Date: Feb 2014

Location: Paraguay

Summary

An Iranian hacker compromised the Network Information Center of Paraguay by exploiting a remote code execution vulnerability, gaining unauthorized access to backend systems and altering DNS records to redirect Google Paraguay's domain to a defacement page. The attacker leaked user credentials and internal data after authorities denied the breach, despite prior warnings from a cybersecurity expert about the unaddressed vulnerability. The intrusion exploited misconfigured directory permissions, enabling unrestricted access to sensitive files without requiring full server control.


Description

On February 25, 2014, an Iranian hacker operating under the alias Mormoroth compromised the Network Information Center of Paraguay (NIC.py), the registry managing Paraguay's .py country-code top-level domain. The attacker exploited a remote code execution (RCE) vulnerability in NIC.py's systems, subsequently leveraging improper directory permissions to gain root access to servers. Mormoroth documented his access through published screenshots of NIC.py's backend systems and leaked user credentials and database information obtained during the breach. While no Google systems were compromised, the hacker manipulated DNS records for google.com.py to redirect visitors to a defacement page under his control, creating the appearance of a Google Paraguay website compromise. The DNS alteration represented a targeted disruption rather than persistent access to Google infrastructure.

Mormoroth initially claimed he did not intend to publish stolen NIC.py data but reversed this decision after Paraguayan authorities publicly denied the occurrence of any breach. In a post on ha.cker.ir, he detailed his exploitation methods, noting administrators had configured directory permissions insecurely, enabling unrestricted file access. A cybersecurity expert cited by Paraguayan media outlet ABC Color revealed he had reported the same vulnerability to Paraguay’s National Computing Center five years prior but received no response, leaving the security flaw unaddressed until the breach. The incident exposed NIC.py's operational data and credential information while temporarily disrupting Google Paraguay's domain resolution. No containment actions or post-incident responses from Paraguayan authorities were documented in the available reporting.
