The tale of a nation that got 5 million people hacked in the middle of 2019

Georgi Spasov
23 Jul 2019
data

Every July in Bulgaria hides its own secrets. Last year, there was a major operation against child molesters and this year… Well, this year was marked by the marvelous deeds of some people (and the lack of security built into the applications that got cracked, but more of that below).

July was a fruitful month. Several hacking stories made the first pages in just a couple of weeks. And since I hate spreading rumors and I started hating pointing my finger at people for no particular reason, here is a short summary of what happened:

Firstly, a ‘hacker’ from Stara Zagora published a video that was shared in the Bulgarian developers’ community (well, mainly in Facebook that is). He pointed out that he might have gotten access to the personal data of some citizens from his home town. There was also a POC GitHub repository, containing a Node application that generated valid personal identification numbers (or EGN), then the app fired those EGNs to the backend of the Stara Zagora municipality service that handled child subscriptions to kindergartens and schools. By making a crafted query, a person could be able to obtain personal data of approx 235000 people.

Petko Petkov's public facebook profile

The photo is taken from Petko Petkov's public facebook profile

Since pointing out the evident was basically a crime, according to the Prosecutors office, he got locked away by the local police department for 24hrs and set free after. The Prosecutors Office started working on building evidence against unknown perpetrator that ‘illegally’ (mind the quotes) gained access to personal data — a computer crime according to Article 319a of the Bulgarian Penal Code, but finally dropped the case.

Next, just two weeks after the previous ‘incident’, in mid-July we had a case of an unknown perpetrator that sent and email from the Russian platform Yandex to several Bulgarian mass-medias. The email stated that the cyber security state of Bulgaria is laughable, and it contained a link to the anonymous file sharing platform, that lead to a .zip file, containing over 11GB of Bularian citizens’ personal data.

Investigators held responsive a 20-year old teenager that supposedly stole the information from several National Revenue Agency databases. Officials demanded that the stolen data was returned in one piece (they did not get the concept of ‘stealing’).

So, this, 20-year old ‘hacked’ his way into the database by using an SQL-injection — or at least that’s what was circulating in the media recently.

Alleged Hacker

The teenager that ‘hacks’ — according to mass media — photo from btv.bg

Fortunately, he’s sound and safe, working from home, after a wee less than 72hrs behind bars. His personal laptops and his work laptop were seized, and later it was found out that they are encrypted. Aaaand that’s it, no harm done. The Revenue Agency stated that the data of 5 MILLION PEOPLE WAS NOT A PART OF THEIR CRITICAL INFRASTRUCTURE (well then, if the personal data of 5 million is not critical enough…). And the boy was set free. Of course, the teenager and his employer mind their own business, and refuse to share data on the case with government officials, referring to ISO 27001, stressing the fact that they hold crucially important information about their contractors and partners.

The leaked data includes personal information such as identification numbers (those EGNs we were talking about just above), names, addresses, tax and revenue data, parking tickets and penalties… Well the last two are off the list, but you get the idea. Any smart enough criminal could utilize this treasure to do damage or will try to gain something from them.

The grumpy person in me states and demands justice for all harm done! No one should go unpunished…

Yeah, but try decrypting a LUKS partition with some random or pseudo random password. I bet it will take the police a few decades to see what truly is going on (and that is if they use a few super servers). Heck, even my Fedora needs to cool the steam when I try to unlock it unsuccessfully several times.

We had some cyber businessmen talking about how real hackers used Linux, and that the traces left behind were from a Windows machine (well, obviously someone has not heard of VMware Workstation… 21 Century’s knocking on the door — Wakey wakey!). Leaving behind the humorous people that tend to stick their noses in places where they don’t belong is a great idea. But the ferocious public wants more. Every day numerous posts find their way to the top of the Facebook developer community list, pointing out different thought-up facts about the investigation. Well, that could prove useful for the investigators. I mean, people need a good laugh from time to time.

So, eventually, as I see things, that teenager is going to be cleared of all charges, with a decent story to tell his children… or ladies. Either way, after a week everyone will have forgotten. Or, if the Police and prosecutors office do indeed find data regarding any illegal activity, he might face some serious jail time. Either way, time will tell.

One thing is certain, though. Bulgarian citizens data will not be safe any time soon... Now all we need is a platform that will allow us to see just how much lateral damage we have to handle. :) I doubt that there will be any cyber-specific initiatives, having in mind the poor state of the Penal code and all the problems Bulgarian police officers suffer.

Despite all that, we keep our spirits high, quoting some random minister’s shower thoughts, shared publically: “The data breach is not that harmful! The most important thing is to be alive and healthy!”

Well, cheers to that!


Georgi Spasov

Georgi Spasov

Georgi was the Bulgarian POC for high-tech crimes during his work as a cybercrime forensic investigator. Now, as a fullstack developer, he contributes with his knowledge in building highly available software solutions.

comments powered by Disqus

PhaaS Request Submission