Group-IB Identifies 40K Government User Credentials on Dark Web
December 13, 2018
Group-IB has detected more than 40 000 compromised user credentials for online government services in 30 countries around the world. Most of the victims were in Italy (52%), Saudi Arabia (22%) and Portugal (5%). The users' data might have been sold on underground hacker forums or used in targeted attacks to steal money or exfiltrate sensitive information. Upon identifying this information, CERT-GIB (Group-IB's Computer Emergency Response Team) promptly warned the CERTs of the affected countries about the threat so that the risks could be mitigated.
Group-IB Threat Intelligence has detected user accounts of government websites in 30 countries that were compromised by cyber criminals. The affected sites include the official government portals of Poland (gov.pl), Romania (gov.ro) and Switzerland (admin.ch), the websites of the Italian Ministry of Defense (difesa.it), the Israel Defense Forces (idf.il), the Government of Bulgaria (government.bg), the Ministry of Finance of Georgia (mof.ge) and the Norwegian Directorate of Immigration (udi.no), the Ministries of Foreign Affairs of Romania and Italy, and many other government agencies.
Government employees, military personnel and civilian citizens who held accounts on the official government portals of France (gouv.fr), Hungary (gov.hu) and Croatia (gov.hr) also became victims of this data compromise. In total, the Group-IB Threat Intelligence system has detected more than 40 000 compromised user accounts on the largest government websites in 30 countries over the past year and a half; Italy (52%), Saudi Arabia (22%) and Portugal (5%) were affected most.
According to Group-IB experts, cyber criminals stole the account data using specialised spyware (form grabbers and keyloggers) such as Pony Formgrabber, AZORult and Qbot (Qakbot). Phishing emails were sent to both personal and corporate email accounts. The infection came from malware delivered as an email attachment disguised as a legitimate file or archive; once opened, it ran a Trojan aimed at stealing personal information. For instance, Pony Formgrabber retrieves login credentials from the configuration files, databases and secret stores of more than 70 programs on the victim's computer and then sends the stolen information to the criminals' C&C server. Another Trojan stealer, AZORult, can steal cryptocurrency wallet data in addition to passwords saved in popular browsers. The Qbot worm gathers login credentials with a keylogger, steals cookie files, certificates and active internet sessions, and redirects users to fake websites.
Stolen account data is usually sorted by subject (bank client data, government portal user accounts, and "combo lists" of email and password pairs) and put up for sale on underground hacker forums. It is worth noting that government website accounts are less common on these forums. Buyers can include cyber criminals as well as state-sponsored APT groups specialising in sabotage and espionage. With the credentials of government website users, attackers can not only obtain classified information from those websites but also infiltrate government networks. Even a single compromised government employee account can lead to the theft of commercial or state secrets.
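As an added illustration of the triage a CERT performs on such a combo list before warning the affected countries (example code written for this page, not Group-IB's tooling): the sample list, the subdomains and the domain-to-country mapping are constructed assumptions; the monitored domains are those named in the report. Passwords are reduced to a truncated hash so that the notification can be correlated without passing plaintext secrets around.

```python
import hashlib
import re
from collections import Counter, defaultdict

# Constructed sample of a "combo list" (email:password per line) as sold on
# underground forums. Every address and password here is made up.
SAMPLE_COMBO_LIST = """\
mario.rossi@difesa.it:Passw0rd!
j.kowalski@office.gov.pl:zima2018
luca.verdi@mail.difesa.it:Estate#1
someone@example.com:hunter2
not a credential line
h.mueller@dept.admin.ch:Alpen123
"""

# Government domains named in the report, mapped to the country whose CERT
# should be notified. The domain -> country-code mapping is an assumption.
GOV_DOMAINS = {
    "gov.pl": "PL", "gov.ro": "RO", "admin.ch": "CH", "difesa.it": "IT",
    "idf.il": "IL", "government.bg": "BG", "mof.ge": "GE", "udi.no": "NO",
    "gouv.fr": "FR", "gov.hu": "HU", "gov.hr": "HR",
}

# local-part@domain:password; the domain stops at the first ':'
LINE_RE = re.compile(r"^([^\s:@]+@([^\s:]+)):(.+)$")

def gov_suffix(domain):
    """Return the monitored government domain that `domain` equals or sits under."""
    domain = domain.lower()
    for suffix in GOV_DOMAINS:
        if domain == suffix or domain.endswith("." + suffix):
            return suffix
    return None

def triage(combo_text):
    """Group government credentials by country code; plaintext passwords are not kept."""
    findings = defaultdict(list)
    for line in combo_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed or non-credential line
        email, domain, password = m.groups()
        suffix = gov_suffix(domain)
        if suffix is None:
            continue  # not a monitored government domain
        # Truncated SHA-256 lets the receiving CERT confirm a match without the secret.
        digest = hashlib.sha256(password.encode()).hexdigest()[:12]
        findings[GOV_DOMAINS[suffix]].append((email, digest))
    return dict(findings)

def country_counts(findings):
    """Per-country tally, the figure a CERT reports (e.g. Italy 52%)."""
    return Counter({cc: len(v) for cc, v in findings.items()})
```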
Aleksandr Kalinin, Head of Group-IB's Computer Emergency Response Team (CERT-GIB), said, "The scale and simplicity of government employees' data compromise shows that users, due to their carelessness and lack of reliable cyber defense, fall victim to hackers. Malware used by cyber criminals to compromise user accounts continues to evolve. For better protection against this type of attack, it is indeed important to not only use the most up-to-date anti-APT solutions, but also to know the context of the attacks: when, where and how exactly your data was compromised."
Kalinin also noted, "Threat Intelligence data exchange between official government CERTs is crucial for the global fight against cybercrime. It is important for us to cooperate with other CERTs, which allows us to provide rapid incident response and gather more information about hackers' evolving tactics and tools, indicators of compromise, and the most urgent threats. Cybercrime has no borders and affects private and public companies and ordinary citizens. International data exchange on current threats is a backbone of global stability."