Customers upload what they find suspicious to VirusTotal (symbolic image)

Photo: Mohssen Assanimoghaddam / dpa

The file is small, 313 kilobytes, and it was never meant to become public. But at the end of June, it ends up on the Internet. It is a list of 5600 names, including employees of the US intelligence agency NSA and of German intelligence services. They have all registered with the IT security platform VirusTotal.

Most Internet users rarely stray there, and many will not even have heard of VirusTotal. But among IT security experts, it is considered one of the world's most important, and probably most sensitive, services in the fight against cyberattacks.

VirusTotal resembles a huge database of malware. Users can upload whatever they find suspicious: individual files, or links to suspicious websites. The engines of around 70 antivirus vendors then scan the submissions for suspicious code, i.e. for signs that a Trojan or other malware has turned up on a computer. The result is a global archive of digital attack tools, a kind of malware library.

The service is not without controversy. It was only in March last year that the German Federal Office for Information Security (BSI) warned companies and organizations not to upload suspicious files to the platform automatically, as is apparently practiced in some places. In some cases, confidential internal data is inadvertently made "de facto publicly available". It can be assumed that state actors such as intelligence services exploit this specifically for industrial espionage. Confidential BSI information has also been automatically uploaded to VirusTotal by its recipients.

The U.S. Cyber Command is particularly present

The leaked list of VirusTotal customers, which is available to SPIEGEL, includes the name of the organization and the e-mail address of the employees who registered the account. SPIEGEL was able to verify that the list is authentic. For example, the names of government employees appear, and some of those affected can also be found on LinkedIn.

The dataset is revealing, especially since it includes numerous users who are reluctant, or entirely unwilling, to talk about their work, and who say nothing about how they obtain information.

For example, twenty accounts alone lead to the "Cyber Command" of the USA, part of the American military and the hub for offensive and defensive hacking operations. Also represented: the U.S. Department of Justice, the U.S. Federal Bureau of Investigation (FBI) and the National Security Agency (NSA). Official bodies from the Netherlands, Taiwan and Great Britain are also on VirusTotal.

Several German services are affected, including a mysterious "federal office"

From Germany, the Federal Police, the Federal Criminal Police Office, the Military Counterintelligence Service (MAD) and a "Federal Office for Telecommunications Statistics", among others, are represented. That federal office long served as a clandestine cover organization for the Federal Intelligence Service; it has various branch offices spread across the country that belong to the intelligence service's "Technical Reconnaissance" division. For almost a decade, however, its true purpose and affiliation have been publicly known.

Also among the platform's customers: three employees of the BSI, the very authority that warned last year against the automated uploading of potentially confidential data.

Many employees of German corporations are also present. Around 30 of the leaked addresses belong to Deutsche Bahn employees, but the Bundesbank and various DAX giants such as Allianz, BMW, Mercedes-Benz and Deutsche Telekom are represented as well.

A leak with possibilities for abuse

Apart from names and e-mail addresses, apparently no other data such as passwords are affected. However, the leak reveals who in the affected corporations, services and organizations deals with IT security and malware. This opens up possibilities for abuse, for example social engineering or targeted phishing attacks, in which victims are approached with content that is plausible to them.

The leak is also noteworthy because VirusTotal is part of Google, one of the world's leading companies when it comes to protection against hacker attacks. There are hardly any known cases in which internal data from Google systems became public as a result of a leak.

How important VirusTotal is for IT security, and what critical information can end up there, is shown by an e-mail from 2022 that was for a time accessible on the platform. In this e-mail, the German Engineering Federation (VDMA) sent its members, as a service, a link to a web portal of the Ministry of the Interior of Rhineland-Palatinate, including the corresponding password. The portal can be used to download information about current hacker attacks in order to protect oneself against them. "Please do not share this data outside your company," said the e-mail, which was available to all VirusTotal users, on a website that hackers around the world are probably watching meticulously. With the forwarded e-mail from the industry association, they were now able to log in to the Rhineland-Palatinate web portal and find out which of their attacks had already been noticed and which had gone unnoticed. When asked, the VDMA said that the association had not previously been aware that the e-mail with the confidential content could be viewed on VirusTotal.

A security portal as a factor of uncertainty

The example illustrates how quickly VirusTotal can become a factor of uncertainty. The site, founded in 2004 by the Spanish company Hispasec Sistemas and taken over by Google in 2012, sometimes also serves as a leak site for curious content beyond malicious code: only recently, for example, the master's thesis of a leading Russian intelligence officer ended up there.

Many hackers also use VirusTotal to make sure that their malware and spyware is not detected by any antivirus vendor. The trade magazine "Wired" saw a special irony in this: "The Google page that is supposed to protect you helps hackers attack you," it headlined.

The service is free in a basic version, but there are also paid offers. Submitted files are stored on VirusTotal's servers, where anyone with a special account can find and download them. For years, IT security experts have assumed that intelligence services also systematically use VirusTotal to have the roughly 70 antivirus vendors test whether their current attack code sets off alarms, and to track down hackers whose Trojans and other tools end up on the site.
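The BSI's own stance, quoted further down, is to use VirusTotal as a source of information without uploading anything. The following is an added, defender-side illustration of that practice in Python; it is not code from the article, from Google or from VirusTotal. It assumes the VirusTotal v3 REST API, whose file-report endpoint is a `GET` on `/api/v3/files/{sha256}` authenticated with an `x-apikey` header (an assumption about the API, not something the article states). Nothing here sends a request: `build_hash_lookup()` only returns what a client would send, so the example runs offline, and the sample e-mail bytes are constructed.

```python
"""Hash-only VirusTotal lookup with a pre-upload gate (added example).

Mirrors the practice the BSI describes: query VirusTotal by file hash, never
hand it the file itself.  Assumptions, not stated on the page: the VirusTotal
v3 endpoint GET /api/v3/files/{sha256} and its 'x-apikey' header.
"""
import hashlib
import re

VT_FILE_REPORT = "https://www.virustotal.com/api/v3/files/{sha256}"  # assumed v3 endpoint

# Magic numbers of native executables (PE, ELF, Mach-O).  Anything else is
# treated as a document that may carry internal data: e-mails, office files, text.
_EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"\xcf\xfa\xed\xfe", b"\xfe\xed\xfa\xce")

# Credential hints in German and English, like the password in the VDMA e-mail.
_SECRET_HINT = re.compile(rb"(?i)\b(passwor[dt]|kennwort|api[-_ ]?key|secret)\b\s*[:=]")


def sha256_hex(data: bytes) -> str:
    """The only thing that ever leaves the organisation: the SHA-256 of the file."""
    return hashlib.sha256(data).hexdigest()


def classify(data: bytes) -> str:
    """'executable' for PE/ELF/Mach-O headers, otherwise 'document'."""
    return "executable" if data.startswith(_EXECUTABLE_MAGIC) else "document"


def contains_secret_hint(data: bytes) -> bool:
    """True if the bytes look like they carry a credential, e.g. 'Passwort: ...'."""
    return _SECRET_HINT.search(data) is not None


def build_hash_lookup(data: bytes, api_key: str) -> dict:
    """Describe the hash-only request.  Note: no body and no file name are sent."""
    return {
        "method": "GET",
        "url": VT_FILE_REPORT.format(sha256=sha256_hex(data)),
        "headers": {"x-apikey": api_key},
        "body": None,
    }


def decide(data: bytes) -> str:
    """Gate for an automated pipeline.

    'hash_lookup' : ask for the report on the hash; uploading is never an option.
    'quarantine'  : a document with credential hints does not leave the
                    organisation at all and goes to an analyst instead.
    """
    if classify(data) == "document" and contains_secret_hint(data):
        return "quarantine"
    return "hash_lookup"


if __name__ == "__main__":
    # Constructed sample resembling the forwarded e-mail described in the article.
    sample = b"Subject: Zugang Lageportal\r\nBenutzer: vdma\r\nPasswort: hunter2\r\n"
    print(decide(sample))                                            # quarantine
    print(build_hash_lookup(b"MZ\x90\x00", "EXAMPLE_KEY")["url"])     # report URL by hash
```

The gate is deliberately conservative: the lookup returns nothing for a file VirusTotal has never seen, which is exactly the case where an automated uploader would leak an internal document, so an unknown hash is routed to a human rather than to the platform.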

Google wants to improve its leak controls

When asked, the BSI confirmed to SPIEGEL that it was aware of the leak: "The BSI assumes that the data is authentic." The fact that BSI employees are also affected is considered "uncritical", and no risk assessment can be carried out for the other affected persons. VirusTotal can be a valuable source of information on IT security issues, the authority continues. "However, the BSI strongly advises the federal authorities not to upload any files to VirusTotal." By accepting the terms of use, users explicitly agree to the transfer of data to third parties. The authority sees no contradiction in raising awareness about the use of VirusTotal by means of a security warning while using the service itself: "The BSI uses VirusTotal as a source of information, but does not upload any files to this service itself."

Deutsche Telekom says that the leak is known and that it has already exchanged information with VirusTotal. For its own company, "no critical impact" was found: "The most likely attack scenario from the data would be spear phishing. The affected employees have been informed of this." The company also "generally does not upload suspicious files to VirusTotal".

When asked, a spokeswoman for Google Cloud said that a VirusTotal employee had "inadvertently exposed a small portion" of customer data on VirusTotal: "We removed the list from the platform within an hour of uploading it." Google is working to improve its internal processes and technical controls to prevent such incidents in the future.