More than 40 000 compromised user credentials of online government services in 30 countries around t
Group-IB, an international company that specializes in preventing cyberattacks, has detected more than 40 000 compromised user credentials of online government services in 30 countries around the world. Most of the victims were in Italy (52%), Saudi Arabia (22%) and Portugal (5%). Users’ data might have been sold on underground hacker forums or used in targeted attacks to steal money or exfiltrate sensitive information. CERT-GIB (Group-IB’s Computer Emergency Response Team) upon identification of this information promptly warned CERTs of the affected countries about the threat so that risks could be mitigated.
Group-IB Threat Intelligence has detected government websites’ user accounts compromised by cyber criminals in 30 countries. Official government portals including Poland (gov.pl), Romania (gov.ro), Switzerland (admin.ch), the websites of Italian Ministry of Defense (difesa.it), Israel Defense Forces (idf.il), the Government of Bulgaria (government.bg), the Ministry of Finance of Georgia (mof.ge), Norwegian Directorate of Immigration (udi.no), the Ministries of Foreign Affairs of Romania and Italy and many other government agencies were affected by the data compromise.
Government employees, military and civilian citizens who had accounts on official government portals of France (gouv.fr), Hungary (gov.hu) and Croatia (gov.hr) became victims of this data compromise. In total Group-IB Threat Intelligence system has detected more than 40 000 comprised user accounts of the largest government websites in 30 countries across the world over the past year and a half — Italy (52%), Saudi Arabia (22%) and Portugal (5%) were affected most.
According to Group-IB experts, cyber criminals stole user accounts’ data using special spyware — formgrabbers, keyloggers, such as Pony Formgrabber, AZORult and Qbot (Qakbot). Phishing emails were sent to personal and corporate email accounts. The infection came from a malware included as an email attachment disguised as a legitimate file or archive. Once opened, it ran a Trojan aimed at stealing personal information. For instance, Pony Formgrabber retrieves login credentials from configuration files, databases, secret storages of more than 70 programs on the victim’s computer and then sends stolen information to cyber criminals’ C&C server. Another Trojan-stealer — AZORult, aside from stealing passwords from popular browsers, is capable of stealing crypto wallets data. Qbot worm gathers login credentials through use of keylogger, steals cookie files and certificates, active internet sessions, and forwards users to fake websites.
The stolen user accounts data is usually sorted by subject (banks’ client data, government portals user accounts, combo lists — email & password) and goes for sale on underground hacker forums. It is worth noting that government websites’ user accounts are less common on the forums. Cyber criminals and state-sponsored APT-groups, specialized in sabotage and espionage, are among those who can buy this information. Knowing the credentials of government websites’ users, hackers can not only obtain classified information from these websites, but also infiltrate government networks. Even one compromised government employee’s account can lead to the theft of commercial or state secrets.