Cyberint, Florin Cosmoiu: We are at war!



Floriana Jucan: Beginning with 2008, SRI has been designated national authority in the field of Cyber Intelligence, by a decision of the Supreme Council of National Defense.

Florin Cosmoiu: Our institutions cyber security concerns have existed before, but from this date efforts to increase capabilities in the area have intensified. The objective is to ensure the protection of national interest cyber infrastructure and to identify cyber assaults that can be held against them. In this sense, Cyberint acts with means that aim at collecting information, but also with technical measures.

Speaking about infrastructure protection and about aggressions, which are the latest attacks coming from outside?

F.C : We are investigating several attacks, which we categorize based on their motivation. Firstly, we identify attacks originating from state actors because these aim strategic cyber infrastructures, especially those held by Romanian state institutions. Another type of attacks are those carried out by criminal organizations, but these are mainly investigated by other institutions. Another typology of attacks are the extremist-terrorist.

Gabriel Mazilu: It is obvious that in a globalized and interconnected world, Romania faces the same threats as the states and alliances to which we belong. Romania is not a collateral target, but a target precisely targeted, and their motivation is the information seepage from cyber infrastructures. Criminal actors want to obtain criminal and financial benefits, and the groups rely increasingly more on cross-border character. Extremist groups have a propagandist reason but their level of technology is relatively low and does not consistently affect the national security of the Romanian state. Instead, these phenomena have a worrying characteristic: are very dynamic and can be radicalized, can reach a large number of people or access, under certain conditions, high technologies as long as they are available on the black market, for charge.

Which are the most dangerous attacks?

F.C : We are targeted by the same players that targets the UE and NATO member countries. As long as we share the same values, we share the same threats. Aggressors have technological capabilities and different resources used to carry out cyber attacks. If we talk about state actors, they have the necessary resources to conduct some of the most sophisticated cyber attacks, but also the necessary time for studying targets and organizing infiltrating campaigns in the computer systems of interest. At the opposite pole are extremist and terrorist groups that have a low technological level, scrolling – usually – cyber attacks that do not seriously affect the infrastructure attacked, but can create image damages. Undoubtedly, the most dangerous attacks are carried out by state actors, those having the greatest impact on national security, especially through the targeted areas, namely the strategic ones.



In cyberwar have been reported cases in which friendly countries such as Israel, France, the United States spied on each other. So should we be afraid of everyone, whether we are part of the same alliance or are our enemies, regardless of the values and strategic objectives?

F.C.: When we talk about cyber attacks precise allocation, the competition is still open. Technology evolves and makes more possible and more probable the threat. In turn, the attackers become more performant, whether for friends or enemies of the Romanian state, but we also become better investigators. We also record a mix, actors actions mélange, state and non state actors, that’s why we haven’t mentioned them randomly.

State actors always don’t want to be identified, have many available people, have resources and strategic objectives. In these terms, they are investing heavily in anonymization. They plant some evidence that can lead to someone else, conceals the origin, making more difficult the task of an investigator. Therefore, I do not think there are information services that can certainly attribute a cyber attack today. Romania is in the top 10 in terms of source of criminal attacks, cyber attacks, but these charts have apparent origins. Romania is the penultimate point of the attack, the point that anonymizes the identity and location of the attack. So, security and defense should be standing in front of everyone.


Do cyber attackers have a specific label to be identified for? For instance, criminals who target nuclear or radioactive objectives can be recognized by their handprints….

G.M : There are certain elements that can lead to a probability coefficient for an identity, but the actual determination is a goal. The award is made currently with some degree of certainty and also uncertainty.

Romania is in the top 10 in terms of source of criminal attacks, cyber attacks, but these charts have apparent origins. Our country is the penultimate point of attack which anonymizes the identity and location of the attack. Florin Cosmoiu

How is possibile for us to be at such an advanced technological level and to let groups such as ISIS to have such propaganda on the internet and attack sites, such as the TV5 television?

F.C :  It is impossible to prevent propaganda because one of the main features of the Internet is to ensure freedom of expression. It can not be deleted and can not prevented the information dissemination. But the success of the attacks can be explained mainly by the very low level of cyber security that infrastructures have targeted.

2015 was the year with the greatest number of ideologically motivated cyber attacks, defacement type, developed by hackers or groups of hackers from among Islamist ideologies supporters, radical-islamist or coming from areas with predominantly Muslim religion. Such attacks have followed to affect the availability and integrity, by altering the content of the attacked web pages, in order to promote different forms, propaganda messages and images, cyber graffiti.

However, I would point out that Romania has never, until now, the target of cyber attacks conducted by ISIS or other terrorist groups. Moreover, SRI can’t confirm that in TV5 case would have been ISIS.



Have you encountered with economic espionage? Are companies in Romania which have been the subject of an attack?

G.M .: There have been at least intentions of attacking private companies infrastructurea or companies owned by the state, but the responsibility to ensure their protection lies to the owners. The romanian state, through the institutions in this field, launched a number awareness actions for risks and threats that targets those infrastructures, companies, but unfortunately ,does not have other available tools.  Romanian Intelligence Service does not secure the infrastructures of other institutions, but only the information that pertains to its strict legal activity. One of the objectives checked by rapid adoption of the Law cybersecurity is to draw attention to critical infrastructure state owners which must protect in order not to expose them to risks that affect the entire population and our national security.

„APT 28” operations digits

1,7 million IPs vulnerable in Ukraine

4.666 in Rusia

1.287 in România

1.272 in Bulgaria

150 in SUA

149 in Canada

2 in Italy


Do you find a certain amount of naivety at businessmen, bankers, for example, regarding the security? Or we meet it also among  administration deciders?

FC: The level of security culture in Romania is not very high, but there are concerns for lifting it both among decision makers from various institutions and companies, as well as across a wider sector of the population such as education, including learners and students. We aim to introduce courses in secondary cycles about risks at which learners are undergoing so that they can protect themselves when accessing the Internet environment. I had a few initiatives at high schools and universities, in addition awareness actions, we want to create specialists in cyber security. There are a number of master classes in several universities, but it is an area where we still have to act and convince. Being a relatively new, it takes time to be assimilated, to capitalize on the opportunities it offers, especially to understand the threats and their forms.



There have been some cases when attackers have penatrated the private e-mails of officials such as Collin Powell, Hillary Clinton, NASA, George Maior etc. How was it possible for a Romanian hacker, Robert Butkya (Iceman), with only 9 grades, to penetrate these electronical systems?

F.C.: If we look strictly at the sense, a hacker means, above all, to have passion for technology and to develop yourself technology tools that will be used later in the course of the attack. In the case raised by you, it is not a person who has developed such applications, so it does not require technical knowledge accumulated during some training processes. One person even with 9 grades can penetrate a computer system, especially if it presents vulnerabilities, using for this purpose the existing and custom applications downloaded from the Internet. Moreover, the use of malware can be easily learned, having access to various sites and hacking forums, and practiced by testing various systems vulnerabilities.

High Court of Cassation and Justice granted

the request for extradition of Marcel Lazar Lehel,hacker,

alias Guccifer in the United States.

GM.: United States have not yet introduced a legislation that can oblige infrastructure holders to implement cybersecurity measures, but always in the implementation of such measures exist also vulnerabilities. When you want to protect infrastructure, a risk analysis is required, estimation of potential losses that may occur, to quantify eventually in money and, according to them, to make an investment in security that will lead to a balance between what you invest and what you can lose. When implementing mistakes occur, generated by human factors, there are vulnerabilities in the software that can be foud on the open market. Cyber security is dynamic and it is difficult to say at some point you have reached perfection.



We could say, for instance, that the most reliable information on the support of SRI are the old ones?

F.C .: No. In the digital age, the information is usually in digital form. I do not think we need to stay anchored in such a mentality, which may originate – in essence – from people fears to use cyberspace. We live in the digital age, and sociological norms require us to adapt in order not to become ineffective. The information in digital format are also safe,  if we implement and respect clear rules and cyber security policy … and the Romanian Intelligence Service does it successfully.

We have an exceptional human factor, even if we are technologically behind other states. This was why Romania has become the leader nation in the Trust Fund, which coordinates the group of countries to improve cyber security of Ukraine. At what stage is this mission that we have received from the Alliance?

G.M.: Romania, through SRI, signed a memorandum of understanding cyber security with NATO since 2011, and since then, it has been a very active actor in this field, in the relationship with the Alliance. I attended a consistent contribution in a series of projects of NATO and here I recall the Cybercoalition exercises that take place each year at NATO, Romania being a member of the Steering Committee of those exercises and being also the nation that has involved a lot in setting up the infrastructure that carries these exercises.

Ambassador Sorin Ducaru, Assistant Secretary General for Emerging Security Challenges at NATO,  tells Q Magazine readers, a few pages later, how he personally witnessed the moment when the Romanian officers from SRI have presented the General Secretary the structure of the first Cybercoalition exercise, which became, from that point on an annual exercise.

SORIN DUCARU: Cyber Defence: An important component of Romania’s NATO strategic profile

G. M.: Indeed, but I want to praise the efforts of all those with whom I have worked over time, from many countries in the Alliance. Although the infrastructure that carries this kind of exercises-scenarios is in Estonia, our specialists have a major contribution to its configuration. There are also a number of projects such as „SMAT pass” in NATO, the multinational project Cyber Defence in which Romania was actively involved and where our specialists have a main contribution.

Based on these circumstances, given the skills we have proved, as cyber specialists, but also due to other factors that were taken into account at the political level, within the NATO Summit in September 2014 Romania was named Nation leader in one of the NATO supporting funds, cybersecurity CBS. Nationally, SRI has been designated as the institution responsible for its implementation and for „Ukraine Project „. We are at the implementation stage of this project, we had several meetings with partners and institutions in Ukraine. The project was finalized and approved by both the Ukrainian side and the NCI Agency (NATO Communication and Information Agency) within the Alliance.

There were several cyber attacks on Ukraine, one just recently to Kiev airport. Have we supported them in any way?

F.C .: We have a cooperation with them in various fields, including exchange of information as we have, in fact, with other partner services.

Through NATO Support Fund for Ukraine cyber defense, we involve ourselves strictly in developing cyber capabilities, Ukraine strictly defensive by establishing a CERT structure, equipping investigating laboratories for security incidents and cyber security of critical cyber infrastructure of Ukraine. Also we train personnel to manage IT equipments and products installed, providing Ukrainian beneficiaries of the project advanced level training, and other forms of training and retraining in order to acquire specific policies. In addition, in specific cases such as the one put forward by you , on the basis of relations of cooperation and requests, the Romanian Intelligence Service, if it holds, provides information that can support partner service. Romania is a provider of cyber security expertise and we managed to confirm and strengthen our position as a regional leader in the field.

I know that the budget is based on voluntary contributions from NATO countries. It is enough?

G.M .: The budget is never enough. It was gathered an amount that allows to start the project, but whenever other NATO member states contributions are welcomed. I thought a modular organization for this project, so whenever there are available funds, it can be extended to more infrastructures in Ukraine.

Do you have the impression that we are in war?

F.C .: It is not just an impression, is a reality. It is the only area in which we are in war every day. We identify new attacks every day.

„The biggest threats are direct attacks on national utility companies (water, electricity) or transport infrastructure. Another real danger is industrial, economic and military espionage. A hostile state will seek details of process technology, available natural resources or the capabilities to mobilize the troops in case of need „.

Bogdan Botezatu, Senior Analyst eThreat, Bitdefender,

exclusively for Q Magazine



Do you think about disaster scenarios? For example taking control of a nuclear installation on a water treatment center in Bucharest, energy interruption? Do you work with such scenarios?

F.C .: Such types of attack, APT (Advanced Persistent Threat n.r.) exist and they are generally state attacks. The reality of recent years has shown that there is a high technological level attacks that can compromise a targeted infrastructure and at the same time, can remain undiscovered for a long time, for years. During this interval, the aggressor’s goal is to collect information and exploit it, or by the control he has, to bring the infrastructure at the the state of disuse or to sabotage it when he wants to generate a crisis. Throughout the attack, the attacker has full control. Putting this theory into the context you mentioned earlier, it is a priority to assess the cybersecurity of such institutions to test and consider procedures to minimize or eliminate risks. We have developed an infrastructure where we want to simulate some scenarios in which we involve several institutions and companies nationwide.

There are many cases of type APT in Romania at the moment? In what areas?

F.C .: Generally, they targeted  state strategic institutions of defense and security. It is difficult, if not impossible, to give a code to APT cyber attacks in Romania. We know with certainty that Romania is targeted by hostile entities active in the online environment, also through the European and Atlantic structures. From this perspective and based on SRI investigated attacks, we can claim that the concerned areas are the strategic ones, especially foreign affairs, defense, national security, economy, research, natural resources.




„Red October”, „APT 28” and „MiniDuke” were cyber attacks of certain states against Romania?

G.M .: Yes, but we have not and we will not venture to make public the names of the states. An assignment is not possible without assumptions and our investigations do not have unequivocal answers.

Our specialists, internationally recognized, are paid much less than their colleagues from the intelligence services. It is more commendable as their performance in this area, for instance, in private, would be paid with sums ten times bigger. How do we attract students, young people, experts , on the state side, when private companies offer much higher salaries?

F.C .: The financial component is not always the only motivating factor. This area attracts many young people and our institution provides the posibility to run certain actions, legally, that outside of this context, would constitute misdemeanor. CYBERINT youth are attracted by the challenges they meet here , by the technological level and of all the tools that we have, which we can say are in the world ranking. We have a very important component of cooperation with partner services and we are recognized as a service that has well developed capabilities.

Can a hacker be turned on the good side, on the state side? Hackers employees who led attacks on websites, companies, states, public figures?

G.M .: Thanks to Romanian legislation, when a young hacker commits a crime, he will be convicted and will execute that sentence – being suspended, but in terms of justice it is sanctioned. We try to address young people concerned and gifted in this area from increasingly smaller ages because very often they are unaware of the consequences of their actions, the risks that they take, and see it as an intellectual challenge, being at the age when they are seeking their identity, they want a meritocratic environment in which to be recognized and often make these actions from vanity, being rebellious. We talk to parents trying to explain that their son has special qualities, that he does not understand the consequences of his actions and should better be directed to faculties in the field. We seek to recover the most of the good side before we”lose” them. All these talented people become attackers in the cyber space,  and will be later considered cyber criminals for the state and  for the private companies.

There is a part of  an offensive part of CYBERINT? Can we attack if we are attacked?

F.C .: From the legal point of view, these things are not even clarified internationally. During this period, in NATO, are being debated issues, there are concerns for clarifying the legal aspects of cyberspace in order to transform the business space in a space land, such as land space, air space, naval space, cosmic, that are declared operational spaces in the ministries of  Defense.

G.M: We have made a series of studies at the Center of Excellence NATO in Tallinn in which  was made an analogy of cyberwar with classic war and where have been discussed and presented thee legality and morality of attacking a civilian infrastructure when you’re in a classic war. When you’re in a conventional war, you can not attack a civilian area and then is put question if whether ” is legally and morally to attack it at cyber level?”. The problem is extremely complex and is not regulated yet.



Why is useful and necessary cyber security law now, in this context?

F.C .: This was and is necessary. From our point of view, it comes too late. Unfortunately, when a form of the law was adopted, it was created an opinion current against, inducing the idea that this law seeks oversight of all Romanian citizens computers, which is false. Law, then and now, concerns only legal public or private entities, and does not concern citizens computers, and the object of the law is extremely simple. It aims obligations and accountability of holders of infrastructure, implementation of protective measures for infrastructures and for the data that those infrastructures store and process.  Public or private institutions are targeted, and here are two categories of institutions: the so-called infrastructure cyber institutions of national interest, in the event of cyber attacks,  that affect the entire security of Romania, and the second category are those legal persons that hold and process personal data.


However, there are many who fear that you will abusively enter their computers.

The objective of this law is to increase citizens’ confidence that the state ensures their right to privacy in cyberspace. Law enforcement agencies can access data only on a warrant issued by a judge. At the same time, we want citizens to have confidence that at the data stored in critical infrastructures will not have access anyone than those authorized. Our major objective is Romanian state security under constant cyber warfare.


Ministry of Communications and Information Society has launched for public debate a new draft of law cybersecurity.

The reality from where was started is less known to the public.

In many state institutions, the civil functionaries have minimal security knowledge, there is no anti-virus programs and there is no sufficient personnel specialized and no legal obligation to protect infrastructures held, there have been several CryptoLocker attacks. This ransomware virus installs a malicious application in computer and basically locks the data stored in it. They demanded huge redemptions to unlock access to that information and because the have not paid, much data was lost or restored by an unimaginable human effort.

In the absence of reporting security incidents it can not even  be made an assessment of the economic losses suffered by the Romanian state, much less to the security of Romania.

On the other side, representatives of several ONG’s demand clarification in the law to prevent abuses of the state and access to data in citizens computers. Although the project clearly specified that no institution can control a private computer of an individual, without a warrant issued by a judge, the controversy continues and perhaps they will move in Parliament, where the law will be debated, amended and approved.

„In its current form, the draft of the law on cyber security for critical infrastructure extends the concept of critical infrastructure also among citizens. After long consultations with Bitdefender experts in information security and legislation, I proposed a set of amendments to make this law applicable in a responsible way. An important issue that we believe it should be regulated is that of security solutions used by state structures. They should come from NATO members and UE, political and military structures of which Romania is part and allies in case of conflict, „said Bogdan Botezatu, Senior Analyst eThreat, Bitdefender for Q Magazine.





Click pentru a comenta

Leave a Reply

Adresa ta de email nu va fi publicată. Câmpurile obligatorii sunt marcate cu *

To Top