Five (plus one) notable cyber attacks in Greece during 2023

Advanced Persistent Threats (APTs), cybercriminals and hacktivists conducted a plethora of cyber attacks, including ransomware and DDoS attacks, creating an interesting threat landscape for Greece throughout 2023. As was done for 2022, below you will find a report of five (plus one this year!) notable cyber attacks in Greece, with information derived from publicly accessible reports and OSINT sources.

Table of Contents

  • Greek national high school exams site DDoS attack
  • Papaki.gr cyber attack
  • TurkHackTeam DDoS attacks
  • APT29 attacks Embassies in Greece
  • Zimbra zero-day attack on Greek government agency
  • Anonymous Collective DDoS attacks
  • Further interesting facts
    • Hellenic Federation of Enterprises (SEV) statistics
    • National Cyber Security Index (NCSI) Score
    • National Cyber Security Agency
    • National Intelligence Service (NIS) Annual Report
  • Closing remarks

Greek national high school exams site DDoS attack

Candidates sitting the final high school exams in Greece were greeted with an unpleasant surprise: on the first two days of the exams, the exam subjects distribution website was inaccessible due to a cyber attack.

Given the very recent national elections, the cyber attack gained a lot of attention and controversy, to the point where it was argued that this DDoS attack might not have been an actual cyber attack, but just a failure caused by high demand for resources. In light of this, I have prepared a detailed OSINT analysis of the Greek school exams site DDoS attack, proving that this attack did indeed take place. Another issue raised, and analyzed in my blog, is whether the attribution by Greek authorities to Killnet is valid; ultimately, there is no hard evidence that the notorious group was involved.

Papaki.gr cyber attack

Papaki.gr, a prominent Greek domain registrar of over 350.000 domains and member of the team.blue brands, announced on July 27th that unauthorized access to their systems had been identified. While details of the cyber attack haven’t been released, Papaki stated that most probably two clients were affected; be that as it may, all clients should consider the following information compromised:

  • Credentials and information including phone numbers, addresses and other PII of clients.
  • Billing information (Invoices etc).
  • Domain information (Administrator’s, owner’s information etc).
  • Other options available to domain administrators (Domain settings etc).

No further information has been uncovered about the TTPs or the Threat Actors (TAs) behind this attack, but it gained a place in this blog due to its potential impact.

TurkHackTeam DDoS attacks

On the occasion of Turkey’s Victory Day, on August 30th, TurkHackTeam announced that it would be conducting cyber attacks for several days, hitting critical infrastructure in Greece. The following websites were announced as targets on their Telegram channel.

TurkHackTeam announcing cyber attacks towards Greece.

Announcement of successful attacks.

| August 30th | September 1st | September 3rd |
|---|---|---|
| Ioannina University | National and Kapodistrian University of Athens | Municipality of Thessaloniki |
| Greek Ministry of National Defense | Aristotle University of Thessaloniki | Municipality of Larisa |
| Greek Navy | University of Crete | Municipality of Komotini |
| Greek Natural Gas Company | University of Patras | Thasos Municipality |
| Greek Airlines SkyExpress | University of Thessaloniki Macedonia | Municipality of Trikala |
| Popular Telecom Internet Provider | University of West Macedonia in Greece | Metropolitan Hospital |
| | International University of Greece | Mediterraneo Hospital |
| | Greek University American College | Papageorgiou Hospital |
| | Crete Institute of Technological Education | Venizeleio-Pananeio General Hospital |
| | Mediterranean University of Greece | Euromedica Hospital |

DDoS attack between August 30th and September 3rd.

Interestingly, on their last day of attacks, their message included “Our attacks will be on the oppressor’s”, indicating a political motive for their attacks.

Further attacks took place after September 3rd, although at a far lower intensity, and ended on September 13th. They included an e-shop database dump, further disruption attacks and, surprisingly, the exposure of some CCTV cameras.

Exposed CCTV Cameras announced by TurkHackTeam.

APT29 attacks Embassies in Greece

On November 14th, the National Cyber Security Coordination Center (NCSCC) of Ukraine released a report indicating that embassies situated in Greece had been targeted by APT29. APT29 is affiliated with Russia’s Foreign Intelligence Service (SVR).

NCSCC maintains that this attack had political motives, as APT29 might have tried to gather intelligence concerning Azerbaijan’s strategic activities. It’s noteworthy that all the countries targeted, Italy, Romania and Greece, maintain significant political and economic ties with Azerbaijan.

APT29 leveraged a newly discovered vulnerability in WinRAR, identified as CVE-2023-38831, to facilitate their intrusion.

Last, but not least, apart from the embassies in Greece, the prominent ISP Cosmote (OTENET) was also targeted within the same campaign.

Zimbra zero-day attack on Greek government agency

In June 2023, Google’s Threat Analysis Group (TAG) discovered an in-the-wild 0-day exploit targeting Zimbra Collaboration, now patched as CVE-2023-37580. The initial in-the-wild discovery of the 0-day vulnerability was a campaign targeting a government organization in Greece.

TAG doesn’t name which government organization was targeted, and no attribution has been made as to which TA was behind the attack. OSINT information from Shodan suggests that a lot of organizations in Greece use Zimbra, including government bodies. Hence, it is difficult to narrow down the results and guess which organization might have been affected. While there is little to no information about this attack, it deserves a place here given its complexity and sophistication.

Zimbra Email Servers in Greece, publicly accessible information by SHODAN.

Anonymous Collective DDoS attacks

On December 7th, Anonymous Collective announced they would be targeting Greek Government entities as well as companies, banks and others, following Greece’s support of Israel in its war with Palestine.

Anonymous Collective announcing OpGreece.

The politically driven attacks of Anonymous led to the disruption of prominent companies from the public and private sectors:

  • ose.gr, Hellenic Railway Organization, the Greek national railway company which owns, maintains and operates all railway infrastructure in Greece.
  • elta.gr, The Hellenic Post S.A., the state-owned provider of postal services (also, ransomed in 2022 by Vice Society).
  • depa.gr, Public Gas Corporation of Greece, the natural gas supply company of Greece.
  • coralacademy.gr, SHELL’s retail training platform.
  • elin.gr, ELINOIL, one of the most dynamic energy groups in Greece, with a nationwide network of 580 petrol stations.

Interestingly, Anonymous Collective made two false statements that can easily be debunked. The first refers to the Hellenic Railway Organization website, which was stated to have been down for over 14 hours (pic. 3). However, the website was accessible from Greece far earlier, so geofencing protection was probably put in place a few hours after the attack.

The second, referred to SHELL’s retail training platform.

There is 2 login pages that shell stations use to order gas or petrol.

Anonymous Collective

This statement is also false: both websites that were taken down are used for training purposes.

https://rea.coralacademy.gr/

Further interesting facts

Hellenic Federation of Enterprises (SEV) statistics

The Hellenic Federation of Enterprises (SEV) provided interesting statistics with regard to Greek small and medium businesses (SMBs). They stated that:

  • 40% of the SMBs strategically focus on digital transformation.
  • 4 out of 10 SMBs that have suffered a data leak terminated their operations.
  • 57% of SMBs that suffered a cyber attack raised their prices to address the restoration costs.
  • 6,9% of Greek businesses (vs 25,5% in the EU) reviewed their strategy and digital security policies during the last 12 months.

National Cyber Security Index (NCSI) Score

Greece holds 7th place in the National Cyber Security Index (NCSI). However, there is room for improvement with regard to community, as it has 0 points in both “Operational support of volunteers in cyber crises” and “Public cyber threat reports are published annually”.

National Cyber Security Authority

Following the undeniable rise in cyber attacks in Greece over the past years, the Greek Government will soon proceed to create the National Cyber Security Authority, as part of the Ministry of Digital Governance. The legislative discussion about the Authority is taking place as this blog is written.

National Intelligence Service (NIS) Annual Report

For the first time, the National Intelligence Service (NIS) has published an annual report including information about Cybersecurity and New Technologies.

Closing remarks

The ENISA Threat Landscape 2023 report indicates that the most prevalent threats are ransomware and DDoS attacks. The fact that no ransomware attack is mentioned here doesn’t mean that no prominent ransomware attacks took place. Amongst the 2023 victims were Byte Computer, a 30-year-old ICT integrator which was ransomed by Lockbit; Neptune Lines, a carrier of 21 vessels ransomed by Vice Society (a TA already familiar to Greece); and the University of Aegean, which was ransomed by Lockbit. Also, Greece’s state property company, ETAD, was hit by ransomware, but no information has been disclosed.

The Greek threat landscape had it all in 2023. The publicly accessible information presented in this blog indicates a shift towards disruption and espionage, demonstrating that Greece has become a prominent target for politically and ideologically motivated hacktivists and state-sponsored threat groups. The Greek state’s decision to develop a National Cyber Security Authority is a significant move that gives reason for optimism about the future of our country’s cyber resilience. However, more needs to be done, including nurturing a community to share, discuss and develop intelligence.

Happy new year!
