CYBER INTELLIGENCE REPORT
Actor Type: I-IV
Serial: IR-18-057-001
Countries: BA, RS, US, GE
Report Date: 20180228
Industries: GEO-Pol, Financial
Bosnia and Herzegovina Cyber Profile
Summary
Bosnia and Herzegovina is a country in Southeastern Europe formerly under the Republic of Yugoslavia. Since the dissolution of Yugoslavia, Bosnia and Herzegovina has experienced infighting among ethnically and religiously motivated hacktivist groups, as well as activity by commercially motivated hackers. Current cyber laws are not fully enacted, yet the country cooperates completely in fighting cybercrime. Bosnian hackers use Bosnian, Serbian, German, English, and other languages to communicate. Due to recent international arrests, many Bosnian groups have been driven underground. Based on our current data, the threat that Bosnian hackers pose to the West is low.
Croatian / Bosnian Cyber Threat Keywords
Bosnia and Herzegovina has three official languages: Bosnian, Croatian and Serbian. For the purpose of searching for cyber terms, Bosnian and Croatian are basically the same (Table 1). Some other Slavic languages in the region, such as Czech, have matching terms with Bosnian too.
Table 1. Croatian/Bosnian cyber threat keywords translated to English
| English | Croatian/Bosnian | Serbian |
|---|---|---|
| Bot | Bot | Бот |
| Botnet | Bot mreža | Бот мрежа |
| Malware | Malver | Малвер |
| Virus | Virus | Вирус |
| Worm | Crv | Црв |
| Ransomware | Ransomware | Рансомваре |
| Trojan | Trojan | Тројан |
| Cryptor/Crypter | Cryptor | Криптор |
| DDoS | DDos | ДДос |
| SQL injection | SQL injekcija | СКЛ ињецтион |
| Vulnerabilities | Ranljivosti | Ранљивости |
| Hacker | Haker | Хакер |
| Hacking | Hakovanje | Хаковање |
| Carding | Carding | Цардинг |
| Credit Card | Kreditna kartica | Кредитна картица |
| BIN | BIN | БИН |
| CVV | CVV | ЦВВ |
| Email | Epošta | Епошта |
| Jabber | Jabber | Јаббер |
| Social engineering | Socijalni inženjering | Социјални инжењеринг |
| Phishing | Phishing | Пхисхинг |
| Spoofing | Prevar/Spoofing | Превара/Споофинг |
| Shell | Ljuska | Љуска |
Some Bosnian words are used to name files, functions, or domains. For example, in the Ljuska forum, criminal offerings are presented (Figure 1). The word “ljuska” in the forum name is Bosnian for “shell” (Table 1).
Figure 1. Credit card data seller on Ljuska, Bosnian programming forum
For international communication, Bosnian hackers use English and German. Some may communicate in Arabic, Turkish or Russian.
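A monitoring watchlist built from Table 1 has to match the same term whether it is written in Serbian Cyrillic, in Latin with diacritics, or in plain ASCII. The following is an added example, not part of the original report: the function names, the choice of watchlist terms, and the sample strings are constructed for illustration, and inflected word forms are not handled.

```python
import re
import unicodedata

# Serbian Cyrillic -> ASCII-folded Latin; digraph letters expand to two characters.
CYR2ASCII = dict(zip("абвгдежзијклмнопрстуфхцчш", "abvgdezzijklmnoprstufhccs"))
CYR2ASCII.update({"ђ": "dj", "љ": "lj", "њ": "nj", "ћ": "c", "џ": "dz"})

# Subset of Table 1 (Croatian/Bosnian column) mapped to the English label.
WATCHLIST = {
    "Bot mreža": "Botnet",
    "Malver": "Malware",
    "Crv": "Worm",
    "SQL injekcija": "SQL injection",
    "Kreditna kartica": "Credit Card",
    "Socijalni inženjering": "Social engineering",
    "Ljuska": "Shell",
}

def normalize(text):
    """Lowercase, transliterate Cyrillic, and strip Latin diacritics."""
    text = "".join(CYR2ASCII.get(ch, ch) for ch in text.lower())
    # đ has no Unicode decomposition, so fold it explicitly before NFKD.
    text = unicodedata.normalize("NFKD", text.replace("đ", "dj"))
    return "".join(ch for ch in text if not unicodedata.combining(ch))

# Whole-word patterns so that "crv" (worm) does not fire on "crveni" (red).
PATTERNS = {
    label: re.compile(r"\b" + re.escape(normalize(term)) + r"\b")
    for term, label in WATCHLIST.items()
}

def match_keywords(text):
    """Return the sorted English labels of watchlist terms found in text."""
    norm = normalize(text)
    return sorted(label for label, pat in PATTERNS.items() if pat.search(norm))

if __name__ == "__main__":
    # Constructed sample posts in Cyrillic, ASCII-only Latin, and mixed script.
    samples = [
        "Нова бот мрежа и малвер",
        "socijalni inzenjering, SQL injekcija",
        "Prodaje se kreditna kartica, forum Љуска",
        "crveni auto",
    ]
    for s in samples:
        print(s, "->", match_keywords(s))
```
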
Details
Bosnia and Herzegovina (BIH, often known informally as Bosnia) is a country in Southeastern Europe located on the Balkan Peninsula. Following the dissolution of Yugoslavia, the republic proclaimed independence in 1992, which was followed by the Bosnian War, lasting until late 1995. It has a high unemployment rate of 20.5% (2017 est.), which presents a concern, as many work in the gray economy.
Bosnia and Herzegovina: Cyber Crime
Figure 2. Bosnia and Herzegovina
Bosnia and Herzegovina has Internet coverage of over 86%, which opens the way to hacking and other cybercrime-related incidents. Bosnia and Herzegovina increasingly serves as a transit point for heroin being trafficked to Western Europe. The area is also a minor transit point for marijuana and remains highly vulnerable to money-laundering activity given a primarily cash-based and unregulated economy, weak law enforcement, and instances of public corruption. These criminal acts often factor into many illicit cyber activities.
Even though Bosnia and Herzegovina lacks cyber laws, it has cooperated in numerous arrests. For example, on 12 December 2012, 31-year-old Vladimir Cicovic of Pale, Bosnia and Herzegovina, was arrested in a large international cyber operation by the Republika Srpska MUP, the US FBI, and various international police agencies. Cicovic was arrested on suspicion of being a member of a hacker group that conducted illegal withdrawals from bank accounts around the world. Cicovic allegedly stole a total of $850 million using the "Yahos" and "Butterfly" botnets.[1]
Figure 3. Political subdivisions of Bosnia and Herzegovina: Federation of Bosnia and Herzegovina, Republika Srpska, and Brcko District
On 30 June 2012, Dragan Plavsic, age 21, from Banja Luka, Bosnia and Herzegovina, was arrested. His arrest was the result of regional police agencies and the FBI jointly conducting several actions to break up various cybercrime networks. Plavsic built a botnet that had hacked thousands of computers.[2]
Hacker Groups from Bosnia and Herzegovina: DD4BC
The infamous DD4BC DDoS extortionist group had elements of Bosnian leadership.[3] On 12 January 2016, Predrag Timotic, a professor of philosophy from Banja Luka, was arrested. He presented himself to his victims as a “hacker in love” and a member of the group "DD4BC." Bosnian Republika Srpska state police officers arrested Timotic and another person on suspicion of the criminal offense of “Extortion” related to the criminal offense of “Preventing and Limiting Access to Public Computer.” Timotic is suspected of performing DDoS attacks in the Republika Srpska during 2014 and 2015 (Figure 3).[4]
United Bosnian Hackers
The United Bosnian Hackers are known DDoS hackers responsible for attacks on the region’s .gov websites during veterans’ protests.[5] This group was most active from mid-2013 to early 2014, but in August 2014 it became inactive on social networks after two members were arrested. At least 33 hacker aliases/personas were identified among United Bosnian Hackers members (Appendix A). Their group on Facebook attracted 1,970 followers.[6] United Bosnian Hackers has worked closely with Kosova Warriors Group and Croatian Revolution Hackers.
Bosnian Cyber Army
The Bosnian Cyber Army is known for exploiting vulnerabilities, DDoS, SQL injections, and defacements of government and local propaganda news websites.[7] The group was publicly active in 2014-2015.
United Bosnian Electronic Army
The United Bosnian Electronic Army was posting publicly in 2014-2015.[8]
Figure 4. United Bosnian Electronic Army showcasing its homemade malware control panel
United Bosnian Electronic Army was often seen calling itself DarkPoison, which could be a name for the whole group, or for its most important member(s). United Bosnian Electronic Army was showcasing its homemade control panels that were unique but not sophisticated (Figure 4). They explain their software both in Bosnian and in English.
Bosnian Electronic Army (BEA)
Bosnian Electronic Army (BEA) was a hacker group with public posts and defacements dating back to 2014 (Figure 5).[9]
Figure 5. Bosnian Electronic Army posts greetings to local hacker groups on a defaced website
Anonymous Bosnia
Figure 6. Anonymous Bosnia 2014 defacement
Many cyberattacks in the region of former Yugoslavia are ethnically or politically motivated, and attacks on government websites are not uncommon. For example, the site for Bosnian Special Police Units, fup.gov.ba, was attacked both in 2014 and in 2017, the last time by “Anonymous Bosnia”.[10] Most former Yugoslavia countries have a branch of Anonymous. Anonymous Bosnia is not the only Bosnian group that uses Anonymous signs and TTPs.
Neighboring Hacker Groups
Political, ethnic, and religious tensions cause hacktivists in neighboring ex-Yugoslavian countries to form groups in support of their causes. The following known hacker groups in the regions immediately outside Bosnia and Herzegovina are influenced by the Bosnian cyber underground:
- Albanian Hackers Zone,
- Albanian Cyber Army,
- Anonymous – is in each former Yugoslavia country,
- Black Hand – Serbian Hackers Group,
- Croatian Revolution Hackers,
- KHG – Kosovo Hackers Group,
- KHS – Kosovo Hackers Security,
- KWG – Kosova Warriors Group,
- SHG – Serbian Hackers Group,
- TeslaTeam – Serbian Hackers Group.
Bosnia and Herzegovina: Cyber Laws and Extradition Treaties
Bosnia and Herzegovina has not adequately progressed in the cyber security field, nor has it harmonized its legislation accordingly. It still lacks a comprehensive overall strategic approach to address the issue of cybercrime and cyber security threats.[11] Namely, just as is the case with the security management structure in Bosnia and Herzegovina, the legislation in the country reflects the complex and decentralized organization of the country. The existing state-level legislation that may be related to cyber security only scarcely and partially addresses relevant issues and has not fully implemented the provisions of the international framework it adheres to, such as the Convention on Cybercrime.[12]
Bosnia and Herzegovina does not have a state-level law on information security. The Republika Srpska has adopted the Law on Information Security (Figure 3). This is the only document on the state level that directly addresses cyber security issues, yet was used to create the Strategy for Establishment of a CERT in Bosnia and Herzegovina.[13] This plan was adopted in 2011, yet the CERT still does not exist and the Action Plan draft is still pending legal adoption due to political reasons.[14] However, the Department for Information Security within the Agency for Information Society of the Republika Srpska became operational in June 2015.
As for the possibilities in cyber education, Bosnia and Herzegovina hosts the South-East Europe Cyber Security Centre (SEECSC), a research and development unit at the American University in Bosnia and Herzegovina. The university offers cyber security education (both on a professional and academic level – through MA and PhD courses) and cooperates with security, intelligence and defense institutions in Bosnia and Herzegovina.
Wapack Labs CTAC Hits for Bosnia and Herzegovina
Wapack Labs Cyber Threat Analysis Center (CTAC) has thousands of hits indicating Bosnia and Herzegovina-related attackers and victims. As an attacker example, we searched for the Bosnian forum ljuska.org (Figure 7).
Figure 7. Ljuska.org hits in CTAC
CTAC results for Ljuska show that this domain is known to cyber threat trackers and has been shared in a list on Pastebin together with other hacker and carder forums (Figures 7 and 8).
Figure 8. Bosnian forum Ljuska in a hacking and carding list on Pastebin
On the victim side, a CTAC search for sinkhole traffic reveals over 27,000 hits for the .BA top-level domain (TLD), indicating a large number of infected computers in 2016-2017 (Figure 9).
Figure 9. Bosnian victims in CTAC sinkhole traffic
Over 1,000 hits were recorded for the .BA TLD in the keylogger collection, indicating significant credential compromise (Figure 10).
Figure 10. Bosnian victims in CTAC keylogger data
A search of Wapack Labs CTAC for government networks using subdomains of the .gov.ba domain revealed several incidents dating back to 2015-2016 (Figure 11).
Figure 11. Bosnian government network victimization data in CTAC
The above CTAC hits cover the following government agencies: Export Credit Agency (iga.gov.ba), Federal Employment Agency (fuzip.gov.ba), Ministry of Civil Affairs (mcp.gov.ba), Ministry of Foreign Affairs (mvp.gov.ba), Ministry of Justice (kpzzt.gov.ba), and Zenica Regional Government (ks.gov.ba). The use of gov.ba domains to send malware and, in another case, to receive C2 communication is of special concern (Figure 11).
Conclusion
The government of Bosnia and Herzegovina freely cooperates with the international community to fight cybercrime. The main concerns are post-civil war hacktivist groups and financially motivated hackers. After 2014, several Bosnian hacker groups on the clear web became inactive, indicating growing law enforcement pressure. This may have driven these groups underground. Wapack Labs CTAC data include concerning levels of compromise in Bosnia for 2016 to 2018. Based upon this data, the threats and vulnerabilities to our members are low.
For questions or comments regarding this report, please contact the lab directly at 603-606-1246 or feedback@wapacklabs.com
Prepared: Samir Livadic and Yury Polozov
Reviewed: B. Schenkelberg
Approved: J. Stutzman
Appendix A. United Bosnian Hackers Members
Hacker aliases of United Bosnian Hackers members:
PriNc RooT SwaBo Mr.X Haxor-Waha CYBERGIRL Ajagure
X-Anoun Kisobran NRN n0x3z Marijo Jennifer Axell
Twins Neuer LAMER RadovaN1337 moke1337 xCvl1337 _LooLa_
SwaBo1337 Kasper1337 Casper moke1337 Ace1337 Dz0n1337 antraxRTF
Foward VistA Pr3d4ToR ArRg0n deXter
Appendix B. Bosnian Hackers on Social Networks
Figure 12. Bosnian Electronic Army Facebook presence
[1] www.nezavisne.com/novosti/hronika/U-akciji-FBI-ja-uhapsen-haker-Vladimir-Cicovic/171278
[2] www.eurasiareview.com/26122012-southeast-europe-police-fight-regional-cybercrime/
[3] www.europol.europa.eu/newsroom/news/international-action-against-dd4bc-cybercriminal-group
[4] www.balkaneu.com/hacker-love-arrested/
[5] bosnian-hackers.weebly.com and united-bosnian-hackers.blogspot.is
[6] facebook.com/United.Bosnian.Hackers
[7] facebook.com/BosnianCyberArmy/
[8] facebook.com/United-Bosnian-Electronic-Army-475183789290650/
[9] facebook.com/BosnianElectronicArmy/
[10] avaz.ba/vijesti/272217/anonymous-bosnia-hakovala-web-stranica-fup-a
[11] European Commission, “Bosnia and Herzegovina 2015 Report”, page 63, available at: http://ec.europa.eu/enlargement/pdf/key_documents/2015/20151110_report_bosnia_and_herzegovina.pdf
[12] S. Barakovic and J. Barakovic Husic: “’We have Problems for Solutions’: The State of Cyber security in Bosnia and Herzegovina”, Information & Security: An International Journal, vol. 32, 2015, https://procon.bg/system/files/3205_bih_barakovic.pdf
[13] Unlike the EU practice, which looks at adopting the generic law on information security through which the operational bodies are also defined, here the strategic level document is used to establish the operational body. The document is available at: www.msb.gov.ba/docs/Strategija_za_CERT.doc.
[14] BIH-CERT is stipulated to be an expert body of an advisory and coordinating nature.