How Data Leaks Can Get Messy: Bulgaria National Revenue Agency
August 9, 2019 • RBS
It goes without saying that data breaches are significant and distressing events. The realization that valuable information has been stolen from your organization kicks off a flurry of activity, starting with investigation and remediation and continuing through corrective measures and possibly systemic changes to prevent future events. Understanding how data breaches happen is crucial for early detection and prevention. While key details of breach activity for the first half of the year can be found in the upcoming MidYear Data Breach QuickView Report, it can be helpful to think of breaches as generally occurring in two distinct patterns.
Hacking for Profit
Organizations like Capital One are targeted due to the wealth of sensitive data they safeguard. Most threat actors aim to steal data that can be sold, traded, used for fraud/extortion, or carries some other financial value. These threat actors will exfiltrate the users table in a SQL dump to obtain credentials, financial information, patient records, or employer/personal information such as W-2 forms and Social Security numbers. In these situations, once something valuable or monetizable is obtained, no other information is typically targeted since it holds no value to the attacker.
The Smash N’ Grab
Other leaks are seemingly digital “smash ’n grabs”. In these scenarios, the threat actors seem to grab everything in sight, and the attacks are typically motivated by something other than money, such as political or personal reasons. Examples of this include the high-profile attack on Sony Pictures, as well as the 2016 leak of emails from the Democratic National Committee and the corresponding hack of John Podesta’s personal email account; all of these instances exposed copious amounts of information. Clearly some of the data was highly sensitive, but the leaked files also contained insignificant and outright public information.
A more recent example of a smash ’n grab event is the July 2019 leak from the Bulgarian Government’s National Revenue Agency. Risk Based Security was able to obtain the data and analyze it for some interesting takeaways:
- A significant number of affected people (about 1 million) are not from Bulgaria, or at least have an address outside of Bulgaria, and their data relates to the Automatic Exchange of Information (AEOI) regulation.
- The leak provides some back-end data from what appears to be their “ETax” platform.
- There is a folder that includes developer/bug fix data, with logins, passwords, session tokens, login cookies, and audit logs.
- There are several files labeled “Footballers”, which contain sensitive information about numerous soccer players from the Bulgarian league. This includes names and EGNs, the Bulgarian equivalent of a Social Security number.
- A folder labeled “EuroFisc”, which relates to the EU anti-fraud network, holds emails, EGNs, names, and occupation information for people in the Bulgarian government.
- Folders labeled JForum_Users, Krasi, and NETP Detail contain email addresses and passwords for Bulgarian government employees.
The leak displays many traits of a typical smash ’n grab. The attackers nabbed multiple seemingly unrelated files, and the data has not been offered for sale. Instead, the attackers chose to share the information with multiple journalists and media outlets. In an especially humorous twist, the very same actors are alleged to have taken control of the irrigation system outside of the National Assembly building in the hopes of dousing politicians as they come and go from the facility. Both figuratively and literally, the breach at the Bulgarian Government proves just how messy a compromise event can get.
Research credit goes to Roy Bass, Threat Intelligence Researcher at RBS