Alleged hack of the Army under investigation: what data is for sale and what is it used for?

The Argentine Army is analyzing a post by a cybercriminal on a well-known forum for trading personal information, which claims to contain information on 50,000 members of the force.
Various government sectors, from the Ministry of Defense to the Federal Cybersecurity Agency, are analyzing the potential scope of the alleged hacking that led to the leak.
The information was released by Birmingham Cyber Arms LTD, a company that conducts threat intelligence and monitors hacks and leaks in both the state and private sectors. "A threat actor is selling data on 50,000 military personnel in Argentina in a PDF format: ID, date of birth, residency, travel records, diplomas, and more," it posted on its threat monitoring system, Sheriff.
Mauro Eldritch, the company's director, told Clarín what information is being offered: "It's a batch of 50,000 documents in mixed formats, including PDFs and screenshots, which would indicate the level of access the attacker has to the system from which they were extracted," he explained.
The analyst described what can be inferred from the post: "They appear to have been incrementally extracted from a document system, which would indicate a vulnerability that allows the visualization of data (in this case, user profiles) identified by an ascending value (such as 1, 2, 3, 4)," he said. This is what is known in cybersecurity as "IDOR," or Insecure Direct Object Reference.
"What this type of vulnerability enables is for any malicious user to continue the sequence and view foreign data, allowing them to scrape the database (that is, visit it sequentially and automatically to replicate it in a manner permitted by the system)," he continued. So, for example, if a web address ends in "445," changing it to "446" allows them to view another user's profile.
The post on a well-known cybercrime forum: Argentine Army information for sale. Photo: Sheriff screenshot
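The sequential access pattern described above leaves a recognizable trace in web server logs. The following defender-side sketch is an added example, not code from Clarín, Birmingham Cyber Arms or the affected system; the log layout, the `/profile/<id>` path, the function names and the threshold of five consecutive IDs are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample access log (client, method, path, status); not real data.
SAMPLE_LOG = """\
10.0.0.5 GET /profile/445 200
203.0.113.7 GET /profile/445 200
203.0.113.7 GET /profile/446 200
10.0.0.9 GET /profile/12 200
203.0.113.7 GET /profile/447 200
203.0.113.7 GET /profile/448 200
10.0.0.5 GET /profile/445 200
203.0.113.7 GET /profile/449 404
203.0.113.7 GET /profile/450 200
10.0.0.9 GET /profile/13 200
203.0.113.7 GET /profile/451 200
203.0.113.7 GET /profile/452 200
"""

# Assumed log layout and URL pattern; adapt the regex to the real application.
LINE_RE = re.compile(r"^(\S+) GET /profile/(\d+) (\d{3})$")

def longest_ascending_run(ids):
    """Longest streak of requests in which each ID is exactly the previous one plus 1."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def find_enumeration(log_text, min_run=5):
    """Map each client that walked >= min_run consecutive IDs to its run length and hit count."""
    requested = defaultdict(list)   # client -> IDs in request order
    served = defaultdict(int)       # client -> responses that returned a record (HTTP 200)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        client, obj_id, status = m.group(1), int(m.group(2)), m.group(3)
        requested[client].append(obj_id)
        served[client] += status == "200"
    return {
        client: {"run": longest_ascending_run(ids), "served": served[client]}
        for client, ids in requested.items()
        if longest_ascending_run(ids) >= min_run
    }

if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))
```

Detection of this kind only shows that records were walked in order; the fix for the underlying flaw is a server-side check that the authenticated user is allowed to read the requested record.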
"The batch contains a lot of sensitive information because it's of a military nature , from academic records and photographs to travel information and family details of the soldiers, so it could be a backup copy of a system containing files," he adds.
The Army issued a statement last Tuesday stating that "it could involve access to administrative data that does not compromise the Force's capabilities." Clarín contacted the Army for an update on the status of the incident and confirmed that the complaint filed on May 8 with the Federal Police's Cybercrime Division was expanded this Thursday.
Personal information of Army members for sale. Photo: Archive
A data breach (or leak, as it's known in cybersecurity) is the unauthorized exposure of information. It can include a full name, address, email address, phone number, passwords, or files. It can also involve sensitive information, as in this case involving the Army.
"The critical part of what is allegedly for sale is the service records, where you can see in great detail the military career of each member, where they served ('arm or service'), in what role, and with what rank at the time. It's basically each person's military history, which often reveals sensitive information not only about the person but also about the internal movements of Destiny (destiny as a military location)," explains Eldritch.
This information is often sold on underground forums and Telegram channels, among other sites geared toward cybercriminals. These leaks have a variety of uses, from being sold on the black market to being exploited to carry out phishing attacks: fake emails that trick users into visiting fake websites and services.
Typically, once leaked, the data ends up on black markets (the so-called dark web, although it is also sold on Telegram, which does not regulate illicit activities of any kind), is used for all kinds of fraud, or even serves as a gateway for ransomware attacks.
Patricia Bullrich and Luis Petri meeting with members of the Army in March. (Photo: Juan José García)
Argentina has experienced a large number of attacks on state entities in recent years, from the National Directorate of Migration in 2020, the Senate of the Nation in 2022, and PAMI and the CNV in 2023, to one of the largest cases, RENAPER last year.
This media outlet was able to access the information leaked from RENAPER last year and found that it included the names, surnames, dates of birth, dates of death (if applicable), and ID numbers of millions of Argentines.
There were even very specific folders containing databases of addresses of foreigners residing in Argentina, as well as information on Navy personnel with full names and military ranks, which indicates that this new case would not be the first to affect the Armed Forces.
The Army's statement on the alleged hacking. Source: Argentine Army
Clarin