The Ministry of Defence is investigating a security breach after hundreds of computer log-in details for its employees were stolen and posted on the dark web. Emails and passwords belonging to almost 600 UK armed personnel, MoD civil servants, and defence contractors have been stolen by cybercriminal groups since 2020. It is understood that the information was stolen using Russian hacking software, although there is no evidence the hack was directed by the Kremlin.
The data includes email addresses and other log-in information required for the MoD’s Defence Gateway portal. Many of the exposed employees are based in the UK, but accounts of MoD staff located in Iraq, Qatar, Cyprus and mainland Europe were also stolen.
The MoD constantly investigates credential theft, searching the dark web for exposed log-ins. It is believed that the majority of the data was stolen from staff using their personal devices to access the Defence Gateway platform.
Cyber security experts believe there is a risk hackers could access other sensitive credentials of MoD staff, including private email accounts, online banking, and social media accounts.
One intelligence source said: “This type of activity is often the first stage of a covert recruitment operation by adversaries. Stolen data provides hackers with personal information hostile actors can then use to coerce or blackmail employees.”
Alon Gal, chief technical officer of cybercrime intelligence firm Hudson Rock, said: “The theft of such credentials can lead to significant security challenges, including supply chain risks, and the ability of an attacker to laterally move across connected platforms.”
The use of cyber attacks has become a common part of modern-day warfare. This year alone, Kremlin-protected hackers have caused catastrophic disruption to the NHS, significantly risked our key emergency services, and built up an impressive arsenal of sensitive data with which to launch further attacks on the UK’s critical infrastructure.
Impressively dynamic hacking software known as infostealers significantly heightens that risk. The sophisticated tool quickly extracts data from devices after victims click fake links or advertisements, download bogus software updates or fall victim to phishing emails.
These tools can be bought on Russian markets for around US$150 (£120) per month and used to raid systems for valuable data, including log-in credentials, browser cookies, cryptocurrency wallets and system data.
The stolen information is then sold on underground markets for other affiliate criminals to launch further attacks on institutions, making this one of the most dynamic and pressing cyber security threats.
As Russia’s hybrid war on the West intensifies and a campaign of sabotage rages across European supply chains, disrupts travel networks, and sows fear into the minds of everyday people, the impact of infostealers is being sharply recognised, and our resilience to these attacks will be tested.
Speaking to reporters earlier last month, the director of MI5 Ken McCallum announced that Russia was on a mission to cause “mayhem” across the UK. As part of this he said we should “expect further testing – and in places defeating – of the West’s cyber defences”.
The material was shared with The i Paper amid pressing concern for the UK’s current response to cyber warfare, and the use of hacks by adversaries such as Russia to attack UK infrastructure.
A network of Russian hackers has been using a database of stolen data from UK firms and government departments since 2018 to launch cyber attacks, this newspaper previously revealed. They work across Eastern Europe, including Russia, Belarus and Moldova, but feed information back to servers based in Russia, where it can be accessed by Russian state officials. The network has been dubbed by some intelligence sources as “Cyber Wagner” – after the Russian mercenary group.
A UK intelligence source said they believe Putin was using crime groups as a tool to attack adversaries as part of hybrid warfare tactics in retaliation for UK government support for Ukraine.
A Government source noted that stolen information may not be current, and not all the compromised passwords would still work for the Defence Gateway. But in this year alone, there have been 124 compromised users of the portal, the intelligence shows.
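The article describes two defensive tasks without showing how they are done: searching dark-web dumps for an organisation's credentials, and working out which of the exposed passwords would still work on the portal. The following Python script is an added example, not code from the MoD, The i Paper or any vendor named above. It parses a constructed sample of stealer-log lines in the common URL:login:password layout, filters them to a placeholder portal hostname, compares each leaked password against a hypothetical salted-hash account store to separate still-valid from stale credentials, and flags users who reused the same password on other sites (the cross-platform exposure the experts quoted warn about). All hostnames, accounts, passwords and salts are constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed sample of stealer-log lines (URL:login:password), as typically
# found in infostealer dumps. Hosts and accounts are placeholders, not real data.
SAMPLE_LEAK = """\
https://gateway.example.gov.uk/login:alice@example.gov.uk:Winter2023!
https://bank.example.com/login:alice@example.gov.uk:Winter2023!
https://gateway.example.gov.uk/login:bob@example.gov.uk:OldPass1
https://gateway.example.gov.uk/login:eve@example.gov.uk:NoSuchUser
https://shop.example.net/checkout:carol@example.net:hunter2
malformed line without separators
"""

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256, standing in for whatever hash the portal stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def build_directory():
    """Hypothetical current account store: login -> (salt, hash of CURRENT password).
    Alice has not rotated her password since the leak; Bob has."""
    return {
        "alice@example.gov.uk": (b"salt-a", hash_password("Winter2023!", b"salt-a")),
        "bob@example.gov.uk": (b"salt-b", hash_password("NewPass2024", b"salt-b")),
    }


def parse_stealer_lines(text: str):
    """Return (url, login, password) tuples; skip lines not in the expected layout."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # The URL itself contains ':' (scheme and maybe a port), so split from the
        # right. A password containing ':' would still be misparsed; such dumps
        # need a different delimiter convention and are out of scope here.
        parts = line.rsplit(":", 2)
        if len(parts) != 3 or "://" not in parts[0]:
            continue
        url, login, password = parts
        entries.append((url, login, password))
    return entries


def triage(entries, directory, portal_host: str):
    """Classify leaked portal credentials against the current directory.

    still_valid: leaked password still matches the stored hash (reset now)
    stale:       account exists but password has changed since the leak
    unknown:     login not in the directory (left staff, typo, or decoy)
    reused_elsewhere: same login+password also seen for a non-portal host
    """
    still_valid, stale, unknown, reused = set(), set(), set(), set()
    seen = {}  # (login, password) -> set of hosts it appeared for
    for url, login, password in entries:
        host = urlparse(url).hostname or ""
        seen.setdefault((login, password), set()).add(host)
        if host != portal_host:
            continue
        if login not in directory:
            unknown.add(login)
            continue
        salt, current = directory[login]
        # Constant-time comparison of the recomputed hash with the stored one.
        if hmac.compare_digest(hash_password(password, salt), current):
            still_valid.add(login)
        else:
            stale.add(login)
    for (login, _pw), hosts in seen.items():
        if portal_host in hosts and len(hosts) > 1:
            reused.add(login)
    return {
        "still_valid": sorted(still_valid),
        "stale": sorted(stale),
        "unknown": sorted(unknown),
        "reused_elsewhere": sorted(reused),
    }


if __name__ == "__main__":
    report = triage(parse_stealer_lines(SAMPLE_LEAK), build_directory(),
                    "gateway.example.gov.uk")
    for bucket, logins in report.items():
        print(f"{bucket}: {logins}")
```

Only the `still_valid` bucket needs an immediate forced reset and session revocation; `reused_elsewhere` is the signal to contact the user about their other accounts, since the portal reset does nothing for the bank or email password they shared with it. In a real deployment the directory lookup would be a call to the identity provider rather than an in-memory dict, and the leak text would come from a monitoring feed rather than a constant.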