Government log-in data on sale on dark web
E-mail addresses and passwords were 'not leaked from government systems but from officers who used them for personal purposes'
Compromised credentials from Singaporean government agencies and educational institutions were put up for sale on the dark web.
International cyber-security company Group-IB, a partner of Interpol, revealed on Tuesday that it had found user log-ins and passwords from these organisations on the dark web over the course of 2017 and last year.
Among the agencies named by Group-IB were the Government Technology Agency (GovTech), Ministry of Education, Ministry of Health and the Singapore Police Force.
The National University of Singapore's learning management system was also named.
Mr Dmitry Volkov, the chief technology officer and head of threat intelligence at Group-IB, said in a press release that the compromised credentials pose a significant threat to security.
"Users' accounts from government resources are either sold on underground forums or used in targeted attacks on government agencies for the purpose of espionage or sabotage," he said.
"Even one compromised account, unless detected at the right time, can lead to the disruption of internal operations or leak of government secrets."
Although it was included on Group-IB's list, the Singapore Police Force said in a statement that its systems were not at risk.
“Based on a review of the credentials, the Police would like to clarify that no user information and passwords which are used for gaining access into police systems were compromised. Only the user information and password of one employee from the POLWEL Co-operative Society Limited was affected, and his account has been disabled. POLWEL’s computers are not linked to Police’s systems.”
Mr Alexander Kalinin, head of Group-IB's Computer Emergency Response Team, yesterday told The New Paper his team had reached out to the Singapore Computer Emergency Response Team (SingCert) after the discovery.
"It is likely that these credentials are still on sale on underground forums," he said.
It is not known if any of the compromised credentials was used illegally, but Mr Kalinin said such stolen information has been used by cyber criminals in other cases.
"It is not unusual when a compromised account is used by cyber criminals to infiltrate an organisation's internal network for the purpose of sabotage and espionage," he said.
He added that his team had refrained from verifying the credentials themselves, and instead left it to SingCert to do so.
"The verification of stolen credentials would require a log-in session using compromised log-ins and passwords, which is not only unethical but also a crime," he said.
"SingCert confirmed the receipt of the information, thanked Group-IB for sharing the list of compromised credentials and promised to verify and perform the necessary actions."
TNP contacted the agencies listed on Tuesday, as well as the Cyber Security Agency of Singapore, for comment.
Replying on their behalf, a Smart Nation and Digital Government Group spokesman said last night that GovTech was alerted to e-mail credentials in illegal data banks in January this year. The credentials comprise e-mail addresses and passwords provided by individuals.
"Around 50,000 of them are government e-mail addresses. They are either outdated or bogus addresses, except for 119 of them which are still being used," he added.
"As an immediate precautionary measure, all officers with affected credentials have changed their passwords."
No other information fields were exposed.
The spokesman said the credentials were not leaked from government systems, but from officers who used them for personal and non-official purposes.
"Officers have been reminded not to use government e-mail addresses for such purposes, as part of basic cyber hygiene," he added.
Last June, the personal data of 1.5 million SingHealth patients, including Prime Minister Lee Hsien Loong, were stolen in the country's largest data breach.
Other breaches included the illegal access of 72 HealthHub accounts last October, the online leak of information of 14,200 patients from the HIV Registry and improper handling of data belonging to more than 800,000 blood donors by a vendor last week.