Cuba Ransomware Gang Takes Credit for Attacking Montenegro

Defense Minister Had Said Russian Government Was Likely Suspect Behind Disruptions
Cuba Ransomware Gang Takes Credit for Attacking Montenegro
The Cuba ransomware gang's data leak site lists the Montenegro Parliament as a victim.

The Cuba ransomware gang is taking credit for attacking the government of Montenegro, which took offline multiple government websites and services amid what officials characterize as a targeted cyberattack.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

Government officials in the Western Balkan nation -which has a population of 620,000 - on Friday acknowledged disruptions to online government infrastructure.

"Since late last night, Montenegro has been exposed to a new series of organized cyberattacks on the government's IT infrastructure. The primary target is the structure of state authorities," Minister of Administration Marash Dukaj tweeted Friday.

"Although certain services are currently temporarily disabled for security reasons, the security of the accounts of citizens and business entities and their data are not in any way endangered," he added. He said the country, which in June 2017 became the 29th member of NATO, was working with its allies to respond.

Montenegro has publicly thanked the government of France for assistance with recovering from the online attack. The French government said it dispatched experts from the National Agency for the Security of Information Systems, or ANSSI, to assist.

The Cuba ransomware gang lists the Parliament of Montenegro, known as the Skupština, on its dedicated, Tor-based data-leak site. The Cuba gang claims that on Aug. 19 it stole files as part of the attack, saying the exfiltrated data includes "financial documents, correspondence with bank employees, account movements, balance sheets, tax documents, compensation, source code." Those claims could not be verified.

At least one senior Montenegro government official fingered the Russian government as likely responsible for the online attack. Despite its name, the Cuba ransomware gang appears unaffiliated with Havana. Analysis from McAfee finds malware deployed by the gang can check for installed language, such as Russian, while separate analysis from Israeli cybersecurity firms Security Joes and Profero concluded that operators of the ransomware are Russian speakers.

This incident is the second series of attacks to have hit the country since the Parliament on Aug. 19 passed a no-confidence motion on the cabinet proposed by Prime Minister Dritan Abazović, toppling the coalition government. It was the second such no-confidence motion to pass this year.

While the Parliament's website was accessible Tuesday, multiple government websites, including, remained inaccessible.

Recovery Continues

The U.S. Embassy in Montenegro on Friday issued a security alert for Americans, warning that "a persistent and ongoing cyberattack is in process in Montenegro" which could result in "disruptions to the public utility, transportation (including border crossings and airport) and telecommunication sectors."

As of Tuesday, recovery appeared to be ongoing, and security researchers say that the country's domain name servers remain offline.

Montenegro Defense Minister Raško Konjević said he suspected Russia is responsible. "Who could have some kind of political interest in inflicting such damage on Montenegro?" he said on state television, the Euractiv media network reported Sunday.

Montenegro appears on a list of "unfriendly countries" drawn up by Moscow in March, in response to multiple governments backing sanctions against the Russian government over its invasion of Ukraine.

"Ransomware crews targeting governments is not unprecedented, and presumably, Montenegro is fair game now that Putin has put them on his 'you're not my friend no more' list," the operational security expert known as the grugq writes in a Substack post.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.