Hacker Claims Details of 45 Million Argentinians Stolen
@AnibalLeaks Says Entire Database for Sale on Hacking Forum
A cybercriminal known as cfk on popular hacking forums and @AnibalLeaks on Twitter claims to have stolen a database consisting of 45 million records of Argentina's National Registry of Persons, or ReNaPer.
The Argentinian government, in a statement, denied that there has been any unauthorized entry into its systems or a massive leak of data from the agency.
The Leak
To back the claim that the leak is authentic, the cybercriminal tweeted - through the now-suspended @AnibalLeaks profile - 44 ID card photos and associated personal details of known Argentinian celebrities, including football stars Lionel Messi and Sergio Aguero.
The cybercriminal also posted the ID of Argentina President Alberto Fernández on a hacker forum as additional proof. The database of which the ID is part, he says, has been on sale on the hacker forum since Oct. 10.
According to the hacker forum post, the leaked database includes generic as well as highly critical details, including:
- Photo;
- Full name;
- Date of birth;
- Address;
- Labor ID number and the code located on the back of the card;
- Processing, or trámite, number, which is similar to the Social Security number in the U.S., and its issuance and expiration dates.
As an "important" note, the cybercriminal states that the data is being sold individually and appears particularly interested in handing the data over to identity theft fraudsters and scammers. The criminal says the stolen data is "all the necessary data [required] to create a false identity card."
Government Investigation
According to a government statement on Oct. 12, ReNaPer has filed a criminal complaint against the information leak targeting 44 high-profile Argentinian citizens, including politicians Gustavo Béliz, Juan Luis Manzur, Santiago Andrés Cafiero, Oscar Parrilli and Máximo Carlos Kirchner, and former president Néstor Kirchner's daughter, Florencia Kirchner.
The government has, however, denied the hacking allegations. "The database did not suffer any data breach or leak," it says.
While the release does not address how the records of 45 million Argentines ended up on a hacking forum, it does say that ReNaPer's IT security team found an "authorized" virtual private network connection established between ReNaPer and the Ministry of Health of the Nation, which queried 19 images around the same time the cybercriminal published them on Twitter.
The government statement says that "the agency under the Ministry of the Interior confirmed that [the reason behind the leak of the images of 44 Argentines] was an improper use of the user or theft of the user's password" on the authorized virtual private network.
Following these findings, in a statement given to news agency Infobae, the Ministry of the Interior said only eight people have that degree of "access to keys." The ministry added: "They [the employees] could have stolen the key and that is why the IP is being investigated."
The government's statement partly concurs with what the cybercriminal posted on the hacking forum on Oct. 8: "I am selling access to an Argentine government network linked to communications and technology. Access is through VPN and domain administrator network credentials (AD) with direct access to the domain controller. There are thousands of office computers and servers, including virtual machines. It is an entity that is throughout the country, so it is a huge network."
Other AnibalLeaks Activity
The @AnibalLeaks Twitter profile was created on Sept. 25, according to Infobae. Archived records from Sept. 25, seen by Information Security Media Group, show the profile's first publication offered "all the personal data of the Gendarmerie, Army, Naval Prefecture, Navy, Air Force, [and] the Ministry of Defense [collectively reaching] 1,193,316 records."
Subsequently, the cybercriminal tweeted several [.]onion links at which the data could be downloaded, along with a screenshot as proof of their claim. The data dump was leaked from IOSFA, an institution in charge of the health safety of all security forces in Argentina, and contains information including names, surnames, military rank, addresses, emails, telephone numbers and family data, according to the hacker forum post, which was also seen by ISMG.
The cybercriminal is currently offering this data for free to anyone interested via a publicly posted download link on the hacker forum.
The cybercriminal's latest activity, observed on Tuesday by ISMG, involved selling an exploit that purportedly resets any email password of an Argentine government military domain website and webmail. "It could be used for social engineering towards other government entities," the cybercriminal says.