Cuba ransomware group claims attack on Montenegro government

The Cuba ransomware group has claimed an attack on Montenegro’s government which reported last week that it was facing Russia-linked cyber attacks.

It claimed to have received the files belonging to the Montenegrin government’s Department for Public Relations on 19 August 2022.

The files allegedly contained information such as financial documents, correspondence with bank employees, balance sheets, tax documents, compensation, and source code.

IT Pro has not been able to verify the legitimacy of the files since Cuba’s download link appears to be broken at the time of writing.

Montenegro’s Agency for National Security (ANB) said on Saturday that it was “under a hybrid war at the moment” days after its public administration minister tweeted that “certain services” had been taken offline amid ‘multiple’ cyber attacks.

The minister, Maras Dukaj, on Thursday also likened the “series of cyber attacks” to those sustained in 2015 and 2016 in the country.

Dukaj did not explicitly define which attacks he was referring to, but he may have been referring to the Russia-linked cyber attacks targeting the nation before it joined NATO in 2017.

The Montenegrin ANB website is also currently unreachable at the time of writing, as is the website for the Department for Public Relations which Cuba has claimed to have successfully breached.

Montenegro was once considered a pro-Russia ally but since it joined NATO in 2017, it has been considered an enemy of the country that’s now invading Ukraine.

Russia also added Montenegro to its list of ‘enemy states’ alongside other Western allies such as the UK and other nations that publicly oppose the Kremlin’s goals.

Coordinated Russian services are behind the cyber attack,” the ANB said in a statement to Associated Press. “This kind of attack was carried out for the first time in Montenegro and it has been prepared for a long period of time.”

Government official Dusan Polovic said, “I can say with certainty that this attack that Montenegro is experiencing these days comes directly from Russia.”

The cyber attacks appear to be targeting a broad selection of public entities in the country, including government services, and transportation and telecommunications sectors, its government said.

A number of the government’s servers have been targeted but the attacks so far have not resulted in any damage or data loss.

Who is behind the Cuba ransomware gang?

Very few cyber security companies have been confident enough to attribute the ransomware organisation to a specific country, however, Profero is one to have linked it to Russia.

The company said it has observed the Russian language on its website and during its negotiations with victims.

Cuba’s current ransomware leak site is written entirely in English, although some minor spelling and grammar issues can be observed.

The US Federal Bureau of Investigation (FBI) said in a 2021 report that the group had compromised at least 49 organisations, including target operating critical infrastructure, netting nearly $50 million (£43 million) in revenue.

The double extortion ransomware group is thought to have targeted organisations in Europe, North and South America, and Asia in the past and experienced a resurgence between March and April 2022, according to Trend Micro.

Cuba ransomware is often delivered as a final-stage payload in cyber attacks involving the Hancitor malware downloader in email-based attack campaigns.

Additional tools often associated with these attacks are the use of the Mimikatz credential-stealing malware and the oft-abused Cobalt Strike penetration testing toolkit.