On paper, Greece has what it needs to tackle a growing number of cyber-attacks. In practice, it’s behind the curve, experts warn.
When hackers released hundreds of files from the University of the Aegean on the dark web in late November, it was only the latest in a string of cyber-attacks targeting public bodies in Greece.
The most recent hit the Hellenic Public Properties Co., HPPC, which manages the real estate assets of the Greek state; before that, it was the Ministry of Culture and Sports; and before that, the data bank handling school exam questions. And that’s just in 2023. In 2022, the victims included state natural gas system operator DESFA, the Greek postal service and two hospitals.
Experts say the frequency of attacks on public bodies indicates a weakness in security, something the government of Prime Minister Kyriakos Mitsotakis says it will tackle with new legislation to create a National Cybersecurity Authority. The bill is about to be submitted for public consultation.
“Criminal groups prefer certain infrastructures in public sector services in Greece, and this may be because they find some unpreparedness, some laxity in taking protection measures,” said Ioannis Mavridis, a professor at the Department of Applied Informatics of the University of Macedonia in Thessaloniki.
Mavridis said many organizations are believed to have been targeted before without even knowing; Stefanos Vitoratos, a lawyer and co-founder of Greek digital rights organization Homo Digitalis, said the existing legislation is not enough.
“In several cases, there is no compliance with the requirements of the framework but also there is no serious investment on the part of companies in the protection of their systems,” Vitoratos told BIRN.
Cybercriminals ‘always ahead’
Ransomware, which locks and encrypts the target’s data, and Distributed Denial-of-Service, or DDoS, attacks, which disrupt the normal traffic of a server, have become everyday occurrences.
According to Check Point Research, which provides cyber-security solutions, the number of cyber-attacks globally jumped 38% between 2021 and 2022. In the last 6 months the top six targets in Greece were healthcare, retail/wholesale, finance/banking, manufacturing and transportation.
HPPC suffered a DDoS attack on November 8 but said it had not detected any data breaches; the hacker group Ragnar Locker took responsibility for the attack on DESFA in August last year and posted 361 gigabytes of DESFA data on the dark web; the Greek postal service announced it had been hit in December 2022, nine months after the actual attack, saying data “which may include elements such as identification data, contact data, invoicing data” had been breached.
“An organized security system is really a big deal,” said Mavridis. “Achieving security is a long-term effort and not only a technical problem. A major problem is that when an organisation is attacked it does not take care to provide all the necessary information in time.”
So far, the Hellenic Data Protection Authority, DPA, has not issued any fines for breaches of personal data following cyber-attacks. In 2021, the authority rebuked Greek police after a leak of private data following a cyber-attack.
“We point out that the Authority is not responsible for every issue of cyber security, but only when it concerns the processing of personal data,” a DPA representative told BIRN.
Greece’s left-wing opposition party SYRIZA has accused the government of “inaction on the critical issue of cyber-security”.
But Mavridis said cybercriminals “are always ahead of everyone else”.
“We will always be behind,” he told BIRN. “The point is not to be too far behind. The criminals are the ones who are constantly coming up with new ideas and new forms of attacks, and we should chase them and, if possible, catch up with them.”
Fragmented defence
Currently, the fight against cyber-attacks in Greece is the responsibility of several different organizations.
The military’s Cyber Defence Directorate protects the internet infrastructure of the Greek armed forces, which are part of NATO; the Cyber Security Operations Centre of the intelligence services protects the state’s digital infrastructure; and the police’s Cyber Crime Division handles online crime.
On paper, the legal framework, though complex, looks sufficient to prevent and fight cyber-attacks. “The reality, however, lags behind,” said Vitoratos of Homo Digitalis.
“On the one hand, the level of awareness and education of the majority of the world is low, and on the other hand, there is, in several cases, no serious investment on the part of companies in the protection of their systems, and finally the compliance of the latter with the requirements of the existing legal framework,” he said.
Greek experts say the best way to deal with cyber-attacks is through prevention, detection, reaction, and the sharing of information; specialized cyber security personnel are also necessary, as is heightened security awareness.
“We put a lot of weight on prevention, but we should also be fully prepared for detection,” said Mavridis. Currently, there are systems that are infected without their administrators knowing about it, he said.
And while Greece has some specialized personnel to deal with the issue, it’s not enough, Mavridis warned.
“It needs significantly more and better trained, and broader training of the entire public in what we call security awareness.”
Vitoratos called for a strong National Cybersecurity Authority that has the power to monitor the implementation of Greece’s National Cybersecurity Strategy and the compliance of actors. It must also be transparent and open with the public and civil society.
“Tackling cybercrime and cyber-attacks and creating a safer digital environment requires everyone’s cooperation and is an ongoing process that requires appropriate adaptation to the ever-evolving threat landscape.”
