Over the last year and a half, attackers compromised more than 40,000 credentials for various global government websites and portals, using a combination of spyware tools and phishing tactics.
Portals hosts in more than 30 countries were affected by the campaign, with the majority of victimized users located in Italy (52 percent), Portugal (22 percent) and Saudi Arabia (five percent).
Threat intelligence researchers at the Moscow-based firm Group-IB discovered the affected credentials and believe they could have been sold on dark web forums or leveraged in attacks designed to steal money or sensitive data.
Victims include public sector employees, military members and regular civilians who use the official government portals of Poland, Romania, Switzerland, France, Hungary and Croatia, as well as the websites for the Italian Ministry of Defense, Israel Defense Forces, the Government of Bulgaria, the Ministry of Finance of Georgia, the Norwegian Directorate of Immigration, and the Ministries of Foreign Affairs of Romania and Italy.
The cybercriminals nabbed the compromised account data by sending victims phishing emails designed to infect them with spyware programs such as Pony Formgrabber, AZORult and Qbot, said Group-IB, warning that state-sponsored APT groups could use these credentials to obtain classified information or even infiltrate networks.
"The scale and simplicity of government employees' data compromise shows that users, due to their carelessness and lack of reliable cyber defense, fall victims to hackers," said Alexandr Kalinin, head of Group-IB’s Computer Emergency Response Team (CERT-GIB), in a document emailed to SC Media. "Malware used by cybercriminals to compromise user accounts continue to evolve. For better protection against this type of attacks, it is indeed important to not only use most up-to-date anti-APT solutions, but also to know the context of the attacks: when, where and how exactly your data was compromised."
Group-IB said that in response to its discovery, it alerted CERTs in more than 30 countries about the compromise and also notified local incident response teams.