Attack on the government diverted R$6.7 million from the TSE with eight operations in one minute


MATEUS VARGAS AND IDIANA TOMAZELLI
BRASILIA, DF (FOLHAPRESS)

Attackers of the federal administration’s payment system, Siafi, diverted R$6.7 million from the TSE (Superior Electoral Court) in eight different operations carried out in one minute.

The transactions, carried out on April 16, used the stolen access credentials of two agency employees to authorize payments via Pix.

One of the employees was registered as an expense originator. The second was a financial manager at the court.

Approval from employees in these roles is required to complete transfers. The times the passwords were used are recorded in Siafi’s bank orders.

In these eight operations, the procedure was identical. The criminals used the originator’s CPF to sign the bank order at 6:23 pm. The next minute, at 6:24 pm, they used the financial manager’s password to give the green light for payment.

In total, records show at least 16 successful attacks within an hour and 12 minutes.

The perpetrators managed to take R$11.39 million from the TSE through these operations, concentrated in one-minute intervals. They also tried to divert another R$2.22 million in six additional operations, which were canceled after rejection by the Central Bank.

The invasion of Siafi was revealed by Folha. Data extracted from the system shows that criminals embezzled at least R$15.19 million, R$3.8 million from the MGI (Ministry of Management and Innovation in Public Services), and the remaining amounts from the TSE. So far, it is known that R$2 billion has been recovered.

The Executive does not officially confirm the amounts diverted, on the grounds that the Federal Police investigation is being carried out under secrecy.

Last week, the PF collected statements from employees who had their credentials stolen by criminals. The procedure is considered a formality, given that the main hypothesis is that they were victims of the scheme.

Siafi data shows that operations involving TSE resources were concentrated at six different times, between 5:49 pm and 7:01 pm, on April 16th.

For the first embezzlements from the court, which totaled R$2.5 million, the criminals used the two stolen passwords in the same minute, first at 5:49 pm, then at 5:59 pm.

Transfers of R$6.7 million were later authorized, between 6:23 pm and 6:24 pm.

New transactions totaling R$2.19 million were made between 6:39 pm and 6:40 pm, between 6:54 pm and 6:55 pm and, finally, at 7:01 pm. The sequence was always the same: first, the originator’s signature, followed by the financial manager’s approval in the next minute.

The diverted amounts were committed to Serpro (Federal Data Processing Service), a federal public technology company, and to G4F, a company that provides information technology services.

The attackers changed the final destination of the resources to benefit the accounts of companies and individuals who do not have contracts with the government. The owners of two of these companies told Folha that they were victims of the scheme and had their data misused by criminals.

Siafi data also shows diversions of funds from MGI to three companies on March 28, the day before a public holiday (Good Friday). Ministry technicians noticed the invasion on April 1st.

One of the operations, worth R$1 million, was carried out at 9:22 pm, with both signatures in the same minute. A larger transaction, worth R$2 million, was authorized at 9:42 pm. The final action took place at 10:08 pm, with the transfer of another R$768 thousand.

In total, R$3.8 million was diverted from the portfolio.

After the attack on Siafi, the federal government tightened access to the Union’s systems and set up a task force to issue digital certificates through Serpro, which are required for employees who need to authorize payments.

The measure is a security requirement from the National Treasury after the invasion that used valid government employee credentials on the gov.br platform to divert millions in federal resources.

The Secretary of the National Treasury, Rogério Ceron, acknowledged this Monday (29) that the greater rigor in procedures has caused “operational disruption” in some bodies, but said that it is “fully justifiable” given the episode.

Ceron declined to confirm the misappropriated amounts, on the grounds that the Federal Police requested secrecy on the matter.

The suspicion is that the attackers collected the data without authorization via a password phishing scheme (using malicious links, for example).

One of the hypotheses is that this collection lasted for months until the suspects gathered a considerable volume of passwords to carry out the attack.

Other methods may also have been used by the attackers. The platform has a mechanism that allows access to be disabled and recreated based on the user’s CPF, which may have enabled misuse of the system.

UNDERSTAND THE CASE

What is Siafi?

Siafi (Federal Government Integrated Financial Administration System) is an operational system developed by the National Treasury in conjunction with Serpro. It was implemented in January 1987 and, since then, it has been the main instrument used to record, monitor and control the budgetary, financial, patrimonial and accounting execution of the federal government.

It is through it that the government commits expenses (the first phase of spending, when the reserve for payment is made), as well as payments of budget allocations via the issuance of bank orders.

Who uses Siafi?

Managers of direct public administration bodies, local authorities, foundations and federal public companies and mixed capital companies that are included in the Federal Tax Budget or Social Security Budget.

What is under investigation?

Attackers used valid employee credentials and accessed Siafi using the CPF and password of these managers and expense originators to operate the payments platform. The PF is investigating the case with support from Abin. The government is still investigating the extent of the impacts.

CHRONOLOGY OF ATTACKS

March 28

Criminals make a payment of R$2 million, via Pix, to a store in Campinas (SP) using resources that originally came from a contract between the Ministry of Management and Serpro. The operation was carried out at 9:42 pm, 48 minutes before Siafi closed on the eve of a public holiday (Good Friday). In total, R$3.8 million was diverted from the portfolio.

April 1st

MGI detects an irregular payment and initiates internal negotiations

April 2nd

The MGI notifies the National Treasury, Siafi’s management body, about the misuse of the Union’s payment system

April 3

After internal assessment, the National Treasury calls the Federal Police to investigate the case. The agency also seeks support from the Central Bank to try to block and recover the amounts

April 5th

The National Treasury calls the PF again after receiving new reports of attempted irregular payments at Siafi, this time in the Chamber of Deputies. The case is now being investigated by the Directorate for Combating Cybercrimes

April 8
The National Treasury now requires, in addition to authentication of access via gov.br, the use of a digital certificate to authorize the issuance of bank orders on behalf of the Union

April 16
The TSE is the target of new action by criminals, who manage to embezzle R$11.4 million in just over an hour

April 17th
Siafi’s management body adopts a new measure and starts requiring that two-step access verification be enabled, in which a security code is sent to the employee to complete access to the system

April 22nd
The National Treasury confirms, in a note, the misuse of employee credentials to make irregular payments at Siafi, after the case was revealed by Folha. The body also tightens security measures and starts requiring the use of a digital certificate issued by Serpro, a federal public company in the technology sector.
