An investigation shows the attack on the Czech Ministry of Foreign Affairs was larger and lasted longer than previously reported, but it is still enveloped in extreme secrecy.
On that day, he was travelling light. The other passengers on the flight to the Estonian capital, Tallinn, had no idea that his cabin luggage contained the secret of who had broken into the servers of the EU and NATO country’s foreign office and stolen hundreds of the private emails of Czech diplomats, including the foreign minister himself.
The officer of the Czech secret service was going to Estonia for help, equipped with the files downloaded from the Ministry of Foreign Affairs (MFA) servers. The tiny Baltic nation, which in 2007 faced the first massive Russian cyber attack on its government institutions, banks and media, is recognized as having excellent expertise in the field. The cooperation with Tallinn and other EU capitals ultimately helped Prague to reveal the identity of the hackers. But the story turned out to be more complicated than expected.
After transferring the files, the Czech agent left Tallinn. When he came back for a second visit, a surprise was waiting. Estonian help allowed the Czechs to better identify the hackers. Evidence grew that they were from Russia, and, apparently, some were connected to the military intelligence service (GRU). But it also turned out that Chinese hackers had broken in first, one governmental source and two sources familiar with the investigation confirmed to Re:Baltica. The sources asked to remain anonymous, as some of the information about the investigation is classified as secret under Czech law and the investigation is still ongoing. In fact, the investigation is so secretive that even the dates when the Czechs travelled to Estonia are not disclosed. The Estonian counter-intelligence service KAPO declined to comment on the issue.
Russia and China did not act in a coordinated manner. However, as the Czech investigation has established, they knew about each other, did not move against one another, monitored each other’s illegal activity, and tolerated the other’s presence. The attacks at the time were directed against several EU countries, a source close to the country’s intelligence service told Re:Baltica.
“Russian behaviour in cyberspace has been different from that of other cyber powers on two different accounts. One is related to how Russia has been feeding the fruits of cyber-espionage into disinformation campaigns. It is quite possible that China has even more access to sensitive political, security, technical or business information from the entire world, and is quietly passing what is relevant to its companies, manufacturers, or the military. But China has been doing it quietly, relatively under the radar, and has kept this information mostly to itself,” Nicu Popescu, head of the Wider Europe programme at the European Council on Foreign Relations, recently wrote. “Russia also hoards significant amounts of information, to be sure, but in addition has been releasing it on a massive scale in its attempts to shape North American or European politics.”
Sharing is caring
Until recently, Europeans and the US used to share the evidence of GRU hacking activities behind closed doors, informing each other when sensitive material was stolen. The attacks were not discussed publicly, as that would reveal how much – or how little – they knew or would be able to find out about the hackers’ modus operandi.
With tensions between Russia and the West rising since the military conflict in Ukraine and the hacking of Democratic National Committee emails before the US presidential election in 2016, EU and NATO countries are starting to publicize the evidence of the cyber attacks which the Kremlin has allegedly perpetrated against the allies.
In the beginning of October 2018, US and Dutch authorities published detailed accounts of how GRU hackers attempted to break into the network of the international organization which has been aiding Britain in finding the perpetrators of the poisoning of former Russian spy Sergei Skripal and his daughter with a dangerous chemical agent.
The US unveiled charges against the GRU hackers who hacked and published the medical records of almost 250 athletes from 30 countries after the doping scandal which led to Russian teams being banned from the Olympic Games.
The UK’s Foreign Office listed six attacks for which it holds the GRU responsible. “Our message is clear: together with our allies, we will expose and respond to the GRU’s attempts to undermine international stability,” said UK Foreign Secretary Jeremy Hunt.
However, one attack was not on the list: the attack on the Czech Ministry of Foreign Affairs (MFA), from which it still has not recovered. An investigation by the Czech newspaper Respekt, conducted with the support of EU partners, reveals unknown details of the story, including the fact that the hack was much longer and wider than reported.
Started in 2014, not 2016
To this day, it is still unclear how the Czech Republic found out about the attack, but no one was aware of it for a long time. It was first announced publicly in the winter of 2017, when the then foreign minister, Lubomír Zaorálek, said the hack had not lasted long and only a few email addresses had been affected. Data downloads occurred most frequently in the morning hours, when web traffic becomes heavier as people arrive at work and the downloading looks less suspicious.
Now, Respekt/Re:Baltica has found out that the attack in fact started in 2014, not 2016 as previously thought. After the public announcement the case somehow faded into the background, but since then it has been discussed in the National Security Council (NSC), the highest security body of the state, several times.
The NSC, led by the Prime Minister, gradually began to hear from the security experts investigating the breach that the attackers had acquired large quantities of emails that diplomats had sent among themselves between 2014 and 2016. The inboxes of all MFA employees with the domain mzv.cz were compromised, three sources familiar with the investigation told Re:Baltica.
Czech diplomats fear that the stolen emails may contain details about their private lives – lovers, their past, alcohol and other vices of theirs or their colleagues – which would make people vulnerable to blackmail. Other emails describe sensitive negotiating positions with EU and NATO partners, the meetings and motives of information sources who are residents of other countries and are in contact with embassies, or Czech companies which are interested in specific contracts and tenders abroad (Respekt/Re:Baltica has not been able to read the actual emails independently).
The communications system of the Ministry of Foreign Affairs is in ruins to this day. “It is a serious problem. Lots of emails disappeared; there should be much sensitive information. It’s a threat to national security,” says MP Jan Lipavský (Pirate Party).
The Ministry of Foreign Affairs has not been the only victim among the Czech state institutions. Two years ago Russian hackers gained access to the emails of Czech soldiers serving on a mission in Mali. A year ago, hackers – allegedly unsuccessfully – tried to access the correspondence between a selected group of officers of the Czech army.
“This is common today—phishing attacks are common on ministries of foreign affairs of most of our allies. Suspicions of attacks on other nations have been widely debated in foreign media,” says Jan Hamáček, Czech minister of interior.
He neither confirmed nor denied that Russia and China were the perpetrators behind the Czech attack, saying only that details about specific incidents could complicate the security measures. He claimed that the network meant for the exchange of classified information was not damaged in the hack, but this cannot be verified.
Meanwhile, the Czech diplomatic service has tried, but failed, to clear its IT system of dormant malware and the inflicted damage. The National Security Council has discussed the option of completely rebuilding the system. The cost could run to hundreds of millions, possibly the low billions, of Czech crowns.
Meanwhile, eight EU member states – the Baltics, Denmark, Finland, the Netherlands, Romania and the UK – are pushing the bloc to adopt a legal framework for acting against the hackers before it becomes too late.
This story is part of a series supported by the first EU-financed fund for investigative journalism, IJ4EU, and jointly developed by Re:Baltica, Postimees, Direkt36, 15min.lt and Respekt.cz. Financing was granted as a result of an open call managed by the International Press Institute.