Ransomware hacking group Qilin, which at the end of December took responsibility for a cyberattack on Serbia's sole electricity provider, is offering the free download of hundreds of thousands of documents allegedly taken from the state-owned company.
Qilin said it was offering more than 34 gigabytes of Elektroprivreda Srbije (EPS) data on the dark web now and a second tranche will be available on January 27.
The group did not explain further in its short blog post on January 18, but in a ransomware cyberattack, hackers threaten to release stolen data to the public if the entity that was attacked does not pay the ransom.
EPS, wholly owned by the government of Serbia, is the only electric company in the country. It also handles all distribution and trading.
Qilin uses malicious software to infect information systems and block the owners of the data stored on the systems from accessing it. Victims are then told they must pay a ransom to get access to their data. Various online sources say the group typically targets the systems of critical infrastructure, such as energy, traffic, health care, and telecommunications.
Qilin’s blog post included about 20 documents, mostly contracts, invoices, and screenshots of employees' folders.
RFE/RL cannot confirm the authenticity of these documents or of the documents that the group says it is offering for download on the dark web. Users must use the notoriously difficult-to-use Tor browser to download them, and the site where Qilin says the documents are available has been overloaded.
The public first learned that EPS was hacked on December 18 when the company announced it was recovering from an "unprecedented cryptotype cyberattack." The public was reassured at the time that its systems and data were safe.
But since then the public has received no information about when the attack started, whether it has ended, or which parts of the system were targeted, and no explanation of how the incident happened.
EPS and the Serbian government did not respond to RFE/RL's request about the documents that Qilin says it is offering. Questions sent to the Office for High-Tech Crime, which is leading the investigation into the cyberattack, also went unanswered.
"We will not make statements during the evidence-gathering stage in this case until the moment when publishing will not affect or jeopardize our further proceedings," the office said in a written response to RFE/RL.
Ivan Markovic, a cybersecurity expert and contributor to the Bezbedan Balkan blog, which tracks cyber-incidents, says the silence from EPS and the government speaks to the seriousness of the problem.
"Our institutions are not ready to face such attacks, and as a rule they try to cover up every incident," he told RFE/RL, adding that technical details can be omitted from public announcements if their release would endanger the system.
Details about plans to restore the system, what kind of data was put at risk, and how much information has fallen into the wrong hands can affect everyone's security and should be shared with citizens, he said.
He also said that it is not necessarily the case that all documents possessed by the malicious party are available for download, and whether a ransom was paid is irrelevant.
"What we are sure of and what is important is that the EPS data is in the possession of a third party," which, he said, follows the usual pattern of such cyber-incidents.