OSCE Breached; Internal Documents Posted by Anonymous

The Organization for Security and Cooperation in Europe decided in 2011 to take on cyber security as one of its missions. The reality of threats in cyber space for the OSCE has become even more real now that their internal network has been breached in early November, 2012 by an unknown person or persons and the stolen files uploaded to Par-AnoIA.net. There has been no public acknowledgment from the OSCE that they have even had a breach. Frane Maroevic, Deputy Head of Press and Information for the OSCE told me in an email that "We condemn any illegal publication of confidential documents and will not comment on any such material."

The documents that Anonymous have posted are clearly genuine although it isn't known how they were obtained nor has anyone claimed responsibility for the attack. In addition to election monitoring reports and briefing books for Ukraine, Bosnia and the United States, there are internal RESTRICTED documents as well as emails and contact lists whose contents could be leveraged by bad actors to target members of OSCE and others with spear phishing or other types of targeted attacks.

Several of the documents referred to the "Informal Working Group Established Pursuant to PC Decision 1039" along with a list of its members. The purpose of this group is to establish "a breakthrough on Confidence Building Measures (CBM) designed to enhance cyber security. Our goal must be to maintain the momentum so as to outline a set of Confidence Building Measures in time for adoption at the Ministerial Council in Dublin." I asked Mr. Maroevic if he saw the value in demonstrating such CBMs right now in the face of their own breach. As of the time of this posting there's been no response from Mr. Maroevic.

The Dublin Council meeting mentioned in that document is scheduled to meet on December 6-7, 2012, however a captured Bi-weekly work schedule shows a meeting of the 1039 Working Group happening in Ireland on November 13, 2012 at 15:00. I expect this incident will be the highlight of their meeting especially since the names and email addresses of all of the members were part of the collection of documents posted to Par-AnoIA.net.

I'll update this post with any new developments from OSCE and/or from our examination of the documents.

UPDATE (09NOV12 2314GMT): A source representing Anonymous has claimed credit for the attack against OSCE. They breached the oscepa.at server which is the OSCE Parliamentary Authority hosted by Telekom.at; an Austrian service provider. The attack vector was not revealed although it may have been SQLi or perhaps an employee was compromised via a malicious payload delivered in a .pdf attachment.

Mr. Maroevic told me after my original article was posted that due to the sensitivity of the issue, the OSCE was unable to comment any further.

Comments