Researchers from Group-IB have discovered more than 40,000 user accounts on the Dark Web that appear to be compromised credentials for online government websites in 30 countries.
Most of the victims, the firm says, were in Italy (52%), Saudi Arabia (22%) and Portugal (5%). The researchers also believe the user data might have been sold on underground hacker forums or used in targeted attacks for money theft or information exfiltration.
Official government portals, including those of Poland (gov.pl), Romania (gov.ro) and Switzerland (admin.ch), the websites of the Italian Ministry of Defense (difesa.it), the Israel Defense Forces (idf.il), the Government of Bulgaria (government.bg), the Ministry of Finance of Georgia (mof.ge) and the Norwegian Directorate of Immigration (udi.no), the Ministries of Foreign Affairs of Romania and Italy, and many other government agencies were affected by the data compromise.
Additionally, the security researchers say that government employees, military and civilian citizens with accounts on the official government portals of France (gouv.fr), Hungary (gov.hu) and Croatia (gov.hr) were also affected by this data compromise.
The credentials were stolen using spyware, Group-IB says, including form grabbers and keyloggers such as Pony Formgrabber, AZORult and Qbot (Qakbot). The attackers sent phishing emails to personal and corporate email accounts, hiding the malware in attachments disguised as a legitimate file or archive.
The stolen data, usually sorted by subject (banks’ client data, government portal user accounts, combo lists of email addresses and passwords), is being sold on underground hacker forums. According to Group-IB, however, government website user accounts are less common on these forums.
The researchers note that both cybercriminals and state-sponsored APT groups focused on sabotage and espionage are usually interested in such information. Armed with the credentials of government website users, attackers can obtain classified information from these portals or infiltrate government networks.
“The scale and simplicity of government employees’ data compromise shows that users, due to their carelessness and lack of reliable cyber defense, fall victim to hackers,” commented Alexandr Kalinin, head of Group-IB’s Computer Emergency Response Team (CERT-GIB).
“Government agencies are easy targets of phishing campaigns because they often publish their employee directories online. They are also highly desired targets because they store sensitive information on state secrets, on new products in the process of approval, including those of the world’s largest companies, and on private citizens. And given budget cuts, many of these agencies rely on a large pool of third parties, who are listed in publicly available government sites,” Mike Bittner, Digital Security & Operations Manager of The Media Trust, told SecurityWeek in an emailed comment.
“Since transparency is a government’s responsibility in a democracy, agencies should beef up their security measures. A few key steps include continuously scanning in real time the sites and mobile apps that citizens and companies use to access government services in order to identify any unauthorized activities and nip them in the bud. Second, they should know who all their third parties are and what activities they have authorized them to conduct. Third, they should use physical devices that generate a new token each time a government employee logs in. Fourth, they should train all staff to be wary of phishing scams and other suspicious events. Finally, since securing sensitive information is key to accomplishing their mission, it should therefore be appropriately funded. These phishing campaigns will only grow in frequency, mainly because they pay off,” Bittner added.