NuClide Research
Most recent
navigate open esc close Corpus index built 2026-06-07 23:58 UTC

← All engagement records

Case study May 2, 2026

Government AI Infrastructure Exposures

Bill Rondell, Nick Adams & Dade Murphy — May 2, 2026 — case study — 1 min read — 280 words
Sector
Other

NuClide Research, ongoing · Updated 2026-05-02

Unauthenticated Ollama instances discovered on government networks. Identified via hostname TLD filtering (.gov, .go.id, .gov.br, .gov.tw, .mil, etc.).

Structure

  • US/, United States federal and state government
  • international/CC/, all other countries, grouped by ISO country code

Discovery Method

Primary signal: Shodan port:11434 hostname:".<tld>" across 25 government TLD patterns. Unlike university sweeps (which use org:university), government nodes often don’t self-identify by org name, hostname TLD filtering is more reliable.

python3 data/ollama-recon.py --government --vpn-country id   # Indonesia focus
python3 data/ollama-recon.py --government --rotate-every 5   # rotate VPN every 5 probes

Confirmed Findings

FileOrganizationCountry/TierSeverityKey Finding
aws-govcloud.mdAWS GovCloud (us-gov-east-1)US FederalCRITICAL10 models, DeepSeek + MiniMax cloud proxy, JOSIE custom AI persona, CVE-2025-63389
indonesia-cluster.mdIndonesia Government ClusterIndonesiaCRITICAL5 nodes: 2 account takeovers, RAG pipeline on ICT ministry, Claude-distilled model on provincial server
kominfo-jateng.mdDinas Kominfo Prov. Jawa TengahIndonesia · Central JavaCRITICALAccount takeover (name=da298cd9ca86), BGE-M3 RAG pipeline, sijoli gov system
kaltara-province.mdPemerintah Provinsi Kalimantan UtaraIndonesia · N. KalimantanCRITICALAccount takeover (name=7a3686b3df54), Claude 4.6 Opus distilled model, tool-calling model

Scale (sampled 2026-05-02)

TLDGov EntityHits
.gov (via hostname)US federal + false positives14 raw / 6 GovCloud actual
.go.idIndonesia government7
.gov.brBrazil government4
.gov.twTaiwan Government Service Network3
.milFalse positives (CANTV Venezuela)2
Others1 each: MX, JP, IN3

SOP

  1. Density scan, shodan count across all TLD patterns to find where nodes cluster
  2. Connect Mullvad, geo-appropriate exit node (--vpn-country <cc>)
  3. Probe, --government --vpn-guard [--rotate-every N]
  4. Triage, takeovers first, then cloud proxies, then plain unauth
  5. Write case study, per-node if notable, cluster file if same country/org
  6. Disclose, national CERT (ID-CERT, US-CERT/CISA) + agency contact