Attack on the government diverted R$2 million to commerce in SP – 04/24/2024 – Market


Attackers of the federal administration’s payment system, Siafi, diverted around R$2 million originally reserved for a government contract for software maintenance to the account of a commercial establishment in Campinas (SP).

The amounts were committed to Serpro (Federal Data Processing Service), but criminals used the passwords of two MGI (Ministry of Management and Innovation in Public Services) civil servants to direct the payment to the company Eliezer Toledo Bispo.

Registered under the trade name “Adonai Comércio”, the company’s main activity registered with the Federal Revenue Service is “furniture retail trade”. It also lists 15 secondary activities, such as selling travel items, cosmetics, toys and household appliances.

The operation was carried out using a random Pix key at 9:42 pm on March 28, the Thursday before a public holiday (Good Friday). The irregularity was only noticed by MGI on Monday, April 1st.

Contacted through the details registered with the Federal Revenue Service, Adonai did not answer calls and did not respond to messages. The reporters did not locate the business’s page on social media.

The Ministry of Management said it is not commenting on the case so as not to hinder the investigations.

The company is registered in a residential area of Campinas. The payment cites a series of commitments made to Serpro between 2023 and 2024 for evolutionary, adaptive and corrective software maintenance services.

Commitment is the first phase of spending, when the government commits to a certain payment. The actual payment, however, occurs at a later time.

According to documents obtained by the reporters, the government managed to recover the R$2 million after calling police authorities and the payment institution.

The attackers also used MGI passwords in other operations. They tried to move at least R$9 million from the ministry and, according to preliminary investigations, they managed to divert at least R$3.5 million (including the R$2 million recovered).

The invasion of Siafi was revealed by Folha. The National Treasury, the system’s managing body, implemented additional security measures to authenticate users authorized to operate the system and authorize payments.

The Federal Police opened an investigation into the case and is working with the support of Abin (Brazilian Intelligence Agency).

According to the document, the department headed by Esther Dweck requested on April 2nd the blocking of amounts from the account that received the diverted amount. In the email to the bank that manages the account, the ministry states that it had identified the irregular payment the day before.

“In this sense, we inform you that the ‘alleged attacks’ occurred on duly attested and appropriate invoices for a contract signed with Serpro”, says the message obtained by Folha.

On April 5, the bank sent proof of return of the funds to the ministry.

The department headed by Dweck also says, in the email, that the company designated as the destination of around R$2 million “does not have any contractual link with this ministry”.

“The payment tabs and the respective pre-docs were changed, allowing the amounts to no longer be deposited into the account of the legitimate creditor (Serpro)”, states the text.

The timing of the criminals’ action delayed the government’s detection of the embezzlement.

Siafi is a system that manages the entire financial execution of the federal government, moving billions. Therefore, the Treasury defines an operating window for the system. The platform was available from 8am to 10:30pm on March 28 and would be closed on Good Friday.

The invaders acted just minutes before Siafi closed on the eve of the holiday. Since April 11, the National Treasury has restricted the system’s operating hours to 8 am to 8 pm.

The MGI document portrays one of the operations, but there were also attempts at diversion in other bodies.

Government members claim that the TSE (Superior Electoral Court) was the target of attempts to move resources. In the Chamber, criminals also tried to make payments, but were unsuccessful because a series of security barriers prevented the transactions from being completed.

The criminals stole at least seven passwords from civil servants who have an expense originator profile, meaning they are allowed to issue bank orders in the name of the Union.

There is still no official confirmation of the amounts involved, nor which bodies were the target of the criminal action.

According to interlocutors who assist in the investigations, managers qualified to make financial transactions within Siafi had their access through gov.br used by third parties without authorization.

The investigations indicate that the attackers were able to access Siafi using the CPF and gov.br password of managers and expense originators to operate the payments platform.

The Treasury held a meeting with different government financial agents on April 12 to communicate the existence of an attack on Siafi and gov.br.

According to reports, the system’s management body reported that at the end of March, around Easter, criminals managed to take possession of a profile with privileged access within the system and used this to access bank orders and change expense originators and beneficiaries of the amounts.

As reported by Folha, the suspicion is that the attackers collected the data without authorization through password phishing (using malicious links, for example).

One of the hypotheses is that this collection lasted for months until the suspects gathered a considerable volume of passwords to carry out the attack.

Other methods may also have been used by the invaders. The platform has a mechanism that allows you to disable and recreate access based on the user’s CPF, which may have enabled misuse of the system.


UNDERSTAND THE CASE

What is Siafi?
Siafi (Federal Government Integrated Financial Administration System) is an operational system developed by the National Treasury in conjunction with Serpro. It was implemented in January 1987 and, since then, it has been the main instrument used to record, monitor and control the budgetary, financial, patrimonial and accounting execution of the federal government.

It is through it that the government commits expenses (the first phase of spending, when the reserve for payment is made), as well as payments of budget allocations via the issuance of bank orders.

Who uses Siafi?
Managers of direct public administration bodies, local authorities, foundations and federal public companies and mixed capital companies that are included in the Federal Tax Budget or Social Security Budget.

What is under investigation?
Attackers used valid credentials belonging to civil servants and accessed Siafi using the CPF and password of these managers and expense originators to operate the payments platform. The Federal Police (PF) is investigating the case with support from Abin. The government is still investigating the extent of the impacts.
