Nepal’s Ministry of Education

This week’s Cyber Intelligence House Leak of the Week spotlights a significant breach affecting Moest.gov.np, Nepal’s Ministry of Education, Science and Technology.

Timeline of the Incident:
– July 14, 2025: Threat actor Kazu announced on DarkForums the sale of 1.4TB of data allegedly taken from MoEST.
– The Ministry allegedly denied any breach, stating the data was “fake” and refuting all claims in local media.
– July 16, 2025: In direct response to this denial, Kazu released over 100GB of sample data (103.9 GB, 123,822 files) as public proof, distributed via DarkForums and a Telegram channel.

Analysis shows:
– 89,000+ PDFs
– 27,000+ JPG/PNG files
– 3,400+ DOC/DOCX documents
– 1,200+ Excel files

Insights into the types of files leaked:
1. 78970_admission-letter-1647317236.jpg – Likely contains a scanned admission letter, which typically includes personal identification details and school/college enrollment data.
2. 76115_old-noc-if-already-taken-before-1724754587.pdf – “NOC” stands for No Objection Certificate, often required for official or legal processes and can contain personal identifiers, employment, or migration history.
3. 77216_invoice-letter-1645934620.pdf – Indicates a financial or billing document, which may expose payment amounts, service details, and sensitive client or vendor information.
4. 81064_offer-letteracceptance-letter-i20coecoa-1650431201.pdf – Likely an offer and/or acceptance letter related to employment or university, often containing personal data, position details, or scholarship information.
5. 76574_vatpan-certificate-of-college-1645684739.jpg – Suggests a scanned VAT or PAN certificate, which includes sensitive tax or registration numbers, names, and official credentials of the institution.

The exposed dataset includes tens of thousands of scanned PDFs, images, spreadsheets, and documents tied to student, staff, and financial information, indicating widespread exposure of institutional and personal records.

Implications
For Individuals:
1. Exposure of identity, educational, and financial documents.
2. Heightened risk of fraud and targeted social engineering.
3. Potential credential compromise leading to future attacks.

For Moest.gov.np:
1. Significant reputational damage from public data exposure.
2. Regulatory and compliance consequences from loss of sensitive records.
3. Disruption to internal operations and potential loss of trust.

Cyber Intelligence House Recommendations:
– Audit affected systems and revoke exposed credentials immediately.
– Monitor dark web and Telegram for further distribution or follow-up attacks.
– Strengthen security controls on document management and increase staff vigilance against targeted phishing.