The doc attachment contacts a link, exploiting the Equation Editor vulnerability, and downloads an exe: the malware. Data is then exfiltered via SMTP to an email address.
Till today non all the EU members have transposed in national law the NIS Directive, nevertheless it was adopted on 6 July 2016
Till today non all the EU members have transposed in national law the NIS Directive, nevertheless it was adopted on 6 July 2016. In general it establishes measures for a high common level of security of network and information systems across the European Union. In details, it identifies actions to prevent cyber attacks from disrupting essential services, like energy infrastructures, railway traffic control services, etc….Furthermore member states need to identify, before 9 November 2018, which organizations connected to the internet provide vital services to the public. They also need to make sure that the operators of these essential services do everything in their power to manage the risks of being hacked and report to the authorities if any cyber security breach. Finally, EU members required – by 9 May – to tell the European Commission how they would punish any infringements.
Right now, there isn’t certainty about how many EU countries had complied with all the NIS directive requirements against the cyber attacks to the essential services
But, right now, at EU level there isn’t certainty about how many countries had complied with all the NIS directive requirements. Especially on the penalties notification. The European Union left to member states themselves to determine the legal levels of penalties, which has repeatedly led to a patchwork of fines varying across the bloc. And today there isn’t a list of which states had submitted their respective potential penalties. The commission responded to a EUobserver request of access to the documents, explaining just that it received “several submissions from member states, comprising transposition measures in relation to the NIS directive”. And that it is still studying them, so it expected “to have a more complete overview of the penalty provisions by the end of 2018”. “At this stage, the commission services have not identified such penalty provisions in the transposing measures already notified,” the commission said.
Only 8 EU countries have fully transposed the NIS directive into national law: the Czech Republic, Estonia, Finland, Germany, Italy, Slovakia, Slovenia, and the United Kingdom
In addition to setting penalties, member states had a whole range of requirements to fulfil by 9 May. As EUobserver reported, a majority has apparently still not done so, despite having had two years to prepare. According to a commission-run website, last updated on 6 June, only eight EU states have fully transposed the NIS directive into national law: the Czech Republic, Estonia, Finland, Germany, Italy, Slovakia, Slovenia, and the United Kingdom. Denmark, France, Hungary, and Lithuania had “partially” transposed the directive, while transposition was “in progress” in the others.