SANS employees are mainly aimed at reducing the negative effect on society and preventing the development of negative social processes," Tonchev said.
He also said that some of the reasons that led to the incident have already been identified, and they can be classified as external and internal. The external ones are the uncertain international environment with clear confrontational sentiments. Since the beginning of the escalation of the war in Ukraine, a large number of tools for cyber attacks have been made freely available on forums and platforms, along with instructions for their use. "They are being used and this will continue, both by supporters of both sides in the conflict and by criminal elements," said the chairman of SANS.
According to him, the internal reasons are the delays in introducing modern mechanisms for cybersecurity and monitoring in the infrastructure of Bulgarian Posts. Many deviations from good practices in the field of cybersecurity have been identified. The resulting environment has poor predictability and controllability of processes. All these shortcomings are delaying the recovery of the company's services.
Tonchev also said that there was data indicating cyber attacks on other state institutions in the country, but they were not successful. However, he could not provide more information.
There was a delayed reaction after the main part of the cyber attack began on April 16, Velichkov added. Six hours passed from the moment of the attack to the shutdown of the servers and their disconnection from the Internet. Because of this delay, the attackers were able to encrypt previously archived data. As a result, the so-called cryptovirus managed to cause very serious damage. Much of the data is likely to be irretrievably lost, Velichkov said.
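The two figures the article keeps returning to, the twelve days between initial penetration and encryption and the six hours between the start of encryption and isolation, are exactly what a response team reconstructs from audit logs after an incident like this one, and what an automated rule would have to shorten. The following example is an addition to this article, not code or data from Bulgarian Posts or SANS: it reads a constructed file-server audit log (the hosts, paths, addresses and timestamps are made up and are not indicators from the real incident), flags a burst of high-entropy file writes, which is how bulk encryption looks on disk, and computes dwell time, detection latency and time-to-contain. The field names (`login`, `file_write`, `netisolate`, `entropy=`) are assumptions about a log format, not a real product's schema.

```python
"""Ransomware burst detection and response-timeline metrics over a constructed
file-server audit log (added example; the log lines are made up and do not
come from the Bulgarian Posts incident)."""
import math
from collections import Counter, deque
from datetime import datetime

# Constructed sample audit log: "<ISO timestamp> <host> <event> key=value ..."
# The dates mirror the article's timeline (access April 4, test April 5,
# encryption April 16, isolation six hours later); everything else is invented.
SAMPLE_LOG = """\
2022-04-04T02:11:05 srv-fs02 login user=svc_backup src=203.0.113.7
2022-04-04T02:40:12 srv-fs02 process name=netscan.exe
2022-04-05T01:03:44 srv-fs02 process name=loader.exe
2022-04-05T01:05:10 srv-fs02 netconn dst=198.51.100.23:443
2022-04-10T09:15:00 srv-fs02 file_write path=/home/ops/report.docx entropy=5.12
2022-04-16T06:00:01 srv-fs02 file_write path=/archive/2021/q1.tar.crypt entropy=7.98
2022-04-16T06:00:02 srv-fs02 file_write path=/archive/2021/q2.tar.crypt entropy=7.97
2022-04-16T06:00:02 srv-fs02 file_write path=/archive/2021/q3.tar.crypt entropy=7.99
2022-04-16T06:00:03 srv-fs02 file_write path=/archive/2021/q4.tar.crypt entropy=7.96
2022-04-16T06:00:04 srv-fs02 file_write path=/archive/2022/q1.tar.crypt entropy=7.98
2022-04-16T06:00:05 srv-fs02 file_write path=/home/ops/notes.txt entropy=4.21
2022-04-16T06:00:06 srv-fs02 file_write path=/archive/2022/q2.tar.crypt entropy=7.95
2022-04-16T12:00:05 srv-fs02 netisolate action=disconnect
"""


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Encrypted or compressed content sits near 8.0;
    this is how an endpoint agent would produce the entropy= field above."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text: str) -> list:
    """Turn each line into {'ts': datetime, 'host': str, 'event': str, ...fields}."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, *fields = line.split()
        ev = {"ts": datetime.fromisoformat(ts), "host": host, "event": kind}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_encryption_burst(events, threshold=5, window_s=60, min_entropy=7.5):
    """Return the timestamp at which `threshold` high-entropy writes have landed
    on one host within `window_s` seconds, i.e. the earliest moment an
    automated rule could have triggered isolation. None if no burst occurs."""
    recent = {}  # host -> deque of timestamps of high-entropy writes
    for ev in events:
        if ev["event"] != "file_write" or float(ev.get("entropy", 0)) < min_entropy:
            continue
        window = recent.setdefault(ev["host"], deque())
        window.append(ev["ts"])
        while (ev["ts"] - window[0]).total_seconds() > window_s:
            window.popleft()
        if len(window) >= threshold:
            return ev["ts"]
    return None


def response_metrics(events, min_entropy=7.5):
    """Dwell time, detection latency, time-to-contain and blast radius."""
    first_access = next(e["ts"] for e in events if e["event"] == "login")
    enc_writes = [e for e in events
                  if e["event"] == "file_write" and float(e.get("entropy", 0)) >= min_entropy]
    encryption_start = enc_writes[0]["ts"]
    isolated_at = next((e["ts"] for e in events if e["event"] == "netisolate"), None)
    alert_at = detect_encryption_burst(events, min_entropy=min_entropy)
    before_isolation = sum(1 for e in enc_writes if isolated_at is None or e["ts"] < isolated_at)
    return {
        "dwell": encryption_start - first_access,
        "detection_latency": alert_at - encryption_start if alert_at else None,
        "time_to_contain": isolated_at - encryption_start if isolated_at else None,
        "encrypted_before_isolation": before_isolation,
    }


if __name__ == "__main__":
    for key, value in response_metrics(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the constructed log the burst rule fires three seconds after the first encrypted archive is written, while the manual disconnect comes six hours later; the gap between those two numbers is the damage window the article describes. The sample benign writes (a report and a notes file with entropy around 4-5 bits per byte) show why the rule keys on entropy and rate together rather than on file activity alone.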
The expert denied the information circulating among the public that the hackers had demanded a ransom in order to restore the systems and return control of the digital infrastructure of Bulgarian Posts. He also stressed that even if one were requested, the government "will not negotiate with terrorists". He further explained that paying ransoms to hackers largely does not lead to the recovery of the attacked systems. According to statistics for last year, 36% of organizations affected by cryptoviruses agreed to pay a ransom, which means thousands worldwide. But only 8% of those who paid received a key to recover their data. And in half of these cases, the key did not work.
Velichkov also explained that the cyber attack is very likely linked to Russia. According to him, there is very likely a Russian connection in the cyber attack, although this is not 100% certain. He explained that the malware has an automatic lock so that it does not run if it lands on systems in the Russian Federation or the former Soviet republics. Also, all the tools used to bypass anti-virus protection and to penetrate servers, which were installed after the initial breach of the systems of "Bulgarian Posts", were developed and compiled with very old development software, 99% of whose users today are concentrated in the Russian Federation. However, Velichkov stressed that this by no means implies that Russian services are necessarily involved in the hacker attack. But comparing this data with the information exchanged with partner countries and their services, things point in that direction. The expert added that in the last two months there have been similar cyber attacks on Greek and Dutch post offices, as well as on other organizations. Also, the attacks are timed for moments that will cause the maximum public response. The modus operandi is the same, and all this suggests a Russian connection.
The rehabilitation, modernization and development of Bulgarian Posts has been a priority of the current government since the very beginning, said Kalina Konstantinova. In this regard, a draft of the Recovery and Sustainability Plan for a little over BGN 101 million has been prepared and has already been approved. A little over BGN 68 million of this, or two thirds, is planned for digital transformation, including cyber defense, the Deputy Prime Minister added.
She also noted that before the current government, no one had included Bulgarian Posts in the Recovery Plan. "The company is an invaluable state asset and in many places is the only face of the state for the people. Everywhere in developed countries and economies, such a state network and built infrastructure is a wealth that is used and developed, not ruined and destroyed, which is what happened here, deliberately," said Konstantinova.
According to her, the company receives state funding of BGN 80 million for its main activities - payment of pensions, the universal postal service and distribution of stamps. However, it is a commercial company and also provides market services, namely courier services. Despite its huge network of 2,973 offices in over 2,300 settlements and 9,000 employees, the market share of Bulgarian Posts in courier services is below 2%, although this market is growing by 30% per year. At the same time, Bulgarian Posts has a branch network 6 times larger than the leader in this segment, Konstantinova added.
Asked by a journalist how she would comment on the fact that the courier company connected with the Minister of Transport and Communications Nikolay Sabev has extended its working hours and increased its activity against the background of the cyber attack on Bulgarian Posts, the Deputy Prime Minister said that making such connections is ridiculous. Moreover, in courier services the market share of Bulgarian Posts is below 2%, which is within the margin of statistical error.