Milan Pikula from SKCERT shed light on what goes on behind the scenes when cyber incidents are handled, using concrete examples: targeted phishing campaigns attributed to the GRU, the case of the border cameras, and the leak of login credentials to a state system. The recurring message was clear: suspicions should be reported and procedures followed so that incidents can be thoroughly investigated.
From phishing to cameras: how the mosaic comes together
When SKCERT received an extensive report, the first step was to compare it with existing tickets and knowledge. Roughly half of the cases had already been attributed to the same group; others were linked thanks to new connections. A typical vector was targeted phishing emails that appeared trustworthy and sought to gain access to the victim’s infrastructure. Pikula urged people to report even "banal" suspicious messages, because they may be part of a coordinated campaign.
The issue of border cameras drew media attention, and SKCERT issued targeted warnings to organizations at risk. In parallel, it asked partners for non-public information to verify details and the broader context. Contacts of the NBU’s special envoy in Washington also helped, opening doors to the right people. The story shows that an effective response relies on connecting data, collaboration, and rapid information sharing.
Coordination via ISKB depends on quality data
In another case, the so‑called transfer incident, both reporting and coordination took place via the Unified Information System of Cybersecurity (ISKB). The attacker group was identified based on the ransom note text, and the conclusions were confirmed by both forensic and malware analysis. The malware sample and its behavior matched known indicators. The case illustrates that technical evidence and central coordination provide a solid framework for a rapid response.
The problem, however, was that the data in ISKB were filled in chaotically, especially in fields such as "attack analysis" and "plan". This needlessly complicated analysts’ work and prolonged the resolution. Pikula therefore appealed to operators to fill out the forms accurately and clearly. Better data means faster help and less damage.
Infostealer and four accounts for sale: a lesson from the field
The first incident directly related to ISKB was uncovered by leak monitoring: access to the system was being sold on the dark web. It involved four accounts—three statutory representatives and one cybersecurity manager—with three companies sharing the same manager, which is common in Slovakia. SKCERT immediately blocked all the accounts and checked the logins. It turned out that only the manager had logged in, and only from Slovak addresses, which slightly reduced the immediate risk.
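The login check described above, as an added example that is not SKCERT's or ISKB's own code: given the leaked accounts and a constructed authentication log, it reports for each account whether it was ever used, whether it was used after the leak was seen, and from which countries other than Slovakia. It goes one step beyond the case in the text by also flagging a foreign login; the log format, field names and all sample data are constructed.

```python
"""Triage of leaked accounts against authentication logs (added example; not
SKCERT or ISKB code; log format, field names and sample data are constructed)."""
from datetime import datetime, timezone

# Constructed: the accounts found for sale, with the role attached to each.
LEAKED_ACCOUNTS = {
    "statutory.a@example.sk": "statutory representative",
    "statutory.b@example.sk": "statutory representative",
    "statutory.c@example.sk": "statutory representative",
    "cso@example.sk": "cybersecurity manager",
}
# Constructed: when the listing was first observed on the marketplace.
LEAK_SEEN = datetime(2024, 5, 10, 8, 0, tzinfo=timezone.utc)
HOME_COUNTRY = "SK"

# Constructed auth log, one event per line: "ISO-time user src_ip country result"
AUTH_LOG = """\
2024-05-03T09:12:00Z cso@example.sk 192.0.2.10 SK success
2024-05-11T02:15:00Z cso@example.sk 198.51.100.7 DE failure
2024-05-11T02:16:00Z cso@example.sk 198.51.100.7 DE success
2024-05-12T10:00:00Z other.user@example.sk 192.0.2.20 SK success
"""

def parse_log(text):
    """Yield (timestamp, user, src_ip, country, result) per log line."""
    for line in text.splitlines():
        ts, user, ip, country, result = line.split()
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), user, ip, country, result

def triage(accounts, log_text, leak_seen, home=HOME_COUNTRY):
    """Per leaked account: successful logins overall, logins after the leak was
    seen, and the set of non-home source countries. Every leaked account is
    flagged for blocking regardless of whether it was used."""
    report = {u: {"role": r, "block": True, "logins": 0, "after_leak": 0,
                  "foreign": set()} for u, r in accounts.items()}
    for ts, user, _ip, country, result in parse_log(log_text):
        if user not in report or result != "success":
            continue  # ignore unrelated users and failed attempts
        entry = report[user]
        entry["logins"] += 1
        if ts >= leak_seen:
            entry["after_leak"] += 1
        if country != home:
            entry["foreign"].add(country)
    return report

if __name__ == "__main__":
    for user, entry in triage(LEAKED_ACCOUNTS, AUTH_LOG, LEAK_SEEN).items():
        print(user, entry)
```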
Based on the format of the leaked data, it was likely the Lumma Stealer malware, and the victim lost nearly 300 login credentials. The affected user mentioned an unexpected login prompt and a subsequent reinstallation of the computer, which made memory and disk analysis impossible. It later turned out that the malicious code had been active in the system longer than they realized. Key takeaway: incidents should be reported without delay and traces should not be wiped—experts can then methodically advise what to do to minimize the damage.