Global fall of the INE due to a possible cyber attack

During the last hours the website of the INE (National Institute of Statistics) of Spain is not operational. Some users have contacted the public institution through Twitter, and part of them have obtained the following response:

“Due to a problem in the communications systems, the INE website is not available at the moment.
We apologize for the inconvenience »

The first query through this medium, of those answered by the INE account on Twitter, It occurred at 5:50 p.m., and got a reply 20 minutes later, at 18.10. From that moment until now, we found that there have been seven queries answered in this way to users who were trying to access the INE website and it was not possible for them. However, a message has not been published informing about this service outage.

Further, we have been able to obtain this image, presumably from the INE website before it was no longer out of service, reporting a possible cyberattack that would be affecting several key elements of the electronic infrastructure of the Spanish digital administration:

Despite the indications of this message, in the tests that I have been able to carry out it seems that Cl @ ve is working at the moment, and the same in accesses with digital certificates, which would indicate that all, or at least part of the services that depend on the SARA network (System of Applications and Networks for Administrations) could have been restored in the last hours.

Let us remember that the SARA network, dependent on the Ministry of Finance and Public Administrations interconnects infrastructures of multiple official institutions and provides access to users to digital administration services. Therefore, a fall in it can have terrible consequences, especially in these times in which the pandemic has substantially increased the volume of operations with the public administration that are carried out online.

However, the reestablishment of SARA services does not seem to have returned the INE website to operation, which at this time is still completely down, without further explanation by any means about the reason for this. If it is a cyber attack, the two most likely options are or a ransomware attack or a distributed denial of service (DDoS) attack.

We have reviewed the information pages of the main cybercriminal groups specializing in ransomware and so far none have attributed an attack to the INE. However, we will continue to check these pages on a regular basis in case, at any time, information about them appears.

In the case of a distributed denial of service attack, we would be talking about good news, as it would indicate that there has not been an infiltration of the INE’s infrastructure. Otherwise, if the fall of the National Employment Institute website is due to the shutdown of systems to stop the spread of an attack or the encryption of assets, in that case the situation is already more complex, especially if there has been exfiltration of them.

If the cyberattack on the SARA network and / or the INE is confirmed, it would come at a particularly bad time for two reasons. The first is that tWe are still finishing recovering from the attack suffered by the SEPE last month. And second, because in two weeks elections will be held in the Community of Madrid, and let us remember that the INE is key in the preparation of the electoral census, an essential element in electoral elections. If it is confirmed that it has been a ransomware attack and that the digital assets of the census have been compromised, it remains to be seen how this could affect the elections to the Community of Madrid.

Given how late it is, it is most likely that today there will be no communication about what happened, but tomorrow we will remain attentive both to the communication channels of the INE and the Ministry of Finance and Public Administrations, as well as to the blogs of the main ransomware groups, in order to try to determine if a cyber attack has really occurred and, if thus, of what type has it been and what consequences can we expect.

Image: Luis García (Zaqarbal)