Quick Overview of Korean Ministry of Environment Source Code Breach
2025.01.17



✅ Report Summary:

This report shares a brief summary, including a timeline, of the recent discovery that a deep dark web user, IntelBroker, leaked the source code of the South Korean Ministry of Environment.

Early this year, IntelBroker reportedly uploaded a sales post on the prominent dark web forum BreachForums, claiming to have leaked the source code from the Korean Ministry of Environment. Details are outlined in the report below.



*Who is IntelBroker?

- IntelBroker began operating on the Deep/Dark Web in October 2022 as a ransomware actor and data broker targeting corporations in about 23 countries.

- Between October 2022 and March 2023, IntelBroker primarily acted as the developer and operator of the Endurance ransomware. After ceasing ransomware activities, they actively leaked and sold databases, access credentials, and vulnerabilities of targeted companies on forums, gaining a reputation score of over 4,000. Initially operating as an individual, they later joined hacking groups CyberNiggers and Valhal.la.

- In April 2024, IntelBroker became a moderator on BreachForums, starting their role as a forum administrator. Based on their activities and an interview with Cyber Express, IntelBroker is believed to be an adult Serbian national.

- On December 28, 2024, and January 1, 2025, IntelBroker and EnergyWeaponUser, members of the CyberNiggers group, were identified as having attacked the South Korean Ministry of Environment and as selling its website source code.



📌 How did the incident unfold chronologically?

1. 2024-12-28: Two tweets, presumed to be posted by IntelBroker and EnergyWeaponUser, were detected on the official South Korean Ministry of Environment Twitter account.

- The tweets included: "North Korea is the best Korea" and "Breached By IntelBroker & EnergyWeaponUser," leaving evidence of the attack. Both tweets were deleted as of December 30, 2024.

- IntelBroker, primarily active on BreachForums as part of the CyberNiggers group, retweeted these posts on their personal Twitter account, sharing the attack publicly.

2. 2024-12-29: IntelBroker shared partial details on their Twitter account about the method used to post the tweets on the Ministry’s account.

- They revealed that the Ministry's Twitter account had 2FA enabled, but they used the Twitter API to post the tweets. (Original: *they had 2FA on so we just used the twitter API to send the tweets*)

3. 2025-01-01: IntelBroker uploaded a sales post on BreachForums, claiming to have leaked source code from the South Korean Ministry of Environment.

- According to IntelBroker, the source code was leaked about a year earlier in January 2024. The sales post also referred to the tweets they had posted on the Ministry's Twitter account.

- The leaked source code is presumed to belong to the Ministry’s National Fine Dust Information Center website (air[.]go.kr), including the main webpage and admin panel source code.

- The source code reportedly contained hardcoded OAuth credentials used for Twitter authentication. These credentials, combined with the Twitter API, were likely used to post unauthorized tweets on the Ministry's account.


✅ Recommended Threat Detection and Mitigation Measures:

Despite the use of 2FA on the Twitter account, secondary damage occurred because API credentials embedded in the leaked source code were misused. To prevent additional damage from data breaches:

- Implement separate management systems for credentials used during the development process.

- Ensure robust security measures are in place to mitigate potential risks associated with leaked credentials.
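One way to check a code base for the condition described above, hardcoded OAuth credentials, before it can leak. This is an added example, not part of the S2W report; the credential naming patterns, the 16-character minimum, the 3.0 bits-per-character entropy threshold and all sample values are assumptions constructed for illustration.

```python
import math
import re

# Names an OAuth 1.0a client typically gives its four values (consumer key and
# secret, access token and secret). The naming is an assumption; extend as needed.
ASSIGNMENT = re.compile(
    r"(?i)(?P<name>[\w.\-]*(?:consumer|api|access|oauth)[_\-]?"
    r"(?:key|secret|token(?:[_\-]?secret)?))[\"']?\s*[:=]\s*"
    r"(?:\"(?P<dq>[^\"]*)\"|'(?P<sq>[^']*)'|(?P<bare>[^\s;,\"'()]+))"
)
TOKEN_CHARS = re.compile(r"[A-Za-z0-9_\-+/=]{16,}")


def entropy(value):
    """Shannon entropy in bits per character."""
    counts = {c: value.count(c) for c in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())


def looks_like_secret(value):
    # Long, token-alphabet only, and random-looking. This rejects env lookups,
    # ${PLACEHOLDER} references and short dummy values such as CHANGE_ME.
    return bool(TOKEN_CHARS.fullmatch(value)) and entropy(value) >= 3.0


def find_hardcoded_oauth(text):
    """Return (line_number, name) for each credential assigned a literal value."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for match in ASSIGNMENT.finditer(line):
            value = match.group("dq") or match.group("sq") or match.group("bare")
            if value and looks_like_secret(value):
                findings.append((number, match.group("name")))
    return findings


# Constructed sample: Java and .properties lines with made-up values.
SAMPLE = '''\
String consumerKey = "hV9xQ2mTz7LpK4sWc1RbN8yE3";
String consumerSecret = System.getenv("TW_CONSUMER_SECRET");
twitter.oauth.accessToken=1234567890-Zq8LmX2vB7nKpR4tYw9Cd3FgHj6Ss1A
twitter.oauth.accessTokenSecret=${TW_ACCESS_TOKEN_SECRET}
const apiSecret = "CHANGE_ME";
'''

if __name__ == "__main__":
    for number, name in find_hardcoded_oauth(SAMPLE):
        print(f"line {number}: {name} is assigned a literal value")
```

Any credential this check finds in a repository's history should be treated as exposed and rotated, since 2FA on the account does not protect API tokens that are already issued.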



🧑‍💻 Report Author: S2W TALON (Updated. 2025-01-02)



👉 For inquiries about the full report: https://s2w.inc/en/contact



*The full report is available upon request and for QUAXAR subscribers.

