At the end of March, we revealed that since 2010, Russian hackers have penetrated the internal IT networks of the Hungarian Ministry of Foreign Affairs and Trade (MFA) in several waves, including the secure, encrypted channel used to transmit classified information. Our on background discussions as well as official comments we have received in recent months suggest that several of Hungary’s NATO and EU allies are concerned.
For example, az EU country’s senior diplomat in Budapest said that it is not necessarily the hacking that is worrying, as others have suffered similar cyber attacks too, but the Hungarian government’s reaction.
“You have to look at how it is handled. How quickly they stop the infection, whether they alert allies, whether they go to the public, and what the political response is. This is all the responsibility of the attacked party, not the Russians,”
the diplomat said. In recent months, the Orbán government has failed to act publicly on Russian cyberespionage, moreover, Hungary even made new gestures to the Kremlin despite the war in Ukraine.
The U.S. Embassy in Budapest did not comment directly on our report of the hacking of the Hungarian MFA, but made it clear that such attacks were being taken seriously.
”We have previously warned Hungary and other NATO Allies about the potential for Russia to conduct malicious cyber activity against the United States and our Allies and partners,”
the U.S. Embassy in Budapest told Direkt36. They added that a year ago in June 2021, ”when the NATO leaders gathered for the NATO Summit, President Biden consulted with them, and we put out a statement that spoke to cyberattacks and their relationship to Article 5. We have made clear through NATO that cybersecurity is an Alliance issue where NATO is prepared to pull together both to enhance resilience, enhance defenses, and, if necessary, use the appropriate tools to respond.” (Article 5 of the North Atlantic Treaty states that an armed attack on any member of NATO is considered an attack by the members of the alliance against all of them.)
Back at the beginning of February, in an online press conference, we asked U.S. President Joe Biden’s Deputy National Security Advisor for Cyber and Emerging Technology, Anne Neuberger, whether she was aware of a Russian cyberattack against, among others, Hungary, and whether Russian cyberespionage would not jeopardise NATO’s joint regional action against the Russian threat (NATO was at the time planning troop reinforcements in Central Europe because of movements of the Russian army preparing to attack Ukraine). Neuberger replied that she would not give any specific information, but that as White House cyber defence chief, one of the reasons she travelled to the region at the time was to demonstrate U.S. support.
The hacking of the MFA’s systems has also attracted attention in Brussels. „We have seen the reports about this cyber-attack and are in contact with the Hungarian authorities,” an EU spokesperson told Direkt36. „The use of information and communications technologies for malicious purposes is unacceptable. It undermines international stability as well as security in cyberspace. This applies to everyone, no matter who is behind it,” the EU spokesperson added.
An official from the EU’s European External Action Service (EEAS), which also deals with cybersecurity issues, told Direkt36 in Brussels that the vast majority of threats to the EU from cyberspace are linked to Russia, with a smaller part coming from China – other countries play a minor role. The official added that the hands of the EEAS are, however, heavily tied, for example, it has absolutely no authority to order member states what to do and how to react.
But a Hungarian cybersecurity expert pointed out that it is precisely the attacked country that would have the most interest in notifying and cooperating with its EU partners in the event of a similar Russian cyber attack. In 2019, the European Union adopted a so-called cyber diplomacy toolbox, which allows the EU to take joint action against attackers, i.e. the entire community to stand up for an attacked member state.
In practice, this means that member states can jointly name the perpetrators of a cyber attack (attribution), protest to the perpetrators and even impose sanctions.The first such joint action was taken in summer 2020, when, among others, a GRU unit and four Russians were placed on a sanctions list for a cyber attack against the Organisation for the Prohibition of Chemical Weapons (OPCW). According to the expert, such deterrent diplomatic tools are the most effective defense in addition to countering cyber attacks in technical ways.
However, Hungary has not imposed sanctions either in the case of the MFA’s Russian hacking or in the case of other cyber attacks in the past.
“I cannot suspend cooperation with every single country from which such attacks originate, because then there would be practically no need for any foreign policy”,
Péter Szijjártó argued against political responses at a ministerial hearing in the Parliament’s Foreign Affairs Committee on May 18, when asked about Russian cyber attacks against his ministry.
From ‘campaign lie’ to successful defense
After the publication of Direkt36’s article in March, the Hungarian government initially denied everything, and in a statement on March 29 the foreign ministry labeled our article as a ’campaign lie’. A few days later, after Fidesz’s election victory, Prime Minister Viktor Orbán took a completely different tone.
“All Hungarian ministries are under constant attack. So let us be under no illusion, the IT systems of all Hungarian ministries are under constant attack. From several directions. We are constantly defending ourselves,” Orbán told RTL Klub’s reporter. Asked whether he had mentioned the MFA’s Russian hacking to President Vladimir Putin, the Prime Minister replied,
“I don’t ask for mercy from anyone, so I don’t complain to anyone who attacks us, I defend our own territory.”
When the Parliament’s Foreign Affairs Committee heard Szijjártó on May 18, during the confirmation process of the new government, he did not deny the Russian cyber attacks either. “It was not only from Russians that we were confronted with this type of cyber attacks, and not only the foreign ministry was targeted. Whenever we reported these cyber attacks, we always received the maximum and fastest possible support from the institutions responsible for coordinating cyber defense, and they took immediate action to prevent the attacks and minimize the damage,” the foreign minister said in response to a question from opposition MEP Ágnes Vadai.
However, cybersecurity experts have already explained in our previous article that Hungary is not a prime target for Russian hackers. Russians are mainly either looking for allied (EU or NATO) classified information on Hungarian government channels, or they are hiding behind Hungarian government IP addresses to attack NATO allies that are more interesting for Moscow. Balázs Bencsik, the then head of the National Cyber Security Center of the Special Service for National Security (the Hungarian equivalent of the NSA), said that there was a Hungarian connection to the Russian intelligence operation launched to influence the 2016 U.S.presidential election through an infected Hungarian government computer.
According to 444.hu, Bencsik said at the 2017 Tusnádfürdő Summer University that the Russian cyber espionage operation in Hungary during the 2016 U.S. presidential election
“was not directly targeting Hungary, but the hackers infested the Hungarian server in order to use it to disguise the international data traffic needed for attacks against the U.S.”
There are indications that a similar incident occurred later in 2020. A former government official in touch with sources with direct knowledge of the details of the latest Russian infiltration of the MFA told Direkt36 that Russian hackers had certainly penetrated the Hungarian foreign ministry’s internal systems again by mid-2020.
According to the former government official, Hungarian authorities know this because the digital traces left by the hackers showed that the Russians also launched hostile cyber operations against the United States from the Hungarian MFA’s systems during the 2020 U.S. presidential election. This means that in 2020, after 2016, attacks on U.S. systems were also carried out using Hungarian IP addresses of infected MFA computers. Exactly which U.S. targets these were, and whether they were specifically related to the presidential election, the source did not elaborate.
The U.S. Embassy in Budapest also did not respond to our question whether they were aware of Russian attacks originating from infected Hungarian MFA networks during the previous presidential election, and whether the Hungarian government shared information about them.