Trust Abuse in the Underbelly of Critical Infrastructure Operations
This paper presents a revolutionary cyberattack model showing how public procurement systems can be weaponized to distribute multi-extortion ransomware into critical infrastructure environments by abusing the trust placed in legally signed documents. The scenario begins with spyware that takes control of the personal device of a legitimate, authorized user; on that device, a document containing ransomware is signed with the user's qualified electronic signature. The signed document is then submitted within a public procurement process, following the rules each contracting authority imposes through the electronic platform, the Electronic Public Procurement System. The paper is structured in sections covering the legal framework of public procurement and critical infrastructure, followed by the practical implementation scenario. The novelty of this research lies in demonstrating a full-spectrum attack chain that combines legal compliance, identity theft and the exploitation of institutional trust to bypass traditional security mechanisms.
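The defensive lesson of the scenario above is that a valid qualified electronic signature from a registered signer attests to who signed, not to whether the document is safe: in the described attack both the signature and the signer check pass, so only independent content inspection can stop the payload. The following is an added example (not code from the paper or from any procurement platform) of a submission-intake rule that keeps those checks separate. It assumes the submitted document is a PDF, that QES validation has already been performed by a validation service and is passed in as a boolean, and that the contracting authority keeps a registry mapping each supplier to its authorized signer; the sample PDF bytes are constructed for the example. The scan decodes hex-escaped PDF names (e.g. `/#4AavaScript`) so that escaping cannot hide a key, but as written it only sees dictionaries that are not inside compressed object streams; a production scanner must inflate those first.

```python
import re
from dataclasses import dataclass

# PDF dictionary keys whose presence indicates active or embedded content.
RISKY_KEYS = {"/JavaScript", "/JS", "/Launch", "/EmbeddedFile",
              "/OpenAction", "/AA", "/RichMedia"}

# A PDF name runs from '/' up to the next whitespace or delimiter character.
_NAME = re.compile(rb"/[^\s/\[\]<>(){}%]+")
# Characters in a PDF name may be written as #xx hex escapes.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_name(raw: bytes) -> str:
    """Decode #xx escapes so /#4AavaScript compares equal to /JavaScript."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def find_risky_keys(pdf: bytes) -> set[str]:
    """Return the set of active-content keys present in uncompressed PDF dictionaries."""
    found = set()
    for m in _NAME.finditer(pdf):
        name = normalize_name(m.group(0))
        if name in RISKY_KEYS:
            found.add(name)
    return found


@dataclass
class Submission:
    supplier_id: str        # hypothetical supplier identifier on the platform
    signer_id: str          # subject of the qualified certificate (extracted elsewhere)
    signature_valid: bool   # result of QES validation (performed elsewhere)
    document: bytes


def accept_submission(sub: Submission, registered_signers: dict[str, str]) -> tuple[bool, str]:
    """Accept only if the signature is valid, the signer is the one registered for the
    supplier, AND the document carries no active content. Signature validity alone never
    grants trust in the payload."""
    if not sub.signature_valid:
        return False, "signature invalid"
    if registered_signers.get(sub.supplier_id) != sub.signer_id:
        return False, "signer not registered for supplier"
    risky = find_risky_keys(sub.document)
    if risky:
        return False, "active content: " + ", ".join(sorted(risky))
    return True, "accepted"


# Constructed sample documents for the example (minimal, not valid for rendering).
CLEAN_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
             b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
MALICIOUS_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R "
                 b"/OpenAction << /S /JavaScript /JS (app.alert(1)) >> >>\nendobj\n%%EOF\n")
# Same structure with hex-escaped names, as a naive string match would miss.
OBFUSCATED_PDF = MALICIOUS_PDF.replace(b"/JavaScript", b"/#4AavaScript").replace(b"/JS ", b"/#4AS ")

# Registry assumed to be maintained by the contracting authority (constructed values).
REGISTRY = {"supplier-001": "CN=Legitimate Signer"}


def demo() -> list[tuple[bool, str]]:
    """Run the three cases: clean submission, and the paper's scenario where the
    legitimate signer's own key signs a document that carries active content."""
    cases = [
        Submission("supplier-001", "CN=Legitimate Signer", True, CLEAN_PDF),
        Submission("supplier-001", "CN=Legitimate Signer", True, MALICIOUS_PDF),
        Submission("supplier-001", "CN=Legitimate Signer", True, OBFUSCATED_PDF),
    ]
    return [accept_submission(c, REGISTRY) for c in cases]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

In the second and third cases the signature and signer checks both succeed, exactly as in the abstract's scenario, and the submission is still refused because the content check runs regardless of the signature outcome.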