The login credentials of nearly 600 employees accessing a key British Ministry of Defence (MOD) employee portal have been discovered circulating on the dark web over the last four years, it has been reported.

According to the i news site, the stolen credentials were for the MOD’s Defence Gateway website, a non-classified portal used by employees for HR, email and collaboration, and education and training. The thefts are ongoing, with 124 compromised credentials said to have been detected during 2024.

Affected individuals included employees accessing the Gateway from countries including Iraq, Qatar, and Cyprus, as well as from Europe and the UK itself.

Some details in the story are lacking. First, it’s not clear whether the stolen credentials were ever used successfully. That would have given access to personal data, something the report does not mention. That may be because the site is separately reported to have been using multi-factor authentication (MFA), an additional barrier against attack that all public-facing government websites now use. Depending on how stealthy the attackers were, a deeper compromise would also have been likely to leave a forensic trace somewhere in log files.

An important question is who stole the credentials, and whether this was opportunistic or part of a larger campaign. The assumption is that the attacks were carried out by criminals with links to the Russian government, even though the evidence for such links remains circumstantial.

However, if Russian intelligence did benefit, it was incredibly sloppy to allow the credentials to be posted to a dark web site, where they must have known the loss would eventually be detected.

As to how the credentials were compromised, i news mentions that the devices used by the employees to access the site were mostly personal rather than issued by the military. As unmanaged devices, these would have raised the risk of a compromise.

The most likely vector would have been a phishing attack or, less likely, infostealer malware on the devices themselves.

CSO Online contacted the UK MOD for comment on the incident but had received no reply at press time.

Every time passwords are found on dark web sites, a routine occurrence these days, it re-confirms what everyone in cybersecurity already knows: passwords on their own are now almost undefendable. Even adding MFA doesn’t completely address this weakness.

“Using 2FA does not mean it’s impossible to break into a site. It just means that whoever is trying to break into a site has to be more determined and put more effort into grabbing a 2FA code from a potential victim to enter alongside their username and password,” cybersecurity expert and podcaster Graham Cluley told CSO Online. “Of course, a state-sponsored hacker trying to break into an MOD portal is much more likely to show such determination.”

To add to the damage, stolen credentials could leave the exposed individuals open to attacks on other websites where the same password might have been re-used.

A more general concern is that even relatively low-level credentials can be used in conjunction with other data to build a picture of the individuals using the MOD portal. This would have put employees at risk in other ways, said Cluley.

“MOD employees could be targeted by cybercriminals and state-sponsored hackers keen to steal further information from them or infect their systems with spyware. Cybercriminals will also be interested in discovering personal information such as private email addresses, online banking details, and social media accounts,” he said.

Arguably, 600 stolen credentials in four years is a tiny haul given the number of people using the MOD site each day.

The counter argument is that phishing attacks only need to compromise a small number of people to achieve their aim.

The good news is that, amidst daily warnings about Russian hybrid warfare, credential compromise is at least being detected by someone trawling dark web sites. That implies proactive security.

Less positively, it also points to the “everything, everywhere, all at once” state of current cyberattacks. In October, the UK’s National Cyber Security Centre (NCSC) warned that Russia was engaged in a vast data harvesting and reconnaissance exercise designed to probe for weaknesses.

The news of another credential compromise underlines how credential losses from years ago could now be fueling this effort.
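The proactive detection the article credits, matching a dark-web credential dump against an organisation’s own accounts, can be shown as a small triage routine. The code below is an added example and is not from the article, from i news or from the MOD; the leak lines, the account directory, the domain example-mod-portal.test and the use of salted PBKDF2 as the stored password hash are all constructed assumptions. Each leaked password is compared to the account’s current hash, so the leaked plaintext is never stored, and the findings are sorted into “still valid” (force a reset, revoke sessions, review recent logins), “rotated” (the leak is stale, but the user still needs a reuse warning for other sites) and “unknown account” (an address on the domain that is no longer in the directory, which is worth checking against offboarding records).

```python
import hashlib
import hmac
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample of the kind of "email:password" lines a dark-web monitoring
# feed returns. Every address, password and domain here is invented.
SAMPLE_LEAK_LINES = [
    "alice@example-mod-portal.test:Summer2021!",
    "bob@example-mod-portal.test:correct horse battery staple",
    "mallory@unrelated.test:hunter2",
    "carol@example-mod-portal.test:Qwerty123",
    "not a credential line",
]

ORG_DOMAIN = "example-mod-portal.test"   # assumed: the portal's own mail domain
PBKDF2_ROUNDS = 100_000                  # assumed work factor for the example


def password_hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, standing in for whatever KDF the portal uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


# Constructed account directory: email -> (salt, current password hash).
# Fixed salts keep the example deterministic; a real store would use random ones.
ACCOUNT_DIRECTORY: Dict[str, Tuple[bytes, bytes]] = {
    "alice@example-mod-portal.test": (b"salt-alice", password_hash("Summer2021!", b"salt-alice")),
    "bob@example-mod-portal.test": (b"salt-bob", password_hash("a-new-password-set-in-2024", b"salt-bob")),
}


def parse_leak_line(line: str) -> Optional[Tuple[str, str]]:
    """Split 'email:password' on the first colon; return None for junk lines."""
    if ":" not in line:
        return None
    email, password = line.split(":", 1)
    email = email.strip().lower()
    if "@" not in email or not password:
        return None
    return email, password


def triage_leak(lines: Iterable[str], org_domain: str,
                directory: Dict[str, Tuple[bytes, bytes]]) -> Dict[str, str]:
    """Classify each leaked entry that belongs to org_domain.

    still_valid     - leaked password matches the account's current hash: force a
                      reset, revoke sessions, and review that account's recent logins.
    rotated         - account exists but the password differs: the leak is stale, but
                      the user still needs a reuse warning for other sites.
    unknown_account - address is on our domain but not in the directory (former
                      employee, alias, or typo): check offboarding and forwarding rules.
    Entries for other domains are ignored; nothing about them is retained.
    """
    findings: Dict[str, str] = {}
    for line in lines:
        parsed = parse_leak_line(line)
        if parsed is None:
            continue
        email, leaked_password = parsed
        if not email.endswith("@" + org_domain):
            continue
        record = directory.get(email)
        if record is None:
            findings[email] = "unknown_account"
            continue
        salt, current_hash = record
        candidate = password_hash(leaked_password, salt)
        # Constant-time comparison, the same way a login check would do it.
        if hmac.compare_digest(candidate, current_hash):
            findings[email] = "still_valid"
        else:
            findings[email] = "rotated"
    return findings


if __name__ == "__main__":
    for email, verdict in sorted(triage_leak(SAMPLE_LEAK_LINES, ORG_DOMAIN, ACCOUNT_DIRECTORY).items()):
        print(f"{verdict:16} {email}")
```

Even the “rotated” and MFA-protected cases deserve a look at recent sign-in logs, since, as Cluley notes above, a second factor raises the effort an attacker needs rather than ruling out a compromise.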
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3615760/hundreds-of-uk-ministry-of-defence-passwords-found-circulating-on-the-dark-web.html