“It took 6 hours to get access to every IT system” of Argentina’s Senate – Vice Society

The Vice Society ransomware team refers to their victims as their “partners” on their leak site. Image: DataBreaches.net.

The web site of Argentina’s senate was hit by a ransomware attack on or about January 12. Unlike other entities that do not disclose quickly, the Senate issued a statement on Twitter about Vice Society’s attack two days later:

As translated by Google, their statement read:

The National Senate suffered an attack by hackers on January 12 at 4 AM. These types of attacks, called ransomware, have been perpetrated in recent months against various public bodies, the Judiciary, and leading companies.

Hackers “hijack” the information and then demand a ransom for it.

In the case of the Senate of the Nation, all the stolen information is public and is available to everyone within our transparency site.

From the moment of the attack, our Computer Security team has been working. So far, it has been possible to recover most of the relevant information and isolate the sensitive equipment, which will allow us to recover operations as soon as possible.

According to their statement, then, the attack encrypted their files but they did not seem concerned about any personal information being revealed because they said it was all public information.

But was it all really all public information? Inspection of the data dump on Vice Society’s leak site revealed thousands of files. As first reported by Clarin, Vice Society dumped more than 30,000 files. While many files appeared related to Senate business and finances, there were also many files with personal information on people who were not senators but were Senate aides or other notables.  As Mauro Eldritch, cybersecurity architect and consultant informed Clarin: “Several bills, opinions and legal documents are seen with all their progressive versions. But there are also plenty of plain text keys, carelessly guarded. There are scans of passports, visas, identity documents, tax information, fingerprints of different officials and visitors to the Senate, and even source codes of internal applications” (machine translation).

We found requests for appointment of advisors, contract for services, selection competition, memoranda, laws, budgets, sessions, attendance, meetings, projects, reports, books, manuals, confirmations, emails, databases, photos, fingerprints, and plain text passwords. Some of the personal data included individuals’ DNI (National Identity Document), photocopies of identity documents, resumes, diplomas, affidavits, credential of payment of monotributo (tax documents), CUIL proof (Unique Code of Labor Identification), proof of registration, passports, date of birth, home address and telephone number, email addresses, and criminal record certificates.

A photocopy of Ambassador Capatanich’s identification has their DNI and personal data: name, surname, sex, nationality, date of birth, date of issue, date of expiration, transaction number, his signature, his picture, and a bar code and document number. Redacted by DataBreaches.net.

 Despite the Senate’s claim that the stolen data were all (just) public documents, then, it was clear that there was also personal data involved, as an unnamed spokesperson acknowledged to Clarin, saying (in translation): “The personal files found on each of the computers are just that, personal information.The Senate cannot and should not be aware of it because it is information of a private nature of each one of the people who work in this institution.”  That statement seems to contradict what they had tweeted on January 14 about only public information being involved.

In addition to data that appeared to be of a clearly personal nature, DataBreaches.net also found files relating to the Counter-Strike video game, the Game of Thrones drama series, and music by Lady Gaga, raising questions as to what security protocols were in place to prevent users from uploading and downloading files unrelated to work.

Many of the files in the data leak had extensions showing that they had been encrypted by Vice: v-society.6CE-B07-B5E. There were 44,922 files with that extension. In a way, that is fortunate for the Senate, as casual observers will not be able to open the files in the data dump with that extension unless they get the decryption key.

DataBreaches.net sent an inquiry to the National Director of Data Protection of Argentina to ask whether, under Argentinian data protection law, ambassadors and ministers have fewer data protection rights as public figures, but we received no response by the time of publication. Nor has the Senate responded to multiple email inquiries sent to multiple departments over the past week. Ambassador Capitanich was also sent an email inquiry as to whether he had been alerted his information had been made publicly available on the internet.  No reply was received by the time of publication.

While politicians did not answer our questions, Vice Society did answer a few questions for us. They, too, it seems, had failed to get any response at all from the Senate despite all their attempts to contact them.

But how difficult was it for Vice Society to attack them?  According to the spokesperson, it took “6 hours to get access to every IT system” (100 computers) and “6 hours to attack.” When the Senate  realized that they had been attacked, Vice Society was reportedly still in their system and able to observe them:

When they realized that we crypted their network we were still there. We were watching them using their cameras. It was funny.

Because DataBreaches.net has received no substantive replies from the Senate nor the data protection regulator, it is not clear what, if anything, is being done to prevent a future similar attack. But if it was this easy to attack Argentina’s senate, and the attack interrupted functioning for a number of weeks, resulting in employees having to request manually provided new passwords to regain access to the system, will we see the Senate attacked again in the near future?  A significant percentage of ransomware victims are revictimized, although the risk of that may relate to whether they previously paid ransom, which Argentina’s Senate has not done. Hopefully, the Senate is hardening their defenses.

Research and reporting by Chum1ng0. Additional reporting and editing by Dissent.

About the author: chum1ng0

Comments are closed.