Prosecutor’s Office: The hacker Kristian did “Bivol search”
He collected the details of numerous individuals, including Peevski, in a folder
Monitor News Agency, Sofia
The alleged perpetrator indicted for the cyberattack on the National Revenue Agency (NRA), 20-year-old Kristian Boykov, had obtained the entire database stolen from the information system of the tax agency before part of it was released online. He searched for information about various people by Personal Identification Code, collecting it in separate folders. One in particular, entitled “Bivol search”, contained the details of numerous public figures, including lawmaker and Telegraph Media publisher Delyan Peevski.
This was revealed in a statement by the Prosecutor’s Office. What stands out is the fact that the folder name uses the same word as the name of the so-called investigative website Bivol, which has ties to the Kremlin and an obsession with Peevski.
One office and two personal laptops were seized during the arrest of Boykov and the ensuing raids of his employing company’s offices. The information in all three was encrypted, while Boykov and his employers refused to voluntarily grant access to it. Recently, however, Deputy Prosecutor General Ivan Geshev announced in an interview for the Bulgarian National Television that one of the computers has been unlocked. The Prosecutor’s Office’s statement also revealed that the efforts to decrypt the texts on it are ongoing but that it has been established that all of the 106 databases stolen from the NRA system are on the computer and not just the 57 that were leaked to select media outlets.
“Kristian Boykov entered different searches in the NRA database by Personal Identification Code and changed the original date of the files to 10.11.1989, which matches that of the files released online. It has been ascertained that between 10 July 2019 and 12 July 2019 – three days before the NRA database was leaked to the internet, the office laptop of Kristian Boykov was used to search that database by the Personal Identification Codes of several people: Prime Minister Boyko Borissov, Prosecutor General Sotir Tsatsarov and MP Delyan Peevski,” the statement notes. Immediately prior to that, the details of two other people were searched using the same method but they remain unnamed in the statement. “A search was entered about the law firm Aviora Consult and MEP Emil Radev, after which the results were shared with other users.”
“The folder on Boykov’s office laptop contains a file with the name ‘math for homework’ created on 11 July 2019, which has the unique names of 106 databases and many of their tables, matching those of the 57 NRA databases released online. This indicates that Boykov has the entire database stolen from the NRA system and not just the part published online. In the first e-mail sent to several media outlets on 15 July 2019 an individual who identified himself as a ‘Russian hacker’ claimed that he had uploaded just a portion of the NRA database and that he was in possession of the rest of it, which would be released at a later point in time. Another folder on Boykov’s laptop contains a file entitled ‘counting for homework’ created on 11 July 2019, which has uniquely named databases identical to those of the NRA system, numerous unique names of tables from these databases, as well as the number of entries in each of the tables. It has been established that a user of Boykov’s office laptop entered commands to change the dates of creation of the original files in the NRA database to 10.11.1989, as those of the manipulated files that were released online. Files containing databases with the details of clients of private companies were discovered during the decryption process,” the statement also reads.
The Prosecutor’s Office notes that further investigative actions will be taken that could lead to criminal indictments of other individuals.
The attack on NRA is political
“One of the encrypted computers has been hacked, it contains data base of the National Revenue Agency (NRA). Data searches were registered for Boyko Borissov, Delyan Peevski, Sotir Tsatsarov. In brief, initially the probe was focused on an already known person, Kristian. Currently it is clear that this suspect is only a tool in someone’s hands, a weapon of attack. The main lead on which the investigation is working now is that the company he is working for is engaged in something like cyber racket – they hit firms, trade companies, state institutions aiming to break their computer information security and later make them their customers. Whether this is the whole company, parts of it or some of the top managers is to be established. This is the main lead we are currently working on,” said Deputy Prosecutor General Ivan Geshev for the morning block of the Bulgarian National TV.
“In my opinion, in recent years the term ‘cyber terrorism’ has been coined and become popular. One of the definitions is the use of computer programmes and information systems for hacking certain data bases in order to achieve certain political goals, to cause severe psychological disruption and fear within the society and change its attitudes. This is also a subject of the investigation and one of the leads in our work,” Geshev said and added that this is a highly probable activity.
He also drew attention to the political reaction of Yes, Bulgaria. “The computers that have been confiscated from this person are cryptic. They are equipped with copy protected software. Experts maintain that they may be decrypted within a decade only if modern super computers are used. Thanks to the efforts of the Bulgarian experts and officers of the relevant services one of the office computers was opened within ten days. What we know is a one-millionth fraction of data it contains, but this is shocking. It is not by accident that owners and reps of this company could not provide keys for opening these computers, for their decrypting. If nothing worries you, if you are innocent why wouldn’t you provide this information? They don’t give it out because they know what is inside. Inside there is information about unauthorised access to 106 data bases, 57 of them have become public,” Geshev said further.
“Data search was done with the identification number of the Prime Minister in the data base of NRA, of lawmaker Delyan Peevski, of the Prosecutor General and MEP Radev,” Geshev added. According to him, the hacker attack on NRA coincided with overexposure of the case in certain media connected with the indicted oligarch Ivo Prokopiev and leader of Yes, Bulgaria Hristo Ivanov.