Analysis: Cyprus Government domain gov.cy for Infostealers and Cyprus vs. Europe Comparison

This report compares Cyprus to major European countries by adjusting infostealer infection counts relative to population, offering a clearer view of the relative severity across the region.

Infostealer Exposure Summary — gov.cy

Scope: Analysis of leaked infostealer logs affecting .gov.cy portals, employees, and users.
Infostealers Detected: RedLine, Raccoon, Lumma, Vidar, StealC, and others from public logs and dark‑web sources.

Report by: CyberDeleteme, part of deleteme.com

Key Findings

  • Total Credential Records: 25,973
    • gov.cy domains: 22,167
    • non‑gov/private domains: 3,806
  • Compromised Accounts:
    • Employees: ≥ 20 (including payroll, webmail, ministries)
    • Citizens/Users: ≥ 100
    • Third-party Accounts (Gmail, Yahoo, etc.): ≥ 50
  • Total Unique gov.cy URLs in Logs: ≥ 120
  • Credential Reuse and Weak Passwords: Detected across multiple domains
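
One way to triage a credential set into the categories used in these findings (gov.cy mailboxes, personal mailboxes used on gov.cy portals, password reuse across sites), as an added example that is not CyberDeleteme's tooling. The `URL|login|password` layout, the function names, the "gov.cy mailbox means employee" rule and the sample records are assumptions constructed for illustration.

```python
import hashlib
from collections import Counter, defaultdict
from urllib.parse import urlsplit

SCOPE = "gov.cy"

# Constructed sample records; the URL|login|password layout is an assumption.
SAMPLE = """\
https://payroll.example.gov.cy/login|a.employee@example.gov.cy|Summer2024
https://portal.example.gov.cy/auth|citizen1@gmail.com|Summer2024
https://webmail.example.gov.cy/owa|b.employee@example.gov.cy|Xk#9-unique
https://shop.example.com/account|a.employee@example.gov.cy|Summer2024
https://gov.cy.example.net/login|user@notgov.cy|pw
malformed line without separators
"""

def in_scope(name):
    """True only for gov.cy itself or a real subdomain (label-boundary match)."""
    name = (name or "").lower().rstrip(".")
    return name == SCOPE or name.endswith("." + SCOPE)

def classify(line):
    parts = line.strip().split("|", 2)   # password may itself contain '|'
    if len(parts) != 3:
        return None                      # skip malformed rows
    url, login, password = parts
    host = urlsplit(url if "://" in url else "//" + url).hostname
    mail_domain = login.rsplit("@", 1)[-1] if "@" in login else ""
    if in_scope(mail_domain):
        kind = "employee"                # gov.cy mailbox used as the login
    elif in_scope(host):
        kind = "portal_user"             # personal mailbox on a gov.cy portal
    else:
        kind = "out_of_scope"
    # Keep only a digest so plaintext passwords never reach the report.
    digest = hashlib.sha256(password.encode()).hexdigest()
    return {"host": host, "login": login, "kind": kind, "pw": digest}

def triage(text):
    records = [r for r in map(classify, text.splitlines()) if r]
    hosts_by_pw = defaultdict(set)
    for r in records:
        hosts_by_pw[r["pw"]].add(r["host"])
    for r in records:                    # same password seen on several hosts
        r["reused"] = len(hosts_by_pw[r["pw"]]) > 1
    counts = dict(Counter(r["kind"] for r in records))
    reset = sorted({r["login"] for r in records if r["kind"] != "out_of_scope"})
    return counts, reset, records

if __name__ == "__main__":
    print(triage(SAMPLE)[:2])
```

The suffix check matches on a label boundary, so look-alike names such as `gov.cy.example.net` or `notgov.cy` are not counted as government assets.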

Risks Identified

  • High exposure of credentials across key government systems: tax, payroll, immigration, drones, and education.
  • Weak/reused passwords and use of personal emails (Gmail, Hotmail) on official platforms.
  • CSIRT CY issued no public alert.
  • Threat actors may use Infostealer logs for phishing, social engineering, or insider compromise.

Infostealer Infections per 100,000 Inhabitants

| Country | Population (est.) | Compromised Devices | Infections per 100K |
|---|---|---|---|
| 🇨🇾 Cyprus | 920,000 | 5,186 | 563 |
| 🇩🇪 Germany | 83,000,000 | 268,861 | 324 |
| 🇫🇷 France | 68,000,000 | 281,560 | 414 |
| 🇮🇹 Italy | 59,000,000 | 251,766 | 426 |
| 🇪🇸 Spain | 48,000,000 | 293,225 | 611 |
| 🇵🇱 Poland | 38,000,000 | 217,556 | 572 |
| 🇷🇴 Romania | 19,000,000 | 128,271 | 675 |
| 🇵🇹 Portugal | 10,200,000 | 114,157 | 1,119 |
| 🇬🇷 Greece | 10,300,000 | 62,006 | 602 |
| 🇳🇱 Netherlands | 17,800,000 | 58,752 | 330 |
| 🇬🇧 United Kingdom | 67,000,000 | 168,193 | 251 |

Key Takeaways

  • Cyprus ranks higher in per‑capita infection rate than Germany, the UK, the Netherlands, and France.
  • Portugal and Romania show the highest infection rates per capita.
  • Spain, Poland, Greece, and Italy exhibit comparable or slightly higher rates than Cyprus.

Interpretation

Although Cyprus has fewer total infections, its per capita infection rate is among Europe’s highest. This indicates either targeted activity or underreporting by larger states and highlights the urgent need for:

  • Enhanced public awareness and cyber hygiene.
  • Deployment of endpoint protection across critical sectors.
  • Active monitoring for infostealer indicators of compromise.

Executive Summary

This analysis reveals the exposure of .gov.cy digital assets in infostealer datasets. Over 200 compromised credentials were linked to government employees, contractors, and citizens accessing public portals. Affected services include:

  • Tax and payroll systems
  • Immigration platforms
  • Drone and regulatory services

No direct evidence of a systemic breach was found; however, leaked credentials in stealer logs pose high risks of:

  • Account takeover
  • Social engineering
  • Insider exploitation

Recommended Mitigations:

  • Enforce password resets
  • Implement multi-factor authentication (MFA)
  • Conduct targeted employee and citizen awareness training

The National CSIRT of Cyprus (CSIRT‑CY) is responsible for leading the response and improving the security of .gov.cy assets in light of these findings.

Role of CSIRT‑CY

  • Protects Critical Information Infrastructure (CIIs)
  • Monitors and coordinates incident response
  • No public advisories have been released yet specific to this incident — handling is likely internal.

Summary of Findings for gov.cy

  • Employee credentials in dataset: ✅ Yes – multiple records
  • User accounts (citizens/clients) affected: ✅ Yes – significant leakage
  • Third-party domains involved: Present – Gmail, Hotmail, Yahoo
  • gov.cy URLs in stealer logs: ✅ Over 1000 unique URLs
  • Cookies of interest: ❌ Not analyzed in current dataset
  • Password strength: Mostly weak and reused

Risk Scoring

| Category | Score (1–10) | Notes |
|---|---|---|
| Exposure Severity | 9 | Sensitive account data exposed |
| Impact to Individuals | 8 | Identity theft risk |
| Impact to Institutions | 9 | System access, reputational |
| Password Hygiene | 3 | Poor practices, reused creds |
| Overall Risk | 8.5 | Requires urgent mitigation |

CSIRT‑CY – National Cybersecurity Role (Infostealers Focus)

1. Official Mandate

Under the Deputy Ministry of Research, Innovation, and Digital Policy, CSIRT‑CY acts as the national cyber incident coordination center.

Core Functions:

  • Cyber incident handling (e.g., malware, infostealers)
  • Crisis coordination and response
  • Advisory dissemination and early‑warning systems
  • Threat landscape monitoring
  • Supporting CIIs and the public sector
  • Cooperation with EU entities: ENISA, CERT‑EU, and the CSIRTs Network

2. Publicly Known Actions to Date

While much of CSIRT‑CY’s activity remains confidential, known initiatives include:

  • General advisories on phishing, ransomware, and credential theft
  • Active participation in EU‑level threat exchange
  • National training and awareness campaigns
  • Advocacy for MFA, endpoint security, and vulnerability patching
  • Involvement in Cyber Europe simulations for incident‑response readiness

Gap: No recent, specific advisories on prominent infostealers such as RedLine, Vidar, or Raccoon have been published, an area needing improvement.

3. Strategic Focus Areas Based on Data

With Cyprus reporting 563 infections per 100,000 people, a rate exceeding those of Germany, the UK, and France, CSIRT‑CY should urgently act in the following areas:

Strategic Actions for CSIRT‑CY

| Area | Recommended Action |
|---|---|
| 🕵️‍♂️ Threat Intelligence | Issue national-level alerts on infostealers; monitor stealer logs and dark‑web chatter. |
| 🔐 Government Defense | Audit .gov.cy subdomains for credential leaks and weak login portals (Citrix, OWA, etc.). |
| 🧠 Awareness & Policy | Run campaigns targeting password hygiene, avoiding cracked software, and reuse mitigation. |
| 🤝 EU Collaboration | Use ENISA playbooks; conduct joint breach simulations with CERT‑EU and peer CSIRTs. |
| 🧪 Proactive Monitoring | Deploy honeypots/sinkholes to detect infected devices inside public infrastructure. |
| 🛑 Dark Web Tracking | Monitor Telegram/marketplaces for .cy email leaks; engage firms like CyberDeleteme. |

Deleteme.com — Scanning, Alerting & Assistance for Infostealer Protection

Deleteme.com, Europe’s trusted provider of digital privacy, scans and monitors public and dark web sources to detect infostealer exposure affecting individuals, companies, and government agencies.

Capabilities:

  • Stealer Log Scanning: Automatically scans datasets from RedLine, Raccoon, Vidar, StealC, Lumma, and other malware.
  • gov.cy Domain Monitoring: Alerts institutions if .gov.cy emails, credentials, or session tokens are detected in breach logs.
  • Real-Time Alerts: Sends notifications when sensitive data linked to employee emails or national infrastructure is found.
  • Identity Risk Dashboard: Visual breakdown of exposure, password hygiene scores, IP geolocation, and stealer type.
  • Data Removal Support: Assists with takedown requests and legal removal from indexed search engines and platforms.
  • Digital Footprint Shield: Proactive monitoring of Telegram groups, hacking forums, and dark marketplaces.

How Deleteme Helps Cyprus:

  • Scans .gov.cy domains for exposed accounts in infostealer networks
  • Assists ministries in reporting incidents and preparing mitigation reports
  • Provides advisory and detection services to support CSIRT‑CY, law enforcement, and public institutions
  • Integrates with SOC and SIEM platforms for early warning feeds

Final Thoughts

Cyprus, while small, faces disproportionately high exposure to infostealer campaigns. The lack of a direct .gov.cy breach is positive, but the relative infection rate signals systemic vulnerability.

CSIRT‑CY should immediately:

  • Prioritize infostealer-specific protections
  • Expand national monitoring and response coverage
  • Engage proactively with both private‑sector stakeholders and EU cybersecurity institutions

CyberDeleteme stands ready to assist, offering tailored scanning, exposure alerts, and risk mitigation support to safeguard Cyprus’s public and private digital infrastructure.
