Lithuanian prosecutors have opened a criminal investigation after more than 600,000 records were stolen from the state Centre of Registers, with authorities saying the unauthorised access likely originated from a foreign state. The breach, which exposed personal identification numbers tied to real estate register extracts, has already triggered the resignation of the agency's chief and prompted warnings that intelligence officers' data may be among the exposed records.
What Happened
The Centre of Registers, Lithuania's state agency responsible for managing property and personal data, confirmed that attackers extracted more than 600,000 records from its systems. Prosecutors confirmed that several unauthorised logins and access attempts were carried out from a foreign state, leveraging systems administered by other Lithuanian institutions. News portal 15min reported the intrusion was conducted through accounts belonging to Lithuania's Migration Department, indicating a likely supply-chain or trusted-relationship abuse pattern. Centre of Registers chief Adrijus Jusas has since resigned, and officials have declined to publicly name the foreign state or the additional institutions implicated.
What Was Taken
According to Jusas, the compromised dataset consists of real estate register extracts containing:
- Personal identification numbers (asmens kodas) of property owners
- Real estate register extract data
Officials maintain that contact details such as phone numbers and email addresses were not compromised, nor were bank account numbers, payment information, or documents relating to property transactions or court rulings. However, opposition leader Laurynas Kašiūnas warned on Facebook that data belonging to intelligence officers may be among the exposed records, elevating the breach from a privacy incident to a potential national security event. Lithuanian authorities have announced that citizens will be able to check whether their Registry Centre data was included in the stolen set.
What Was Taken at Scale
With 600,000 records exposed in a country of roughly 2.8 million people, the breach affects a meaningful percentage of Lithuania's adult population. The combination of personal identification numbers with real estate ownership records creates a high-value targeting dataset: it links identity to physical address, residency status, and financial standing inferable from property holdings. For a hostile intelligence service, that is precisely the type of correlation needed to map officials, build target dossiers, and identify cover identities.
Why It Matters
This incident reflects a recurring pattern across NATO's eastern flank: state registries and adjacent government systems are being treated as strategic intelligence targets, not just opportunistic data troves. The reported pivot through Migration Department accounts is particularly significant. Rather than breaching the Centre of Registers directly, the adversary appears to have abused legitimate interconnections between Lithuanian government agencies. This is a textbook trusted-relationship attack against federated government infrastructure, where one weak credential or compromised partner provides access to systems with far higher sensitivity. The breach also lands amid sustained hybrid pressure on Lithuania, including drone incursions and broader Russia-linked activity in the Baltics, making attribution to a hostile state-aligned actor a logical baseline assumption.
The Attack Technique
Based on prosecutor statements and reporting from 15min, the operation appears to align with the following pattern:
- Compromise or abuse of accounts at the Lithuanian Migration Department, an agency with legitimate query access to the Centre of Registers
- Use of those trusted credentials and inter-agency integrations to issue queries against the Registers from outside Lithuania
- Bulk extraction of real estate register data tied to personal identification numbers, totalling over 600,000 records
- Connections originating from a foreign state, indicating either direct remote access or routing through compromised infrastructure abroad
This is consistent with credential abuse and federated identity exploitation rather than a zero-day or perimeter breach, and it suggests weak monitoring of cross-agency query volumes and source geolocation.
What Organizations Should Do
- Audit federated and trusted-relationship access between agencies or business units. Treat partner accounts as untrusted by default and enforce least-privilege at the query level, not just the system level.
- Implement geofencing and impossible-travel detection on accounts that should only ever be used from inside the country or specific networks. Logins from foreign IP space against citizen-data systems should be a high-severity alert.
- Enforce phishing-resistant MFA (hardware keys or platform passkeys) on every account with access to population, identity, or property registries, including read-only roles.
- Deploy query-volume anomaly detection. Bulk extraction of 600,000 records via legitimate accounts should have produced a clear behavioural deviation against any baseline.
- Segment high-value record types. Records belonging to intelligence officers, judges, prosecutors, and senior officials should be flagged in the data layer so that any unusual access triggers immediate review.
- Run a tabletop exercise modelling supply-chain access from peer agencies or vendors. Validate that your detection and response playbooks cover the scenario where the attacker is "legitimately" logged in.
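The geofencing and query-volume recommendations above can be combined into one detection pass over a registry's query audit log. The sketch below is an added example, not code from the Centre of Registers or any agency named in this article; the log fields, account names, thresholds, and the `XX` country placeholder are all assumptions, and the log lines are constructed.

```python
# Added example: flag partner-account registry queries by source country and daily volume.
# Field names, accounts and thresholds are assumptions; the log lines are constructed.
import csv
import io
from collections import defaultdict
from statistics import median

ALLOWED_COUNTRIES = {"LT"}   # assumption: partner accounts are only used in-country
VOLUME_FACTOR = 10           # assumption: alert at 10x the account's median daily volume
MIN_HISTORY_DAYS = 3         # require some history before judging volume

SAMPLE_LOG = """\
date,account,agency,src_country,records_returned
2025-01-06,svc-partner-01,partner-agency,LT,120
2025-01-07,svc-partner-01,partner-agency,LT,95
2025-01-08,svc-partner-01,partner-agency,LT,140
2025-01-09,svc-partner-01,partner-agency,LT,110
2025-01-10,svc-partner-01,partner-agency,XX,40
2025-01-10,svc-partner-01,partner-agency,XX,58000
2025-01-10,svc-partner-02,partner-agency,LT,80
"""

def detect(log_text):
    """Return a sorted list of (date, account, reason) alerts."""
    daily = defaultdict(lambda: defaultdict(int))   # account -> date -> records returned
    alerts = set()
    for row in csv.DictReader(io.StringIO(log_text)):
        daily[row["account"]][row["date"]] += int(row["records_returned"])
        # Geofence: any query from outside the allowlist is an alert on its own.
        if row["src_country"] not in ALLOWED_COUNTRIES:
            alerts.add((row["date"], row["account"], "foreign-source"))
    for account, days in daily.items():
        ordered = sorted(days)                       # ISO dates sort chronologically
        for i, day in enumerate(ordered):
            history = [days[d] for d in ordered[:i]]
            if len(history) < MIN_HISTORY_DAYS:
                continue                             # new accounts need a separate policy
            # Volume: compare the day's total against the account's own median.
            if days[day] > VOLUME_FACTOR * median(history):
                alerts.add((day, account, "bulk-volume"))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The baseline is computed per account, so a partner account that is valid and authenticated still raises an alert when its behaviour departs from its own history.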
Sources: Lithuania investigates massive data breach, suspects foreign intelligence operation - LRT