Russian Government Scheme Exposes Corporate Data

Thousands of MongoDB databases operated by major domestic and foreign companies in Russia were left exposed for more than three years under a scheme that requires organisations to allow the government to access their data.

The companies affected included banks, telcos and even Disney Russia, according to Dutch researcher Victor Gevers.

MongoDB is typically used for the analysis of large amounts of information, with, for instance, the UK’s Met Office using it to process huge amounts of data from outer space for space weather forecasts.

But when left unsecured, MongoDB databases can be targeted by hackers, as occurred two years ago, when Gevers discovered that tens of thousands of MongoDB databases had been deleted by hackers, who requested a ransom to be paid in Bitcoin for their return.

Government access

In this case, the databases were operated by private companies in order to provide the Russian government with access to company data.

But the government “admin@kremlin.ru” credentials were set up without a password, meaning anyone could have accessed the databases from the internet, Gevers said.

Gevers said he didn’t investigate what the databases contained, in order to protect companies’ privacy.

He said Russian law requires the government to be provided with access to company systems that handle financial transactions.

He first discovered the government credentials on a Russian Lotto website, and later found the same credentials used on more than 2,000 others, including Russian banks and financial services companies, and Russian telecoms company TTK, whose network operations centre (NOC) and security information and event management (SIEM) platforms were exposed.

Internal data

Gevers found a MongoDB instance operated by the Ukraine’s Ministry of Internal Affairs which also used the unsecured Russian administrator credentials, in spite of the fact that Russia and the Ukraine had been in conflict for at least two years at the time.

That database contained data on investigations into corrupt politicians by the Ukraine’s General Prosecutor’s Office, Gevers said.

Gevers reported the issue to the Russian government in 2016, but said it took more than three years for the issue to be resolved.

He said he has never had a response from Russia, but that the credentials have not surfaced for several months.

“The bottom line is if you let a government choose a password, make sure they don’t use the same credentials or password formula the same way over and over,” Gevers told itnews.

Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDnet and other leading publications.
