Ukrainians’ Data Leak and Why It’s Real

Vladyslav Bahlai
4 min read · Jan 23, 2022


Disclaimer. The information below is just my assumption. I’m not responsible for any consequences.

On 22 January 2022 an anonymous user named FreeCivilian made a post on RaidForums claiming to be selling a database dump of 2M records of Ukrainians’ private data (names, passport data and so on). 100k sample records were shared for free as a demo.

Post on RaidForums

The Ministry of Digital Transformation of Ukraine denies that the leaked data was taken during the January 2022 cyber attack on KitSoft, a software company that develops websites and other services for the Ukrainian government. Official statements claim that the data was assembled by threat actors by combining data leaked in previous cyber attacks on the Ukrainian bank PrivatBank and other non-government resources:

💥 Announcement of the sale of “merged” data of Ukrainians as a result of the cyber attack is a provocation and continuation of the hybrid war
Ukraine continues to defend itself in a hybrid war. The main goal of the enemy is to undermine trust in the government with fakes about the vulnerability of critical information infrastructure and the “drain” of data from Ukrainians. This was announced a week ago by the Center for Strategic Communications and Information Security.
Since last weekend, there have been constant advertisements on the Internet for the sale of data allegedly obtained during the cyber attack that took place from January 13 to 14, including many ads related to the sale of the Action database. Such announcements are intended not only to intimidate society, but also to destabilize the situation in Ukraine by stopping the work of the public sector.
It will be recalled that 13.5 million Ukrainians are users of the Diya mobile application. It does not store personal data, but only reflects what is stored about them in the relevant state registers. More than 13 million Ukrainians visit the Action portal, not 2 million, according to the ads.
We urge Ukrainians not to panic. All personal data are under reliable protection in state registers. And the announcement of the opportunity to buy data obtained after the January 14 hacking is a scam: fraudsters are selling old data from many sources that were merged by 2019.
Now Ukrainian cyber experts must unite to counter the threat and neutralize the enemy.

I believe this is not the case and that the leaked data is real. Here is why.

I’ve analyzed the leaked data samples. Assuming that the “demo samples” were chosen randomly from the whole database, the statistics of the 100k sample should match those of the full 2M-record leak.

The oldest document is dated 14 February 2020. The Ukrainian government application Diia (“Дія” in Ukrainian) was developed by the end of February 2020 as well.

The oldest document’s createdAt date

The newest document in the demo samples is dated 15 December 2021; no newer documents were found in the leaked data. We can assume that the data was leaked not from the production database but from a roughly one-month-old local copy (probably made by KitSoft for development purposes, which would be a huge fault on their side).

The newest document’s createdAt date

A statistical study of the leaked data shows that the number of database records created per day matches real-world activity.

The number of created documents by date

For example, the number of documents created on holidays and weekends is lower than on working days (in Ukraine the week starts on Monday).

Did you spot the huge spike on 7 October 2021? I tried to find some news or significant event on that day which could explain it, and it seems I found it. On 7 October 2021 it was announced that “yellow” COVID-19 vaccination certificates had become available to Android users of the Diia app:

Now “yellow” internal COVID-certificates are also available on Android.

You can generate it on the same day as you received the first dose of the vaccine. Valid for 120 days.

Update the Diia app and use it. How to generate a “yellow” certificate in a few clicks — see the video instructions → https://bit.ly/3aaE7IP.

FYI, a “yellow” certificate is issued after the first dose of the vaccine.

Yellow vaccination certificates announcement on 7 October 2021
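The plausibility checks used above (date span of createdAt values, weekday vs weekend volume, and detection of an outlier day such as 7 October) can be reproduced with a short script. This is an added example, not the author’s own tooling; the records below are constructed, with a synthetic spike on 2021-10-07, and only a createdAt field is assumed.

```python
from collections import Counter
from datetime import datetime, date, timezone
from statistics import mean, pstdev

# Constructed sample (not the leaked dump): two weeks of records with a weekend
# dip and one deliberately inflated day, expanded into ISO-8601 createdAt values.
_DAILY = {
    "2021-10-04": 5, "2021-10-05": 4, "2021-10-06": 6, "2021-10-07": 20,
    "2021-10-08": 5, "2021-10-09": 1, "2021-10-10": 1,
    "2021-10-11": 5, "2021-10-12": 4, "2021-10-13": 5, "2021-10-14": 6,
    "2021-10-15": 5, "2021-10-16": 2, "2021-10-17": 1,
}
SAMPLE_RECORDS = [
    {"createdAt": f"{day}T{8 + i % 10:02d}:{i * 7 % 60:02d}:00Z"}
    for day, n in _DAILY.items() for i in range(n)
]

def parse_created_at(value: str) -> date:
    """Parse an ISO-8601 createdAt string and return its UTC calendar date."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc).date()

def records_per_day(records) -> dict:
    """Count records per calendar day, returned in chronological order."""
    return dict(sorted(Counter(parse_created_at(r["createdAt"]) for r in records).items()))

def date_span(per_day: dict) -> tuple:
    """Oldest and newest day seen; a hard cut-off hints at a stale copy of the data."""
    days = list(per_day)
    return days[0], days[-1]

def weekday_vs_weekend(per_day: dict) -> tuple:
    """Mean records per working day (Mon-Fri) vs per weekend day (Sat-Sun)."""
    weekday = [n for d, n in per_day.items() if d.weekday() < 5]
    weekend = [n for d, n in per_day.items() if d.weekday() >= 5]
    return mean(weekday), mean(weekend)

def spikes(per_day: dict, z: float = 2.0) -> list:
    """Days whose count exceeds the mean by more than z standard deviations."""
    counts = list(per_day.values())
    mu, sigma = mean(counts), pstdev(counts)
    return [d for d, n in per_day.items() if sigma and (n - mu) / sigma > z]

if __name__ == "__main__":
    per_day = records_per_day(SAMPLE_RECORDS)
    print("span:", date_span(per_day))
    print("weekday/weekend means:", weekday_vs_weekend(per_day))
    print("spike days:", spikes(per_day))
```

Spike days found this way are candidates to be matched against public events, as the author did with the Diia announcement; a spike with no plausible real-world cause would argue against the data being genuine.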

Judging by these facts, we can safely assume that the leaked data, unfortunately, is real. Besides, it is highly unlikely that the threat actors were good enough at faking the records’ creation dates to reproduce these patterns.

It pains me as a Ukrainian. I hope that the authorities will be wiser and more careful with our private data. Security must come first when dealing with people’s data during the hybrid war between Ukraine and Russia.
