Russian Government Scheme Exposes Corporate Data

Thousands of MongoDB databases operated by major domestic and foreign companies in Russia were left exposed for more than three years under a scheme that requires organisations to allow the government to access their data.

The companies affected included banks, telcos and even Disney Russia, according to Dutch researcher Victor Gevers.

MongoDB is typically used for the analysis of large amounts of information, with, for instance, the UK’s Met Office using it to process huge amounts of data from outer space for space weather forecasts.

But when left unsecured, MongoDB databases can be targeted by hackers, as occurred two years ago, when Gevers discovered that tens of thousands of them had been deleted by hackers, who requested a ransom to be paid in Bitcoin for their return.

Government access

In this case, the databases were operated by private companies in order to provide the Russian government with access to company data.

But the government “admin@kremlin.ru” credentials were set up without a password, meaning anyone could have accessed the databases from the internet, Gevers said.

Gevers said he didn’t investigate what the databases contained, in order to protect companies’ privacy.

He said Russian law requires the government to be provided with access to company systems that handle financial transactions.

He first discovered the government credentials on a Russian Lotto website, and later found the same credentials used on more than 2,000 others, including Russian banks and financial services companies, and Russian telecoms company TTK, whose network operations centre (NOC) and security information and event management (SIEM) platforms were exposed.

Internal data

Gevers found a MongoDB instance operated by the Ukraine’s Ministry of Internal Affairs which also used the unsecured Russian administrator credentials, in spite of the fact that Russia and the Ukraine had been in conflict for at least two years at the time.

That database contained data on investigations into corrupt politicians by the Ukraine’s General Prosecutor’s Office, Gevers said.

Gevers reported the issue to the Russian government in 2016, but said it took more than three years for the issue to be resolved.

He said he has never had a response from Russia, but that the credentials have not surfaced for several months.

“The bottom line is if you let a government choose a password, make sure they don’t use the same credentials or password formula the same way over and over,” Gevers told itnews.

Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDNet and other leading publications.
