The Bulgarian police are investigating last week’s attack on the country’s tax systems. The suspect — who’s already in custody — is a member of the same hacking group that carried out the country’s most significant data breach in history.
Police said that one senior officer in the cybersecurity firm Tad Group had been taken into custody after the authorities searched the office of the organization and seized their computers.
“One senior manager has been taken in for questioning. He is being detained for 24 hours,” an interior ministry spokeswoman said. The official did not identify the man in custody, but she said that the police had done a thorough search of Tad Group’s offices last Tuesday.
One of Tad Group’s employee was earlier arrested under the suspicion of his participation in the cyberattack. The man, Kristian Boykov, is the only person, so far, charged concerning the data breach that has compromised the data of almost all Bulgarian adults. Boykov is now released from custody but is ordered to remain in the country as he awaits his trial.
The investigators and prosecutors believe that Boykov did not act alone, and they are now searching for his co-conspirators who possibly instigate the attack to the nation’s tax system. Boykov is accused as the man who posed as a Russian hacker and sent emails to members of the local media — offering stolen tax documents. The investigators also added that they had acquired sufficient evidence to believe that the attack originated locally, amidst what the attackers purport to be.
A week ago, the Bulgarian National Revenue Agency (NRA), a department of the Bulgarian Ministry of Finance, has been infiltrated by a threat actor, compromising the data of more than 70% of its population. The attackers sent 11 gigabytes of files to local media, which they claimed to be stolen from the NRA — affecting five million individuals. As context, Bulgaria currently has a population of around seven million.
The hackers sent 56 databases to the media in CSV file but bragged about stealing 110 databases in total, with the threat to release the rest in the coming days.
All in all, including the unsent databases, the hackers allegedly stole 21 gigabytes of data, which includes information such as names, personal identification numbers (PINs), home addresses, and financial earnings. While most of the database entries were old — dating back to 2007 — latest entries were also discovered to be inside the leaked databases.
Aside from information directly stolen from the NRA, the hackers were able to steal documents that were downloaded by the NRA from other government agencies including information extracted from the Department Civil Registration and Administrative Services (GRAO), a database that is described to be similar to “the Social Security Number (or similar) identification in other countries.”
“They are in CSV format and apparently are exported from databases – columns are named with code numbers or short explanations. Therefore, without decryption, there is no way to know what is behind them. However, there are indications of what’s inside.”
Officials confirmed that the hackers successfully compromised at least 3% of the databases stored in the NRA’s system.
As part of their MO, the hackers contacted Bulgarian news outlets with a quote from WikiLeaks founder Julian Assange, which translates from Bulgaria to “Your government is stupid. Your cybersecurity is a parody.”
Until now, the motive behind the attack that has shocked the entire nation of Bulgaria remains a puzzle, as none of the arrested suspects are cooperating with the police.
Because of the incident, the National Revenue Agency is facing a fine of up to €20mil (RM91.7mil). Furthermore, local politicians have been calling for the resignation of officials from the NRA, citing that they failed to protect people’s data.
Rightly after the news broke out in Bulgaria, many opposition politicians have called for the resignation of Finance Minister Vladislav Goranov.
“The job of the Minister of Finance is not just to be an accountant of the state but to prioritize sectors where there is an urgent need for important reforms,” reads the media position of Democratic Bulgaria, the political opposition in the country.
“Mr. Goranov actively blocks a number of such reforms, including e-government and cybersecurity […] it is time for Minister Goranov to bear political responsibility and to resign because of the risks his subordinate structures have left for thousands of citizens and their businesses to be exposed.”