“Now, hundreds of debts have been forgiven. Hundreds of rejections have been accepted:” Claims by hacker of Chile’s General Treasury of the Republic.
Access to Tesorería General de la República, the General Treasury of the Republic of Chile (TGR) may be up for sale on a popular hacking forum.
A forum post claiming that tesorería.cl and tgr.cl had been hacked was first reported by Germán Fernández on Twitter on January 30. The post by a new forum member provided a lengthy list of tables. Just a small top portion of the post appears below, redacted by DataBreaches.net:
The user’s post says, in part (typos as in the original):
We have all the databases and access to their servers.
We will give the information publicly when those affected make a public statement, indicating how incompetent they are”.
As POC, “we will make everything public when they are not thinking”.
CHILE NEEDS JUSTICE
This just begin”.
In response, TGR issued a statement denying any impact on operations or taxpayer information:
This morning we became aware of a potential vulnerability associated with an internal TGR information server, which would not involve taxpayer tax information. In light of this incident, our teams are analyzing the situation and taking the necessary mitigation measures. This event has not affected the operation of TGR and the services are operating normally. TGR has reported this incident in a timely manner to the CSIRT of the Ministry of the Interior, and all necessary legal actions will be taken as a result of the incident.
– General Treasury of the Republic
The Hacker’s Response
TGR’s statement was not well-received by the hacker, who updated their post:
(Machine translation with links and obscenity redacted by DataBreaches.net:)
TGR SAY: “this event has not affected tgr operations”[Redacted]… WAIT FOR THE GIFT
UPDATED POC 3.0
”Tesoreria-TGR indicated in an official statement that the “hack” did not affect TGR operations or taxpayers”
Now we tell them that they can put the treasure up their ass.
Not only do they always lie, they also steal and benefit the richest.
Now, hundreds of debts have been forgiven.
Hundreds of rejections have been accepted.
The most interesting thing of all, is that they are going to have to review which ones they were. We wish the forensics every success.
The people are not alone.
Enjoy
https://[redacted by DataBreaches.net] https://[redacted by DataBreaches.net] https://[www.youtube.redacted by DataBreaches.net]
And at the end of the post, the user added the following message and threat:
WHY DO WE WANT A RECATE, IF WE HAVE ALL YOUR DATA…XD
AND DON’T TALK ABOUT MORE, YOUR SERVERS ARE OURS, THERE IS LITTLE OLD DATA, THERE IS A LOT OF NEW DATA, THIS IS ACTUAL XD
THE RCE OF OUR KEYS CAN MORE THAN THE MONOPOLY OF YOUR DEPLORABLE STATE.
WAIT AND SEE WHAT COMES NEXT
[Note — “Recate” refers to a ransom — Chum1ng0]
One of the links in the post connects to a gallery of screenshots. Two of the screenshots appear to at least partly refute TGR’s statement. One screenshot shows the personal information of an individual, accessed via the intranet. The data fields included the individual’s name, RUT, date of birth, nationality, sex, and marital status information such as status, date of change in marital status, regime, and spouse.
A second screenshot shows that the hacker had the ability to modify the record of personal information on individuals. That information also included some parental information:
From the screenshots, the hacker did appear to have (and claims to still have) access to taxpayers’ personal information.
What the hacker did not demonstrate in the screenshots is that they had the ability to alter taxpayer records in terms of debts or debt forgiveness and that they actually did alter any records.
Additional Claims and Details
DataBreaches.net contacted the forum user via private messages on more than one occasion. In those PMs, they claimed that they have 600 GB of data and that access will be persistent. They also indicated that they used SQLi, RCE, and other methods to gain access.
When asked whether they had any direct contact with TGR, they answered that there was no way for TGR to communicate with them.
The hacker’s mentions of “justice” in their post suggested the hacker might be a hacktivist, a possibility somewhat strengthened by the fact that they posted links to Bella Ciao from Casa de Papel (a song about resistance to fascism) and to the scene in Scarface where Pacino says, “You want to play games? Okay, I play with you.” But when asked if they would describe themselves as hacktivists, they answered, “We are romantic cyber mercenaries. We are HACKERS, we hack to balance.”
When DataBreaches tried to follow up on their claim that they had altered tax payment and rejection records, the romantic cyber mercenary would not reply directly, saying only, “We are the People. No more questions.”
Because the hacker has not responded to some questions, it is not totally clear whether they will actually be selling access or data to TGR, although they claimed that they will sell “persistent” access. It is now ten days since their original post but there has been no actual sales listing for access or for data. Nor have they leaked more data as proof since their February 3 update to their forum post.
As for the government, TGR has not posted any updates to its website or Twitter since its statement on January 30. Nor have they responded to inquiries from DataBreaches asking whether they specifically investigated whether any records had been altered or debts were forgiven as claimed by the hackers in their updated forum post of February 4.
DataBreaches notes that the hacker’s claims and forum post do not appear to have been reported in Chilean news media, which is somewhat surprising given that the attack is on the government treasury.
Research and reporting by Chum1ng0 with additional material and editing by Dissent. If anyone has additional information on this incident, email [email protected] or DM him on Twitter at @Chum1ng0.