US issues rare security alert as Montenegro battles ongoing ransomware attack

The U.S. Embassy in Montenegro has warned Americans that an ongoing ransomware attack in the country could cause widespread disruption to key public services and government services.

The ransomware attack, first confirmed by Montenegro’s Agency for National Security (ANB) last week, targeted government systems and other critical infrastructure and utilities, including electricity, water systems and transportation. At the time of writing, the official website of the government of Montenegro is unavailable and reports suggest that several power plants have switched to manual operations as a result of the attack.

Officials in Montenegro claimed no data was stolen and claimed that no permanent damage was done as a result of the attack.

However, Montenegro's ANB declared that the country was “under a hybrid war,” and blamed "coordinated Russian services" for the attack. Relations between the two countries have remained strained since Montenegro joined the NATO alliance of Western countries in 2017, after which Russia threatened retaliatory action.

The U.S. Embassy in Montenegro has since published its own notice, writing that the government was facing a “persistent and ongoing" cyberattack. “The attack may include disruptions to the public utility, transportation (including border crossings and airport), and telecommunication sectors,” the Embassy warned. It advised citizens residing in the Balkan state to limit travel, review personal security plans and “be aware of your surroundings."

According to malware research group VX-Underground, the Cuba ransomware group claimed responsibility for the attack.

On its dark web leak site, seen by TechCrunch, the Cuba ransomware group claims it obtained “financial documents, correspondence with bank employees, account movements, balance sheets, tax documents, compensation [and] source code" from Montenegro's parliament on August 19.

Montenegro has been without a prime minister since August 20, when the country's parliament voted to pass a no-confidence motion in the ruling government.

Cybersecurity company Profero previously linked the Cuba ransomware group to Russian-speaking hackers, which researchers observed while the group negotiated with its victims. Profero said it believes the group is "not state-sponsored."

The ransomware gang has been around since 2019 and last year the FBI issued an alert that warned organizations that the cybercriminals had been targeting critical infrastructure. The FBI said it had observed roughly 50 targeted entities and that hackers demanded tens of millions of dollars from victims.

The attack on Montenegro comes just months after the Russia-linked Conti ransomware group attacked the Costa Rican government in a weeks-long attack starting in April. In a message posted to its dark web leaks blog, Conti urged the citizens of Costa Rica to pressure their government to pay the ransom, which the group later doubled to $20 million.