DICT traces hack attempts to China
The Department of Information and Communications Technology (DICT) on Saturday said that it had blocked cyberattacks from “within China” on the Overseas Workers Welfare Administration (Owwa), and on the mailboxes of the DICT itself, the Philippine Coast Guard (PCG) and President Marcos’ official website.
Communications and Technology Undersecretary Jeffrey Ian Dy said the attempted hacking of Owwa’s web applications about three weeks ago was made from an internet protocol (IP) address traced to a location in China, which he did not disclose.
“It was a brute force attack to take down the Owwa, but it did not succeed because we were able to attack it,” Dy said in the Saturday News Forum in Quezon City. “In our investigation, we were able to trace the attacker’s command and control operating from within China.”
He said the attackers were “coming from China Unicom,” a Chinese state-owned telecommunications company.
“I think we will need to coordinate with them so they can help us in this investigation,” he said.
Asked if the Chinese government was possibly involved in the cyberattack, Dy said: “We cannot say that. What we can say is that the threat actors were operating from within Chinese territory.”
Very sophisticated
“We will coordinate with China to help us find this group. But the point is, we don’t want to also underestimate this type of attack because it is very, very complex and sophisticated,” he said.
The agency, in cooperation with Google, also thwarted separate cyberattacks that targeted government email addresses and Google Workspaces. He did not say where the attacks came from.
Three “advanced threat groups” targeted and lurked in government mailboxes and Google Workspaces of the DICT, the PCG’s National Coast Watch and even the President’s official personal website, bongbongmarcos.com.
He said the three groups Lonely Island, Meander and Panda were suspected in these attacks.
“These are believed to be advanced threat groups that operate within the ambit of Chinese territories—that is all I can say—not necessarily government,” Dy said.
On Beijing’s radar
The PCG has been on the radar of the Chinese authorities in recent years as Beijing aggressively asserts its claims to nearly the entire South China Sea, including the West Philippine Sea, waters within the 370-kilometer exclusive economic zone of the Philippines.
Owwa is the main agency in charge of the millions of Filipinos working abroad whose billions of dollars in annual remittances provide critical economic support that helps to keep the national economy afloat.
Google informed the DICT of the attack on the Google Workspaces of the DICT and the PCG, according to Dy.
Private domains and the website of the President were targets of these attacks but these were thwarted, he said.
“In this kind of attack, they just monitor. They don’t see the contents of the emails,” he said.
‘Caught early’
“But the ploy is to check the traffic flow of emails—who sent it and who received it,” the official said. “It’s like spyware, it’s surveillance. The target is really government emails and websites.”
The suspected cyberattacks by Lonely Island, Meander and Panda were “associated with certain state-backed types of cybersecurity activities,” Dy said without identifying the possible state backers.
Unlike ransomware attacks in which perpetrators announce their spoils on the Dark Web, Dy said the attacks involved investing heavily in research and development to “hide its tracks, hence it is an advanced persistent threat.”
The communications and technology undersecretary said their analysis showed that the attackers were unable to view the contents of emails.
“It’s a good thing that we were able to defend ourselves and we caught it early. I would like to surmise that if we were not able to detect it, that could be their possible target,” he said.
‘Volt Typhoon’
While the Philippine official was careful not to directly attribute the cyberattacks to the Chinese government, the United States has said that it had recently successfully dismantled a China-based hacking network known as “Volt Typhoon.”
It accused the group of infiltrating critical US infrastructure networks with the goal of disabling them in the event of conflict, according to the French news agency, Agence France-Presse (AFP) in a report on Thursday.
The group—active since 2021—is allegedly primed to cripple sectors spanning communications, transportation and government.
The FBI has said that China has the biggest hacking program of any country.
Beijing has dismissed the claims as “groundless”—and pointed to the United States’ own history of cyberespionage.
Washington has warned that China represents “the broadest, most active and persistent cyberespionage threat” to its government and private sector.
Its hackers have become adept in recent years at breaking into rival nations’ digital systems to gather trade secrets, according to researchers and Western intelligence officials.
In 2021, the United States, Nato and other allies said China had employed “contract hackers” to exploit a breach in Microsoft email systems, giving state security agents access to sensitive information.
Chinese spies have also hacked the US energy department, utility companies, telecommunications firms and universities, according to US government statements and media reports.
Beijing has been linked to 90 cyberespionage campaigns since the turn of the century—30 percent more than its close partner Russia, Benjamin Jensen, senior fellow at the Center for Strategic and International Studies, told Congress last year.
Key targets
Hackers linked to the Chinese government are targeting critical US infrastructure, preparing to cause “real-world harm” to Americans, FBI Director Christopher Wray told a congressional committee on Wednesday, according to a Reuters report.
Water treatment plants, the electric grid, oil and natural gas pipelines, and transportation hubs are among the targets of state-sponsored hacking operations, he told the House of Representatives Select Committee on competition with China.
Wray spoke the same day US officials announced that they had disrupted a sweeping Chinese cyberspying operation.
“They’re not focused just on political and military targets. We can see from where they position themselves across civilian infrastructure, that low blows aren’t just a possibility in the event of conflict, low blows against civilians are part of China’s plan,” he said.
The Chinese foreign ministry did not immediately respond to a Reuters request for comment on the matter.
Wray stressed that US government concerns were not linked to Chinese Americans or Chinese nationals in the United States, who he said were themselves often targets of Beijing’s “aggression.” —WITH REPORTS FROM AFP AND REUTERS