A Dutch security researcher has stumbled upon the Kremlin’s backdoor account that the government had been using to access the servers of local and foreign businesses operating in Russia.
The backdoor account was found inside thousands of MongoDB databases that had been left exposed online without a password.
Any hacker who noticed the account could have used it to gain access to sensitive information from thousands of companies operating in Russia.
“The first time I saw these credentials was in the user table of a Russian Lotto website,” Victor Gevers told ZDNet in an interview today. “I had to do some digging to understand that the Kremlin requires remote access to systems that handle financial transactions.”
The researcher says that after his initial finding, he later found the same “firstname.lastname@example.org” account on over 2,000 other MongoDB databases that had been left exposed online, all belonging to local and foreign businesses operating in Russia.
Examples include databases belonging to local banks, financial institutions, big telcos, and even Disney Russia.
Gevers even found this account inside a leaky MongoDB database belonging to Ukraine’s Ministry of Internal Affairs that was holding details about ERDR investigations carried out by the country’s General Prosecutor’s Office into corrupt politicians.
This latter case was very strange because, at the time, the Russian-Ukrainian conflict had already been raging for at least two years.
Gevers, who at the time was the Chairman of the GDI Foundation, is one of the world’s top white-hat hackers. His research didn’t include digging through companies’ logs to see what this account was used for, so it’s currently unknown if the Russian government used this account only to retrieve financial-related information or they actively altered data.
“We have been searching for open MongoDB for years,” Gevers told ZDNet. “When we investigate a MongoDB instance, we try to respect privacy as much as possible by limiting the search for breadcrumbs such as the owner’s email addresses to a minimum.”
“All the systems this password was on were already fully accessible to anyone,” Gevers said. “The MongoDB databases were deployed with default settings. So anyone without authentication had CRUD [Create, Read, Update and Delete] access.”