Venezuelan president’s personally identifiable information available for sale

Several officials from the Venezuelan Army, Aviation, and National Guard also compromised

Srikanth Suresh
Beyond The Perimeter
4 min read · Oct 29, 2018


Living up to our mission statement of protecting governments and enterprises from the bad guys is challenging work. Our researchers comb the open and dark web for the smallest tidbits of information that can help our customers be aware of data breaches and act to mitigate disasters.

In one of several such data breach incidents, researchers at ThreatLandscape uncovered a leak on RaidForums, a well-known hacker forum, exposing the personally identifiable information of Venezuelan government officials. The leaked data includes their personal Gmail and Hotmail account details, the associated passwords, and additional personal information such as:

  • First name
  • Middle name
  • Last name
  • Second last name
  • Date of birth
  • Gender
  • Ethnicity
  • Identification card details
  • Patriot code

Sample of the Venezuelan Police’s passwords

Among those compromised is the Venezuelan president himself, Nicolas Maduro.

Maduro’s profile on RaidForums

Sleuthing RaidForums

RaidForums is notorious as a marketplace where hackers sell information that can be used for identity theft. A group called KelvinSecTeam Hackers posted the leak. The group registered on the forum only recently, and we have observed it attacking targets in Colombia, Mexico, and Venezuela, which hints at a South American origin.

Threat actors profiled

Investigating the group further revealed that they offer a subscription at $15 a month, giving buyers access to credential dumps and hacking tools. The contact address provided is vipsuscriptionkelvinsecurityv1@protonmail.com and their pricing is published at vipsuscription.ksecureteam.com.

KSecureTeam Hackers’ subscription plans

Further investigation into the domain and its ownership revealed the following associated social profiles and a blog page.

  1. Twitter: https://twitter.com/kelvinsecteamS
  2. Facebook: https://www.facebook.com/Ksecureteam/
  3. Blogger: https://kelvinsecteam.blogspot.com/

The Blogger page revealed what appear to be the real names of the people in the group.

  • Kelvin Parra, Venezuela
  • Omar Rodriguez, Peru
  • Jhonatan James, Colombia
  • Rodrigo Canaza, Peru

Two more names come up on this page.

  • Victor Bancayan
  • Nellie Romero

Looking deeper into Kelvin Parra’s profiles revealed a sizeable open-source footprint.

It is surprising that Kelvin Parra calls himself a whitehat hacker on his Twitter profile. Although his website advertises penetration testing, auditing, detection, and mitigation services, KelvinSecTeam appears to be selling hacking tools, carding services, and private data dumps on forums. The team has also left a public trail of posts bragging about its hacks.

KelvinSecTeam targeting individuals

KelvinSecTeam targeting organizations

Timeline of the breach: Best guesstimate

Our researchers have reconstructed the following plausible timeline of events for the Venezuelan data breach.

Timeline of the breach as discovered by our researchers

This level of data exposure of a government’s top officials, and its sale, is critically detrimental to any government’s stability and functioning. We have informed the Venezuelan CIRT about this and will extend all the support we can as they act to fix it.

References

  1. Evidence of Venezuelan government data breach
    https://raidforums.com/Thread-Venezuela-s-electoral-system-hacked-and-for-sale
    https://raidforums.com/Thread-Database-of-Military-Barracks-Venezuela-DB-For-Sale
    https://raidforums.com/Thread-Bug-Lets-Steal-Venezuelan-Government-Secrets-for-Sale
    https://raidforums.com/Thread-Government-of-Venezuela-Package-of-Databases-for-Sale
    https://kelvinsecteam.blogspot.com/2015/05/plataformas-inseguras-en-por-parte-del.html
  2. Evidence of Mexican government data breach
    https://raidforums.com/Thread-Personal-e-mails-of-the-Government-of-Mexico-for-sale
  3. Evidence of Colombian government data breach
    https://raidforums.com/Thread-Government-Of-Colombia-Intranets-Access-Exploit-priv8-For-Sale
  4. User profile associated with unethical hacking activity
    https://raidforums.com/User-teamkelvinsecteam
  5. E-mail address for facilitating the sale of data leaks
    https://raidforums.com/Thread-KelvinSecTeam-Suscription-Service
  6. Public bragging of past hacks by the KelvinSecTeam
    https://www.deviantart.com/windelle
    https://pastebin.com/AY210MGb
    https://pastebin.com/ZVdyfh4L
    https://pastebin.com/Th1TDcWa
    https://pastebin.com/KkKMD68J
    https://pastebin.com/m85hu8Db

Using an Internet-scale data ingestion engine and complex machine-learning algorithms, supervised by threat researchers deeply embedded into sites like RaidForums, ThreatLandscape is primed to be your go-to partner for monitoring the web for attacks that are coming your way and helping you prep for prevention, detection, and mitigation.

Learn how we can help in these ways and more.
