On June 3, a message appeared on the Threat Actor GhostSec channel accusing an Italian company (which was not named) that had requested the group to carry out offensive activities against Macedonian government targets. The company that requested the activity later refused to pay for the services that had been agreed upon, and so GhostSec threatened to disclose the details of the communications that had taken place.

In the screenshots shared by GhostSec, some target IPs appear with port 502 (ModBus) indicated, therefore probably relating to industrial systems.

We therefore contacted GhostSec founder Sebastian Dante Alexander to try to get more information on the matter.

Here are the details of the interview:

Q: Hi Sebastian, how are you?

A: I’m good, how you doing man

Q: All good thanks! I read the message regarding activities with Macedonian targets… do you have any more information to provide? I would like to interview you on this topic.

A: If you have some questions I’m happy to answer

Q: Thank you! In the message you indicated Macedonian targets and Sardinian targets (therefore Italian). Is it the same Italian company that requested the attack actions with these targets?

A: The Italian company hired us to cause some changes in MK government, then we continued to work with them in a defensive manner and also attacking some of MK’s enemies through various operations. The Italian company also hired us to attack a target in Sardinia which was a different company that I know caused them some issues

Q: Is the Italian company that requested to carry out the activity a private company or a public administration company?

A: I can’t say too much but on paper it’s a private company. Off the record, the other guys involved wouldn’t mind giving you the names and all the info exclusively right now for a price (for example allegedly the private company has ties and ran by Italian intelligence). If you aren’t interested then we can continue as we are, but without going too deep into heavy details.

Q: How did you get in touch with this company? Did you propose your services to the company or did the company contact you?

A: The company reached out to us.

Q: I understand that you decided to make this company name public because you were not paid… is that correct?

A: We are going ahead with exposing everything that was done mainly because of that yes.

Q: Are you aware of the legal consequences for this company?

A: Yeah, we know what we’re exposing not just for the company, but also the north Macedonian government.

Q: Are you able to share part of a communication you had with this company (obviously hiding the name and other references)?

A: Not right now unfortunately, but we will be providing it publicly soon.

Q: I ask you for specific information about the payment. In which currency were you supposed to be paid? Crypto?

A: We have offshore accounts setup to receive the money, and without going into too much detail the company dealing with us is a shell company owned by a different entity.

Q: What was the role of the person you spoke to? Is he a manager?

A: Initially it was someone higher up the chain, then later on he’d “get busy” avoid our discussion and send someone in his stead.

Q: Why did this company refuse to pay? Difficulty in transparently managing the payment?

A: Might be a budget issue or they just figured they could screw us and maybe get away with it. Regardless of the reasoning I’m sure if they responded to our messages we’d be able to communicate and come to an understanding. Instead as of 2 weeks ago they started ghosting, ironic I know 🤣

Q: Perhaps the request was made by a single person within the company without management authorization. Just a guess.

A: Could be. Our attacks don’t have to go further, their “boss” can speak to us and I’m sure we can come to an understanding. Today was just a warning shot to show them they wouldn’t be able to get away with simply disappearing.

Q: What amount are we talking about?

A: It is a very good amount.

Q: Will you set an ultimatum with this company before going public?

A: If they respond 🤣 All seriousness yes that’s the whole point of this initial warning shot.

Q: One last question: do you often receive requests for services from companies or was it the first time?

A: That was the first time but it wasn’t the last.