Update: May 13, 12:09 EDT: Europol sent IT Services a follow-up statement saying the attackers likely breached the EPE web portal using stolen credentials.

​Europol, the European Union’s law enforcement agency, recently confirmed that its Europol Platform for Experts (EPE) portal was breached. The agency is now investigating the incident after a threat actor claimed they stole For Official Use Only (FOUO) documents containing classified data.

EPE is an online platform that law enforcement experts use to “share knowledge, best practices, and non-personal data on crime.”

“Europol is aware of the incident and is assessing the situation. Initial actions have already been taken. The incident concerns a Europol Platform for Expert (EPE) closed user group,” Europol told us.

“No operational information is processed on this EPE application. No core systems of Europol are affected and therefore, no operational data from Europol has been compromised.”

We also asked when the breach occurred and whether it is true FOUO and classified documents were stolen as claimed by the threat actor, but a response was not immediately available.

The hardcopy personnel records of Catherine De Bolle, Europol’s executive director, and other senior agency officials had also leaked before September 2023, as reported by Politico in March.

“On Sep. 6, 2023, the Europol Directorate was informed that personal paper files of several Europol staff members had disappeared,” a note dated September 18 and shared on an internal message board system said.

“Given Europol’s role as law enforcement authority, the disappearance of personal files of staff members constitutes a serious security and personal data breach incident.”

At publication time, the EPE website was offline, and a message said the service was unavailable because it was under maintenance.

​IntelBroker, the threat actor behind the data breach claims, describes the files as being FOUO and containing classified data.

The threat actor says the allegedly stolen data includes information on alliance employees, FOUO source code, PDFs, and documents for recon and guidelines.

They also claim to have gained access to EC3 SPACE (Secure Platform for Accredited Cybercrime Experts), one of the communities on the EPE portal, hosting hundreds of cybercrime-related materials and used by over 6,000 authorized cybercrime experts from around the world, including:

• Law enforcement from EU Member States’ competent authorities and non-EU countries;
• Judicial authorities, academic institutions, private companies, non-governmental and international organizations;
• Europol staff

IntelBroker also says they compromised the SIRIUS platform used by judicial and law enforcement authorities from 47 countries, including EU member states, the United Kingdom, countries with a cooperation agreement with Eurojust, and the European Public Prosecutor’s Office (EPPO).

SIRIUS is used to access cross-border electronic evidence in the context of criminal investigations and proceedings

Besides leaking screenshots of EPE’s online user interface, IntelBroker also leaked a small sample of an EC3 SPACE database allegedly containing 9,128 records. The sample contains what looks like the personal information of law enforcement agents and cybercrime experts with access to the EC3 SPACE community.

“PRICING: Send offers. XMR ONLY. Message me on the forums for a point of contact. Proof of funds is required. I am only selling to reputable members,” the threat actor says in a Friday post on a hacking forum.

​Who is IntelBroker?

Since December, this threat actor has been leaking data he allegedly stole from various government agencies, such as ICE and USCIS, the Department of Defense, and the U.S. Army.

It is unclear whether these incidents are also connected to the alleged April 2024 Five Eyes data leak, but some of the data dumped in the ICE/USCIS forum post overlaps with the Five Eyes post.

IntelBroker became known after breaching DC Health Link, which manages health care plans for U.S. House members, staff, and families.

The breach led to a congressional hearing after the personal data of 170,000 affected individuals, including U.S. House of Representatives members and staff, was exposed.

Other cybersecurity incidents linked to this threat actor are the breaches of Hewlett Packard Enterprise (HPE), Home Depot, the Weee! grocery service, and an alleged breach of General Electric Aviation.

Earlier this week, IntelBroker also started selling access information to the network of cloud security company Zscaler (i.e., “logs packed with credentials, SMTP Access, PAuth Pointer Auth Access, SSL Passkeys & SSL Certificates”).

Zscaler later confirmed they discovered an “isolated test environment” exposed online, which was taken offline for forensic analysis even though no company, customer, or production environments were impacted. Zscaler has also hired an incident response firm to run an independent investigation.

Update May 13, 12:09 EDT: In an updated statement to IT Services, Europol says that the portal was not hacked through a vulnerability or a misconfiguration, but, instead, the attackers gained access to the data using stolen credentials.

Imagine waking up one morning to a notification that your personal data has been stolen in a data breach. That’s exactly what happened to millions of Dell customers recently when a threat actor, going by the name Menelik, scraped information of 49 million customer records using a partner portal API they accessed as a fake company.

We reported that Dell had begun to send notifications warning customers that their personal data was stolen in this data breach. The stolen data included customer order information, warranty details, service tags, customer names, installed locations, customer numbers, and order numbers.

So, How Did This Happen?

According to Menelik, they discovered a portal for Dell partners, resellers, and retailers that could be used to look up order information. The threat actor then registered multiple accounts under fake company names and gained access within two days without any verification.

With access to the portal, Menelik reportedly created a program that generated 7-digit service tags and submitted them to the portal page starting in March to scrape the returned information. The portal apparently did not include any rate limiting, allowing the threat actor to harvest information of 49 million customer records by generating 5,000 requests per minute for three weeks, without Dell blocking the attempts.

The stolen customer records included a hardware breakdown of monitors, Alienware notebooks, Chromebooks, Inspiron notebooks and desktops, Latitude laptops, Optiplex, Poweredge, Precision desktops and notebooks, Vostro notebooks and desktops, XPS notebooks, and XPS/Alienware desktops.

Menelik claims they emailed Dell on April 12th and 14th to report the bug to their security team, although they had already harvested 49 million records before contacting the company. Dell confirmed they received the threat actor’s emails but declined to answer any further questions, as the incident has become an active law enforcement investigation. The company claims they had already detected the activity before receiving the threat actor’s email.

APIs: A Growing Weakness in Data Security

Easy-to-access APIs have become a massive weakness for companies in recent years, with threat actors abusing them to scrape sensitive data and sell them to other threat actors. In 2021, threat actors abused a Facebook API bug to link phone numbers to over 500 million accounts. This data was leaked almost for free on a hacking forum, only requiring an account and paying $2 to download it.

Later that year, in December, threat actors exploited a Twitter API bug to link millions of phone numbers and email addresses to Twitter accounts, which were then sold on hacking forums. More recently, a Trello API flaw was exploited last year to link an email address to 15 million accounts, which were again put up for sale on a hacking forum.

While all of these incidents involved scraping data, they were allowed due to the ease of access to APIs and the lack of proper rate limiting for the number of requests that can be made per second from the same host.

What Can You Do About It?

As cybersecurity experts, we want to help you stay protected and informed. Don’t wait for the next data breach to happen. Stay up-to-date on cybersecurity news, tips, and advice by following our IT Services page. Knowledge is power, and we’re here to keep you in the loop. And if you have any questions or concerns about your own cybersecurity, don’t hesitate to reach out to us. We’re always here to help.

Imagine waking up on Christmas Eve to find out that your personal information has been compromised in a cyberattack. That’s precisely what happened to over 538,000 individuals when the Ohio Lottery experienced a data breach on December 24, 2023.

In a filing with the Office of Maine’s Attorney General, it was revealed that the attackers gained access to names, Social Security numbers, and other personal identifiers. Thankfully, the Ohio Lottery assured that the gaming network was not affected by the incident.

Even though no evidence of fraud using the stolen information was found, the Ohio Lottery provided free credit monitoring and identity theft protection services to all potentially impacted individuals, just to be on the safe side.

DragonForce Ransomware Gang Claims Responsibility

While the Ohio Lottery didn’t disclose the nature of the incident, the DragonForce ransomware gang claimed responsibility for the attack a few days later. The group stated that they encrypted devices and stole documents belonging to both customers and employees of the Ohio Lottery.

On December 27, the ransomware group mentioned on their dark web leak site that they had stolen over 3 million records. After negotiations failed, the gang leaked four .bak archives and multiple CSV files on January 22, allegedly taken from the Ohio Lottery’s systems.

According to DragonForce, the 94 GB of leaked data contains 1.5 million records with Ohio Lottery clients’ names, Social Security numbers, and dates of birth.

DragonForce ransomware seems to be a relatively new operation, having exposed its first victim in December 2023. However, their tactics, negotiation style, and data leak site suggest that they are an experienced extortion group. With nearly four dozen victims listed on their leak site and law enforcement disrupting many ransomware operations recently, it’s possible that this group is a rebrand of a previously known gang.

DragonForce ransomware also claimed responsibility for a cyberattack that impacted Japanese probiotic beverage manufacturer Yakult’s IT systems in Australia and New Zealand in mid-December. Yakult disclosed the attack after the ransomware gang leaked what it claimed to be 95 GB of data stolen from the company’s compromised servers.

Don’t Let This Happen to You

Cyberattacks are becoming more and more sophisticated, and the stakes are higher than ever. With personal information at risk, it’s crucial to stay informed and take proactive steps to protect yourself and your data.

We’re here to help. Our IT Services can assist you in staying up-to-date with the latest cybersecurity threats, providing guidance on how to safeguard your information and helping you navigate the ever-changing digital landscape.

Contact us today to learn more about how we can help you stay secure in this increasingly interconnected world. And don’t forget to keep coming back for the latest cybersecurity news and updates.