For a well-trained hacker, an attack on most independent media in Serbia would not be unfeasible. What the consequences could be depends not only on the ability of the attacker, but also on the digital hygiene of the media.
Author: Filip Mirilović / Photo: Pixabay
As the media are becoming increasingly digitized today, so is their security – physical security threats have not disappeared, but the ratio between them and cyber-threats is increasingly shifting in favor of the latter. According to monitoring carried out by Share Foundation, in the past eight years around seventy attacks on media infrastructure were reported in Serbia with the aim of disabling it, intercepting communications or causing leakage of private data.
The Association of Journalists of Serbia and the Independent Association of Journalists of Serbia do not have information on how the responsible institutions – that is, the relevant Prosecutor’s Office for High-Tech Crime (VTK) – conduct investigations and prosecute those responsible. A lawyer specializing in IT, Uroš Nedeljković, says that the VTK has “qualified individuals”, as well as the “ability to obtain a lot of information”, but that due to increasing digitalization, “a lot more needs to be invested” in this institution.
A Share Foundation researcher, Bojan Perkov, also believes that the VTK has the know-how to deal with cyber-threats, but he is not sure if it can physically cover all cases, given that it is responsible for all of Serbia and that the number of cyber problems is rising.
For the purposes of this article, good practices and digital vulnerabilities were discussed with representatives of nine media outlets, whose previous work has shown that they fall in the category of media that report in accordance with the codes of the profession, which may make them targets of cyber-attacks. For their safety, they will remain anonymous.
More than half of the media outlets with which we talked were hacked in some way – whether someone gained insight into confidential data or communications, something was published that no one had written, or something similar. Also, more than half of the newsrooms receive phishing attacks, but a considerable number of them did not even know what that was. In two-thirds of the newsrooms, employees face no restrictions on installing anything on computers, while almost half of the media do not invest in IT.
The website of the Vreme weekly was attacked a few years ago, when someone from the outside posted an advertising article for Megatrend University and signed it with the name of a journalist who, it later turned out, had never written anything like that. Essentially, someone hacked the website, that is, “broke into” the portal’s content management system.
In mid-April, the daily Danas announced that their portal had suffered a cyber-attack, which first manifested as an inability to access the “WordPress” platform through which articles are published, and later as difficulty using it. It took ten or so days for everything to normalize.
How does an attack occur?
Most of the surveyed newsrooms lack protections, or the ones they have are insufficient, as a result of which omissions often occur. Downloading anything and everything from the Internet, combined with poor protection, can, for example, open the door to “ransomware” – a malicious program that locks important data on the computer and demands a certain amount of money in exchange for the key. This happened to one of the surveyed newsrooms; the Republic Geodetic Institute was also affected by this malady in mid-June.
An IT expert in digital security, who primarily works with the civil sector, Robert Todoroski, agrees that ransomware is one of the worst threats in this case and adds that if one computer is infected, this malicious program can move to other computers from the same network, if they are not protected either.
If media outlets have backed up data on an external device, then it cannot cause so much damage – however, not many newsrooms store everything, nor do many of them regularly back up, which can lead to complete and permanent loss of some data.
What does it look like?
Another real and serious threat to digital security is phishing. If media employees have not heard of this term, or they do not know exactly what it represents – it can be very problematic, which is the case with five newsrooms. Even some who did know said “we are not so naive about it”. Such thinking diminishes the perception of danger, but not the danger itself. Phishing can be defined as a cyber criminal act that uses deceptive email, website or text message content to steal confidential personal or corporate information.
Todoroski believes that phishing is the most dangerous technique of social engineering and says that various statistics show that in the last two years the number of these attacks “increased by 520 percent”. The problem is that a lot of people do not understand that phishing no longer looks as naive as it once did – especially if someone consciously targets someone, which is then called “spear phishing”. In that case, the attacker will make an effort to find what is characteristic of that person, what they might “fall” for.
Todoroski believes that the best defense against phishing is education. According to the conducted survey, only four newsrooms specifically focused on phishing during training.
As part of the survey, the author of this article sent media representatives a Google poll, which was created using a form of social engineering. Twelve questions were asked in the questionnaire, but only five were marked with an asterisk, i.e. mandatory. Based on the other questions, which people filled in generically, their data could be collected – in the form of e-mail addresses, social networks they use, date of birth which can be useful for hackers to “guess” passwords, but also the communication applications they use. Of those who filled it out, only one person did not “take the bait”.
Two-thirds of the mentioned newsrooms encountered DDoS attacks, which are the most common type of attack on media websites in Serbia, and aim to temporarily bring down the website, that is, prevent the public from accessing it. Every server on which websites are hosted has a limited amount of internet traffic that it can receive. In this cyber-attack, the attacker redirects fake traffic to the server or servers that host the site and thus basically overloads it to the point that it becomes unavailable for a period of time. Most had their sites taken down, while only two managed to defend themselves every time. Those media that have proven to be a tough nut to crack for these attacks usually host their sites on multiple servers, which makes congestion difficult. DDoS attacks mostly occurred after reports on government affairs or events that the government tried to relativize or downplay, such as protests.
The Beta news agency suffered one such attack in April of this year and the site was unavailable for some time.
Robert Todoroski emphasizes that one should bear in mind that DDoS attacks can sometimes serve as a cover, or a distraction from another attack, such as an unauthorized server intrusion or theft of intellectual property. “When hackers use DDoS attacks as a cover, they usually use low-volume, short-duration attacks that are designed not to deny service, but to distract from their alternative motives,” he explains, adding that these attacks allow cyber criminals to “test vulnerabilities within the cyber network”.
On unfamiliar terms with IT
Six out of nine media representatives said that they invest in the IT sector, but that number is lower when they are asked whether they also invest in information security. An affirmative answer to this question came from only four newsrooms – and of course there are big differences in the volume of investment. For some, investing in this type of service is normal, inseparable from investing in young journalists, but for others IT is still a distant future. The media is quite polarized on this issue. Perkov believes that the “capacity of small, local media outlets to defend against cyber-attacks is at a fairly low level”, because, as he says, given the difficult and uncertain financial situation they are in, “digital security is not high on their list of priorities, at least not until they suffer some kind of technical attack”.
Todoroski believes that this type of investment gives the media “security, reliability and later also greater productivity”, while on the other hand, the consequences of not investing in the event of an attack may be interruption of work for a “certain or even indefinite period”. The problem is that IT consultants are very costly, so much so that they can generally be covered only from project funding.
Nedeljković adds that sometimes it is not easy to distinguish whether a media website is attacked because of its reporting or just because it is vulnerable in itself. As he says, “many media used to receive ready-made content management systems (CMS) through grants”, but “there was no further support for software solutions”, which, he adds, “did the media a disservice”.
In order for journalists, editors or managers to understand that they are threatened in cyberspace, it would be best if they imagined what their worst-case scenario would be in the event of an attack. For some, it would be Pegasus, an advanced spyware that primarily targets mobile devices. Although there is no evidence that it has been used in Serbia, Bojan Perkov explains that several analyses “point to the implications that Serbia is one of the countries that has the capacity to use Predator” – software that functions in a similar way. For some, an inconvenient scenario is potential loss of website access, and for some, on the other hand, it is leakage of private data. Now, whose private data? In addition to that of employees, it could also include data that should not be exposed at all – for example, confidential information about sources. At that point, the problems go beyond journalists. Digital security takes various forms and neglecting it can have drastic consequences.
This text was created as part of the mentoring programme Solutions and Innovations in Media, which is implemented by Mediacentar Sarajevo and the Association Zašto ne, with the financial support of the embassies of the Kingdom of the Netherlands in the Western Balkans region.
Translation: Kanita Halilovic