Bulgaria will seek extradition of the alleged perpetrator of the hacking attacks on institutions' websites

One of the perpetrators of the hacker attack on the websites of institutions, media, telecommunications companies, airports and banks in Bulgaria, which was carried out on October 15, 2022, has been identified. According to the Head of the National Investigation Service, Borislav Sarafov, an attempt was made to block access to more than 10 websites, and the hit was more than six times more massive than known DDoS attacks to date.

Russian hackers attacked the websites of Bulgarian institutions, media and companies

The perpetrator is from Russia, based in the territory of the Russian Federation and the investigators know all the data about him - names, address, location. It is not yet clear exactly how many of his accomplices are, but it should be borne in mind that on October 15, at about 8:30 in the morning, when the attack started, it affected more than 1 million and 800 thousand computers, simultaneously sending requests for access to the attacked sites in the country.

In this type of attack, traffic usually jumps up to 6 gigabits per second. At the time of the attack in Bulgaria, there were moments when traffic jumped up to 40 gigabits per second, which is more than 6.6 times more. In recent months, the KILLNET group has carried out similar hacking attacks on countries such as the Czech Republic, the United States, Romania, Italy, Moldova, and Japan, and investigators from these countries will be sharing information to reach each of the hackers.

The hacking attack on Bulgaria began shortly after 8:30 a.m. and several sites with traffic between 6 and 8 gigabits per second were initially attacked, but the result was only a minor delay in loading. Cybersecurity systems detected the attack, but KILLNET were also activated and boosted traffic to 20 gigabits per second. This briefly managed to block access to several institutional sites around noon, but within minutes normal operation was restored.

At this point, however, the hackers' attack was monitored by cybercrime investigators at the Chief Directorate for Combatting Organised Crime (CDCOC), State Agency for National Security (SANS) and the National Investigation Service. They found that it came from the Russian city of Magnitogorsk, even the specific device used to coordinate the submission of the addresses of the sites to which the traffic was being directed. It went up to 40 gigabits per second at peak times.

"In the course of the investigation, which, as you said, is literally within hours, we have also identified one of the individuals involved in this attack with his full name, details and address," said Borislav Sapafov, deputy director of the National Investigation Service and deputy Chief Prosecutor.

From the data gathered so far, criminal proceedings are likely to be initiated and Bulgaria will seek the suspect's extradition from the Russian Federation.

"If we do not get cooperation from the Russian authorities, we will bring charges in absentia and bring the person to court in absentia," Sarafov said.

The person was found to be part of the KILLNET coordinating group, which was formed in February, days before the war in Ukraine began.

"The KILLNET group itself is made up of quite a large number of individuals. Several dozen, even over a hundred individuals. How many of them are involved in this particular attack, we are yet to find out," Borislav Sarafov said.

In recent months, KILLNET has carried out similar attacks in Japan, the Czech Republic, the United States, Romania, Moldova, Norway, Lithuania, Latvia. Investigators in these countries will share information to get to everyone involved.

"If we have identified one person, our colleagues in the Czech Republic may have identified another, and in fact we can all together identify the full range of individuals involved in this attack. They would be charged under our law and our case," the chief of the investigation service explained.

According to several intelligence sources, KILLNET allegedly was also behind the attempt to block the Eurovision website during the performance of the Ukrainian group that won the contest. It has been reported that the attack was then coordinated by the son of a senior Kremlin administration official. The Eurovision website withstood the extra traffic of about 20 gigabits per second, without collapsing, as did most of the sites attacked in the country yesterday.

"The attack was superficial. It only affects the login and access to certain websites of certain institutions, but it does not affect in depth the information that is in these institutions. No data has been leaked, no malware has been used to block the content of the information. I.e., only the access to the websites of certain institutions in Bulgaria was hindered," Borislav Sarafov said.

After 19 hours, the attack gradually stopped and investigators detected that the activity of the devices based in Magnitogorsk also significantly decreased.

The efforts of the services of the affected countries to identify all of them and collect evidence may lead to their tracing through Interpol. This would block the ability of these people to leave Russia, as they could be detained in any country outside it.

Чуйте последните новини, където и да сте!
Последвайте ни във Facebook и Instagram
Следете и канала на БНТ в YouTube
Вече може да ни гледате и в TikTok
Намерете ни в Google News