MoD Cyberattack: Russian Hackers Expose Passwords, Spark Fears of Espionage and Operational Risks – Mike Gillespie, CEO, Advent IM

News and information from the Advent IM team.

The recent announcement that the Ministry of Defence has been hit by a major cyberattack, resulting in a data breach in which passwords belonging to nearly 600 employees were stolen and leaked onto the dark web, has raised a few eyebrows.

The attack is believed to have been carried out by Russian hackers and has exposed sensitive information belonging to military personnel, civilian staff and defence contractors, including email addresses and login credentials for the Defence Gateway portal, a critical online platform.  Whilst the portal does not itself hold classified material, it does potentially provide access to HR and health data.

This breach is unusual in that it potentially affects data from a range of users across the military, defence and private sectors, and it raises a number of concerns.

First, there is the potential for lateral movement and follow-on attacks: an attacker moving deeper into the network and across other connected systems, seeking out vulnerabilities, escalating privileges and, in some cases, planting payloads to facilitate later access.  In every case the aim is to identify and exfiltrate sensitive data.  Despite all of the best practice guidance telling users not to reuse the same username and password across multiple systems, reality shows us that they do, so a credential stolen from one portal may well unlock others.  This could jeopardise broader operational security for the MoD.

Then there is the very real risk of espionage.  According to some sources, the attack may also have provided access to other sensitive credentials belonging to MoD staff, including private email accounts, online banking and social media accounts.  All of this raises the possibility of coercion, blackmail, intimidation and inducement.  Again, we know users are told to use separate passwords for home and work, but do they?

There is also the possibility that the leaked data contains information not only on UK-based personnel, but also on those based overseas, in locations such as the EU, Iraq and Qatar, thus putting the personal safety of overseas personnel at risk, as well as exposing them to the risk of espionage and recruitment.

The diverse nature of the userbase involved in this attack also means that there are now risks not only to Defence systems but also to systems owned and managed by a number of organisations within the supply chain.  In the past the MoD has been particularly lax when it comes to supply chain assurance and has proven reluctant to conduct third party assurance audits, relying instead on a trickle-down approach of policy and compliance.  This is despite previous high profile supply chain breaches, most recently one in which the details of 270,000 service personnel were accessed following an attack targeting a contractor responsible for managing the MoD’s payroll system.

Ultimately, what this breach shows us is that we must all remain constantly vigilant.  Security must be maintained, and security assurance, like defence itself, must continually evolve.  The recently introduced MoD Secure by Design approach underlines the need for continuous risk assurance to significantly improve the overall level of assurance and risk management applied to MoD systems, and it is crucial for achieving secure and resilient Defence outcomes.

Mike Gillespie, CEO, Advent IM
