The APT35 group is suspected: its hackers completely shut down the district office within a fortnight.
Investigations have usually attributed known cyberattacks on Czech authorities – such as the systems of the Ministry of Foreign Affairs – to Russian hacker groups. However, according to Neovlivní.cz, the search for the perpetrators of the April cyberattack on the Prague 5 municipal office yielded surprising clues: experts suspect that hackers from APT35, one of Iran’s most active cyberespionage groups, were involved in the action.
“Each attacker leaves certain traces that are characteristic of him. And in this case, the fingerprints of the APT35 group, which is sponsored by the Iranian government and subject to the Revolutionary Guards, were found,” a highly trusted source from the security community, who has detailed information about the investigation into the attack, told Neovlivní.cz.
The APT35 group is also known by a number of nicknames, such as Charming Kitten or Phosphorus, and its intense activity dates back to 2019. Its hackers usually target military, diplomatic and government personnel, mainly in the US and Middle Eastern countries, as well as political activists and the media. In 2020, experts found traces of APT35 in a cyberattack against the pharmaceutical company Gilead Sciences, which is engaged in research into the disease Covid-19.
And why would Iranian espionage be interested in such a local target as the municipal office of a central European city? The answers may lie in a list of buildings that are of high interest to Iran.
Prague 5 is home to several embassies, for example the Lithuanian, Cuban and Austrian embassies. And one of the buildings was for years occupied by staff of the embassy of Saudi Arabia, Iran’s main rival.
And in addition to diplomats, a number of Czech security agencies are also based here, for example the civilian intelligence agency ÚZSI and one of the workplaces of military intelligence.
Anyone who got into the systems of Prague 5 and completely disabled them could have assumed that, among other things, they would find building plans in digitized form: valuable information for someone who wants to plant a listening device in one of those buildings.
Given the pace of digitization across the Czech Republic, that would have been a reasonable assumption, but this time the authorities were lucky. “The building archive in Prague 5 has not yet been digitized. So if someone was looking for plans of buildings, they only got their textual description. That is already digitized,” added the source quoted above.
However, according to the findings of Neovlivní.cz, the investigation shows that hackers (and apparently not only those from Iran) had been downloading data from the city district for four to five years. They had access practically everywhere. Experts compared the office’s security to an unlocked car on the street.
Iranian diplomacy strictly rejects all connections with cyber attacks. Most recently, the year before last, the then spokesman of the Iranian diplomatic mission to the UN, Alireza Miryousefi, declared: “The Iranian government is not involved in cyber war. The cyber activities that Iran engages in are purely defensive and serve to protect against further attacks on Iran’s infrastructure.”
The office of the municipal district of Prague 5 does not comment on the investigation. The mayor only announced that she had already filed a criminal complaint in March, when the office’s systems collapsed. “Due to the police investigation, it is not possible to provide more information,” the town hall’s statement reads.
But Prague 5 is not the only one.
What did the Babiš and Fiala governments do to protect our data at the authorities? How easy would it be for China to “shut down” the Czech Republic if it so chose? Read Sabina Slonková’s investigation in the September issue of the Neovlivní.cz magazine, which you can order now in the SUBSCRIPTION section.