A Russian cyber-security firm says it discovered login credentials for more than 40,000 accounts on government portals in more than 30 countries. The data includes usernames and cleartext passwords, and the company believes they might be up for sale on underground hacker forums.
Alexandr Kalinin, head of Group-IB's Computer Emergency Response Team (CERT-GIB), says these account details have been collected over time by cyber-criminals with the help of off-the-shelve malware strains such as the Pony and AZORult infostealers, but also the Qbot (Qakbot) multi-purpose trojan.
The crooks who deployed these malware strains collected vasts amounts of data from a large number of infected users. He believes that the people behind these operations might filter and group the government accounts into separate packages to advertise and sell online.
Kalinin says Group-IB shared the cache of compromised accounts with the CERT teams of affected countries, so authorities could contact affected government agencies.
According to Kalinin, more than half of the accounts, 52 percent, belong to Italian government officials, followed by Saudi Arabian government accounts (22 percent), and Portugal government accounts (five percent).
The compromised accounts were from a wide array of government agencies. They varied from accounts on local government sites to state-level agencies and official government portals.
Some of the most high-profile accounts which Group-IB spotted the hackers selling access to included official government portals for:
- Poland (gov.pl)
- Romania (gov.ro)
- Switzerland (admin.ch)
- Bulgaria (government.bg)
But also the websites for state agencies like:
- Italian Ministry of Defense (difesa.it)
- Israel Defense Forces (idf.il)
- Ministry of Finance of Georgia (mof.ge)
- Norwegian Directorate of Immigration (udi.no)
- Ministry of Foreign Affairs of Romania
- Ministry of Foreign Affairs of Italy
It is unclear if the hackers infected workstations of government employees, or if they infected the personal computers of government employees, and stole government login details from employees who logged into government work sites from home.
- Researchers find stolen military drone secrets for sale on the dark web (CNET)
- Websites are attacked 58 times a day, even when patched properly (TechRepublic)
Kalinin pointed out that the accounts could allow attackers access to both commercial or state secrets accessible through those accounts. Furthermore, the accounts could be used for other reconnaissance operations, or as an entry point inside a government agency's internal network from where hackers can execute other attacks, such as cross-site scripting or SQL injections.
"The scale and simplicity of government employees' data compromise shows that users, due to their carelessness and lack of reliable cyber defense, fall victims to hackers," Kalinin told ZDNet. "Cybercrime has no borders and affects private and public companies and ordinary citizens."
Group-IB's discovery comes after Agari spotted a group of online scammers using a custom list containing the details of over 50,000 executives at companies across the world. Agari said the scammers were using this list to send spear-phishing emails that were pushing a classic business email compromise (BEC) scam.