Virtual password and lock showing Russian hackers and stolen passwords

Russian Hackers Suspected in UK Ministry of Defence Breach; Stolen Passwords Taken From Employee Personal Devices

Stolen passwords have been leaking from the UK’s Ministry of Defence (MoD) since at least 2020, and Russian hackers are believed to be the culprits based on the tools used. The hack may not be the work of state-backed groups, however, as it came to light when credentials were offered for sale on an underground hacking forum.

The stolen passwords are for the MoD Defence Gateway portal, used by all British personnel for assorted everyday services and applications. The portal is specifically designed to be used safely from home via member personal devices, but it appears the Russian hackers have been targeting the devices themselves and intercepting the credentials as they are entered.

Widespread targeting of UK military personnel by Russian hackers still under investigation

The campaign remains under investigation, but security researchers share that the stolen passwords date back to at least 2020 and that a total of about 600 UK armed personnel, MoD civil servants, and defence contractors had their credentials taken during that time as part of this campaign.

Security researchers have confirmed that the hackers were using software of Russian origin and the stolen passwords were offered in that language, but thus far there is no indication that government-supported hacking teams were involved or that this was part of an espionage campaign. It appears to be more likely that criminals of Russian origin instead found a means of systematically targeting MoD member personal devices.

The hackers would not directly gain access to anything particularly sensitive with a captured MoD login, at least not in terms of espionage interest. The platform does not contain classified information and is mostly used for everyday job and personal functions for the MoD’s wide range of both military and civilian staff. But it is not clear exactly what sensitive personal information the Russian hackers may have had direct access to, and less sensitive contact and job information might well be used for advanced spearphishing attempts or as a way to find an “in” for an espionage campaign. The portal makes use of MFA, which may have stopped the attackers from actually breaching individual accounts with the stolen passwords; it would depend on the authentication method and the level of access they had to individual devices that were compromised.

Most of the stolen passwords come from personnel stationed or working in the UK, but MoD staff in several other countries are impacted: Iraq, Qatar, Cyprus and a number of other nations in mainland Europe.

Stolen passwords surfaced for sale on underground forum

Security researchers believe that the Russian hackers have been deploying these tools in this way since at least 2020, though the campaign is ongoing as 124 of the roughly 600 stolen passwords were taken this year. It remains unclear exactly how the MoD employee devices were compromised, though systematic phishing attempts directed at them would be the most likely explanation.

The story has numerous odd elements that don’t quite add up, at least with publicly available information at present. It is true that profit-seeking Russian hackers have been recruited to work with its government before, and specifically on campaigns of this nature that date back to at least 2018. But it would be strange for such a joint effort to end up with stolen passwords being offered for sale on a dark web forum, particularly if it remains ongoing. And if the MoD site enforces even a basic method of MFA, stolen passwords would not be particularly useful on their own. The total of credentials that were compromised is also rather small for a targeted campaign that has now been going on for almost half a decade; about 250,000 people actively use the portal between service members and civilian staff.

MoD and the National Cyber Security Centre (NCSC) are continuing to investigate the incident and do not have any specific security advice for personnel at present, but do warn that those who have already had credentials compromised may be at risk for blackmail attempts from the Russian hackers or other parties that buy the stolen info. The agencies are working to contact and remediate all accounts that are impacted, and have put “technical measures” in place to monitor potentially breached accounts for suspicious activity.

Darren James, a Senior Product Manager at Specops Software, an Outpost24 company, notes that though the consequences of this breach are potentially serious the fallout is also being managed about as well as possible: “This is another example that state sponsored hacking groups are actively targeting and stealing credentials and sensitive data from government departments. Sources believe that the malware used to gather these credentials was installed on the victims personal devices which were allowed to access the UK’s Defence Gateway platform. Although this service requires MFA to login, the username and stolen password can be used to launch attacks on other systems that person accesses, particularly if they have reused their password.”

“Any data stolen in this way can be used to coerce or blackmail the victim in the future, lead to account takeover, potentially attack an organizations supply chain or used to launch social engineering attacks against the service desk. For ordinary members of the public this is bad enough, but for Ministry of Defence employees, particularly those working abroad, the effects could be very serious indeed. Organizations must review their password security, make sure that compromised or breached passwords are detected and changed, and implement 2FA on as many systems as possible,” added James.

Though it is not clear if there is a connection between the two incidents, Russian hackers also compromised an MoD IT supplier recently. The group involved was described to media sources as being independent criminals but also “Kremlin-protected” and actively involved in seeking out military information, as well as any access that might be used to create chaos in the UK.