Massive Cyber-Attack Cripples Governments, Nuclear Researcher

A massive and deeply troubling wave of cyber-attacks has compromised critical government and scientific institutions, with new threat intelligence data pointing to a multi-pronged assault by sophisticated ransomware gangs. An exclusive analysis of dark web and malware logs reveals that Kuwait’s Ministry of Finance, El Salvador’s Ministry of Local Development, and a premier Czech nuclear research facility have all been breached.

The targets are not small businesses; they are pillars of national infrastructure. The victims include:

  • Kuwait Ministry of Finance (mof.gov.kw): The economic heart of the nation. This ministry manages Kuwait’s public treasury, national budget, and oversees the country’s multi-trillion-dollar sovereign wealth fund.
  • El Salvador Ministry of Local Development (mindel.gob.sv): A key government body in El Salvador responsible for investing in and coordinating infrastructure works across the country’s municipalities.
  • ÚJV Řež (ujv.cz): A top-tier European technology center in the Czech Republic specializing in nuclear power engineering, reactor safety, radiopharmaceuticals, and radioactive waste management.

The breach of such sensitive institutions raises profound national and international security questions.

How They Were Hacked

Intelligence logs paint a damning picture of the attack vectors. This wasn’t a single point of failure; it was a devastating combination of tactics, techniques, and procedures (TTPs) that bypassed defenses.

1. The Open Door: Credential Stuffing

The primary entry point for both the Kuwaiti Ministry and the Czech nuclear facility appears to be old-fashioned, recycled passwords. Investigation logs show credentials for employees at both organizations, such as [email protected] and [email protected], available in “Credential Stuffing Lists” circulating on the dark web.

Attackers armed with these lists—massive databases of usernames and passwords from previous, unrelated breaches—could simply log in as legitimate employees.
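The pattern described above leaves a recognisable trace in authentication logs: one source address cycling through many distinct usernames in a short window, with almost every attempt failing. The detector below is an added example written for this article, not code from the original piece or from any of the organisations named in it; the log format, the thresholds and every username and IP address in the sample are constructed assumptions, chosen to show what a defender would flag and which accounts would need a password reset.

```python
"""Credential-stuffing detector over constructed authentication log lines.

Added example for this article, not code from the original piece. The log
format ("<ISO timestamp> <source ip> <username> <result>"), the thresholds and
all sample usernames/IPs are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source tries seven different accounts in six
# seconds and gets one success; a second source is an ordinary user retrying.
SAMPLE_LOG = """\
2024-05-01T09:00:01 203.0.113.7 alice FAIL
2024-05-01T09:00:02 203.0.113.7 bob FAIL
2024-05-01T09:00:03 203.0.113.7 carol FAIL
2024-05-01T09:00:04 203.0.113.7 dave FAIL
2024-05-01T09:00:05 203.0.113.7 erin FAIL
2024-05-01T09:00:06 203.0.113.7 frank SUCCESS
2024-05-01T09:00:07 203.0.113.7 grace FAIL
2024-05-01T09:05:00 198.51.100.2 alice FAIL
2024-05-01T09:05:30 198.51.100.2 alice SUCCESS
"""

WINDOW = timedelta(minutes=10)   # assumed observation window
MIN_DISTINCT_USERS = 5           # one source trying many different accounts
MAX_SUCCESS_RATIO = 0.2          # stuffing is overwhelmingly failures


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def detect_credential_stuffing(log_text, window=WINDOW,
                               min_users=MIN_DISTINCT_USERS,
                               max_success_ratio=MAX_SUCCESS_RATIO):
    """Return {source_ip: finding} for sources whose login pattern looks like
    credential stuffing: many distinct usernames inside `window` with a low
    success ratio. The finding records which accounts did succeed, because
    those are the ones to reset and review first."""
    events_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = parse_line(line)
            events_by_ip[ip].append((ts, user, result))

    findings = {}
    for ip, events in events_by_ip.items():
        events.sort()
        best = None
        start = 0
        # Sliding window over the source's events, keeping the widest window
        # that meets the thresholds so the finding reflects the whole burst.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            users = {u for _, u, _ in win}
            if len(users) < min_users:
                continue
            successes = sorted({u for _, u, r in win if r == "SUCCESS"})
            ratio = len([1 for _, _, r in win if r == "SUCCESS"]) / len(win)
            if ratio <= max_success_ratio and (best is None or len(win) > best["attempts"]):
                best = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "success_ratio": round(ratio, 2),
                    "accounts_to_reset": successes,
                }
        if best:
            findings[ip] = best
    return findings


if __name__ == "__main__":
    for ip, finding in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, finding)
```

The thresholds are deliberately simple; in production they would be tuned per identity provider, and the `accounts_to_reset` list would feed a forced credential reset and session revocation rather than a print statement.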

2. The Inside Man: Infostealer Malware

For the Kuwaiti Ministry of Finance, the breach was compounded by malware. Logs from Vidar and Lumma infostealers were discovered, indicating employees’ computers were compromised. This type of malware silently scrapes browsers for saved passwords, session cookies, and cryptocurrency wallets, effectively handing attackers the keys to secure portals, including the ministry’s payment and login gateways.

3. The Public Execution: Double Extortion

For all three victims, the endgame was the same: double extortion. The attackers, identified as the notorious Rhysida and Play ransomware gangs, first exfiltrated massive amounts of sensitive data. Only after securing the data did they encrypt the networks.

This data was then posted to their respective “leak sites” on the Tor network, with the threat to release all state secrets, financial records, and nuclear research if the ransom is not paid.

ACTIONABLE INTELLIGENCE: Indicators of Compromise (IOCs)

For cybersecurity professionals and IT leaders, the time to act is now. The following IOCs were identified in this investigation. We urge all network defenders to check their logs immediately for this activity.
Victim 1: Ministry of Finance, Kuwait (mof.gov.kw)

  • Threat Actor: Rhysida
  • TTPs: Credential Stuffing, Infostealer Malware, Data Exfiltration
  • IOCs (Malware): Vidar Stealer, Lumma Stealer
  • IOCs (Compromised Emails): [email protected], [email protected]
  • IOCs (Leaked Credentials): rmrmrm1, rawa2001
  • IOCs (Targeted Internal URLs): pg.mof.gov.kw, hawayti.mof.gov.kw, souqfri.mof.gov.kw
  • IOC (Dark Web Leak Site): http://rhysidafohrhyy2aszi7bm32tnjat5xri65fopcxkdfxhi4tidsg7cad.onion

Victim 2: Ministry of Local Development, El Salvador (mindel.gob.sv)

  • Threat Actor: Rhysida
  • TTPs: Data Exfiltration, Public Leak (Double Extortion)
  • IOC (Dark Web Leak Site): http://rhysidafohrhyy2aszi7bm32tnjat5xri65fopcxkdfxhi4tidsg7cad.onion

Victim 3: ÚJV Řež – Czech Nuclear Research (ujv.cz)

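The article asks defenders to check their logs for the activity above. The most directly usable indicator for an outside organisation is the leak-site hostname, since any internal client that resolves or proxies a request to it, or to any Tor hidden service, warrants a look. The scanner below is an added example for this article, not code from the original piece; the proxy log format and the sample lines, including the second placeholder .onion host, are constructed, and the one real IOC it carries is the Rhysida leak-site address listed above. Compromised emails and leaked passwords from the list are deliberately left out: those are matched against an identity provider, not against code.

```python
"""Match proxy/DNS log lines against the leak-site IOC listed in the article.

Added example; not part of the original article. The log format
("<timestamp> <client ip> <url or hostname>") and the sample lines are
constructed. LEAK_SITE_IOCS holds the Rhysida leak-site hostname from the
article's IOC list.
"""
from urllib.parse import urlsplit

# IOC from the article's list, kept as a bare hostname so it matches whether
# the log records a full URL or just a DNS name.
LEAK_SITE_IOCS = {
    "rhysidafohrhyy2aszi7bm32tnjat5xri65fopcxkdfxhi4tidsg7cad.onion",
}

# Constructed sample proxy log. The second .onion host is a placeholder that
# exists only to show the generic Tor hidden-service verdict.
SAMPLE_PROXY_LOG = """\
2024-05-02T10:00:00 10.0.0.15 https://intranet.example.internal/payroll
2024-05-02T10:01:12 10.0.0.22 http://rhysidafohrhyy2aszi7bm32tnjat5xri65fopcxkdfxhi4tidsg7cad.onion/
2024-05-02T10:02:40 10.0.0.22 http://constructed-placeholder-hidden-service.onion/login
2024-05-02T10:03:05 10.0.0.31 updates.example.com
"""


def normalize_host(target):
    """Reduce a URL or bare hostname to a lowercase hostname without port,
    path or trailing dot, so IOC comparison is exact and case-insensitive."""
    if "://" in target:
        host = urlsplit(target).hostname or ""
    else:
        host = target.split("/")[0].split(":")[0]
    return host.lower().rstrip(".")


def classify(host, iocs=LEAK_SITE_IOCS):
    """Return a verdict string for a hostname, or None if it is unremarkable."""
    if host in iocs:
        return "known-leak-site"
    if host.endswith(".onion"):
        # Not an article IOC, but Tor hidden-service traffic from a corporate
        # client is rare enough to surface for review.
        return "tor-hidden-service"
    return None


def scan_proxy_log(log_text, iocs=LEAK_SITE_IOCS):
    """Return a list of hits, each naming the client, host and verdict."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, target = line.split(maxsplit=2)
        host = normalize_host(target)
        verdict = classify(host, iocs)
        if verdict:
            hits.append({"time": ts, "client": client,
                         "host": host, "verdict": verdict})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
```

A hit on the known leak site from an internal client is not by itself proof of compromise (analysts and journalists visit leak sites too), but it identifies exactly which machine and time window to pull for a closer look.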

The Brutal Reminder

This cluster of high-profile attacks is a brutal reminder: the perimeter is dead.

The attacks on the Kuwaiti Ministry and the Czech nuclear facility were not sophisticated zero-day exploits; they were enabled by poor password hygiene and basic malware infections. This proves that even the most secure organizations are only as strong as their least-secure employee or recycled password.

The call to action for every leader on this platform is clear: enforce Multi-Factor Authentication (MFA) everywhere, mandate password managers, train users to spot phishing, and accelerate the adoption of a Zero Trust architecture.