Identical methods and Russian links behind bomb threats in Hungary and Slovenia

The same person or persons, using a Russian-language user account appear to have made bomb threats to schools in both Hungary and Slovenia in past days. The threatening emails were sent from a publicly accessible disposable email address, which shows evidence that the user registered on the Russian-language service of Yandex.

On the 22nd of January, over 200 schools in Hungary suspended teaching after bomb threats were emailed to them in the early morning. Four days later, similar incidents happened in Slovenia, where once again, over 200 schools and kindergartens recieved terroristic threats.

In both cases, the emails referenced Islamic terrorism, although

experts believe it is unlikely that the threats came from actual jihadists, rather, someone trying to invoke a stereotypical image of islamic radicalism.

In both countries, no actual attacks were carried out against any schools.

On Monday, opposition MP Márton Tompos published the email Slovenian schools received and pointed out similarities with the threats sent to Hungarian schools. The first sentence of the email was a close translation of the Hungarian letter’s first line, as well as the usernames of the senders: in Slovenia the sender used the name “bojevnik” in their email address, in Hungary, they used „harcos”, both words meaning “fighter”.

Other similarities point to a possible Russian language origin of the threat campaign. Last week, a Hungarian user of Reddit accessed the email account used by the person sending threats to Hungarian schools from a disposable, publicly accessible email hosting service. Shortly before sending out the threats, the disposable email was connected to an account on the Russian email provider Yandex. Notably, a Russian-language confirmation email could be seen in the account.

We tested Yandex’s registration process on Thursday and confirmed that only those using Russian language browser or account settings,

or the exclusively Russian-language service of Yandex hosted on the Armenian domain (as the bomb threat-sender evidently did) would receive a Russian-language email.

Other users also uncovered a second disposable email address used to send bomb threats to Hungarian schools, which used Yandex’s Azerbaijani-language service.

Acessing the public, disposable email address used to threaten Slovenian schools, Átlátszó comfirmed that the email address (hosted by freecustom.email) was also connected to a Russian-language Yandex account, as evidenced by a now-deleted confirmation email it recieved.

Emails recieved by the account behind Slovenian bomb threats

Active measures

The disposable e-mail accounts used can only receive e-mails, not send them. This is probably why it was necessary to assign the addresses to Yandex accounts, so that they could send emails using the disposable address as sender. Such a service is available on Yandex 360, Yandex’s paid platform.

If this platform was used, the tracing of the perpetrator could even be assisted by bank details – but only if Yandex cooperates with Western authorities,

as all the information is held on the Russian company’s servers.

Prior to the threats against Hungarian schools, Bulgaria and the Czech Republic also dealt with similar attacks. In Bulgaria, the head of the police cybercrime reported that the threats there were linked to a Russian email server. Bulgarian media suggested that attacks like this may be a part of Russia’s hybrid warfare, aiming to cause disruption and panic. Similarly, the Czech secret service also suspected a Russian operation behind the bomb threats.