Russian hackers have been taking passwords from the UK’s Ministry of Defence (MoD) for at least the past four years, though the campaign has been rather slow; only about 600 of the roughly 250,000 users of the Defence Gateway portal have been affected. Add to that the fact that the stolen passwords are reinforced by multi-factor authentication, and you have a somewhat head-scratching breach that is much more likely the work of criminals than of advanced state-backed teams.
Stolen passwords offered for sale after years of slow exfiltration
The stolen passwords come from the MoD Defence Gateway portal, a public-facing site that British military personnel and civilian employees log into for pay and health care apps and services, among other everyday functions. The site does not contain classified information, but it could provide attackers with damaging personal information if individual accounts were compromised.
MFA seems to be required, however, so it’s not clear how many (if any) of the 600 compromised accounts yielded personal info to the Russian hackers. A general lack of success in the campaign might explain why the stolen passwords wound up being offered for sale on a dark web forum instead of being quietly put to use in an espionage campaign.
The activity has been spread out over roughly the last four years, with 124 of the stolen passwords taken this year. Full details on the attack are not available, but the Russian hackers are likely targeting known MoD employees and service members with phishing attacks or malware.
It is not unusual for the Putin government to recruit civilian Russian hackers for campaigns such as this, with a history of this happening dating back to at least 2018. But it would be very odd if the criminals then released the stolen passwords to the dark web after being involved in something like this. The MoD and the National Cyber Security Centre (NCSC) are continuing to investigate, and say they have added measures to monitor the potentially compromised accounts for suspicious activity.
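The monitoring step described above, watching a known set of accounts whose passwords are assumed stolen, is the kind of detection a defender would put in place while MFA is still holding the line. The following is an added illustration written for this page; it is not the MoD's or NCSC's tooling, and the log format, usernames, countries and thresholds are all constructed assumptions. It reads authentication events for watch-listed accounts and raises two kinds of alert: a correct password used from a country outside the account's baseline, and a run of MFA failures immediately after a correct password, which is what a stolen password being tried against a second factor looks like.

```python
"""Watch-list monitoring for accounts whose passwords are known to be stolen.

Assumed log format (constructed for this example, not a real portal's):
one event per line, fields separated by '|':
    timestamp|username|country|event
where event is one of: PASSWORD_OK, PASSWORD_FAIL, MFA_OK, MFA_FAIL
"""
from collections import defaultdict

# Hypothetical accounts placed on the watch-list after the password leak.
WATCHLIST = {"jsmith", "apatel"}

# Constructed sample log: one normal UK login, one non-watch-listed user,
# one suspicious sequence from a new country, and a normal overseas user.
SAMPLE_LOG = """\
2024-11-01T08:02:11Z|jsmith|GB|PASSWORD_OK
2024-11-01T08:02:19Z|jsmith|GB|MFA_OK
2024-11-01T08:15:02Z|rjones|GB|PASSWORD_OK
2024-11-01T08:15:09Z|rjones|GB|MFA_OK
2024-11-02T03:41:55Z|jsmith|RU|PASSWORD_OK
2024-11-02T03:42:30Z|jsmith|RU|MFA_FAIL
2024-11-02T03:43:05Z|jsmith|RU|MFA_FAIL
2024-11-02T03:43:40Z|jsmith|RU|MFA_FAIL
2024-11-02T09:10:00Z|apatel|CY|PASSWORD_OK
2024-11-02T09:10:07Z|apatel|CY|MFA_OK
2024-11-03T22:05:12Z|apatel|CY|PASSWORD_FAIL
"""

# Number of consecutive MFA failures (after a correct password) that trips an alert.
MFA_FAIL_THRESHOLD = 3


def parse_line(line):
    """Split one log line into a dict; assumes the four-field format above."""
    ts, user, country, event = line.strip().split("|")
    return {"ts": ts, "user": user, "country": country, "event": event}


def monitor(log_text, watchlist, baseline_countries=None):
    """Return a list of (alert_type, user, timestamp, country) for watch-listed accounts.

    baseline_countries: optional {user: set_of_countries} treated as normal.
    If an account has no baseline, the country of its first correct password
    in the log becomes the baseline (a simplifying assumption for this example).

    Alert types:
      NEW_COUNTRY    - correct password used from a country outside the baseline
      MFA_BRUTEFORCE - MFA_FAIL_THRESHOLD consecutive MFA failures after a
                       correct password (attacker holds the password and is
                       pushing on the second factor)
    """
    baseline = defaultdict(set)
    if baseline_countries:
        for user, countries in baseline_countries.items():
            baseline[user] |= set(countries)
    mfa_fail_streak = defaultdict(int)
    alerts = []

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        user = ev["user"]
        if user not in watchlist:
            continue  # only watch-listed accounts are examined here

        if ev["event"] == "PASSWORD_OK":
            if not baseline[user]:
                baseline[user].add(ev["country"])
            elif ev["country"] not in baseline[user]:
                alerts.append(("NEW_COUNTRY", user, ev["ts"], ev["country"]))
            mfa_fail_streak[user] = 0  # a new password success starts a new MFA attempt run
        elif ev["event"] == "MFA_FAIL":
            mfa_fail_streak[user] += 1
            if mfa_fail_streak[user] == MFA_FAIL_THRESHOLD:
                alerts.append(("MFA_BRUTEFORCE", user, ev["ts"], ev["country"]))
        elif ev["event"] == "MFA_OK":
            mfa_fail_streak[user] = 0
        # PASSWORD_FAIL is ignored here: a wrong password is not the leaked one

    return alerts


if __name__ == "__main__":
    for alert in monitor(SAMPLE_LOG, WATCHLIST):
        print(alert)
```

Only the two watch-listed accounts are evaluated, so the non-listed user's normal login produces nothing, and the overseas user whose baseline is Cyprus is not flagged; the account whose stolen password is used from a new country and then hammered at the MFA prompt produces both alerts. In practice the baseline would come from historical login data rather than the first line of the log, and the alert tuples would be routed to whatever case system the SOC uses.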
Russian hackers pick espionage target, but appear to be for-profit
The target selection and the length of the campaign (with the first activity noted in 2020) point to state-backed espionage, but the outcome points to criminals who are not particularly capable. By all appearances the Russian hackers were only able to get a relative handful of stolen passwords over this time, and ended up trying to sell them off in desperation.
Of course, more details could certainly emerge in the coming days. While not an apples-to-apples comparison, the reporting on the Chinese hack of US telecoms similarly spiralled and grew over a period of more than a month. At minimum, the Russian hackers do seem to have been specifically targeting known MoD portal users for some reason.
Of the roughly 600 stolen passwords, most came from users in the UK. A handful came from other countries in Europe, as well as from personnel in Iraq, Qatar, and Cyprus. While use of the portal may have been blocked by MFA, users who have had their passwords taken should assume that malware may be present on any personal devices they have used to access the site since 2020. It is still not known how the attack unfolded, but the victims may have unknowingly been compromised by a phishing email or text message during this period.