ctipilot.ch

Lithuania Centre of Registers breach — ~600,000 property/legal-entity records exfiltrated via abused institutional API credentials; foreign-state actor suspected; agency head resigned

incident · incident:lithuania-centre-of-registers-2026

Coverage timeline: 1 (first 2026-05-27 → last 2026-05-27)
Briefs: 1 (1 distinct)
Sources cited: 13 (8 hosts)
Sections touched: 1 (active_threats)
Co-occurring entities: 4 (see Related entities below)

Story timeline

  1. 2026-05-27 · CTI Daily Brief — 2026-05-27
     active_threats: First coverage. ~600k records from Real Estate Register / Register of Legal Entities; credential abuse of authorised institutional accounts from foreign infrastructure; names/DOB/national-ID/cadastral data; Russia-suspected; CoR head resigned.

Where this entity is cited

  • active_threats: 1

Source distribution

  • attack.mitre.org: 5 (38%)
  • thehackernews.com: 2 (15%)
  • euronews.com: 1 (8%)
  • lrt.lt: 1 (8%)
  • therecord.media: 1 (8%)
  • welivesecurity.com: 1 (8%)
  • microsoft.com: 1 (8%)
  • scworld.com: 1 (8%)

Related entities

All cited sources (13)

Items in briefs about Lithuania Centre of Registers breach — ~600,000 property/legal-entity records exfiltrated via abused institutional API credentials; foreign-state actor suspected; agency head resigned (3)

Lithuania's Centre of Registers loses ~600,000 state-register records to abused institutional credentials; foreign-state actor suspected

From CTI Daily Brief — 2026-05-27 · published 2026-05-27

Lithuania's Prosecutor General's Office disclosed that attackers accessed more than 600,000 records from the Centre of Registers — the state enterprise that manages the Real Estate Register and the Register of Legal Entities — over a window running from early April to disclosure (The Record, 2026-05-26). The access vector was not a software exploit but credential abuse: attackers obtained and misused login credentials assigned to institutions authorised to query the registers, originating the connections from foreign-administered infrastructure (The Record, 2026-05-26). Exfiltrated fields include names, dates of birth, national ID numbers, property addresses, cadastral numbers and registry identifiers; contact details, bank accounts and payment data were reported as not in the stolen set. Lithuanian officials publicly framed the incident as likely the work of a foreign country, with one politician alleging Russian-intelligence hallmarks, and the head of the Centre of Registers resigned within days (Euronews, 2026-05-25; LRT, 2026-05-22). Reporting cross-references comparable intrusions against Slovakia's land register and Ukraine's state registers.

Why it matters to us: property and corporate-entity registers are high dossier-value targets — they let an intelligence service resolve home addresses and asset holdings for officials, diplomats and military personnel — and the identical register-API architecture is in production across every EU member state, Switzerland's commercial register (Zefix) and cantonal land registries included. The kill chain here is authorised-account abuse (T1078 Valid Accounts / T1530 Data from Cloud Storage), not a CVE: institutional service accounts querying register APIs need per-institution rate limits, MFA on the service principal, ASN/IP-range anchoring (institutional access should originate from known networks), and query-volume anomaly detection. Hunt for bulk-query bursts from institutional accounts outside business hours or from ASNs inconsistent with the institution's historical access pattern, and retain register access logs long enough to reconstruct a multi-week exfiltration window.
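The two hunts recommended above (ASN anchoring against each institution's historical access pattern, and bulk-query bursts outside business hours) as a worked example over register-API gateway logs. This is added illustration code, not anything from the Centre of Registers investigation or the brief's sources; the log line format, account names, ASNs, the 07:00–19:00 UTC business-hours window and the 5-queries-in-5-minutes threshold are all constructed assumptions that a real deployment would replace with its own gateway format and baselines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample of a register-API gateway access log, one line per query.
# The line format, account names and ASNs are hypothetical. 2026-04-12 is a Sunday.
LOG_LINES = """\
2026-04-10T09:15:02Z account=muni-planning asn=AS64500 op=cadastral_lookup
2026-04-10T09:16:40Z account=muni-planning asn=AS64500 op=cadastral_lookup
2026-04-10T10:02:11Z account=notary-office asn=AS64501 op=legal_entity_lookup
2026-04-10T16:45:30Z account=notary-office asn=AS64501 op=legal_entity_lookup
2026-04-12T02:14:07Z account=muni-planning asn=AS64999 op=cadastral_lookup
2026-04-12T02:14:31Z account=muni-planning asn=AS64999 op=cadastral_lookup
2026-04-12T02:15:02Z account=muni-planning asn=AS64999 op=cadastral_lookup
2026-04-12T02:15:44Z account=muni-planning asn=AS64999 op=cadastral_lookup
2026-04-12T02:16:19Z account=muni-planning asn=AS64999 op=cadastral_lookup
2026-04-12T02:17:05Z account=muni-planning asn=AS64999 op=cadastral_lookup
2026-04-12T14:30:00Z account=notary-office asn=AS64501 op=legal_entity_lookup
"""

# Constructed baseline: the ASNs each institutional account has historically used.
# In practice this is derived from weeks of retained access logs, not hand-written.
BASELINE_ASNS = {
    "muni-planning": {"AS64500"},
    "notary-office": {"AS64501"},
}

LINE_RE = re.compile(r"^(?P<ts>\S+) account=(?P<account>\S+) asn=(?P<asn>\S+) op=(?P<op>\S+)$")


def parse_log(text):
    """Parse gateway log lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append({"ts": ts, "account": m["account"], "asn": m["asn"], "op": m["op"]})
    return records


def asn_anomalies(records, baseline):
    """ASN anchoring: queries from an ASN the account has never used before."""
    return [(r["account"], r["asn"], r["ts"]) for r in records
            if r["asn"] not in baseline.get(r["account"], set())]


def is_off_hours(ts, start_hour=7, end_hour=19):
    """Weekend, or outside the assumed 07:00-19:00 UTC working window."""
    return ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour)


def off_hours_bursts(records, threshold=5, window=timedelta(minutes=5)):
    """Accounts whose off-hours queries contain a span of length `window`
    holding at least `threshold` queries. Returns (account, window_start, count)."""
    by_account = defaultdict(list)
    for r in records:
        if is_off_hours(r["ts"]):
            by_account[r["account"]].append(r["ts"])
    alerts = []
    for account, times in by_account.items():
        times.sort()
        best_count, best_start, left = 0, None, 0
        for right, t in enumerate(times):
            while t - times[left] > window:   # slide the window's left edge forward
                left += 1
            if right - left + 1 > best_count:
                best_count, best_start = right - left + 1, times[left]
        if best_count >= threshold:
            alerts.append((account, best_start, best_count))
    return alerts


def hunt(text, baseline):
    """Run both hunts over a log text and return the hits keyed by hunt name."""
    records = parse_log(text)
    return {"asn_anomalies": asn_anomalies(records, baseline),
            "off_hours_bursts": off_hours_bursts(records)}


if __name__ == "__main__":
    for kind, hits in hunt(LOG_LINES, BASELINE_ASNS).items():
        print(kind)
        for hit in hits:
            print("  ", hit)
```

In the sample, the Sunday 02:14–02:17 run from an unfamiliar ASN trips both hunts, while the notary office's single Sunday-afternoon query from its usual ASN trips neither, which is the behaviour you want from a hunt that is going to page someone. Both checks only work if the gateway log retains timestamp, account and source ASN for at least as long as the exfiltration window described in the brief.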

FrostyNeighbor / Ghostwriter (UNC1151) — ESET analysis corroborated, Poland / Lithuania / Ukraine in EU scope

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

ESET's 2026-05-14 analysis of activity observed since March 2026 documents an evolved spearphishing chain: (1) malicious PDFs impersonating Ukrtelecom with embedded redirect links, (2) RAR archives delivering JavaScript PicassoLoader variants, (3) server-side victim geo-validation (serves a benign PDF to non-Ukrainian IPs) with system fingerprinting every 10 minutes to determine Cobalt Strike eligibility, (4) persistence via scheduled tasks and registry modifications. The previous Polish-targeting wave exploited CVE-2024-42009 (Roundcube XSS) for credential harvesting; WinRAR CVE-2023-38831 is also referenced in the toolchain. The Belarus-aligned actor cluster (UNC1151, UAC-0057, TA445, Storm-0257, Umbral Bison, White Lynx) targets governmental, industrial, healthcare, and logistics sectors. EU scope: Poland, Lithuania, and Ukraine confirmed; broader Eastern European public-sector exposure inferred (ESET WeLiveSecurity; The Hacker News; daily 2026-05-15).

No named EU victim disclosures this run. Status update from the W19 long-running record (item:apt28-apt29-unc1151): ESET's documentation of the geofencing and 10-minute fingerprinting cadence is new operational detail not present in the W19 ABW tri-attribution coverage. Detection: outbound connections to Canarytokens-style endpoints used for fingerprinting; scheduled-task creation with random GUIDs spawned from Office process trees (T1053.005); child processes of WinRAR or archive handlers executing JavaScript (T1059.007); PicassoLoader staging behaviours.

FrostyNeighbor / Ghostwriter (UNC1151, Belarus state-aligned): ESET documents March–May 2026 campaign targeting Polish, Lithuanian, and Ukrainian government and industrial sectors

From CTI Daily Brief — 2026-05-15 · published 2026-05-15

ESET published a new technical report on 2026-05-14 documenting fresh operational activity from FrostyNeighbor — a cluster ESET and Mandiant track as Ghostwriter / UNC1151 / UAC-0057, assessed as apparently Belarus state-aligned — against Polish, Lithuanian, and Ukrainian government and industrial organisations across a March–May 2026 wave (ESET WeLiveSecurity, 2026-05-14). The Ukraine strand distributes RAR archives via spear-phishing PDFs impersonating Ukrtelecom; the archives drop a JavaScript downloader (a PicassoLoader variant) that fingerprints the victim environment (username, process list, OS version) and beacons every 10 minutes to operator infrastructure. A server-side geofencing check delivers a benign decoy to IPs outside Ukraine, making emulation from a non-Ukrainian network appear clean. Polish and Lithuanian targeting covers industrial/manufacturing, healthcare and pharmaceuticals, logistics, and government organisations — ESET documents victimology spanning both NATO member states in the same campaign wave. Once operators manually approve a victim, a Cobalt Strike Beacon payload is staged, indicating deliberate victim-vetting prior to full post-compromise operations. MITRE ATT&CK: T1566.001 (Spearphishing Attachment), T1027 (Obfuscated Files), T1059.007 (JavaScript), T1082 (System Information Discovery — victim-vetting step), T1105 (Ingress Tool Transfer — Cobalt Strike staging). Detection: alert on JavaScript execution from browser/document-viewer parent-process trees, followed by 10-minute periodic outbound HTTP(S) beacons to a new destination; test detections with Ukrainian-egress routing to bypass the geofencing blind spot.
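The detection ideas in the W20 summary and in this brief (script hosts spawned under archive-handler, browser or document-viewer process trees; schtasks /create with a GUID-looking task name under an Office parent; a 10-minute outbound beacon cadence from the same process) as one worked example over endpoint telemetry. This is added illustration code, not ESET's, Mandiant's or the brief's own detection logic; the event schema is a simplified Sysmon-style shape, and the process images, pids, addresses, parent-image sets and the ±60-second cadence tolerance are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed process-create events (Sysmon event 1 style, simplified).
# Images, pids, paths and the GUID are hypothetical sample values.
PROC_EVENTS = [
    {"pid": 1,   "ppid": 0,   "image": "wininit.exe",  "cmdline": "wininit.exe"},
    {"pid": 100, "ppid": 1,   "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "winrar.exe",   "cmdline": "winrar.exe invoice.rar"},
    {"pid": 300, "ppid": 200, "image": "wscript.exe",  "cmdline": "wscript.exe C:\\Temp\\invoice.js"},
    {"pid": 400, "ppid": 100, "image": "winword.exe",  "cmdline": "winword.exe report.docx"},
    {"pid": 500, "ppid": 400, "image": "schtasks.exe",
     "cmdline": "schtasks.exe /create /tn {3f2504e0-4f89-11d3-9a0c-0305e82c3301} /tr C:\\Temp\\u.js /sc minute"},
    {"pid": 600, "ppid": 100, "image": "chrome.exe",   "cmdline": "chrome.exe"},
    {"pid": 700, "ppid": 100, "image": "cscript.exe",  "cmdline": "cscript.exe C:\\Admin\\inventory.vbs"},
]

# Constructed network-connect events (Sysmon event 3 style): (pid, destination, epoch seconds).
# pid 300 connects roughly every 600 s; pid 600 is an ordinary browser session.
NET_EVENTS = [
    (300, "203.0.113.10", 1000), (300, "203.0.113.10", 1600),
    (300, "203.0.113.10", 2201), (300, "203.0.113.10", 2798),
    (600, "198.51.100.5", 1005), (600, "198.51.100.5", 1010),
    (600, "198.51.100.5", 1040), (600, "198.51.100.5", 3040),
]

# Assumed process sets; tune to the estate's actual archive tools, browsers and viewers.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
ARCHIVE_OR_VIEWER = {"winrar.exe", "7zfm.exe", "acrord32.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
GUID_RE = re.compile(r"\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}", re.I)


def ancestors(pid, procs):
    """Parent-image chain for pid, nearest parent first; stops at unknown pids or cycles."""
    by_pid = {p["pid"]: p for p in procs}
    chain, seen, cur = [], set(), by_pid.get(pid)
    while cur and cur["ppid"] in by_pid and cur["ppid"] not in seen:
        seen.add(cur["ppid"])
        cur = by_pid[cur["ppid"]]
        chain.append(cur["image"].lower())
    return chain


def script_from_suspicious_parent(procs):
    """T1059.007: script host whose ancestry includes an archive handler, browser or viewer."""
    return [p["pid"] for p in procs
            if p["image"].lower() in SCRIPT_HOSTS
            and any(a in ARCHIVE_OR_VIEWER for a in ancestors(p["pid"], procs))]


def guid_task_from_office(procs):
    """T1053.005: schtasks /create with a GUID-shaped task name, spawned under an Office process."""
    hits = []
    for p in procs:
        cmd = p["cmdline"].lower()
        if (p["image"].lower() == "schtasks.exe" and "/create" in cmd and GUID_RE.search(cmd)
                and any(a in OFFICE for a in ancestors(p["pid"], procs))):
            hits.append(p["pid"])
    return hits


def periodic_beacons(net, period=600, tolerance=60, min_connections=4):
    """Per (pid, destination): flag when every inter-connection gap sits within
    `tolerance` seconds of `period`. Returns (pid, destination, connection_count)."""
    series = defaultdict(list)
    for pid, dest, ts in net:
        series[(pid, dest)].append(ts)
    hits = []
    for (pid, dest), times in sorted(series.items()):
        times.sort()
        if len(times) < min_connections:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        if all(abs(g - period) <= tolerance for g in gaps):
            hits.append((pid, dest, len(times)))
    return hits


def correlate(procs, net):
    """High-confidence set: script hosts from a suspicious parent that are also beaconing."""
    beaconing = {pid for pid, _, _ in periodic_beacons(net)}
    return [pid for pid in script_from_suspicious_parent(procs) if pid in beaconing]


if __name__ == "__main__":
    print("script hosts under archive/viewer trees:", script_from_suspicious_parent(PROC_EVENTS))
    print("GUID-named tasks under Office:", guid_task_from_office(PROC_EVENTS))
    print("periodic beacons:", periodic_beacons(NET_EVENTS))
    print("correlated:", correlate(PROC_EVENTS, NET_EVENTS))
```

The cscript.exe launched directly under explorer.exe (pid 700) is deliberately not flagged: the parent-tree condition is what separates the archive-delivered script from routine admin scripting, and the beacon-cadence rule is what turns a single-event alert into a correlated one. Because the telemetry is collected on the host, the check is independent of the server-side geofencing that hides the payload from non-Ukrainian egress.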