Security threat: Government log-in data on sale on dark web

Dark Web, noun: The part of the World Wide Web that is only accessible by means of special software, allowing users and website operators to remain anonymous or untraceable.

Compromised credentials from Singaporean government agencies and educational institutions were put up for sale on the dark web.

Russian cyber-security company Group-IB, a partner of Interpol, revealed on Tuesday (March 19) that it had found user log-ins and passwords from these organisations on the dark web over the course of 2017 and last year.

Among the agencies named by Group-IB were the Government Technology Agency (GovTech), Ministry of Education, Ministry of Health and the Singapore Police Force.

The National University of Singapore's learning management system was also named.

Mr Dmitry Volkov, the chief technology officer and head of threat intelligence at Group-IB, said in a press release that the compromised credentials pose a significant threat to security.

"Users' accounts from government resources are either sold on underground forums or used in targeted attacks on government agencies for the purpose of espionage or sabotage," he said.

"Even one compromised account, unless detected at the right time, can lead to the disruption of internal operations or leak of government secrets."

Mr Alexander Kalinin, head of Group-IB's Computer Emergency Response Team, yesterday told The New Paper his team had reached out to the Singapore Computer Emergency Response Team (SingCert) after the discovery.

"It is likely that these credentials are still on sale on underground forums," he said.

It is not known if any of the compromised credentials was used illegally, but Mr Kalinin said such stolen information has been used by cyber criminals in other cases.

"It is not unusual when a compromised account is used by cyber criminals to infiltrate an organisation's internal network for the purpose of sabotage and espionage," he said.

VERIFICATION

He added that his team had refrained from verifying the credentials themselves, and instead left it to SingCert to do so.

"The verification of stolen credentials would require a log-in session using compromised log-ins and passwords which is not only unethical but also a crime," he said.

"SingCert confirmed the receipt of the information, thanked Group-IB for sharing the list of compromised credentials and promised to verify and perform the necessary actions."

TNP contacted the agencies listed on Tuesday, as well as the Cyber Security Agency of Singapore, for comment.

Replying on their behalf, a Smart Nation and Digital Government Group spokesman said last night that GovTech was alerted to e-mail credentials in illegal data banks in January this year. The credentials comprise e-mail addresses and passwords provided by individuals.

ALSO READ: Data of 14,200 Singapore patients with HIV leaked online by American fraudster who was deported from here

"Around 50,000 of them are government e-mail addresses. They are either outdated or bogus addresses, except for 119 of them which are still being used," he added.

"As an immediate precautionary measure, all officers with affected credentials have changed their passwords."

No other information fields were exposed.

The spokesman said the credentials were not leaked from government systems, but from officers who used them for personal and non-official purposes.

"Officers have been reminded not to use government e-mail addresses for such purposes, as part of basic cyber hygiene," he added.

Last June, the personal data of 1.5 million SingHealth patients, including Prime Minister Lee Hsien Loong, were stolen in the country's largest data breach.

Other breaches included the illegal access of 72 HealthHub accounts last October, the online leak of information of 14,200 patients from the HIV Registry and improper handling of data belonging to more than 800,000 blood donors by a vendor last week.

This article was first published in The New Paper. Permission required for reproduction.