The dark web site that leads to the download was down for a few hours but is back online. Migraciones did not request that it be taken down.
The number of downloads grows minute by minute. Within 24 hours of the cybercriminals releasing the stolen data, about 1,500 people had downloaded the compressed file containing 3 gigabytes of information pertaining to the National Directorate of Migration (DNM), which conspicuously has not yet requested its removal.
At that link (known as an onion address because of the protection scheme behind it, accessible only through the dark web) there is another link that leads, in turn, to the download of the stolen files.
The first was down for a few hours on Friday morning, which raised questions about the actions of the DNM. Had there been legal action to take it down? With folders named “AFI” and “US Embassy” among the leaked material, the question began to circulate.
But the reality is simpler: first, it is not unusual for these dark web links to “go up and down.” “It is common on leak sites; they usually come back after a couple of hours,” Brett Callow, an analyst and computer security expert at Emsisoft, explained to Clarín. And on the other hand, the DNM did not request the removal of the link, as Clarín was able to confirm.
In addition, the service where the information is hosted (DropMeFiles) is not one of the best known, so it is not clear whether an official request would have any effect.
The problem is that beyond these more than 2,000 leaked files, the extortion group that operates with the Netwalker ransomware (the malware they managed to get into the DNM) could hold more information that has not yet been published. This is because this strain can operate for up to 56 days before the victim detects it.
“Deciphering exactly what happened and how much information was stolen is very difficult: it requires forensic expertise that can take weeks,” Callow specified. He added that in many cases cybercriminals publish part of the stolen data and keep the rest for future operations, or “freelance” the information (sell it to an interested party).
But the Ministry of the Interior headed by Eduardo Wado de Pedro did not make a formal request for the link to the files to be removed.
The deep web is territory that is difficult for judicial offices to reach, which is why they are relying on the responsibility of the media not to disclose personal and confidential data, such as the identities of the members of the Federal Investigation Agency (AFI) who appear in facsimiles and leaked documents.
“It is sensitive information, but not critical for National Security,” they argued when referring to the possibility of requesting the removal of the information uploaded by the cybercriminals. An example of why it is sensitive: there are more than 25 thousand names, identity documents, addresses and emails of Argentines repatriated during the coronavirus pandemic.
As Clarín reported yesterday, the files also contain reports of criminal activity prepared by the Ministry of National Security, with links between foreign criminals who operate in the country, such as Colombian criminal gangs.
There are also high-exposure profiles of individuals linked to scams and fugitives, refugee requests and more.
The information is still accessible and can be downloaded by anyone with the link, which is striking: generally, in these extortion cases, the stolen data is uploaded by the cybercriminals and within a few hours a formal takedown request appears. It remains to be seen what actions the DNM takes.
In the meantime, more than 60 downloads of that data occur per hour, since the cybercriminals fulfilled their threat to make public the information for which they had demanded a ransom of 4 million dollars. The Argentine government refused to pay, considering it extortion, and the case is in the hands of the courts.
On August 27 at 5.45 am, various border points began to detect problems in the DNM system. It was Microsoft, which manages the Migraciones backups, that warned that the data backup had been disconnected. The Integrated Migration Capture System (SICAM), one of the most sensitive points along with the database, was immediately disconnected to preserve the information.
This had a direct impact on the Argentine migration system: for almost four hours no one could enter or leave the country because of the suspension of migratory movements.