
A Cybercriminal Stole Government ID Database for Argentina’s Entire Population

The Argentinian government database with ID card data belonging to all the country’s citizens has been stolen by a cybercriminal who has now advertised it for sale online.

The news came as a shock to many people in both the cybersecurity community and the private sector as it emerged that the hacker had managed to harvest the ID card details of about 46 million citizens.

Worse, it turns out that the hacker has already begun selling the large trove of data on underground platforms. This is expected to expose millions of Argentinians to follow-on cyberattacks in the form of exploits, scams and breaches.

According to media reports, the cyber event took place in the month of September although details concerning the hack surfaced in October.

The government institution that was affected in the cyberattack is referred to as RENAPER, which is an acronym for Registro Nacional de las Personas (translated as the National Registry of Persons).

The cyberattack has exposed the lengths to which hackers will go to compromise critical services, regardless of the resources required to pull off a large-scale attack on a government institution.

RENAPER serves a very crucial role in Argentina, as it forms part of the country’s interior ministry, which is responsible for issuing identification documents to all citizens of Argentina.

The ID card data gathered by the agency is stored in a database that can be accessed by other branches and institutions of the Argentinian government. It would be correct to assert that RENAPER is the proverbial backbone of the majority of government services involving personal data.

Further reports intimated that the first indication that the Argentinian national registry had been hacked came from a post on Twitter by a newly-registered account using the handle @AnibalLeaks that posted the ID card photos and personal details for 44 Argentinian public figures.

Some of the celebrities whose ID photographs were published by the user include the country’s president Alberto Fernández, a number of media personalities and political powerhouses, and football stars such as Lionel Messi and Sergio Aguero.

It appears that Twitter has since suspended the hacker’s profile on the social media platform, as our own search for the threat actor’s username showed (see screenshot).

Figure 1: The hacker’s Twitter account has been suspended for violating the Twitter rules.

According to additional reports by cybersecurity news platforms, the cybercriminal went on to publish the personal data on a popular hacking site, offering to look up the personal details of any Argentinian citizen.

Apart from ID numbers, the leaked data also comprises the names, home locations, birthdays, Trámite numbers, citizen numbers, government photo IDs, labor identification codes, ID card issuance and expiration dates.

Meanwhile, The Record contacted the hacker, who was reportedly renting access to the RENAPER database on illicit cybercriminal forums. According to details since made public by the media platform, the threat actor said that they had a copy of the RENAPER data, which contradicted the government’s response to the reports.

The Record seemed quite certain that the threat actor was telling the truth, because he backed his claims with solid proof: personal details belonging to Argentinians, including the already-mentioned Trámite numbers, which citizens consider highly sensitive.

The individual went on to say that they were planning to leak the data of one or two million citizens over the days following their revelation on social media. They also intended to continue selling access to the data to interested buyers across various circles.

Government Denies Reports

As Argentinian media joined in to report on the shocking news, the government took its time to respond, issuing a statement about three days after the threat actor’s social media post.

A probe into the events leading to the massive data breach may not have provided clear answers concerning what exactly happened to RENAPER. The hacker, for their part, claimed that the successful intrusion into the government agency was made possible by “careless employees” of the National Registry of Persons who unknowingly granted them access to the system.

An official statement from the Government of Argentina on October 13 came out to dispel reports that an unknown threat actor had gained access into critical government systems to cart citizen personal data away.

What’s interesting is that the same statement went on to reveal that a VPN account belonging to an employee of the Ministry of Health had been compromised and used to gain unauthorized access to the Digital Identity System shortly before the Twitter account shared the initial samples of data belonging to members of Argentinian high society.

The government went on to assert that RENAPER was not subjected to any cyberattack or data leak, although it said that the relevant authorities are now hard at work investigating eight government workers who may be linked to the data leak.

Not the First Time

This is not the first time that Argentinian society has been treated to sensational news about a large-scale cyberattack.

The recent breach echoes the “La Gorra Leaks” of 2017 and 2019, in which government accounts and databases were compromised by threat actors.

The 2017 incident involved the email account and Twitter account of the country’s Minister of Security – the threat actor published screenshots and images drawn from the accounts, to the shock of many citizens and public commentators.

What’s interesting is that the media was awash with reports concerning the manner in which the government responded to the problem, even overshadowing reports about the data breach itself.

Recent memory takes us back to the time when security experts covering the data hack were harassed by the national government merely for posting about the cyber event on social media and in blogs.

In one case, Argentinian police briefly detained a reputable security researcher and raided his residence over unfounded allegations of hacking and leaking data from government systems.

The security expert, identified as Javier Smaldone, was quick to share information about his detention after he was released from custody. He obtained and posted court documents concerning his arrest on Twitter.

The documents, which are still viewable to date, showed that Argentinian law enforcement agencies apprehended the security expert and raided his home merely for tweeting about the government hack, without tangible evidence that he had committed any wrongdoing.

He went on to assert that the entire circus was a witch-hunt on the part of the police who arrested and raided his premises for no reason apart from “political persecution”.

Figure 2: court documents shared on Twitter by Javier Smaldone.

It is worth noting that Javier Smaldone is a well-respected cybersecurity activist who has played significant roles on the frontlines of defending against state-backed actions against democracy.

At one time, the activist testified in front of the Argentinian Senate against the employment of electronic voting machines in the country, and has been on record several times criticizing the government’s plans to use such machines.

The same pattern showed up in 2019 when an unidentified threat actor leaked about 700GB of information harvested from government databases. Reports indicated that the information included some 200,000 PDF files that were published on dark web and messaging platforms. Although the cyber event posed no apparent threat to the country’s cybersecurity, a number of politicians and law enforcement actors suffered dents to their public image.

Another cyberattack targeting the Argentinian government occurred last year, when the country’s national migration agency announced that it had managed to contain a breach that had forced the government to shut the nation’s borders.

At the time, Argentina’s National Directorate of Immigration said that it had been hit by an unknown threat actor who succeeded in disrupting a number of critical services, including border control.

According to the government establishment, the Integrated Migration Capture System (SICaM), which the country uses to process international movement of persons, was particularly affected by the attack – the issue translated into significant bottlenecks at the country’s points of entry and exit.

However, the government body insisted that the cyberattack did not reach the agency’s most sensitive infrastructure, and stated that no personal data or corporate details managed by the National Directorate of Immigration had been leaked.

At the time, Newsweek contacted the Argentinian government, including the directorate itself and the country’s cybercrime agency that was working to contain the attack, for a full account of the events surrounding the hack.

According to the responses received by the American weekly news magazine, and analyses conducted by a host of local crypto-focused media outlets, the cyberattack was linked to the Netwalker ransomware group, which was demanding millions of dollars’ worth of Bitcoin in exchange for the information it had harvested illegally.

At first, the threat actors were demanding $2 million in Bitcoin from the government agency, but this figure quickly jumped to $4 million under unclear circumstances.

Further, additional reports emerged that the attackers had sent messages to Argentinian officials cautioning them against the temptation to “try to recover files without a decryptor program”. They warned that the data would be damaged and that they would never recover the stolen data if they attempted to go that route.

Other crypto news sites intimated that the hackers posted a batch of the stolen data online as a means to provide solid proof that they were actually behind the cyberattack.

It is worth mentioning that, despite the significant media and expert attention the cyber event attracted, no one ever learned what type of data had been stolen from the Argentinian Directorate of Migration – nor is there any indication of whether the agency recovered the data the hackers reportedly harvested.

A Growing Global Concern

While brazen cyberattacks against government establishments have been uncommon in recent times, large-scale attacks against institutions linked to critical services and enterprises have risen sharply in number.

Not too long ago, the Norwegian parliament revealed that it had been targeted in a cyberattack that led to the hacking of email accounts belonging to a host of legislators and staff belonging to the Norwegian Labor Party.

In addition, the year 2021 has registered more cyberattacks targeted at important establishments across the world. One incident involved a cyber-espionage group linked to the Russian intelligence services in which they were accused of trying to steal information on COVID-19 vaccine research in the U.S., Canada and Britain.

Moving back to Argentina, it turns out that the government itself has been its own enemy in its approach to cybercriminal investigations. This is well reflected in a 2018 attempt by the federal government and the City of Buenos Aires to pass a new strategy that would permit the police to distribute malware when conducting criminal probes involving complex cases.

Quite obviously, the proposed bills were heavily criticized by various sections of Argentinian society, including cybersecurity experts and civil society groups who felt that the government of the day was overstepping its mandate. The argument was that privacy and security protections would be breached significantly, and the bills were never passed.

Speaking to CPO Magazine, Egress Chief Executive Tony Pepper highlighted that the recent events involving cybercriminal access to Argentinian citizen data are expected to create a serious cybersecurity problem. He said, “With the data of millions at risk, Argentinian citizens are now prime targets for follow-up attacks, such as financial fraud, sophisticated phishing attempts and impersonation scams, aimed at stealing further personal data, identities and even their money.”
