After a year of preparation, the Arnes public institute establishes SI-CERT, the Slovenian Computer Emergency Response Team, and starts handling reports of security incidents.
Young Slovenian hackers start breaking into systems abroad. In Maribor a group forms which starts meeting in a popular cybercafé; its members are employed part-time as system administrators in local companies, where they also cannot resist hacking. As a result, company owners and cybercafé managers have quite a few problems for several years.
A student breaks into the account of the dean of one of the departments of the University of Ljubljana and sends a threatening email in his name to the department’s senate.
During the investigation of a breach of a system in Slovenia we discover a password database of users of a computer that belongs to the US Navy (navy.mil). We inform their ‘Information Warfare Center’.
Because SiOL bills calls to 0880 numbers to the registered user (and not to the owner of the phone line), these user accounts become targets of theft and resale, since they can be used to access the internet in someone else’s name (and at their expense). Lionheart finds a bug in SiOL’s system which allows passwords to be intercepted in bulk and publishes them; massive resale of passwords ensues. We start to investigate the matter together with the police and identify those involved.
We encounter the first denial-of-service attacks on targets in Slovenia.
Infections by the NetBus and BackOrifice Trojans, released a year earlier, erupt. They allow attackers to stealthily access a computer and take control of it. We set up a webpage which allows users to check whether their computer is infected with a Trojan.
Tools for carrying out DDoS attacks become available on the internet: trin00, Tribe Flood Network and Stacheldraht.
The US military blocks access from Slovenia (among others) to the .mil domain before beginning bombardment of the Federal Republic of Yugoslavia.
We are kept busy with address space scanning and numerous denial of service attacks in Slovenia and abroad.
SI-CERT becomes a member of FIRST (Forum of Incident Response and Security Teams). SI-CERT boss Gorazd Božič is named president of the European response centres working group TF-CSIRT, which he then heads for eight years.
Media attention is captured by the “I love you” worm spreading through email. The Y2K problem at the start of the new millennium turns out to be an unnecessary panic.
Throughout the year, internet worms that spread automatically across networks and computers are born. The most widespread of these is the Chinese Code Red virus, followed by Nimda, Sircam, Klez and Frethem. We handle the first web page defacements using rootkits. In one incident we find several hundred breached systems abroad.
SI-CERT hosts colleagues from European response centres united in the TF-CSIRT working group.
Foreigners send massive quantities of spam emails through unsecured proxy and SOCKS servers. The poor security of NetBIOS on Windows computers is leveraged for numerous intrusions and infections.
A bug in the PINE mail program enables access to a list of usernames of Arnes’s guest.arnes.si users. Fortunately, these are only limited copies without names and passwords, kept in a closed (chroot) environment.
Microsoft IIS web servers are attacked by the Code Red II virus.
IRC wars – skirmishes between Slovenian hacking groups – culminate in an attack on SiOL DNS servers in November 2004, seriously affecting all SiOL users. Telekom Slovenije ends its policy of silence regarding incident reports from SI-CERT and starts cooperating, which in the following years results in a dramatic decrease in the number of abuses and network attacks in Slovenia.
After infecting their targets, ‘Dialler’ viruses call expensive toll numbers abroad.
A new form of network abuse appears: phishing.
Dictionary attacks through the Secure Shell protocol proliferate as Slovenian hackers do their best to try to breach the largest number of computers abroad. After several months of collecting incident reports we send the data to the police who perform around 20 house searches.
Paid game servers for the Call of Duty game in Slovenia cause a series of mutual denial of service attacks between individuals who try to push each other out of the ‘market’.
The first phishing site abroad targets Slovenian banks’ clients.
In a series of denial of service attacks on websites of several US media houses, some Slovenian computers also participate in the botnet. SI-CERT performs an analysis of the malware, which allows the FBI to arrest Bruce Raisley, who is convicted several years later in a US court.
Before the May 1st holidays in Estonia, a monument to a soldier from Soviet times is removed, which results in massive network denial of service attacks on government infrastructure, banks and web media. The TF-CSIRT European response centre group establishes an ad-hoc assistance group, jointly headed by the Finnish CERT-FI and Slovenian SI-CERT.
Slovenia assumes the EU presidency and thus becomes more interesting as a target for attacks on government employees. We analyse the viruses being used in these attacks and the tracks point to China.
Dan Kaminsky finds a serious bug in the workings of the Internet’s DNS infrastructure. We notify 82 network administrators that they have server vulnerabilities that enable so-called ‘cache poisoning’.
We fight Conficker infections throughout the year. This advanced worm employs several distribution channels to spread and turns out to be a hardy opponent. Individual infections reappear even five years later.
The European Consumer Centre requests our assistance in the case of specialphones.eu which fraudulently attempts the fictitious sale of iPhones at half price. With the help of the Estonian CERT-EE, the site is quickly removed. In retrospect, 2009 turns out to be a turning point in the growth of internet fraud.
SI-CERT signs an agreement with the Ministry of Public Administration to take over the coordination of security incident handling in the public administration’s network, and to assist in establishing an independent government response centre for government infrastructure.
Spring sees the spread of a virus authored by a Slovenian among Slovenian Facebook users. In Maribor the police arrest Matjaž Škorjanc – ‘Iserdo’, who is the author of the Butterfly bot (the Mariposa case).
We start the ‘Safe on the Internet’ national awareness programme in the field of information security. The public response is excellent and the programme is awarded several accolades over the next few years.
We determine that one of Slovenia’s electricity generating plants has a server publicly accessible from the web with an embedded backdoor, which could enable unauthorised entry into and monitoring of the plant’s control systems. Numerous heating stations use default passwords on their web interfaces, which also allow unauthorised modification of settings.
Recordings of closed sessions of the government of the Republic of Slovenia appear on YouTube. Google ignores our removal requests until we devise an alternative approach: the owner of the recordings is the government, so this represents a violation of its copyright. We send a DMCA request to a US lawyer and the issue is quickly resolved.
Because of the signing of ACTA, Anonymous announces attacks on government infrastructure and other targets. We take over coordination, set up barriers to DoS attacks and alert providers to the expected attack types. Attacks on gov.si are unsuccessful and several other sites are defaced, but the Anonymous campaign is very prominent in the media.
A group of Middle Eastern hackers attacks banks in the USA and uses, among others, 63 servers in Slovenia. DNS reflection attacks use vulnerable DNS servers, of which there are nearly 9,000 in Slovenia. We start notifying administrators on a regular basis.
Slovenia participates in the pan-European Cyber Europe 2012 exercise – the scenario includes attacks on e-banks and network infrastructure; response centres have a key role in the exercise.
The number of handled incidents passes 1000.
Over 1500 servers belonging to small companies, schools and other institutions using the Joomla content management system are defaced. Along with continued notification of administrators we also prepare the ‘ABC of Security for Website Owners’ brochure.
Together with the police and the RS Office for Money Laundering Prevention, we spend six months investigating attacks on small companies which have resulted in the theft of EUR 1.8 million. Analysis of the malware code by SI-CERT leads the police to its author, Sebastijan Mihelčič.
The ‘police virus’ also holds Slovenian users to ransom, but fortunately a quick unlock is available with which we help 300 individuals. At the POMP 2013 festival of content marketing, we receive the award for the best annual report, and unexpectedly also the grand prize for the project of the year in the field of content marketing.
The year is marked by the Heartbleed vulnerability in the OpenSSL library. Around 3% of web servers in Slovenia are vulnerable. Amplification attacks on the NTP protocol begin. Ransomware becomes stronger and encrypts user data; it spreads over email from fake accounts in Germany.
We participate at Cyber Europe 2014 and the NATO Cyber Coalition 14 exercise. We start training members of the Slovenian military on how to respond to cyber threats and incidents. We pass 2000 handled incidents.
In January, the longest so-called ‘phishing’ attack is launched, targeting the customers of six Slovenian banks. We estimate that approximately 100,000 false messages were sent and around 40 fake bank websites were set up. We fight the attackers for a week before they give up and focus their efforts on other countries.
This autumn marks 20 years since the first incident was reported to SI-CERT.
The number of infections with ransomware reaches its peak with more than 40 reports to SI-CERT in just one month. The variants are numerous and SI-CERT becomes a partner in Europol’s project nomoreransom.org. Cash registers in bars with the added function of issuing fiscal receipts are vulnerable; someone hacks them and starts sending spam messages.
The world is shaken by the WannaCry worm outbreak, which uses methods from the leaked arsenal of the American NSA. Many British hospitals are affected. Soon after, NotPetya strikes. The initial infection vector is the compromised Ukrainian tax-reporting software M.E.Doc. The end of the year is marked by the hacking of the IT system of the Slovenian company NiceHash, a platform provider for buying and selling computing power for cryptocurrency mining. Seventy million Euros worth of cryptocurrencies at the then-current rate are stolen. SI-CERT also handles break-ins to servers with the intent of illicit cryptocurrency mining.
Ransomware infections move from individual users to companies. The number of infections is smaller but the ransoms are substantially higher. These are targeted attacks in which exposed access via the Windows Remote Desktop Protocol is abused. Companies are also victims of CEO fraud and Business Email Compromise (BEC).
After many years of deliberation, taking into consideration various scenarios for organising the response to cyber threats in the country, the National Assembly unanimously adopts the Information Security Act, which transposes the European NIS Directive. Based on this Act, SI-CERT becomes the national CSIRT. The same year, the General Data Protection Regulation comes into force.
Ryuk ransomware infects computers in the Lekarna Ljubljana network and seriously disrupts the operation of its branches. The management estimates the damage caused at over 2 million Euro. Employees of several Slovenian banks are targeted by attacks using malicious code. With the help of European funds, SI-CERT upgrades its infrastructure and its lab for investigating malicious code.
In autumn, SI-CERT celebrates 25 years since its establishment and 10 years of its awareness raising programme Varni na internetu (Safe on the Internet). The year begins with the Ambasador zasebnosti (Ambassador of Privacy) award presented by the Information Commissioner’s Office. The presidency of the Council of the European Union is taken over by Germany, Portugal and Slovenia.