
Polish media recently reported a major information breach. According to Polish news, attackers managed to get hold of a three-year-old email conversation that included login and password details for a sensitive database.

This leaked email allowed access to a detailed map of a military port, the evacuation plan of Warsaw and other highly sensitive data.

Journalists at the Polish investigative journalism outlet also found that the password enclosed in the email, originally sent in 2020, was still valid as late as May 5th, 2023. The finding indicates that account owners were unaware they were breached for at least three years.

The password worked several hours after the confidential email leaked on a Telegram account called Poufna Rozmowa (Confidential Conversations). Since 2021, Poufna Rozmowa has been leaking the personal correspondence of Michał Dworczyk, who at the time was the Chief of the Chancellery of the Prime Minister of Poland. The recently leaked email also came from the same batch of stolen correspondence, as reported by Cyber News.

Reportedly, the account is tied to UNC1151 attackers, also known as Ghostwriter, a hacker group allegedly originating from Belarus. According to the cybersecurity firm Mandiant, the group has spread disinformation critical of NATO since at least 2016. UNC1151 likely closely cooperates with the Russian special forces.

The group has executed spear-phishing campaigns against members of the legitimate press to infiltrate the content management systems of those organizations. Then, the group uses the system to publish its own fake news articles.