DICT: Hackers in China breached gov’t emails, sites

Hackers believed to be operating in China breached into the email systems and internal websites of several government agencies that used a cloud service provider, most likely to gather information, the Department of Information and Communications Technology (DICT) said on Saturday.

DICT Undersecretary for Cybersecurity Jeff Ian Dy said the department, in cooperation with the cloud service provider, detected and mitigated the situation from further escalation by shutting down the access of hackers.

Dy said it was notified two weeks ago about the cyber-attack, which targeted users of the cloud service.

Specifically for the Philippines, Dy said the hackers targeted those with “gov.ph” domains.

“So ang target niya ay government emails and websites (So the targets are government emails and websites),” he said at the Saturday News Forum in Quezon City.

The DICT official said that the email domains targeted by hackers were:

• cabsec.gov.ph
• coastguard.gov.ph
• cpbrd.congress.gov.ph
• dict.gov.ph
• doj.gov.ph
• ncws.gov.ph

ADVERTISEMENT

Dy said private domains were also targeted, including www.bongbongmarcos.com (pbbm.com.ph) —the private website of President Ferdinand "Bongbong” Marcos Jr.

The DICT official said the cyber-attack, which he described as “academically perfect,” was probably done by one of the three notorious hacking groups: Lonely Island, Meander, and Panda.

“These are believed to be advanced threat groups that operate within the ambit of Chinese territories,” Dy said.

He said the hackers specifically targeted the administrators of the said government agencies’ email domains.

“Hinahanap nila kung sino ‘yung nagla-log in as administrator, selective siya. Kapag nakita niya na ito ay administrator, ‘yun na, doon siya kukuha ng information sa iyo. Tinitingnan niya kung ilan ang mailbox ninyo so hindi niya inatake ang mga mailbox. Ang hinahanap niya administrator,” Dy said.

“Ngayon kung tatanungin niyo ano ang ginawa niya. Doon nga ako nagtataka ngayon, although the investigation is still ongoing, doon ako nagtataka, pagkakuha niya ng administrator, wala na,” he added.

The DICT said that the hackers, after determining the administrators of the email domains, may use the credentials and sensitive information of the administrators "for whatever purpose."

“Their objective may be to gather information for years and strike when the time comes,” Dy said, noting that if the hack was perpetrated by a state actor, it could be considered cyber espionage.

"But let me again emphasize with the help of [the cloud service provider] themselves and our team, along with CICC (Cybercrime Investigation and Coordinating Center) na preempt naman ito. So, we are now in the process of cleaning and removing all these traces,” he added.

Dy said the DICT had already communicated with each of the administrators of the email domains to plan the next course of action to prevent another cyber-attack.

Late last year, several government websites were attacked, such as the Philippine Health Insurance Corp. (PhilHealth) which was hit by a ransomware attack that resulted in the leak of its data.

Also hacked, last year, were the websites of the Philippine Statistics Authority (PSA), the Philippine National Police (PNP), and the Department of Science and Technology (DOST). — DVM, GMA Integrated News