▣ Breach LITHUANIA-LAND-REG 2026-06-02

Lithuanian Centre of Registers: Suspected Hostile State Credential Abuse

Lithuania's Centre of Registers (Registrų centras) was quietly drained for months using legitimate Migration Department credentials, exposing more than 600,000 land and legal entity records. The Prosecutor General's Office disclosed the breach on May 22, 2026, and President Gitanas Nausėda publicly characterized the operation as "hostile state" in nature on May 27. Direct financial losses sit at roughly €111,000 (about $129,000), but the strategic exposure is far larger.

What Happened

The intrusion was discovered in early April 2026 after irregular query patterns surfaced inside the Centre of Registers. Investigators determined that valid accounts assigned to Lithuania's Migration Department, an institution legitimately authorized to query the registry, were being used to extract records at scale. No software vulnerability was exploited; the attackers operated entirely within the bounds of trusted access. Centre of Registers chief Adrijus Jusas resigned shortly after the disclosure, citing "years of underinvestment in state IT infrastructure" and estimating that €60 million is required to modernize the systems. Opposition leader Laurynas Kasčiūnas stated the operation carried "the hallmarks of a Russian intelligence operation," though Lithuanian authorities have not issued a formal attribution.

What Was Taken

The theft pulled records from two of Lithuania's most sensitive civil databases: the Real Estate Register and the Legal Entities Register. Exposed fields include:

Bank account numbers, payment data, and official scanned documents were not part of the affected datasets. In a country of 2.8 million people, however, 600,000 records represent a substantial cross-section of the adult population, including politicians, judges, prosecutors, dissidents, and foreign nationals sheltering in Vilnius.

Why It Matters

For a hostile intelligence service, the value of this dataset is not financial. Combining names, national IDs, and exact home addresses produces a targeting package suitable for surveillance, coercion, recruitment, or kinetic action against named individuals. Belarusian and Russian dissidents residing in Lithuania, EU sanctions officials, and members of the judiciary handling sensitive cases are all plausibly indexed inside the stolen records. The breach also illustrates how an attacker who compromises one government tenant can pivot into another through trusted inter-agency access pathways, a structural risk for every government operating a centralized national registry.

The Attack Technique

The operation was a credential abuse campaign, not an exploit chain. Adversaries acquired and used valid Migration Department logins authorized to query the Centre of Registers, blending into normal inter-agency traffic for months before detection. The chosen access path bypassed perimeter controls entirely, since the queries originated from a legitimate trusted party. The slow extraction tempo and the long dwell time, combined with the targeting profile of the data pulled, are consistent with a patient state-aligned collection operation rather than a financially motivated intrusion. How the Migration Department credentials were initially compromised, whether through phishing, infostealer malware, or insider compromise, has not been publicly disclosed.

What Organizations Should Do

  1. Treat inter-agency or partner integrations as high-value access paths and apply per-query risk scoring, not just authentication checks.
  2. Enforce phishing-resistant MFA (FIDO2/WebAuthn) on every account with query access to sensitive registries, including third-party tenants.
  3. Implement volumetric and behavioral anomaly detection on registry queries; flag deviations from a user's or department's historical query baseline.
  4. Apply row-level access controls and purpose-binding so that a single compromised account cannot enumerate the full dataset.
  5. Audit infostealer marketplaces and credential dumps for exposed government identities, and rotate credentials proactively on hits.
  6. Establish a cross-agency breach simulation that specifically models compromise of a trusted partner integration, not just direct intrusion.
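
One way to implement item 3 against a slow extraction like the one described above, as an added example that is not part of the original brief: instead of watching daily query volume, it counts the distinct records each account has touched over a window and compares that with the peers in the same department. The log schema, account names, thresholds and sample rows are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

def build_sample_log():
    """Constructed audit rows: (day, department, account, record_id)."""
    rows = []
    # Three ordinary accounts: 5 lookups/day over a small, recurring case set.
    for acct in ("migr-a", "migr-b", "migr-c"):
        for day in range(30):
            for i in range(5):
                rows.append((day, "migration", acct, f"{acct}-case-{(day + i) % 40}"))
    # One account draining slowly: 6 lookups/day, never the same record twice.
    for day in range(30):
        for i in range(6):
            rows.append((day, "migration", "migr-x", f"rec-{day * 6 + i}"))
    return rows

def flag_enumeration(rows, window_days=30, k=5.0, floor=50):
    """Flag accounts whose distinct-record count over the window exceeds the
    department peer baseline: max(median + k * MAD, floor)."""
    last_day = max(r[0] for r in rows)
    seen = defaultdict(set)  # (department, account) -> distinct record ids
    for day, dept, acct, rec in rows:
        if day > last_day - window_days:
            seen[(dept, acct)].add(rec)
    by_dept = defaultdict(dict)
    for (dept, acct), recs in seen.items():
        by_dept[dept][acct] = len(recs)
    alerts = []
    for dept, counts in by_dept.items():
        med = median(counts.values())
        mad = median(abs(c - med) for c in counts.values())
        # max(mad, 1) keeps the threshold meaningful when peers are identical.
        threshold = max(med + k * max(mad, 1), floor)
        for acct, n in sorted(counts.items()):
            if n > threshold:
                alerts.append({"department": dept, "account": acct,
                               "distinct_records": n, "threshold": threshold})
    return alerts

if __name__ == "__main__":
    for alert in flag_enumeration(build_sample_log()):
        print(alert)
```

In the sample, the flagged account runs only one more query per day than its peers, so a per-day volume alert would stay silent; the signal is that it never revisits a record.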

Sources: Lithuania Lost 600K Land Registry Records to Stolen Logins