Russian cyber-security company Group-IB, a partner of Interpol, has made the startling revelation that user login details and passwords from several Singapore government agencies were leaked on the dark web over the course of 2017 and 2018.
Among the agencies named by Group-IB were the Government Technology Agency (GovTech), Ministry of Education, Ministry of Health and the Singapore Police Force.
The National University of Singapore’s learning management system was also named.
Dmitry Volkov, the chief technology officer and head of threat intelligence at Group-IB, said in a press statement that the compromised credentials pose a significant threat to security.
“It is not unusual when a compromised account is used by cyber criminals to infiltrate an organisation’s internal network for the purpose of sabotage and espionage.”
The credentials are likely to still be on sale on underground forums.
Group-IB has informed the Cyber Security Agency of Singapore about the leak.
Replying on behalf of the CSA, the Smart Nation and Digital Government Group said:
“Around 50,000 of them are government e-mail addresses. They are either outdated or bogus addresses, except for 119 of them which are still being used.”
Affected officers have been told to change their passwords.
The Group said that the credentials were not leaked from government systems, but from officers who used them for personal and non-official purposes.