Bulgaria SQL Injection

On July 16, the world found out that the tax data of millions of Bulgarian citizens had been stolen. The attacker sent half of the data as proof to many Bulgarian and international media sources. The stolen databases are already available for download via underground forums. At the moment of writing, the authorities still haven’t been able to determine who was behind the attack or what the reason for it was.

The Leak

Your government is retarded. Your Cybersecurity state is a parody.
This email is bulk sent to every single Bulgarian media as well as Reuters and BBC.

Last Tuesday, Bulgarian media received such an email from a yandex.ru account along with an anonfile link to approximately 10 GB of data – supposedly half of all the data stolen from the Bulgarian National Revenue Agency (a department of the Ministry of Finance). The package was password-protected, so one of the local stations saw no harm in showing the download link on TV. It took only a couple of hours for blackhat hackers to crack the password and share it via underground forums.

Records supposedly contain tax data for 5 million citizens (Bulgaria’s population is approximately 7 million) over a span of 10 years, some of them now deceased. The databases include full names, income information, personal identification numbers (EGN), and more: employment status, social benefits, medical insurance. They also include information about companies and information imported from other databases.

The attack was confirmed by the NRA. Bulgaria’s minister of finance Vladislav Goranov and prime minister Boyko Borissov issued public apologies. On the other hand, the Ministry of Finance stated that only 3% of the agency’s information was accessed, thus playing down the scope of the attack.

The Vulnerability

According to various sources, the vulnerability that led to the leak was in a VAT refund service and had existed since 2015. Several sources state with certainty that the leak was the result of an SQL Injection. The hack supposedly happened in June.

In a follow-up email sent to three media outlets, the original attacker claims that the vulnerability has been there not for 4 but for 11 years. They also state that the system was attacked back in 2012, which led to them acquiring 30 GB of information.

The Scapegoat

On July 17, authorities arrested a 20-year-old whitehat hacker, Christian Boikov. His employer, the TAD Group, describes him in an official statement as ethical and professional. Several facts about this arrest don’t seem right.

Boikov has no criminal record but he has been in the news before. Two years ago he found a vulnerability in a system managed by the Ministry of Education and Science. The ministry ignored his reports, so Boikov turned to the media and made the information public. This fact and Boikov’s continuous activity in the cybersecurity scene are believed to be why he was immediately arrested as a suspect.

The authorities stated that one of the leaked files contained information about the attacker: computer configuration, a unique username, date, time, and software used to read the database. This information supposedly matched data found on Boikov’s seized personal computer. However, many commenters doubt that a professional whitehat hacker would be involved in such an activity and be sloppy enough to leave behind such obvious information. That is why some security experts believe that Boikov was framed.

Boikov was subsequently released and the charges against him were reduced. Supposedly the NRA stated that the system from which Boikov copied data was not part of the critical infrastructure. This means that Boikov would face only a fine. However, his defense maintains his innocence and emphasizes that even a fine would destroy the 20-year-old’s cybersecurity career.

The Reasons

As the situation develops, different theories emerge. A day before the leak, Bulgaria purchased F-16 fighters to replace its aging MIG-29 aircraft. This led the minister of the interior, Mladen Marinov, to suggest a link between the two events.

There are other facts that point to Russian involvement in the attack. First, the attacker’s email address was registered with a Russian provider. Second, in the email, the attacker stated that he is a Russian citizen married to a Bulgarian woman. However, like many other pieces of information in this case, this may be a provocation or simply a coincidence.

The Consequences

The National Revenue Agency faces a fine of up to 20 million lev (approximately 10 million euro). The fine is to be imposed by the Commission for Personal Data Protection. However, according to one of the commenters, several months ago the website of the Commission for Personal Data Protection was found to leak personal data of its users.

From a cybersecurity point of view, what matters is that one of the oldest web vulnerabilities, an SQL Injection, was used to acquire sensitive data about nearly the whole population of a country. This leak emphasizes the necessity of suitable protection for web and database servers. It also emphasizes the need for cybersecurity education everywhere: had the TV station not exposed the link, perhaps this sensitive data would not have become publicly available.

To follow this story further, we recommend that you follow Dr. Vesselin Vladimirov Bontchev, who is continuously updating the public with Bulgarian news stories on the subject.

Tomasz Andrzej Nidecki
Principal Cybersecurity Writer
Tomasz Andrzej Nidecki (also known as tonid) is a Primary Cybersecurity Writer at Invicti, focusing on Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz has been the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.