Israel’s National Cybersecurity Directorate said there was “no breach” of its network after passwords belonging to a senior agency official were stolen from their home computer earlier this year and published online.
A security researcher, who asked not to be named, told TechCrunch that they recently found the INCD official’s stolen credentials posted in mid-June in a public Telegram group known for sharing caches of passwords, crypto wallet keys and other sensitive data stolen from computers infected with the RedLine password-stealing malware.
TechCrunch has seen the public Telegram post containing the cache, which was advertised as a nondescript archive file containing the credentials of hundreds of victims, including the senior INCD official.
The cache contained saved credentials, credit card numbers and auto-filled passwords from the official’s home computer, including passwords that relate to the senior official’s work at the INCD, such as threat detection services and other internal Israeli government systems.
A desktop screenshot of the official’s home computer, taken at the time of compromise and bundled in the cache of stolen credentials, shows the INCD official mistakenly infecting their home computer with the RedLine malware. The screenshot prominently features a virtual machine running FlareVM, custom software used by cybersecurity professionals for reverse-engineering and analyzing malware, with a sample of RedLine on the virtual machine’s desktop.
RedLine is notorious password-stealing malware; last year’s hack at Uber and the theft of login details from Worldcoin Orb operators were both attributed to it.
TechCrunch is not naming the INCD official, who did not respond to a request for comment. The INCD is responsible for defending Israel’s cyberspace against cyberattacks.
When asked about the incident, INCD said the agency official “reported in accordance with our established security protocols,” but did not say when the incident was reported or how long after it occurred.
“Following the event, the INCD launched a thorough investigation which confirmed that there was no breach to our well-secured organizational network,” said Libi Oz, a spokesperson for INCD.
“The incident took place on a private computer, disconnected and isolated from the organization’s network, ensuring a clear separation between personal and work-related digital spaces, as required. In addition, there was no sensitive information stored on it,” the spokesperson added.
INCD said that it “routinely applies a multi-layered security framework in the organizational network, which includes multi-factor authentication and other measures, to effectively prevent and minimize the potential impact of such incidents.”