Attacker dismantles department's server infrastructure and deletes up to 25TB of data
Jayan Chakravarty (@JayJay_Tech)
April 5, 2024
A hacktivist group in the Philippines infiltrated a server owned and operated by the government's Department of Science and Technology, deleting up to 25 terabytes of sensitive data and backups.
The group, which operated under the pseudonym “ph1ns,” targeted the department's servers on Tuesday, compromising two network-attached storage devices and gaining access to virtual servers and employee devices. The group announced that all data and backups had been deleted.
The Department of Information and Communications Technology (DICT), the government's cybersecurity agency, announced Thursday that department employees affected by the cyberattack have lost access to their computers. DICT Spokesperson Assistant Secretary Renato Paraiso told local news agencies during a Zoom press conference that the government is aware of the hacktivist group's claims and is taking steps to restore access to the DOST system.
“The attacker's initial message was somewhat political, so we're not going to ignore that this is part of hacktivism or something more sinister,” he said. The attack on DOST “left most of the data in our control and under our control,” he added.
“These also included proposed inventions whose backups and even redundancies were compromised,” Paraiso said. DICT announced that up to 25 terabytes of data stored by DOST was lost due to a cyber attack.
The hacktivist group, which carried out the attack under the banner #OpEDSA, describes itself as a civil rights organization. Its name is inspired by the EDSA People Power Revolution, a major anti-government populist movement in 1986 that forced then-dictator Ferdinand Marcos Sr. to resign. His son, Ferdinand R. Marcos Jr., currently serves as president.
The group regularly launches cyberattacks against government digital infrastructure in order to undermine the government's credibility, opening a new front for a government that is also grappling with a significant increase in state-backed attacks and espionage from China.
Analysis by Deep Web Konek, a Philippine cybersecurity firm, shows that the hacktivist group conducted extensive reconnaissance of DOST's servers before launching the attack, researching vulnerabilities in the department's web applications and inspecting accessible domains related to the targeted servers.
The attackers first executed malicious code to gain initial access to the server infrastructure, then established persistent access to the NAS devices and deleted the data stored on them. They also gained root access and administrative control over the server infrastructure before the NAS devices became unrecoverable.
“To ensure continued access to compromised systems, the attackers installed backdoors within the DOST server infrastructure. These backdoors provide persistent access and allow them to maintain control in the face of detection and removal efforts,” said Deep Web Konek.
Members of the hacktivist group contacted by the cybersecurity firm said they specifically targeted DOST's servers to expose how vulnerable the technology sector is to attacks.
“As we have researched various government agencies, we have found that the DOST is extremely vulnerable. We would like to highlight this agency to illustrate the irony of a technical professional agency being so well protected. Their network configuration wasn't bad, but they made some serious mistakes,” the hacker said.
Deep Web Konek found that the dump of stolen and deleted data includes emails exchanged within the department, human resources logs about DOST employees, attachments, approximately 70,000 Chrome HTML documents, and an images folder containing more than 10,000 embedded images.
“The comprehensive nature of the breach and the diversity of types of compromised data amplify the risks to affected individuals and organizations. Potential impacts include reputational damage, financial loss, and legal consequences,” the company said.
The Department of Science and Technology, which leads science and technology projects aimed at boosting the national economy, told Manila News it was investigating the cybersecurity incident.
DOST Secretary Renato U. Solidum Jr. said, “We are aware that this incident may cause concern among our stakeholders and the public, and I want to guarantee that we are approaching this matter with the utmost seriousness.”
“Our technology teams are working diligently to address any vulnerabilities and strengthen our cyber defenses. We will continue to strengthen our cybersecurity protocols to prevent similar incidents in the future,” he said.
The successful attack on DOST's servers exposed the continued vulnerability of the government's digital infrastructure to cyberattacks from hacktivists and external adversaries. In February, the government accused China-based attackers of hacking the websites of multiple government agencies and infiltrating government email systems (see also: Philippines blames China for hacking 6 government agencies).
In response to the rise in cyberattacks against government agencies, Marcos in February approved DICT's long-overdue five-year national cybersecurity plan, giving the agency further powers to modernize its IT infrastructure, strengthen cyber awareness, and improve incident response coordination.
Marcos also signed an executive order in January making the National Intelligence Coordinating Agency (NICA) the lead agency to direct, coordinate and integrate the government's efforts to protect national security.
The executive order also established the Office of the Deputy Director for Cyber and Emerging Threats under NICA to plan, oversee, and coordinate the agency's response to cybersecurity threats.