Last weekend, several websites - most notably those of the Presidency and the Ministry of Defense - sustained a massive DDoS attack, later attributed to the government-linked Russian hacker group that goes by the name of KillNet.
The attack does not appear to have had a substantial impact, apart from slowing down access to the institutions' websites for some hours, but it might be interpreted as another attempt by the Kremlin to poke NATO's flank precisely where it is most vulnerable. Given the precarious state of Bulgarian politics at the moment, with no stable government in sight and a tough winter ahead, these sorts of attacks might intensify, experts claim, and even get more dangerous.
What was it all about?
The first information about an ongoing attack came from the press secretariat of the Presidency on Saturday morning, and later the Ministry of e-Government confirmed that there had been an attack. It had started at the beginning of the day and teams of the ministry, the Ministry of Interior, the State Agency for Information Services, as well as the IT teams of the state administrations had started working on it urgently. Shortly before 4 pm, all institutional websites were working normally.
At no point was there an attack on the content of the site, only a hindrance to accessing it, the Presidency said. This is typical for a so-called distributed denial-of-service (DDoS) attack, which consists of generating so much traffic that it blocks a site. "The cybersecurity system responded, defenses worked, and difficulty in accessing the attacked sites was minimal. No information or data was attacked or compromised," the Deputy Prosecutor General Borislav Sarafov said.
Who did it?
At a briefing in front of journalists, Prosecutor General Ivan Geshev announced that the attack came from the Russian city of Magnitogorsk. He described it as a problem for national security. While the attack was still ongoing, Russian hacking group KillNet, which is based in the city in the Urals, took responsibility for the attack on its official "Telegram" channel, specifying that they had also hit the websites of a number of ministries.
The attackers did not specify why exactly they targeted these institutional websites or what their purpose was. KillNet is a motley group of hackers identifying as pro-Kremlin patriots attacking European governments, infrastructure and even the organizers of the Eurovision song contest (after Russia was kicked out of the latest edition following its invasion of Ukraine).
Cybersecurity experts describe the group as creating more of a nuisance than a threat, as Politico Europe reported a month ago. Rather, its members are noisy agitators and disinformers, especially if they manage to block access to certain sites. Also described as a "hacktivist" group, KillNet has said it wants to cooperate with authorities in Russia, but there is no indication that the state or its officials have direct control over its activities.
More likely to come
While there is little evidence that the Kremlin itself was involved in the attack, it caused reverberations within Bulgaria's ruling circles - and many experts believe it's unlikely to be the last. On Sunday Defense Minister Dimitar Stoyanov said that, in his opinion, the reason for the attack was the alleged "Bulgarian link" in the Kerch Strait bridge attack.
In the same interview, Stoyanov once again reiterated his long-held position that Bulgaria has no adequate weapons to donate to Ukraine. The topic of sending military aid to Ukraine, which resurfaced last week as Democratic Bulgaria promised to immediately file a bill to that effect when it enters parliament, might ignite further attacks, former minister of e-Governance Bozhidar Bozhanov told bTV on Monday.
"We can expect another hacker attack on the websites of state institutions, most likely related to the debate on whether the National Assembly should take a decision on giving weapons to Ukraine," he said. Mr Bozhanov added that the weekend attack indeed looked much more like a test than a full-fledged attempt to cripple certain institutions, as was the case with the springtime attack on the servers of the Bulgarian Postal service. "Saturday morning is not a time when this type of attack is done, so we can expect another attack," Mr Bozhanov said.
"In recent months, we have raised the base level of protection [of our e-government]. There is never 100 percent certainty, but the level continues to rise and I think it will be quite difficult in the short term for assailants to achieve significant breakthroughs," Bozhanov stressed.
Yet it should not come as a surprise if they try, and next time they might not be restricted to the digital space. Bulgaria is in the most difficult spot it has been in for years, with mounting inflation, rising energy prices and a stymied political process. The traditionally weak link in NATO's Southeastern flank has rarely been a better target - and if Russia indeed tries to escalate the war in the coming months, this might cause more hybrid problems for the country.