Over 40,000 accounts for government websites were found on the dark web, belonging to users from countries including Saudi Arabia, Italy, Israel, Portugal, Switzerland, Norway, Georgia, Bulgaria, and Romania.
More than half of the accounts (52%) belong to Italian government officials, followed by Saudi Arabian government accounts (22%) and Portuguese government accounts (5%).
Group-IB is a Russian IT security firm headquartered in Moscow, and it is considered one of the top global vendors of threat intelligence on the market. The head of Group-IB’s Computer Emergency Response Team (CERT-GIB), Alexandr Kalinin, explained that the access credentials were most likely put up for sale. Group-IB’s research indicated that the hackers used fairly common malware and trojans to gather the list; the tools likely used include Pony, AZORult Infostealer, and Qbot.
Mr. Kalinin believes the list was accumulated over time from large samples of victims around the world and then sorted into public officials and private individuals. Although the credentials vary significantly in importance, from local portals to high-level governmental websites, they still pose a high risk in the hands of a determined attacker.
The compromised accounts came from a wide array of government agencies, ranging from local government sites to state-level agencies and official government portals. Some of the most high-profile access offered by the hackers included: Switzerland (admin.ch), Poland (gov.pl), Bulgaria (government.bg), Romania (gov.ro), the Norwegian Directorate of Immigration (udi.no), the Ministry of Finance of Georgia (mof.ge), the Israel Defense Forces (idf.il), the Italian Ministry of Defense (difesa.it), the Ministry of Foreign Affairs of Romania, and the Ministry of Foreign Affairs of Italy, among others.
“The scale and simplicity of government employees’ data compromise shows that users, due to their carelessness and lack of reliable cyber defense, fall victim to hackers. Cybercrime has no borders and affects private and public companies and ordinary citizens,” declared Alexandr Kalinin.
Group-IB began its investigation following a discovery by the IT security firm Agari, which identified another group of scammers holding a similar list of 50,000 global CEOs, most likely compiled for reconnaissance ahead of Business Email Compromise (BEC) scams.