Advanced cybersecurity measures block attempted hack of Philippine government sites

Usec Jeff Ian Dy announces successful defense against cyber attacks aimed at disrupting OFW services and stealing sensitive data


At a glance

  • Cyber attackers, suspected to be based in China, targeted multiple government agencies in the Philippines, including the Overseas Workers Welfare Administration (OWWA), attempting to infiltrate email and internal web systems through a third-party cloud service provider.

  • Hacker groups focus on stealth and deception. They aim to elude detection and thwart efforts to neutralize or trace them. Although an attack may be traced back to China, it could have been initiated through a compromised system, leading investigators to a misleading origin.

  • The primary aim of the cyber attack was to compromise the OWWA website and its related web applications, potentially disrupting services to overseas Filipino workers (OFWs) and compromising their data.

  • The attacks were thwarted by the extended detection and response (XDR) system implemented by OWWA, ensuring no data breach occurred.

  • Undersecretary Jeff Ian Dy said that at least three advanced persistent threat (APT) groups, namely Lonely Island, Meander, and Panda, which are known for sophisticated cyber espionage, were likely responsible for the attack.


Cyber attackers, suspected to be based in China, attempted to infiltrate multiple government agencies' email and internal web systems via a third-party cloud service provider, presumably aiming to collect data. According to DICT Undersecretary for Cybersecurity Jeff Ian Dy, the cyber attack was aimed at taking down the OWWA website and its related web applications. The cybersecurity experts at DICT discovered it about three weeks ago.

Dy said the DICT was able to trace the cyber attackers' command and control center to operate from within China Unicom, a Chinese state-owned telecommunications company. He said the DICT would coordinate with China Unicom to help with the investigation.

However, Dy clarified that the DICT is not implicating the Chinese government in the attack but merely noting that the perpetrators were attacking from within China's territories.

The OWWA website provides services and information to overseas Filipino workers (OFWs) and their families. Dy said the cyber attack could have disrupted the delivery of these services and compromised the OFWs' data.

The extended detection and response (XDR) system implemented by OWWA successfully thwarted the assaults, ensuring the system's protection. By aggregating and seamlessly integrating data from various security dimensions – including email, endpoints, servers, cloud workloads, and networks – XDR enhances the speed at which threats are identified. With this, Dy assured the public that the OWWA website is now secure and functional and that no data breach had occurred. 
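As an added illustration of the cross-source correlation the article credits to XDR, the script below joins email, endpoint and network telemetry for the same host inside a short time window and raises an incident only when several sources agree. This is example code written for this article, not OWWA's or any vendor's system; the events, hosts, window and threshold are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the incident in the article).
# Each record alone is weak evidence; together the ws-17 records form a
# phishing -> macro execution -> outbound beacon chain.
EVENTS = [
    {"source": "email", "ts": "2024-01-10T08:00:00", "host": "ws-17",
     "detail": "attachment opened: invoice.docm"},
    {"source": "endpoint", "ts": "2024-01-10T08:01:30", "host": "ws-17",
     "detail": "winword.exe spawned powershell.exe"},
    {"source": "network", "ts": "2024-01-10T08:03:00", "host": "ws-17",
     "detail": "outbound connection to never-before-seen domain"},
    {"source": "endpoint", "ts": "2024-01-10T09:00:00", "host": "ws-02",
     "detail": "winword.exe spawned powershell.exe"},
]

WINDOW = timedelta(minutes=10)  # assumed correlation window


def correlate(events, window=WINDOW, min_sources=3):
    """Group events per host and flag a host when events from at least
    `min_sources` distinct telemetry sources fall inside `window`.
    Returns a list of incidents, each with the sources and event chain."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append((datetime.fromisoformat(e["ts"]), e))
    incidents = []
    for host, evs in by_host.items():
        evs.sort(key=lambda pair: pair[0])
        for i, (t0, _) in enumerate(evs):
            # all events on this host within `window` of the i-th one
            cluster = [e for t, e in evs[i:] if t - t0 <= window]
            sources = {e["source"] for e in cluster}
            if len(sources) >= min_sources:
                incidents.append({"host": host, "sources": sorted(sources),
                                  "chain": [e["detail"] for e in cluster]})
                break  # one incident per host is enough for triage
    return incidents


if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(inc["host"], inc["sources"], "->", " | ".join(inc["chain"]))
```

With the default threshold only ws-17 is raised; ws-02 shows the same endpoint event but no corroborating email or network signal, which is the kind of single-source alert an analyst would otherwise have to chase by hand.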

The DICT also reported that it foiled another cyber attack that targeted various government email addresses, including the Philippine Coast Guard (PCG) and President Marcos's private website. MB Technews learned that the government, Coast Guard, DFA, DepEd, and UP are among the mail systems with compromised accounts. 

Dy said at least three advanced persistent threat groups carried out the attack, which could be classified as cyber espionage.

Dy added that one of three notorious advanced persistent threat (APT) hacking groups, Lonely Island, Meander, or Panda, probably carried out the attack.


What is APT?

APT, or Advanced Persistent Threat, is a type of sophisticated cyberattack that aims to steal sensitive data or cause damage to a target network over a long period of time.

Advanced Persistent Threat (APT) groups typically have various objectives when they attack a nation. These objectives often align with the strategic needs of the government that sponsors them. Netscout, a global cybersecurity company, enumerated the common purposes behind APT group attacks.

  • Geopolitical Interests: Governments often use APT groups to monitor and infiltrate nearby nations to gain intelligence about economic or military activities, intentions, or strategies.

  • Intellectual Property Theft: APT groups often aim to steal intellectual property to advance the economic or military goals of the host nation. Stealing proprietary technology can save billions of dollars in research and development costs, giving the offending country a competitive advantage.

  • Disinformation Campaigns: APT groups increasingly use cyber activities to sow disinformation to influence the voting population in targeted nations.

Graphus AI, a cybersecurity company specializing in defending against highly sophisticated social engineering and zero-day attacks, said that APT attacks are also used for espionage. The goal of an APT attack is often to gain access to systems and information that can be exploited for espionage purposes. Graphus also added that one of the goals is infrastructure damage, as some APT attacks aim to damage a rival nation's infrastructure or economy. The specific objectives of an APT group can vary widely and are often closely guarded secrets of the sponsoring country.

Possible APT group attackers

Lonely Island, Meander, and Panda are the names of some Advanced Persistent Threat (APT) groups that are involved in cyberattacks and espionage. Usec Dy mentioned these groups as the most likely to have initiated the attack. States or organizations with specific political or economic interests usually sponsor APT groups. They use sophisticated techniques and tools to infiltrate, compromise, and steal data from their targets, including governments, corporations, media outlets, and individuals.

Lonely Island is a suspected Iranian APT group that targets maritime and naval organizations, especially in the Middle East. It uses custom Sea Turtle malware to hijack its victims' domain name system (DNS) records and redirect their traffic to malicious servers.

Meander is a suspected Chinese APT group that targets political and diplomatic entities, mainly in Europe and Asia. It uses various malware to gain remote access and exfiltrate data from its victims.

Panda is a generic name for several Chinese APT groups. They have different names and objectives but share some common characteristics and tools. Some of the most well-known Panda groups are APT10, APT12, and APT41. They target various sectors, such as defense, government, high-tech, media, telecommunications, and electronics. Among the suspected groups, APT41 is unique among China-based actors in that it leverages non-public malware typically reserved for espionage campaigns in what appears to be activity for personal gain. Its operations suggest a dual intent: to collect proprietary or customer data for commercial or operational purposes that serve strategic requirements related to national priorities, or to create additional access and vectors to facilitate future campaigns.

Global cybersecurity company Mandiant claims that APT41 is highly connected to China. "APT41 targeted a hotel's reservation systems ahead of Chinese officials staying there, suggesting the group was tasked to study the facility for security reasons", Mandiant reported (https://www.mandiant.com/resources/blog/apt41-dual-espionage-and-cyber-crime-operation).

With all this information pointing to China as the likely source of the attack, it's crucial to understand that Advanced Persistent Threat (APT) groups operate with a focus on stealth and deception. Hackers aim to elude detection and thwart efforts to neutralize or trace them. These groups typically avoid using their sponsoring country's network infrastructure directly for attacks. Although an attack may be traced back to China, it could have been initiated through a compromised system, leading investigators to a misleading origin.


Next steps


Through a statement from Undersecretary Jeffrey Dy, the DICT has initiated the primary and most urgent measures that the Philippine government can undertake in response to the incidents targeting the email systems of the OWWA and other governmental bodies. The DICT has informed the public and affected individuals about the incident promptly and transparently, acknowledging the attempted breach and outlining the immediate steps taken to contain it.

What the government could do next is offer guidance and support to individuals whose data may have been compromised, including resources for identity theft protection and credit monitoring.

It is also important to keep the public informed about the investigation's progress and any new developments related to the attack through official channels.

The government needs to prioritize securing critical government infrastructure potentially vulnerable to cyberattacks, such as power grids, communication networks, and financial institutions.

If hacking attempts are found while securing this critical infrastructure, the government should immediately coordinate with law enforcement agencies to identify and apprehend the perpetrators.

It is also important to seek international assistance. The Philippine government needs to consider seeking assistance from international cybersecurity experts and organizations for specialized expertise and resources.