Hackers Collected More Than 40 000 Login Data to Government Systems in More Than 30 Countries

40 000 login data to government portals in more than 30 countries. It is the result of investigation of the International company Group-IB dealing with cyberattack prevention.

The company using the forensic analysis of malware samples found out that attackers unknown so far were capable of, through different techniques, collecting login data to government systems and portals of more than 40 000 users in about 30 countries. These data are in a non-encrypted form, in clear text.

Login data were collected notably from government portals of the European countries. Attacked were the following countries: Italy, Portugal, Romania, Poland, Bulgaria, Switzerland, Georgia, Norway, and outside the Europe Israel and Saudi Arabia.

Technical details

In order to collect the data attackers used phishing e-mails and several types of malware, particularly Pony Formgrabber, AZORult and Qbot (Qakbot). However, it is currently unclear which computers were infected, whether the workstations of government employees or their personal computers which would mean that escaped data came from employees who logged in to government systems outside their office.

Phishing was targeted at official as well as personal e-mail accounts and malware inside it was distributed as a legitimate file. After the file had been opened the malicious code was installed in the user’s system and started to scan the system for sensitive data.

Malware Pony can target more than 70 programs, searching for login data, configuration files, databases and hidden data storage. If it collects the data, it sends them to the attacker’s control server.  

AZORult focuses on password capture from web browsers and on data related to cryptocurrency.  This Trojan has a wide usage like downloading of another malicious code to the victim’s device or ransomware distribution.

Qbot, known also as QakBot or PinkSlip is a bank Trojan used by attackers almost for 10 years. This type of malware can collect the data about visited websites, cookies and web certificates. It is also capable of keylogging for the purpose of login data collection.   

According to the company which revealed these findings there is a strong assumption that attackers, who collected the data, are selling them further. It is not excluded that the attackers will use these data in order to collect other sensitive or confidential information in government systems. 


Regarding this information the National Unit SK-CERT recommends the users to implement the following preventive measures not only within the government networks: 

For users:

  • if you receive a suspicious e-mail, do not open its attachments and do not click on links;
  • if you are asked directly in e-mail for login data, in no case provide them to anybody;
  • notify your network administrator or the internet provider of receiving such suspicious e-mail. Do not delete the e-mail as its details can help to solve cybersecurity incident.
  • if your organisation uses the services of any CSIRT unit, please contact it. You can contact the National unit SK-CERT as well.
  • use strong passwords. Use different passwords to each system you enter or service you use. If you have many passwords, you can use secure and encrypted applications – the password administrator.
  • update on a regular basis your operating system or computer programs you use. Download updates only from verified sources of the manufacturer.
  • use additional forms of protection like antivirus and antimalware programs, software and physical firewalls, e-mail protection against spam, and so on;
  • in incident solving follow the instructions of the network administrator and CSIRT unit.

For administrators:

  • turn on the most detailed logging on post servers and workstations;
  • when suspicious e-mails occur
    • block e-mail addresses and/or IP addresses of sending servers on the perimeter;
    • retrieve links from e-mails in logs of proxy server or in other security element which can trace the communication towards the internet. Do not visit the links.  
    • check which users opened a suspicious e-mail, clicked on a link and opened an attachment;
  • if users opened the e-mail, downloaded the attachment, clicked on the link or answered it, do initiate the plans for cybersecurity incident solving in your organisation
  • follow all rules of patch management;
  • make regular backups in such a way that in the event of security incident you cannot lose or change the backups.

For management:

  • introduce security politics in your organisation to protect information assets and prevent cybersecurity incidents;
  • perform risk management activities;
  • establish cooperation with CSIRT unit.

« Späť na zoznam