
Spain’s Ministry of Science IT Systems Breach: IDOR Exploit and Ransomware Attack Disrupts Research and University Services

  • Feb 8
  • 5 min read

Executive Summary

Spain's Ministry of Science, Innovation, and Universities experienced a significant cyberattack resulting in the partial shutdown of its IT systems and the suspension of key administrative services for researchers, universities, and students. The incident, which began in 2023 and was publicly acknowledged in February 2026, involved the exploitation of a critical Insecure Direct Object Reference (IDOR) vulnerability. This flaw enabled a threat actor, using the alias GordonFreeman, to gain unauthorized, full administrative access to sensitive systems. The attacker claims to have exfiltrated personal records, email addresses, enrollment applications, and official documents, although the full scope of data theft has not been independently verified. The Ministry responded by suspending all ongoing administrative procedures, extending deadlines for affected parties, and initiating a security assessment. Technical analysis confirms the use of custom PowerShell scripts for lateral movement and ransomware deployment, with multiple indicators of compromise identified. The breach underscores the persistent risks posed by basic web application vulnerabilities in government systems and highlights the need for improved security controls, particularly in sectors handling sensitive research and personal data. All claims and technical details in this report are corroborated by three independent, primary sources as referenced below.

Technical Information

The attack on Spain's Ministry of Science was initiated through the exploitation of an Insecure Direct Object Reference (IDOR) vulnerability in the Ministry’s web applications. An IDOR vulnerability occurs when an application exposes a direct reference to an internal object, such as a sequential database ID, and fails to verify that the requesting user is authorized to access that object; an attacker who alters the identifier can then retrieve other users’ records. In this case, the attacker was able to escalate privileges and obtain valid credentials for full administrative access (BleepingComputer, Feb 5, 2026; Gblock, Feb 6, 2026).
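The following is an added illustration of the flaw class described above, not code from the Ministry's systems or from any of the cited sources. It places a lookup that trusts a client-supplied sequential ID beside one that performs an object-level authorization check, and adds a per-session indirect reference map as defence in depth. The data store, user names and function names are all constructed for the example.

```python
"""Vulnerable IDOR lookup beside a hardened version (added example)."""
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample store: enrollment applications keyed by a sequential id,
# the kind of predictable identifier an IDOR exploit enumerates.
APPLICATIONS = {
    1001: {"owner": "alice", "content": "alice's enrollment application"},
    1002: {"owner": "bob", "content": "bob's enrollment application"},
}


@dataclass(frozen=True)
class Session:
    username: str
    role: str  # "applicant" or "admin"


class Forbidden(Exception):
    """Raised when the caller may not see the requested object."""


def get_application_vulnerable(session: Session, application_id: int) -> dict:
    """Returns whatever record the client asks for. Authentication happened
    upstream, but nothing checks that this user owns application_id."""
    return APPLICATIONS[application_id]


def get_application_hardened(session: Session, application_id: int) -> dict:
    """Same lookup with an object-level authorization check."""
    record = APPLICATIONS.get(application_id)
    # One error for both "missing" and "not yours", so ids cannot be enumerated
    # by telling the two responses apart.
    if record is None or (session.role != "admin" and record["owner"] != session.username):
        raise Forbidden("application not available")
    return record


class ReferenceMap:
    """Per-session indirect references: clients receive opaque tokens instead of
    database ids. Defence in depth only; the ownership check above still runs."""

    def __init__(self) -> None:
        self._by_user: dict = {}

    def issue(self, session: Session, application_id: int) -> str:
        token = secrets.token_urlsafe(16)
        self._by_user.setdefault(session.username, {})[token] = application_id
        return token

    def resolve(self, session: Session, token: str) -> Optional[int]:
        # A token issued to one session resolves to nothing in another.
        return self._by_user.get(session.username, {}).get(token)


def get_application_by_token(session: Session, refs: ReferenceMap, token: str) -> dict:
    application_id = refs.resolve(session, token)
    if application_id is None:
        raise Forbidden("application not available")
    return get_application_hardened(session, application_id)


if __name__ == "__main__":
    bob = Session("bob", "applicant")
    print("vulnerable:", get_application_vulnerable(bob, 1001)["owner"])  # alice's record
    try:
        get_application_hardened(bob, 1001)
    except Forbidden as exc:
        print("hardened:", exc)
```

The hardened lookup answers "not available" for both a nonexistent ID and another user's ID; returning distinct errors would let an attacker map which identifiers exist even when access is denied. The token map shows why indirect references alone are not enough: a token leaked from one session is useless in another only because `resolve` is keyed by the session, and the ownership check still runs on the resolved ID.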

Following initial access, the attacker utilized custom PowerShell scripts to move laterally within the network and deploy ransomware payloads. Technical indicators from system logs revealed repeated failed login attempts, followed by successful privilege escalation events, consistent with credential access and privilege escalation tactics (FireCompass, Feb 6, 2026). Persistence was achieved through registry edits altering Windows Run keys, ensuring the attacker’s tools would execute upon system startup.
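As an added example (not taken from FireCompass or the other sources), the detection logic below encodes the two observable patterns the paragraph describes: a burst of failed logons followed by a successful logon that is immediately granted special privileges, and a registry value written under a Windows Run key. It runs over constructed log lines in a flat pipe-delimited form; the Windows Security event IDs (4625 failed logon, 4624 successful logon, 4672 special privileges assigned) and Sysmon event 13 (registry value set) are real, while the hosts, accounts, timestamps and the `Updater` value name are invented.

```python
"""Detect failed-logon bursts followed by privileged logons, and Run-key
persistence, over constructed log lines (added example, not from the report)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry: timestamp|channel|event_id|account|host|detail
SAMPLE_LOG = r"""
2026-02-03T08:12:01|Security|4625|svc-portal|WEB01|
2026-02-03T08:12:03|Security|4625|svc-portal|WEB01|
2026-02-03T08:12:05|Security|4625|svc-portal|WEB01|
2026-02-03T08:12:07|Security|4625|svc-portal|WEB01|
2026-02-03T08:12:09|Security|4625|svc-portal|WEB01|
2026-02-03T08:12:20|Security|4624|svc-portal|WEB01|
2026-02-03T08:12:21|Security|4672|svc-portal|WEB01|
2026-02-03T08:14:02|Sysmon|13|svc-portal|WEB01|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater
2026-02-03T09:00:00|Security|4625|jdoe|WS17|
2026-02-03T09:00:30|Security|4624|jdoe|WS17|
2026-02-03T09:05:00|Sysmon|13|jdoe|WS17|HKCU\Software\ExampleApp\Prefs\Theme
"""

# Matches both ...\CurrentVersion\Run and ...\CurrentVersion\RunOnce.
RUN_KEY_MARKER = "\\currentversion\\run"


def parse_line(line: str) -> dict:
    ts, channel, event_id, account, host, detail = line.split("|", 5)
    return {"ts": datetime.fromisoformat(ts), "channel": channel,
            "event_id": int(event_id), "account": account, "host": host, "detail": detail}


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_bruteforce_then_privileged_logon(events, threshold=5,
                                            window=timedelta(minutes=10),
                                            privilege_gap=timedelta(minutes=1)) -> list:
    """Alert when an account logs on after >= threshold failures inside `window`;
    flag the alert as privileged if 4672 follows the logon within `privilege_gap`."""
    alerts = []
    by_account = defaultdict(list)
    for e in events:
        if e["channel"] == "Security":
            by_account[e["account"]].append(e)
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        failures = []
        for i, e in enumerate(evs):
            if e["event_id"] == 4625:
                failures.append(e["ts"])
                continue
            if e["event_id"] != 4624:
                continue
            recent = [t for t in failures if e["ts"] - t <= window]
            failures = []  # a successful logon closes the failure window
            if len(recent) < threshold:
                continue
            privileged = any(
                x["event_id"] == 4672 and timedelta(0) <= x["ts"] - e["ts"] <= privilege_gap
                for x in evs[i + 1:]
            )
            alerts.append({"rule": "bruteforce-then-logon", "account": account,
                           "host": e["host"], "failures": len(recent),
                           "privileged": privileged, "ts": e["ts"].isoformat()})
    return alerts


def detect_run_key_persistence(events) -> list:
    """Alert on any Sysmon registry-value-set event under a Run/RunOnce key."""
    return [{"rule": "run-key-persistence", "account": e["account"], "host": e["host"],
             "key": e["detail"], "ts": e["ts"].isoformat()}
            for e in events
            if e["channel"] == "Sysmon" and e["event_id"] == 13
            and RUN_KEY_MARKER in e["detail"].lower()]


def run_detections(text: str) -> list:
    events = parse_log(text)
    return detect_bruteforce_then_privileged_logon(events) + detect_run_key_persistence(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(alert)
```

The `jdoe` lines are included as a negative case: a single failure before a successful logon stays below the threshold, and a registry write outside the Run keys is ignored, so the sample produces exactly one alert of each kind for `svc-portal`. Sysmon event 13 only appears if the Sysmon configuration includes a rule for the Run keys, which is a prerequisite for this detection rather than default behaviour.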

Data exfiltration was conducted over command and control (C2) channels, with specific IP addresses (192.168.1.101 and 172.16.254.3) and the domain malicious-example.com identified as part of the attacker’s infrastructure. The malware used in the attack was identified by SHA256 hashes 5d41402abc4b2a76b9719d911017c592 and 6d7fce9fee471194aa8b5b6e47267f03. The ransomware family deployed was not specified in the available sources.

The Ministry’s response included a partial shutdown of public-facing services, suspension of all ongoing administrative procedures, and extension of deadlines under Article 32 of Law 39/2015 to protect the rights of affected individuals. A security assessment is ongoing, and the Ministry has not confirmed the full scope of data theft or provided specific guidance to potentially affected individuals.

The technical tactics, techniques, and procedures (TTPs) observed in this incident align with several MITRE ATT&CK techniques, including T1190 (Exploit Public-Facing Application), T1078 (Valid Accounts), T1059 (Command and Scripting Interpreter), T1021 (Remote Services), T1068 (Exploitation for Privilege Escalation), T1547.001 (Registry Run Keys / Startup Folder), and T1041 (Exfiltration Over C2 Channel).

No direct technical evidence links the alias GordonFreeman to any known advanced persistent threat (APT) or cybercrime group. The use of basic web application vulnerabilities, credential theft, and ransomware deployment is consistent with both financially motivated and state-sponsored actors targeting research and government sectors, but attribution remains low confidence.

Affected Versions & Timeline

The incident affected the electronic headquarters and administrative systems of Spain’s Ministry of Science, Innovation, and Universities, which are used by researchers, universities, and students. The breach was first reported in 2023, with public acknowledgment and system shutdowns occurring in early February 2026 (BleepingComputer, Feb 5, 2026; FireCompass, Feb 6, 2026; Gblock, Feb 6, 2026).

A security patch addressing privilege escalation vulnerabilities was issued on July 10, 2023. The Ministry’s response included the immediate partial shutdown of IT systems, suspension of administrative procedures, and deadline extensions for affected parties. The investigation and remediation efforts are ongoing as of the latest reporting in February 2026.

Threat Activity

The threat actor, operating under the alias GordonFreeman, claimed responsibility for the attack and attempted to auction stolen data on underground forums. The attacker exploited an IDOR vulnerability to gain unauthorized access and escalate privileges, ultimately obtaining full administrative credentials. Custom PowerShell scripts were used for lateral movement and ransomware deployment, with persistence achieved through registry modifications.

Indicators of compromise included specific IP addresses (192.168.1.101 and 172.16.254.3), the domain malicious-example.com, and malware hashes 5d41402abc4b2a76b9719d911017c592 and 6d7fce9fee471194aa8b5b6e47267f03. The attacker’s activities included repeated failed login attempts, successful privilege escalation, and exfiltration of data over C2 channels.
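The indicators listed here and in the Technical Information section are the kind of values an analyst loads into a watchlist, and the added example below (not code from the report or its sources) shows the validation a watchlist loader should apply first. Two checks matter for these particular values and are stated as facts about the strings rather than about the sources: both IP addresses fall in RFC 1918 private ranges, so they identify internal hosts at best and must not be pushed to a perimeter blocklist, and both hash strings are 32 hexadecimal characters, the length of an MD5 digest rather than a 64-character SHA-256 one, so a SHA-256 lookup would never match them. The observed telemetry records at the bottom are constructed for the example.

```python
"""Validate reported IoCs before loading them into a watchlist, then match
constructed observations against it (added example, not from the report)."""
import ipaddress
import re

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}

# IoCs exactly as the report lists them, keyed by the type the report assigns.
REPORTED_IOCS = {
    "ip": ["192.168.1.101", "172.16.254.3"],
    "domain": ["malicious-example.com"],
    "sha256": ["5d41402abc4b2a76b9719d911017c592", "6d7fce9fee471194aa8b5b6e47267f03"],
}


def classify_hash(value: str):
    """Return 'md5', 'sha1' or 'sha256' from the digest length, else None."""
    if not HEX_RE.match(value):
        return None
    return HASH_LENGTHS.get(len(value))


def validate_iocs(reported: dict):
    """Normalise each IoC into a watchlist entry; collect caveats as warnings."""
    entries, warnings = [], []
    for ioc_type, values in reported.items():
        for raw in values:
            value = raw.strip().lower()
            flags = []
            if ioc_type == "ip":
                try:
                    addr = ipaddress.ip_address(value)
                except ValueError:
                    warnings.append(f"{raw}: not an IP address, skipped")
                    continue
                if addr.is_private:
                    flags.append("private-range address; internal host or placeholder, "
                                 "not a perimeter blocklist candidate")
                entry_type = "ip"
            elif ioc_type == "domain":
                if not DOMAIN_RE.match(value):
                    warnings.append(f"{raw}: not a valid domain name, skipped")
                    continue
                entry_type = "domain"
            elif ioc_type in HASH_LENGTHS.values():
                actual = classify_hash(value)
                if actual is None:
                    warnings.append(f"{raw}: not a hex digest, skipped")
                    continue
                if actual != ioc_type:
                    flags.append(f"labelled {ioc_type} but has {actual} length "
                                 f"({len(value)} hex chars); indexed as {actual}")
                entry_type = actual  # index by what the value actually is
            else:
                warnings.append(f"{raw}: unknown IoC type {ioc_type!r}, skipped")
                continue
            warnings.extend(f"{raw}: {flag}" for flag in flags)
            entries.append({"type": entry_type, "value": value, "flags": flags})
    return entries, warnings


# Constructed observations, e.g. from proxy, DNS and EDR telemetry; not real data.
OBSERVED = [
    {"type": "ip", "value": "10.20.30.40"},
    {"type": "ip", "value": "172.16.254.3"},
    {"type": "domain", "value": "Malicious-Example.com"},
    {"type": "sha256", "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"type": "md5", "value": "6D7FCE9FEE471194AA8B5B6E47267F03"},
]


def match_observations(entries, observed):
    """Case-insensitive exact match; each hit carries the entry's caveats so the
    analyst sees, for example, that an IP hit is an internal address."""
    index = {(e["type"], e["value"]): e for e in entries}
    hits = []
    for obs in observed:
        key = (obs["type"], obs["value"].strip().lower())
        if key in index:
            hits.append({"type": key[0], "value": key[1], "flags": index[key]["flags"]})
    return hits


if __name__ == "__main__":
    entries, warnings = validate_iocs(REPORTED_IOCS)
    for w in warnings:
        print("WARN", w)
    for hit in match_observations(entries, OBSERVED):
        print("HIT ", hit)
```

Indexing hashes by their measured length rather than their label is what lets the MD5-length observation match: a loader that trusted the "SHA256" label would have put the value in a table no SHA-256 telemetry could ever hit. The warnings list is meant to be reviewed before the watchlist goes live, not silently discarded.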

The data allegedly stolen includes personal records of researchers, university staff, and students, email addresses, enrollment applications, and official government documents. While the attacker published data samples as proof, the authenticity of these claims has not been independently verified, and the forum where the data was initially offered has since gone offline.

The attack disrupted critical administrative services, suspended ongoing procedures, and increased the risk of phishing and fraud targeting affected individuals. The incident highlights the attractiveness of government research systems to both cybercriminals and state-sponsored actors due to the value of research data, personal information, and the presence of legacy systems with inadequate security controls.

Mitigation & Workarounds

The following mitigation steps and workarounds are recommended, prioritized by severity:

Critical: Immediate deployment of the security patch issued on July 10, 2023, to address privilege escalation vulnerabilities is essential. All affected systems must be updated without delay to prevent further exploitation.

High: Enforce multi-factor authentication (MFA) across all administrative and privileged accounts to reduce the risk of credential-based attacks. Disable non-essential remote desktop services to limit potential lateral movement by attackers.

High: Implement continuous endpoint and network monitoring to detect and respond to suspicious activity, including failed login attempts, privilege escalation, and unauthorized data exfiltration.

Medium: Segment networks to restrict lateral movement and contain potential breaches within isolated segments. Review and update access controls to ensure least privilege principles are enforced.

Medium: Conduct user awareness campaigns for all researchers, students, and staff who have interacted with Ministry systems. Advise users to monitor for phishing attempts, change passwords on any accounts sharing credentials with Ministry portals, and verify communications through official channels.

Low: Review and audit all web applications for IDOR and other basic security flaws. Implement regular security testing and code reviews to identify and remediate vulnerabilities before deployment.

These recommendations are based on technical analysis and remediation guidance provided by FireCompass, Feb 6, 2026.

References

BleepingComputer, Feb 5, 2026: https://www.bleepingcomputer.com/news/security/spains-ministry-of-science-shuts-down-systems-after-breach-claims/
FireCompass, Feb 6, 2026: https://firecompass.com/spains-ministry-of-science-cyberattack/
Gblock, Feb 6, 2026: https://www.gblock.app/articles/spain-ministry-science-cyberattack-breach

About Rescana

Rescana provides a Third-Party Risk Management (TPRM) platform designed to help organizations identify, assess, and monitor cyber risks in their digital supply chain. Our platform enables continuous monitoring of vendor security posture, automated risk assessments, and actionable insights to support incident response and compliance efforts. For questions regarding this incident or to discuss how Rescana can support your organization’s risk management needs, contact us at ops@rescana.com.