1. Skip to content
  2. Skip to main menu
  3. Skip to more DW sites
ConflictsBulgaria

Bulgarian cyberattack: Sabotage as a cover for spying?

Christopher Nehring
October 19, 2022

The Russian hacker group Killnet has attacked various Bulgarian government websites. Some experts believe hackers were looking to steal data from Bulgaria — a member of both the EU and NATO.

Screenshot of Killnet's October 16, 2022 Telegram post
Killnet had a special message for Bulgaria's top law enforcement agent: 'GO F*CK YOURSELF Bulgarian Chief Prosecutor — Ivan Geshev' Image: Telegram

It started on Saturday, October 15, 2022: First the homepage of Bulgaria's President Rumen Radev was unavailable. Then the websites of numerous Bulgarian ministries crashed.

Bulgarian administrations later announced that one single attack had been responsible for the breakdowns, adding that the issues had been resolved just hours later.

The next day, Russian hacker group Killnet claimed responsibility for the attack with an announcement on its Telegram page — emblazoned with a rather personal message directed at Bulgarian Chief Prosecutor Ivan Geshev: "GO F*CK YOURSELF."

Just last week, the Russian government and intelligence services sought to draw a link between the October 8 explosion that destroyed the Kerch Strait Bridge — which connects Russia and Crimea — to EU and NATO member state Bulgaria.

The move was quickly shown to be a blatant propaganda exercise. Now, with Saturday's cyberattack, it appears that Moscow is escalating yet again.

Russia sought to pin at least partial blame for the explosion that destroyed the Kerch Strait on BulgariaImage: Moya Feodosiya/Tass/IMAGO

Who is Killnet?

"Killnet is an extremely aggressive group of hackers with ties to Russia's FSB intelligence services," explained Ruslan Trad, a security expert with the Atlantic Council, to DW.

The group was formed directly after Russia's February 24 invasion of Ukraine and is currently fighting a self-declared "war" against governments that support Kyiv.

"Their specialties are so-called DoS [denial of service] and DDoS [distributed denial of service] attacks," said Trad: "Cyberattacks that flood systems and websites with requests until they are overwhelmed and crash," he explained.

Killnet has launched similar attacks against the US, Norway, Lithuania and a number of other countries.

These types of attacks are traditionally used as a way "to demonstrate power, spread fear — or for blackmail," according to Trad.

"But in this instance, I am convinced that it is about something more," he added. "The way I see it, the attack hasn't stopped — this isn't about blocking government websites, but rather about getting into IT systems in order to access data."

Maning that the Killnet attack on Bulgaria could well be an attempt at cyber espionage — hidden behind the veil of sabotage.

What is cyber warfare?

03:41

This browser does not support the video element.

Was NATO the real target?

Within hours of the attack, the Bulgarian attorney general's office and Ministry of Defense declared that no data had been stolen. "But it's still far too soon to be able to make such a definitive statement," Trad said.

"As a NATO and EU member state, Bulgaria is connected to shared systems for exchanging information," he added. In addition, it is a well-known fact in the hacker scene that Bulgaria's IT systems are highly vulnerable, he pointed out. "In my opinion, Russia is currently seeking to break into NATO systems via Bulgaria."

Moscow, it seems, is willing to go to great lengths to attain information relevant to its war in Ukraine.

But why is Russia so intent on piling pressure on Bulgaria? One reason might be the fact that the country's October 2 elections may have finally delivered a parliamentary majority that favors supplying heavy weapons to Ukraine.

A legislative motion to that end is expected to be presented in parliament some time in the next two weeks. Bulgarian President Rumen Radev and the caretaker government that he appointed in August strictly opposed sending arms to Ukraine.

Though a NATO member, Bulgaria has resisted sending heavy weapons to Ukraine — here, US Secretary of Defense Lloyd Austin visits US troops stationed in BulgariaImage: Robert Burns/AP/dpa/picture alliance

Sofia hesitant to point fingers at Moscow

The day after the cyberattack, interim Defense Minister Dimitar Stoyanov, previously Radev's secretary general, voiced clear opposition to Ukrainian requests for arms. His reason: Bulgaria simply does not have "extra weapons" to give to Ukraine. The next day Radev himself vehemently rejected Kyiv's request.

This is not the first time Bulgaria's caretaker government has reacted tepidly to Russian aggression or its attempts at interference. Last week, Sofia declined to clearly denounce the Kremlin's Kerch Bridge accusations.

The same is happening again with Saturday's cyberattack: Attorney General Geshev went no further than to say that the attack had been launched from the Russian city of Magnitogorsk in the Urals — avoiding any allocation of responsibility or judgment over guilt.

On Sunday, Borislav Sarafov, who heads the body responsible for investigating the cyberattack, said that its author had been identified and was based in Russia. He, too, avoided addressing accusations of blame toward the Russian government.

This article was translated from German by Jon Shelton.

Skip next section Explore more

Explore more

Skip next section DW's Top Story

DW's Top Story

Skip next section More stories from DW