As a member of the socially responsible professional community, Black Cell would like to raise awareness on best practices to improve an organization’s overall compliance posture with a case study from Hungary on the occasion of World Data Protection Day.

On 7 November 2022. an article revealed, that the Hungarian ‘KRÉTA’ – the administration system for public education, that is mandatory in every institution used by the teachers, students, and their parents – had suffered a breach caused by a spear phishing attack on 18 September. The attackers, invoking the data they had obtained, demanded from the developer company, eKRÉTA Informatikai Zrt. to remediate the uncovered vulnerabilities of the KRÉTA system. Suspicions have been raised in the press, despite the events, the developer company had not released any information to the persons concerned nor notified the authority in a timely manner, until the attackers informed the news outletTelex about the breach. Although the case is still open and active, and some details may never be made public, it still provides some lessons on handling data security incidents and crisis communication. If it’s proven, this could be Hungary’s biggest and most serious data breach of all time. To this day the authority that is responsible for data protection – NAIH, and the police are still investigating.

Overview

The attackers, who were calling themselves the Sawarim group, claimed to have obtained data from KRÉTA’s various modules like e-diary, e-markbook and institutional administration systems. Data theft on such a scale not only would have concerned the (sensitive) personal data of students and their parents or guardian, but all employees of public education system in relation to HR or management related information. Even more serious, KRÉTA system processes pupils’ health condition, in the range of special catering requirements to disabilities or serious illness and may contain information on disadvantaged social status. Briefly, in the first month of the case, there was a risk that personal data falling under the special category of GDPR was compromised.

The press was told Sawarim group was able to deploy a RAT (remote access trojan) developed by them, which allowed the phishing email to be distributed. Trough the account of the phished project manager, who also provided support tasks, they might have taken control over a technical account which leads to us the questionable managed SoD (see below). This step allowed to compromise project management systems like Jira and Confluence, and gain access to various software management and monitoring tools for developers such as Octopus, Kibana and Azure DevOps, as well as communication platforms like Outlook and Slack. Furthermore, some source code elements of KRÉTA were stolen, which were later posted on their Telegram channel along with burdening internal conversations as an attempt to retaliate against the developer company.

Sawarim may have been ‘whistleblowers’ or ‘hacktivists’, but they did more damage than they were aspiring

While understanding the importance of such incident, one of the most important factors is the combinability of the potentially affected comprehensive datasets. As this may expose any concerned person in vulnerable psychological, financial, and social situations form any stratum of society. Possession of such information can be used for blackmailing any student or parent, however it can be used by organized crime groups to select potential victims of any kind of criminal acts from impersonating to sex crimes or even human trafficking. Secondly, the information can be used up at any stage of the concerned persons lives, even years later.

Once the case came to light Hungarian cybersecurity experts concluded that, the behavior of the attackers resembled to ‘whistleblowers’ or ‘hacktivists’. The theory is underpinned by the fact that attackers stated they keep the obtained personal data in confidence, as the goal was not to cause damage by publicizing or gain property by selling. Despite of that, the risk that the valuable database could be stolen even from the attackers before the investigating authority seizes their assets is high. By releasing the ‘claimed’ test environment’s source code on their Telegram channel and reposted by many users to the most viewed Reddit channel of Hungary the attackers undermined their stated goal of forcing a patch to the KRÉTA system. On one hand, it would give other sophisticated attackers the opportunity to dig for other technical vulnerabilities, unlike a spear phishing attack. Since the test environment is almost identical with the production one, its weaknesses could be similar, worse, or the same. In addition, the errors revealed in the published source code are available and discussed in forums of the Hungarian professional and semi-professional communities. The case is aggravated by the peculiar fact that KRÉTA was developed on the basis of the source code elements of NEPTUN – the Hungarian electronic education management systems mandatory for higher education. It processes financial data in line with student loans, income statements and aid requests, just as health records for welfare and social support applications or dormitory accommodation.

In mid-December, the Hungarian National Bureau of Investigation, Cybercrime Prevention Department conducted a search in two juveniles’ homes, a 13 and a 15-year-old, on suspicion of breaching the internal systems the of eKRÉTA Informatikai Zrt. Computer equipment and storage media, even malware was seized from the youth, but because of their age, only the 15-year-old could be suspected, meanwhile the younger alleged perpetrator may call in as a witness. According to the official statement, they might have gain limited access to the mailing system and database via stolen credentials and were able to download source code elements of e-diary (eNaplo) and other data. They presumably accessed the development company’s system at least 20 times, infecting several workstations with malware, but they did not retrieve the student’s personal data. The Authority released the youth have also been linked to several school bomb threats. These are examples for the so-called swatting, that seeks to create a threatening effect by unnecessarily deploying the forces of the authority. The 15-year-old suspect is being prosecuted on suspicion of attempted threats against a fellow student of the same age. It is worth mentioning Sawarim group denied any involvement of the 13-years-old and partially admitted the involvement of the 15-years-old being in the group or committed any of the hacking.

An example for the failure of crisis communication and what we can learn from the case

Both parties – the breached developer company and the hacktivists – have made several communication errors, even failed in their notification duty regarding the incident. Rather than going into these in detail, we set out cornerstones for proper disclosures and provide our readers with advice from compliance perspectives.

1. Compliance with Article 33 and 34 of GDPR means the obligation of communicating the personal data breach to the national authority (NAIH) and data subject. CEOs must ensure that the incident is reported to the authorities – either by themselves or through the CISO and Data Protection Officer – but under no circumstances prohibit or unduly delay managers from doing so. Even an unjustified delay of 72 hours from the time of becoming aware of the incident could result in a fine following an investigation by the Hungarian authority responsible for data protection (NAIH), based on its supervisory rights under Act CL of 2016 on the General Administrative Procedure.
2. While the investigation of the Authority is ongoing, the organizations are not required to make any further press statements. However, voluntary disclosure can help to mitigate the damage to the organization’s reputation and, by providing fair technical information, the suppliers and professional community may also take a different view of the incident. Firstly, a credible person shall be authorized to provide information to for the public, to avoid information leakage or overspilling. By publishing the incident report in full or with limited content, one can show that the vulnerability has been addressed and support the industry to prepare for similar incidents at the same time. The ISO 27001 standard family, of which a new edition was published in 2022, requires the integration of industry best practices into the information security management system. This intention can also be highlighted in corporate communications.
3. Countering targeted phishing attacks requires maintaining a high level of information security awareness. It could be achieved by practical experience gained through simulation campaigns and promoting an attitude where all users are suspicious. Given our case study as a starting point, by creating multiple layers of protection, a high-level endpoint protection and content filtering could have scanned for malicious content while download was still in progress.
4. Separation of data in our internal systems, especially in testing and production environments should be achieved by as many logical and technical means as possible. For example, the introduction of MFA (multi factor authentication) prevents attackers from gaining additional privileges from a project manager account, by horizontal movement. Systems that do not comply with secure access and password management solutions shall be rolled out. Risk arising from the combination of entitlements could be avoided by building in the least privilege principle for each work role and introducing regular account review into the access management procedure. Segregation of duties (SoD) is important for every stakeholder to prevent the systems from attacks when a privileged user account had been compromised. Due to the fact of the project manager had a privileged user account led to the high amount of data accessed by hackers such as source codes but data of prod systems. With well-defined roles and configured RBAC (groups) these kind of an unintentional insider attacks could be avoided easily.

Make sure to separate roles of the requester, approver and implementer and track, save and preserve each change in privileges in a transparent manner. Thereby, a properly designed procedure allows partial or complete shutdown of systems or accounts in response to a security event.

5. Finally, it is the organisation1s responsibility, albeit shared, to avoid malicious hacking attempts. Make sure to provide either open bug bounty program, vulnerability management, or incident and fault reporting opportunity with well-defined ticket management and SLAs. Collecting the digital forensics capabilities of your organizations’ monitoring tools and incident management systems is a good practice. It is recommended to summarize these options in steps for internal guidance as part of continuous preparation for incident response activity.

Beyond the listed core recommendations, let us demonstrate how Microsoft Purview lets you explore the organization’s data and track its flows, filtering out risky user activity. The solution also supports building technical settings and compliance measures in cloud infrastructure that may be required by industry standards and regulations specific to your organization.

Works Cited

1. Bolcsó, Dániel (2022). A fejlesztőcég megpróbálta elhallgatni a KRÉTA feltörését. telex. Source.
2. Bolcsó, Dániel (2022). Feltörhették a KRÉTA-t, a diákok adatai is kiszivároghattak. telex. Source.
3. Bolcsó, Dániel (2022). KRÉTA-ügy: Aggasztó a kiszivárgott forráskód, de arra utal, hogy a hekkerek nem mindenhez fértek hozzá, telex. Source.
4. Hack és Lángos podcast, broadcast 253.
5. Készenléti Rendőrség Nemzeti Nyomozó Iroda, Azonosított hackerek, 2022. Source.
6. Módly, Márk (2022). Mit tanulhatunk a KRÉTA feltöréséből? Source.