Once maligned as a hotbed of hacking, Romania is now at the cutting edge of cybersecurity.
By Marcel Gascón Barberá
First there was Guccifer, real name Marcel Lazar Lehel, who hacked the email accounts of the Bush family in the United States; then came Hackerville, the moniker given to the town of Ramnicu Valcea due to the international cybergangs it was home to.
Fairly or not, hackers put Romania on the global online map, honing their skills to strike Internet users and companies in the West, particularly the US.
But today, 30 years since the fall of communism, IT and cybersecurity firms are looking to tap the same rich vein of ambition, ingenuity and education that made Romanian hackers so feared and famous.
“Romania is currently one of the largest pools of talent in the IT&C space,” said Bogdan Botezatu, senior e-threats analyst at Romanian antivirus and cybersecurity giant Bitdefender.
“Based on our tradition in STEM – science, technology, engineering and mathematics – and research, universities deliver engineers, reverse engineers, people who are highly skilled in IT.”
Romania, he said, is already internationally recognised in the field of cybersecurity, and has the potential to play an even greater role.
Made in Romania – a global leader in cybersecurity
Bitdefender is one of the global leaders in cybersecurity, with more than 500 million customers worldwide and a network of research labs in Romania – the largest such network in Europe – to combat online threats.
Some 40 per cent of the antivirus and digital security companies on the market currently use at least one technology developed by Bitdefender. Such success is unparalleled in Romania, a European Union member state where almost no other company has a significant international footprint.
From Bucharest and other Romanian cities, Bitdefender’s experts have led or participated in operations to halt some of the most damaging cyber attacks the world has seen in recent years.
In 2018, Bitdefender partnered with Europol, Interpol, the FBI and police in a number of EU countries against the group, believed to be from Russia, behind the GandCrab ransomware, releasing free decryption tools for its victims. The authors did not deploy the malware themselves: they rented it out to other criminals, who used it against home and corporate users, a model known as ransomware-as-a-service.
“It became such a large phenomenon that half of the ransomware attacks happening at that moment were caused by GandCrab,” Botezatu told BIRN.
“We managed to decrypt [the computers of] 60,000 victims, saving the victims around 70 million dollars.”
For all its sophistication, GandCrab was a purely criminal enterprise: a way for the private individuals behind it to extort money from other people.
Another category of threat, however, is state-sponsored; the groups behind it are known among experts as Advanced Persistent Threats, or APTs.
The goal in this case is to disrupt key strategic infrastructure abroad or to steal secret information from other states. That was the purpose of NotPetya (Bitdefender's name for it is GoldenEye), which emerged in 2017 as the work of hackers suspected of working for the Kremlin.
The attackers compromised the update servers of an accountancy product widely used in the Ukrainian state administration. Every time a user installed the program's update, the malware ran on his or her computer, encrypted its files and left the machine unbootable.
The malware also had a worm component, spreading over SMB with the leaked EternalBlue exploit and with credentials harvested from already infected machines, so it quickly contaminated entire networks to which infected computers were connected, bringing, for example, the Kiev metro to a halt and shutting down at least one airport, several banks and the radiation monitoring system at Chernobyl.
It spread globally, including to Romania, where Bitdefender led the preliminary investigation that identified the malware, after its researchers spotted a common pattern in the infections reported by many users of its antivirus products.
‘You can’t trace them back’
Like the rest of the former Soviet bloc, Romania spent more than four decades under communism, when education placed a premium on scientific and technological training.
That expertise – and a resourcefulness developed under communism and during the painful transition to capitalism and democracy after 1989 – is now at the disposal of the EU and NATO as they try to combat cyber threats from Russia and other countries vying for a geopolitical upper hand.
And the Romanian state is doing its bit too, via bodies like the Romanian Intelligence Service, SRI, which took part in investigations that led to the 2018 exposure of Russian state involvement in a cyber espionage and warfare group called Fancy Bear.
Also known as Sofacy or APT28, Fancy Bear targeted governments and civil society organisations in countries including the Netherlands, Britain, Germany, Romania and the US.
Botezatu said the fact that the infections happened between 9 a.m. and 5 p.m. Moscow Standard Time led investigators to conclude they were being launched from government offices. Bitdefender uncovered the campaign in 2015.
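The working-hours reasoning reported above is a standard, if weak, attribution heuristic: take the timestamps an investigator actually has (first-seen times of infections, or compile timestamps from the malware's own headers), convert them into each candidate time zone and see which one makes them cluster in a 09:00 to 17:00, Monday-to-Friday window. The script below is an added illustration, not tooling from the article, Bitdefender or SRI. The ten UTC timestamps, the 09:00-17:00 window and the list of candidate zones are constructed assumptions chosen for the demonstration.

```python
# Added example (not from the article or from Bitdefender/SRI): score
# candidate time zones by how many events fall inside a 09:00-17:00,
# Monday-to-Friday working window. Event list, window bounds and the
# candidate zones are assumptions made for the demonstration.
from datetime import datetime, timedelta, timezone

try:
    from zoneinfo import ZoneInfo
except ImportError:  # Python < 3.9: use the fixed offsets below instead
    ZoneInfo = None

WORK_START_HOUR = 9   # inclusive, local time
WORK_END_HOUR = 17    # exclusive, local time

# Candidate zones an analyst might test (assumption; extend as needed).
CANDIDATE_ZONES = [
    "Europe/Moscow",
    "Europe/Bucharest",
    "Asia/Shanghai",
    "America/New_York",
]

# Standard-time offsets, used only if the IANA database is unavailable.
# They are correct for the February sample below but ignore DST; real
# analysis should rely on zoneinfo so summer events are not mis-binned.
FALLBACK_OFFSETS_HOURS = {
    "Europe/Moscow": 3,
    "Europe/Bucharest": 2,
    "Asia/Shanghai": 8,
    "America/New_York": -5,
}

# Constructed sample: first-seen times of ten infections, in UTC, during
# the first week of February 2015 (2 February 2015 is a Monday).
SAMPLE_EVENTS_UTC = [
    "2015-02-02T06:30:00Z",  # Mon 09:30 Moscow
    "2015-02-02T08:15:00Z",  # Mon 11:15 Moscow
    "2015-02-03T10:45:00Z",  # Tue 13:45 Moscow
    "2015-02-03T22:00:00Z",  # Wed 01:00 Moscow (off hours in every zone tested)
    "2015-02-04T12:00:00Z",  # Wed 15:00 Moscow
    "2015-02-04T15:30:00Z",  # Wed 18:30 Moscow, but 10:30 New York
    "2015-02-05T13:30:00Z",  # Thu 16:30 Moscow
    "2015-02-06T07:05:00Z",  # Fri 10:05 Moscow
    "2015-02-06T13:55:00Z",  # Fri 16:55 Moscow
    "2015-02-07T09:00:00Z",  # Sat 12:00 Moscow (weekend, never counted)
]


def tz_for(zone: str):
    """IANA zone if available, otherwise the fixed standard-time offset."""
    if ZoneInfo is not None:
        try:
            return ZoneInfo(zone)
        except Exception:  # ZoneInfoNotFoundError when tzdata is missing
            pass
    return timezone(timedelta(hours=FALLBACK_OFFSETS_HOURS[zone]))


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_work_window(local_dt: datetime) -> bool:
    """True if local_dt is Mon-Fri and within [WORK_START_HOUR, WORK_END_HOUR)."""
    return local_dt.weekday() < 5 and WORK_START_HOUR <= local_dt.hour < WORK_END_HOUR


def work_hour_hits(timestamps, zone: str) -> int:
    """Count events that land in the working window when viewed in `zone`."""
    tz = tz_for(zone)
    return sum(in_work_window(parse_utc(t).astimezone(tz)) for t in timestamps)


def hour_histogram(timestamps, zone: str):
    """24-bin histogram of local event hours in `zone` (all days, for plotting)."""
    tz = tz_for(zone)
    bins = [0] * 24
    for t in timestamps:
        bins[parse_utc(t).astimezone(tz).hour] += 1
    return bins


def rank_zones(timestamps, zones=CANDIDATE_ZONES):
    """Return (zone, hits, fraction) tuples, best-fitting zone first."""
    total = len(timestamps)
    scored = []
    for zone in zones:
        hits = work_hour_hits(timestamps, zone)
        scored.append((zone, hits, hits / total))
    return sorted(scored, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for zone, hits, frac in rank_zones(SAMPLE_EVENTS_UTC):
        print(f"{zone:18s} {hits:2d}/{len(SAMPLE_EVENTS_UTC)}  ({frac:.0%} inside 09-17 Mon-Fri)")
```

Two caveats a practitioner would attach to this signal. First, the ranking only separates zones whose offsets differ by several hours; Moscow and Bucharest are one hour apart and score 7 and 6 on the same ten events, so the histogram alone cannot tell them apart. Second, timestamps are under the attacker's control: compile times can be zeroed or forged and operators can shift their hours, so working-hours clustering is one corroborating indicator alongside infrastructure, tooling and victimology overlaps, never an attribution on its own.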
“Behind these kinds of attacks there is a country, and particularly the intelligence community of that country,” said General Anton Rog, head of SRI’s Cyberint centre.
“Of course, governments don’t act directly; through their intelligence services, they infiltrate or create these cybercrimes groups in a way that you can’t trace them back to say that they work with an information service.”
Most APT attacks, Rog told BIRN, are mounted in order to steal sensitive information. “It is a modality of espionage,” he said, “but through cables and cybernetic tools.”
SRI’s Cyberint centre relies on tip-offs from foreign agencies, technology that recognises abnormal online activity and cyber informers.
Sometimes the dividing line between financially motivated attacks and APTs becomes blurred, as in the case of the Cobalt Strike toolkit. Cobalt Strike is a commercial adversary-simulation framework sold to penetration testers, but pirated copies of its Beacon implant are used by criminal and state-backed intrusion groups alike.
Cobalt Strike was used by the so-called Carbanak group, from Russia and Ukraine, to steal more than one billion euros from around 100 banks in over 40 countries, including Romania.
“The technology used is [characteristic of an] APT, but the motivation is strictly financial,” said Botezatu.
Bitdefender conducted ‘post-mortems’ at two of the affected banks. Botezatu said the malware was “extremely sophisticated”, managing even to access the banks’ payment systems.
“With that level of access, the nefarious individuals authorise fraudulent bank transfers, raise the balance of mule accounts or command affected ATMs to spit out the money for them,” Europol said in a statement on the arrest in Spain of alleged Carbanak leader ‘Denis K’ in a 2018 operation that Romania took part in.
“Our suspicion is that… these attacks are used to make money to sponsor strategic attacks,” said SRI’s Rog. “In our evaluation, we take into account the fact that these groups have members who are in contact with governments or information communities,” he told BIRN, noting the costs and human and technical resources needed to develop malware like Cobalt Strike.
“They [governments] don’t want to spend money from their budget, they want to steal money from other countries and sponsor strategic attacks with it,” Rog said.
Strong cybersecurity “ecosystem”
To strengthen security at home and boost Romania’s role in the global cybersecurity game, SRI’s Cyberint centre says it is trying to build “an ecosystem”, which it is already nurturing through courses it offers at several universities across the country.
Likewise, Bitdefender partners with universities and high schools in training the next generation.
They may be people like Alexandru Coltuneac, a ‘white hat’ hacker: having written an Internet virus as a teenager, he now uses his self-taught skills to help giants like Google, Facebook, PayPal, Microsoft and Adobe test the security of their products.
“I have set myself a target,” Coltuneac told BIRN. “I want to find at least one vulnerability in a product of each big company.”
His company, LooseByte, offers businesses security testing and services to improve their protection levels.
Coltuneac said he finds pleasure in outsmarting the world’s best professionals.
“It’s a way of doing hacking without harming anyone,” he said.