Russian Government Scheme Exposes Corporate Data

Thousands of MongoDB databases operated by major domestic and foreign companies in Russia were left exposed for more than three years under a scheme that requires organisations to allow the government to access their data.

The companies affected included banks, telcos and even Disney Russia, according to Dutch researcher Victor Gevers.

MongoDB is typically used for the analysis of large amounts of information, with, for instance, the UK’s Met Office using it to process huge amounts of data from outer space for space weather forecasts.

But when left unsecured, such databases can be targeted by hackers, as occurred two years ago, when Gevers discovered that hackers had deleted tens of thousands of MongoDB databases and demanded a ransom in Bitcoin for their return.

Government access

In this case, the databases were operated by private companies in order to provide the Russian government with access to company data.

But the government “admin@kremlin.ru” credentials were set up without a password, meaning anyone could have accessed the databases from the internet, Gevers said.

Gevers said he didn’t investigate what the databases contained, in order to protect companies’ privacy.

He said Russian law requires the government to be provided with access to company systems that handle financial transactions.

He first discovered the government credentials on a Russian Lotto website, and later found the same credentials used on more than 2,000 others, including Russian banks and financial services companies, and Russian telecoms company TTK, whose network operations centre (NOC) and security information and event management (SIEM) platforms were exposed.

Internal data

Gevers found a MongoDB instance operated by the Ukraine’s Ministry of Internal Affairs which also used the unsecured Russian administrator credentials, in spite of the fact that Russia and the Ukraine had been in conflict for at least two years at the time.

That database contained data on investigations into corrupt politicians by the Ukraine’s General Prosecutor’s Office, Gevers said.

Gevers reported the issue to the Russian government in 2016, but said it took more than three years for the issue to be resolved.

He said he has never had a response from Russia, but that the credentials have not surfaced for several months.

“The bottom line is if you let a government choose a password, make sure they don’t use the same credentials or password formula the same way over and over,” Gevers told itnews.

Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDnet and other leading publications.
