Data leaked on a dark website, allegedly from a Moldovan portal, does not support the hackers’ claims about how they obtained it. It also raises questions about the government’s May 2025 claim that its network had not been compromised. In Part 1, DataBreaches described a data exposure incident involving Moldova’s job applicant portal, cariere.gov[.]md. In...
# Incident Report: Compromise of Moldova’s Compensatii Portal
## Executive Summary
In early 2026, the threat actor group "Bashe Team" (formerly APT73) claimed a data breach of **compensatii[.]gov[.]md**, a Moldovan government portal used for energy compensation. While the hackers claimed recent access, investigations suggest the leaked data—consisting of usernames and plaintext passwords—may be recycled or older information. This incident follows a May 2025 denial by the Moldovan government regarding the sale of access credentials for the same platform.
## Incident Details
- **Discovery Date:** January 30, 2026 (Leak site posting)
- **Incident Date:** Claims of access dating back to May 2025 and September 2025
- **Affected Organization:** Government of Moldova (Compensatii platform)
- **Sector:** Government / Social Services
- **Geography:** Moldova
## Timeline of Events
### Initial Access
- **Date/Time:** Circa May 2025 (Initial reports of credential sales); September 2025 (Bashe Team's claimed entry).
- **Vector:** Alleged sale of administrative access keys/credentials.
- **Details:** Reports surfaced in May 2025 that access to the platform was being sold on the dark web. The government officially denied a breach at that time.
### Lateral Movement
- **Details:** Publicly available information does not provide specifics on lateral movement; however, the government claims the environment is isolated and monitored by STISC.
### Data Exfiltration/Impact
- **Details:** A .csv file was leaked containing usernames, email addresses, and plaintext passwords. The full scope of the PII exposed on the portal (IDNPs, cadastral numbers, and IBANs) was not confirmed in the initial .csv sample.
### Detection & Response
- **May 27, 2025:** Government investigated claims of credential sales; denied any compromise, citing "smoke and mirrors."
- **January 30, 2026:** Bashe Team listed the site on their leak portal.
- **February 16, 2026:** DataBreaches contacted Compensatii for comment; no response was received.
## Attack Methodology
- **Initial Access:** Valid Credential Use (alleged purchase of access keys).
- **Persistence:** Not explicitly detailed; hackers claimed long-term access from September 2025.
- **Defense Evasion:** Use of "smoke screens" and potential manipulation/masking of PII in samples to hinder validation (observed behavior of Bashe Team).
- **Collection:** Data gathering of user tables.
- **Exfiltration:** Posting data to a dedicated leak site (DLS).
- **Impact:** Reputational damage to government cybersecurity claims and potential exposure of citizen identifiers.
## Impact Assessment
- **Financial:** Unknown; potential for fraud using stolen IBANs and IDNPs.
- **Data Breach:** Exposure of usernames, emails, and plaintext passwords. Potential risk to sensitive PII (IDNP, Mortgage data).
- **Operational:** No reported disruption to the portal's service.
- **Reputational:** High; raises questions regarding the transparency and efficacy of the government's May 2025 security audit.
## Indicators of Compromise
- **Network indicators:** compensatii[.]gov[.]md; cariere[.]gov[.]md (related exposure).
- **Behavioral indicators:** Unauthorized sale of "Qualified Electronic Signatures" or administrative credentials on darknet forums.
- **Actor:** Bashe Team (formerly Eraleign / APT73).
## Response Actions
- **Containment:** Government claimed the platform operates in an isolated environment.
- **Eradication:** STISC reportedly audited the network in May 2025, though the efficacy of this audit is now contested.
- **Recovery:** No recovery info provided as the government maintains the system's integrity.
## Lessons Learned
- **Credential Integrity:** The reliance on administrative credentials—even those requiring qualified electronic signatures—requires constant monitoring for "keys for sale" on the dark web.
- **Validation Fatigue:** Threat actors like Bashe Team often recycle old data, making it difficult for incident responders to distinguish between new breaches and old exposures.
- **Transparency:** Denying a breach ("smoke and mirrors") that later appears to have some basis in fact can severely damage public trust in government digital infrastructure.
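The "validation fatigue" point above is a concrete triage problem: when a leak site posts a sample, responders need to know how much of it is recycled from earlier exposures and whether the secrets in it were ever stored properly. The script below is an added illustration, not code from DataBreaches or from the Moldovan government; all of its records are constructed placeholders (example.org addresses), and the "known" set simply stands in for material that was already circulating at the time of the May 2025 claims. It compares a newly posted CSV sample against that earlier set by e-mail address, classifies each row as recycled, rotated or fresh, and counts how many secret values are plaintext rather than hash-shaped.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample data, not records from the actual leak. KNOWN_2025_CSV
# stands in for material already circulating at the time of the May 2025
# claims; NEW_2026_CSV stands in for the .csv sample posted in January 2026.
KNOWN_2025_CSV = """username,email,password
ion.p,ion.p@example.org,Parola123
maria.c,maria.c@example.org,vara2024!
admin2,admin2@example.org,Admin#2025
"""

NEW_2026_CSV = """username,email,password
ion.p,ion.p@example.org,Parola123
maria.c,MARIA.C@example.org,vara2024!
admin2,admin2@example.org,Admin#2026
vasile.d,vasile.d@example.org,$2b$12$C6UzMDM.H6dfI/f/IKxGhuNCg5p3IxBxJuH8C2zw1jYpczjmo4Kta
elena.r,elena.r@example.org,Iarna2026
"""

# Shapes of common stored-credential formats; a value matching none of them
# is treated as plaintext.
HASH_PATTERNS = {
    "bcrypt": re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"),
    "argon2": re.compile(r"^\$argon2(id|i|d)\$"),
    "sha256-hex": re.compile(r"^[0-9a-f]{64}$"),
    "md5-hex": re.compile(r"^[0-9a-f]{32}$"),
}


def parse_leak(text):
    """Parse a leaked CSV sample into a list of dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(text.strip())))


def classify_secret(value):
    """Return the name of the hash format the value looks like, or 'plaintext'."""
    for name, pattern in HASH_PATTERNS.items():
        if pattern.match(value):
            return name
    return "plaintext"


def triage(new_csv, known_csv):
    """Compare a newly posted sample against previously known records.

    A row is 'recycled' when the same e-mail appears in the older set with an
    identical secret value, 'rotated' when the e-mail is known but the secret
    differs, and 'fresh' when the e-mail was not seen before.
    """
    known = {r["email"].strip().lower(): r["password"] for r in parse_leak(known_csv)}
    recycled, rotated, fresh = [], [], []
    storage = Counter()
    new_rows = parse_leak(new_csv)
    for row in new_rows:
        email = row["email"].strip().lower()
        storage[classify_secret(row["password"])] += 1
        if email not in known:
            fresh.append(email)
        elif known[email] == row["password"]:
            recycled.append(email)
        else:
            rotated.append(email)
    total = len(new_rows)
    return {
        "total": total,
        "recycled": sorted(recycled),
        "rotated": sorted(rotated),
        "fresh": sorted(fresh),
        "recycled_ratio": len(recycled) / total if total else 0.0,
        "storage": dict(storage),
    }


if __name__ == "__main__":
    report = triage(NEW_2026_CSV, KNOWN_2025_CSV)
    print(f"{report['total']} rows; {len(report['recycled'])} recycled, "
          f"{len(report['rotated'])} rotated, {len(report['fresh'])} fresh")
    print("credential storage formats:", report["storage"])
```

A high recycled ratio is evidence for the "old data" reading of the claim, while rotated and fresh rows are the ones that point to access after the earlier exposure and deserve the forensic effort; the storage counts answer, independently of provenance, whether the source system ever hashed its credentials.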
## Recommendations
- **Multi-Factor Authentication (MFA):** Ensure all administrative access requires hardware-based MFA that cannot be easily sold as a "static" credential.
- **Dark Web Monitoring:** Implement automated monitoring for mentions of government domains and employee credentials.
- **Password Hashing:** Ensure no user data is stored in plaintext (as the leaked .csv suggested).
- **Independent Audits:** Conduct third-party forensic audits following darknet claims rather than relying solely on internal press office statements.
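The password-hashing recommendation is the one a portal operator can implement directly. The code below is an added example, not code from the Compensatii platform or from DataBreaches, showing what "no plaintext" looks like in practice: a salted, memory-hard derivation (scrypt from the Python standard library, chosen so the example runs without extra packages; the cost parameters are illustrative assumptions to be tuned per server), a self-describing stored format so parameters can be raised later, constant-time verification, and a one-shot migration of an existing plaintext user table of the kind the leaked .csv implies.

```python
import base64
import hashlib
import hmac
import os

# scrypt cost parameters. Assumption: illustrative values to be tuned to the
# server hardware; n=2**14, r=8 needs roughly 16 MiB of memory per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def _b64(data):
    return base64.b64encode(data).decode("ascii")


def hash_password(password, salt=None):
    """Derive a salted scrypt hash and encode it together with its parameters.

    The stored string carries everything verification needs, so the cost
    parameters can be raised later without invalidating existing records.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"$scrypt$n={SCRYPT_N}$r={SCRYPT_R}$p={SCRYPT_P}${_b64(salt)}${_b64(dk)}"


def verify_password(password, stored):
    """Recompute the hash from the stored parameters and compare in constant time.

    Anything that is not a well-formed scrypt record (for example a leftover
    plaintext value) fails closed instead of being compared directly.
    """
    try:
        _, scheme, n, r, p, salt_b64, dk_b64 = stored.split("$")
        if scheme != "scrypt":
            return False
        n, r, p = (int(field.split("=", 1)[1]) for field in (n, r, p))
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
    except (ValueError, TypeError):
        return False
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def migrate_plaintext_table(rows):
    """Replace plaintext 'password' values with hashes; other fields are untouched.

    Each row gets its own random salt, so identical passwords no longer
    produce identical stored values.
    """
    return [{**row, "password": hash_password(row["password"])} for row in rows]


if __name__ == "__main__":
    # Constructed placeholder rows, not data from the leak.
    table = [{"username": "ion.p", "password": "Parola123"},
             {"username": "maria.c", "password": "Parola123"}]
    migrated = migrate_plaintext_table(table)
    for row in migrated:
        print(row["username"], row["password"][:24] + "...",
              verify_password("Parola123", row["password"]))
```

After a migration like this the user table no longer yields working credentials if it leaks, which is the property the January 2026 .csv sample shows the portal lacked; existing plaintext rows should be converted in place rather than left to be rehashed lazily at next login, since a dormant account is exactly the kind that never logs in again.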