40,000 user accounts on government resources ended up in the hands of attackers
The greatest number of victims was in Italy, Saudi Arabia and Portugal.
Group-IB specialists identified more than 40,000 compromised user accounts on the largest public resources in 30 countries, including the government sites of Poland, Romania and Switzerland, the Italian Ministry of Defense, the Israel Defense Forces, the Government of Bulgaria, the Ministry of Finance of Georgia, the Norwegian Directorate of Immigration, the Ministries of Foreign Affairs of Romania and Italy, and others. The largest number of victims was in Italy (52%), Saudi Arabia (22%) and Portugal (5%). Experts believe that the compromised logins and passwords could be sold on underground forums or used to steal money and information.
Among the victims are civil servants, military personnel and ordinary citizens who had registered on public-service websites. The cybercriminals used various tools to steal the accounts, for example the Pony Formgrabber, AZORult and Qbot Trojans. The first collects credentials from the configuration files, databases and password stores of more than 70 programs on the victim's computer and then sends the information to the attacker's command-and-control server. The AZORult Trojan is able not only to steal passwords from popular browsers, but also to steal cryptocurrency wallets. The Qbot worm can collect logins and passwords, as well as install keyloggers, steal cookies and digital certificates, intercept active Internet sessions and redirect users to fake pages.
The malware spread through phishing e-mails sent by the attackers to users' corporate or personal mailboxes. The messages contained a file or archive; once it was opened, the information-stealing malware was launched on the victim's system.
As a rule, cybercriminals sort the stolen data by topic (bank customers' data, accounts for the portals of state institutions, and "combo lists" of e-mail/password pairs) and put them up for sale on underground forums. In some cases, unsorted data is put up for sale. Accounts for government sites are rarely freely available, experts say.
Such information is valuable not only to cybercriminals, but also to APT groups specializing in sabotage and cyber espionage. With these credentials, attackers can gain access to a personal account on a government portal and to the confidential information associated with it, or penetrate the internal network of a public institution. The compromise of even a single employee's data represents a serious risk, as it may lead to the disclosure of commercial or state secrets.
The specialists have already contacted the national computer emergency response teams (CERTs) in 30 countries and notified the local response teams of the compromised data that was found.