The cyberattack that targeted Cyprus’ state systems on October 13, affecting both Cyprus Post and the government’s internal communications platform 'THALES', has raised serious concerns about the island’s digital defences and the broader state of its cybersecurity infrastructure.
In-depth revelations about the nature of the breach and long-standing weaknesses in state IT systems were made by cybercrime and cybersecurity expert Aristos Polydorou, speaking to Politis radio.
Sensitive state data leaked
Polydorou confirmed that elements of the stolen data have already begun to circulate on the dark web. These include names, addresses, transaction records, official documents, and even digital seals from government departments.
“The THALES system is used for internal communication and document exchange across multiple state services, including the Ministry of Foreign Affairs, the Land Registry, the Customs Department and others,” he explained.
The system, he noted, plays a central role in the functioning of numerous government bodies, making its compromise particularly concerning.
‘Cyber mercenary’
Polydorou attributed the breach to a well-known hacker operating under the alias Byte2Bridge, describing him as a “cyber mercenary”, a hacker-for-hire with no political agenda, who works for either states or private clients in exchange for payment.
“He doesn’t use phishing emails. He targets servers directly. In this case, the administration panel of the THALES system was reportedly left exposed. The platform is outdated, vulnerable, and likely poorly maintained. He found a backdoor and exploited it.”
According to Polydorou, such weaknesses are easily identifiable today using publicly available tools. “You no longer need to be a hacker from the movies with code and keyboards. With a simple tool, you can scan for exposed services and vulnerable servers.”
The expert emphasised that Byte2Bridge does not typically encrypt or destroy data, but simply steals it and exits quietly, making it extremely difficult to determine what was taken.
“To know what was stolen, you need proper network monitoring tools. We don’t have those. So, technically speaking, we can’t say for sure what was accessed or extracted.”
Criticism of the state’s response
Polydorou was sharply critical of the state’s overall handling of cybersecurity.
“The Deputy Ministry of Research and Innovation is essentially decorative. Serious countries treat cybersecurity like a digital army defending national security. They build in-house systems with national programmers. We outsource everything. Cyprus lacks digital sovereignty.”
He stressed that Cyprus has no national digital infrastructure: “There is no foundation, no strategic plan. What happened with THALES proves this.”
Under EU regulations (GDPR), any public authority that suffers a data breach must notify the Commissioner for Personal Data Protection within 24 hours. Polydorou warned that failure to do so can lead to multi-million-euro fines.
“The Commissioner’s role is not to investigate the breach. It’s the duty of the Digital Security Authority and the Deputy Ministry to inform her of exactly what data was compromised. If they don’t even know, that’s a violation in itself.”
National security concerns
Polydorou also commented on the recent incident where a truck severed an overhead internet cable, temporarily cutting connectivity to the Presidential Palace, police services and other ministries.
“In no serious country would this happen. Network design begins with redundancy—three separate lines from different providers. If one goes down, the others keep things running without interruption.”
He added that using overhead cables for government data is an issue of national security. “Anyone can tamper with them and intercept information. No credible certification body would approve a data centre using overhead lines.”
Lack of trust
Polydorou expressed personal concern over the government’s flagship e-government platform: “I will never use the Digital Citizen system. How can I trust it with my personal information when it’s not even hosted in Cyprus? Citizen data is stored on foreign servers operated by Microsoft, Amazon and others. While not illegal, best practices dictate that population data should be stored domestically. It’s a matter of sovereignty.”
A representative from the Digital Security Authority told Politis that the government would not be commenting further while investigations are ongoing. “Since the matter is under investigation, we cannot make any additional statements at this time,” the source said.