Threat Management, Threat Management, Threat Intelligence, Malware, Phishing

Researchers discover 40,000+ compromised credentials for global gov’t websites


Over the last year and a half, attackers compromised more than 40,000 credentials for various global government websites and portals, using a combination of spyware tools and phishing tactics.

Portals hosts in more than 30 countries were affected by the campaign, with the majority of victimized users located in Italy (52 percent), Portugal (22 percent) and Saudi Arabia (five percent).

Threat intelligence researchers at the Moscow-based firm Group-IB discovered the affected credentials and believe they could have been sold on dark web forums or leveraged in attacks designed to steal money or sensitive data.

Victims include public sector employees, military members and regular civilians who use the official government portals of Poland, Romania, Switzerland, France, Hungary and Croatia, as well as the websites for the Italian Ministry of Defense, Israel Defense Forces, the Government of Bulgaria, the Ministry of Finance of Georgia, the Norwegian Directorate of Immigration, and the Ministries of Foreign Affairs of Romania and Italy.

The cybercriminals nabbed the compromised account data by sending victims phishing emails designed to infect them with spyware programs such as Pony Formgrabber, AZORult and Qbot, said Group-IB, warning that state-sponsored APT groups could use these credentials to obtain classified information or even infiltrate networks.

"The scale and simplicity of government employees' data compromise shows that users, due to their carelessness and lack of reliable cyber defense, fall victims to hackers," said Alexandr Kalinin, head of Group-IB’s Computer Emergency Response Team (CERT-GIB), in a document emailed to SC Media. "Malware used by cybercriminals to compromise user accounts continue to evolve. For better protection against this type of attacks, it is indeed important to not only use most up-to-date anti-APT solutions, but also to know the context of the attacks: when, where and how exactly your data was compromised."

Group-IB said that in response to its discovery, it alerted CERTs in more than 30 countries about the compromise and also notified local incident response teams.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.