It started on Saturday, October 15, 2022: First the homepage of Bulgaria's President Rumen Radev was unavailable. Then the websites of numerous Bulgarian ministries crashed.
Bulgarian administrations later announced that one single attack had been responsible for the breakdowns, adding that the issues had been resolved just hours later.
The next day, Russian hacker group Killnet claimed responsibility for the attack with an announcement on its Telegram page — emblazoned with a rather personal message directed at Bulgarian Chief Prosecutor Ivan Geshev: "GO F*CK YOURSELF."
Just last week, the Russian government and intelligence services sought to draw a link between the October 8 explosion that destroyed the Kerch Strait Bridge — which connects Russia and Crimea — to EU and NATO member state Bulgaria.
The move was quickly shown to be a blatant propaganda exercise. Now, with Saturday's cyberattack, it appears that Moscow is escalating yet again.
Who is Killnet?
"Killnet is an extremely aggressive group of hackers with ties to Russia's FSB intelligence services," explained Ruslan Trad, a security expert with the Atlantic Council, to DW.
The group was formed directly after Russia's February 24 invasion of Ukraine and is currently fighting a self-declared "war" against governments that support Kyiv.
"Their specialties are so-called DoS [denial of service] and DDoS [distributed denial of service] attacks," said Trad: "Cyberattacks that flood systems and websites with requests until they are overwhelmed and crash," he explained.
Killnet has launched similar attacks against the US, Norway, Lithuania and a number of other countries.
These types of attacks are traditionally used as a way "to demonstrate power, spread fear — or for blackmail," according to Trad.
"But in this instance, I am convinced that it is about something more," he added. "The way I see it, the attack hasn't stopped — this isn't about blocking government websites, but rather about getting into IT systems in order to access data."
Maning that the Killnet attack on Bulgaria could well be an attempt at cyber espionage — hidden behind the veil of sabotage.
Was NATO the real target?
Within hours of the attack, the Bulgarian attorney general's office and Ministry of Defense declared that no data had been stolen. "But it's still far too soon to be able to make such a definitive statement," Trad said.
"As a NATO and EU member state, Bulgaria is connected to shared systems for exchanging information," he added. In addition, it is a well-known fact in the hacker scene that Bulgaria's IT systems are highly vulnerable, he pointed out. "In my opinion, Russia is currently seeking to break into NATO systems via Bulgaria."
Moscow, it seems, is willing to go to great lengths to attain information relevant to its war in Ukraine.
But why is Russia so intent on piling pressure on Bulgaria? One reason might be the fact that the country's October 2 elections may have finally delivered a parliamentary majority that favors supplying heavy weapons to Ukraine.
A legislative motion to that end is expected to be presented in parliament some time in the next two weeks. Bulgarian President Rumen Radev and the caretaker government that he appointed in August strictly opposed sending arms to Ukraine.
Sofia hesitant to point fingers at Moscow
The day after the cyberattack, interim Defense Minister Dimitar Stoyanov, previously Radev's secretary general, voiced clear opposition to Ukrainian requests for arms. His reason: Bulgaria simply does not have "extra weapons" to give to Ukraine. The next day Radev himself vehemently rejected Kyiv's request.
This is not the first time Bulgaria's caretaker government has reacted tepidly to Russian aggression or its attempts at interference. Last week, Sofia declined to clearly denounce the Kremlin's Kerch Bridge accusations.
The same is happening again with Saturday's cyberattack: Attorney General Geshev went no further than to say that the attack had been launched from the Russian city of Magnitogorsk in the Urals — avoiding any allocation of responsibility or judgment over guilt.
On Sunday, Borislav Sarafov, who heads the body responsible for investigating the cyberattack, said that its author had been identified and was based in Russia. He, too, avoided addressing accusations of blame toward the Russian government.
This article was translated from German by Jon Shelton.