The country’s central public institutions declare to Faktoje that there is no IT specialist in their structure. This service is focused on the institution of AKSHI, which during the last 12 years has spent at least 186 million euros on tenders that should ensure the protection of the personal data of the citizens of the Albanian state. The cyber expert Besmir Semanaj, asked by Faktoje about AKSHI report on the July 15-16 cyber attack, states that there is no explanation of how infiltration into AKSHI infrastructure happened. Faktoje sent an information request to AKSHI asking how was the transition from administrata.al SharePoint server to AKSHI’s network/system was possible in technical terms. However, until the time of the publication of this article, there is no answer from this institution. Meanwhile, on November 30, the Prosecutor’s Office of Tirana requested house arrest for five IT employees of the Public Administration Department under the charge of abuse of office.

Patris Pustina 

On October 3, 2022, the hacker group responsible for the July 2022 cyber attack, Homeland Justice, published on Telegram a list of names, photos, and personal information of a number of Albanian citizens. According to rumors, the file named “Suspects” contained data on police suspects and was specifically leaked from MEMEX, the Police’s internal system.

On October 3, when asked about the source of these data, Interior Minister Bledi Çuçi explained that the matter was still under investigation and he did not have a concrete answer. More than three weeks later, on October 27, the Minister repeated the same excuse before the Parliamentary Committee on National Security: “It is an issue that concerns us all, but I have postponed it myself because I am waiting from day to day for the report of experts from the FBI and Microsoft, both teams are working closely and the report is expected to come out any day.”

Thus, almost two months after the data leak from Homeland Justice, there is still no official version of how the event happened. By comparison, after the July 15, 2022 attack that knocked out government websites and online services for citizens, the cybersecurity firm Mandiant published a detailed report on the event on August 4, less than 3 weeks later.

On November 30, 2022, the Prosecutor’s Office of Tirana requested house arrest for five IT employees under the charge of abuse of office “for the cyber attack against the state institution of AKSHI, which maintains all the official government websites in the Republic of Albania.” It is about the cyber attack of July 2022. The prosecutor’s office claims that the five IT specialists in the Department of Public (DPA) Administration should have requested a report from the economic operator contracted by the DPA for the maintenance of administrata.al system regarding the state of this system. If they had requested this report, “then the virus that first entered administrata.al would have been discovered in their systems so that it could be neutralized without affecting AKSHI system.”

In this report of the Prosecutor’s Office, therefore, it is accepted that the AKSHI system was affected in the incident of July 15, where administrata.al server was an entry point.

In AKSHI report on the July 15-16 cyber attack, a report referred to by cyber security expert Besmir Semanaj as rather political than technical, it is emphasized that the infiltration was made possible by exploiting the vulnerabilities of administrata.al system. “This system, procured with IPA funds, has not been implemented, managed or followed by AKSHI, but has only been physically hosted by the Government Datacenter,” the report states.

However, this report, although claiming to represent  “a detailed analysis”, does not include an explanation of how the infiltration of AKSHI infrastructure was achieved.

Speaking to Faktoje.al, cyber security expert Besmir Semanaj said that if administrata.al SharePoint server was not managed by AKSHI, then this server should have been isolated. If the security policies had been properly updated, then the transition from administrata.al server to AKSHI infrastructure should not have been possible.

“Faktoje” sent a request for information to AKSHI to ask how was the transition, in technical terms, possible from the SharePoint administrata.al server to AKSHI’s network/system. At the time of publishing this article, there is still no response from this institution.

The legal framework

In an effort to better understand the data storage structures of Albanian citizens and the cyber security of institutional information systems, Faktoje sent information requests to the Ministries of the Albanian government. Specifically, we asked whether each Ministry had an IT (information technology) directorate in its organigram, and what investments were made by each Ministry in the field of cyber security in a 5-year period.

The questions that “Faktoje” sent to 11 Ministries

Only 7 out of 11 Ministers responded to requests for information from “Faktoje”. With the exception of the Ministry of Defense, all the institutions that responded affirmed that they did not have an IT directorate in their organigram, referring to the Decision of the Council of Ministers no. 673, dated 22.11.2017, ” On the reorganization of the National Agency of the Information Society “, as amended.

The response of the Ministry of the Interior to the request for information sent by Faktoje

The response of the Ministry of Culture to the request for information sent by Faktoje

The response of the Ministry of Justice to the request for information sent by Faktoje

Based on this decision, the responsible ICT structures have been absorbed by the AKSHI, which is also responsible for investments in security. AKSHI provides centralized ICT services for institutions and state administration bodies under the responsibility of the Council of Ministers.

Provision 5.1, point “i” provides that AKSHI “is responsible for the establishment, maintenance, and administration of information and communication technology systems and applications, for centralized infrastructure and ICT infrastructure, for state administration institutions and bodies under the responsibility of the Council of Ministers .”

So, state institutions that access and administer data do not have local directorates of information technology or cyber security.

Funding

AKSHI report on the July attack, though claimed to be a technical analysis, echoes Microsoft’s finding that the attack was coordinated by Iran’s Revolutionary Guards. “The latter’s budget is half of Albania’s GDP (EUR 7 billion, out of EUR 14.4 billion, which is Albania’s GDP for 2021),” the report states. The only reason this detail would be included in a technical report on a cyber attack is to justify the Agency’s inability to deal with an attack sponsored by such a well-funded entity.

It is worth applying the same logic to the accusation of the Prosecutor’s Office of Tirana, which claims that, in the event that five IT employees of the Public Administration Department “would have acted in accordance with the orders of the Information Security Regulation no. 337/1 prot., dated 17.01.2022, and the Internal Regulation of AKSHI by requesting information and updating with the latest antiviruses of the system, then the virus that first entered administrata.al and it could be neutralized without affecting AKSHI system.”

Meanwhile, according to the Public Procurement Agency, in the last 12 years, AKSHI has spent from 186 to 234 million euros on tenders.

Thus, the VKM of 2017 has centralized the ICT services of the state administration and vested the AKSHI with the responsibility to maintain and administer them. In accordance with this responsibility, millions of euros have been made available to the Agency from public funds, which AKSHI has not hesitated to use.

So, as provided by law, and as reflected by the expenses incurred by this Agency, AKSHI is the institution responsible for the maintenance of public administration systems.

Punishment or reflection

Identifying who is responsible for the security failure that made the July cyberattack possible is important beyond punishment. Expert Semanaj says that the nonrecognition of guilt by public institutions makes it impossible to reflect on security failures. At this moment, although the personal data of all Albanian citizens have ceased to be personal, there is still no official notification for all the victims of this attack regarding which of their data have been leaked or an official instruction to inform citizens about the measures they should take to protect themselves in this situation. Moreover, institutional reluctance to admit failure has prevented the organization of a coordinated institutional response to this attack.