Threat Intel: Lithuania Investigates B2B Credential Misuse Exposing 600,000 National Registry Records

The Lithuanian Prosecutor General’s Office and the Criminal Police Bureau have initiated a joint investigation into a large-scale data exfiltration incident targeting the State Enterprise Centre of Registers. The incident involved the unauthorized copying of over 600,000 records from the country’s national Real Estate and Legal Entities Registers. Rather than exploiting an unpatched software vulnerability, the attack mechanics rely on a classic trust-boundary compromise. The Entry Vector: Cross-Agency Credential Misuse (MITRE T1078) Forensic tracking indicates that the threat actors executed a series of unauthorized connections originating from foreign infrastructure. The entry vector relied on valid, high-privilege B2B institutional login credentials assigned to external state departments authorized to query the central registry database. Independent statements from legislative and defense officials suggest the specific access pathway was carved out by compromising authenticated accounts belonging to the Department of Migration under the Ministry of the Interior. By hijacking these valid inter-agency connection points, the threat actors bypassed perimeter barriers, allowing them to issue massive queries to the backend database without triggering immediate anomaly blocks. Exfiltration Scope & Impact Profile The breach was initially identified by internal monitoring in early April 2026, but public disclosure was delayed due to the ongoing criminal inquiry. The exfiltrated data schemas consist of: Full legal names, dates of birth, and unique national identification numbers. Registered physical addresses, corporate entity structures, and detailed cadastral/property registry extracts. The Centre of Registers has confirmed that primary consumer-facing vectors – such as telephone contact details, email addresses, bank account numbers, or raw cadastral measurement files – were not part of the exfiltrated datasets. The primary operational risk is tactical intelligence gathering. Security analysts have pointed out that bulk access to unlisted residential addresses linked to legal entities can be leveraged by foreign intelligence services for target profiling, spear-phishing orchestration, or coercion of state personnel, diplomats, and military figures. Incident Response & Remediation Following the identification of the unauthorized bulk queries, the Centre of Registers implemented the following controls: Immediate revocation and blocking of all compromised inter-agency institutional accounts. Mandatory credential rotation and strict query-volume throttling across all API and web self-service gateways linked to external state dependencies. The director of the Centre of Registers, Adrijus Jusas, formally stepped down on May 25 following administrative scrutiny regarding legacy IT infrastructure and monitoring gaps. While independent defense officials note the incident matches the operational signatures of state-aligned hybrid surveillance operations, official attribution from the Prosecutor General’s Office remains open. submitted by /u/technadu [link] [comments]Technical Information Security Content & DiscussionRead More