MANILA, Philippines — Hackers believed to be operating within the country illegally gained access to the network of the Department of Science and Technology (DOST), compromising 2 terabytes’ worth of data, including research plans, designs and schematics, the Department of Information and Communications Technology (DICT) confirmed on Wednesday.
Information and Communications Technology Assistant Secretary Renato Paraiso, in an interview with the Inquirer, said the DOST had been “locked out” from retrieving the documents following the hacking incident.
“When you say locked out, you do not have access to these data. If you are the custodian, you can pull out various files and documentations. Right now, they can’t,” he explained.
Paraiso added that the DOST’s IT administrators and employees could not enter the system “because their logins were also compromised.”
This latest hacking incident involving a government agency is seen to delay the approval of pending patents and other research and development initiatives of the DOST, the DICT official said.
Local threat actors
The National Computer Emergency Response Team (NCERT) of the DICT has been deployed to investigate the matter and initial findings confirmed that local threat actors were involved in the hacking incident, which meant the cyberattack originated within the country.
“We have a fairly good idea of what happened,” Paraiso said. However, he noted they could not disclose more details at the moment, given the ongoing probe.
Asked when the DOST would fully regain control of its network, he said: “It really depends on the extent of the damage. We’re still trying to figure it out.”
For now, the NCERT has isolated systems and devices that could have been affected by the cyberattack and also inspected the Wi-Fi network as a cybersecurity measure.
“We’re doing a very thorough investigation,” Paraiso vowed.
Science and Technology Secretary Renato Solidum Jr. on Wednesday said that “immediate action” was already taken to address the hacking incident in one of their infrastructures, the second time the agency was attacked by cybercriminals.
Solidum acknowledged reports of the hacking of one of the DOST’s IT infrastructures—or the combined components such as computers, network and data platform needed to run an agency’s operations—saying that such an incident would raise concerns among their stakeholders and the public.
“[W]e want to assure you that we are treating this matter with … utmost seriousness,” he said in a statement. “Our technical teams are working diligently to address any vulnerabilities and reinforce our cyber defenses.”
Recovery plan initiated
In August last year, the National Privacy Commission said there was a leak of the email addresses of around 1,000 experts and clients registered in the DOST’s OneExpert portal.
The DOST was among the three government agencies that had a ransomware attack then, along with the Philippine National Police and the state health insurer, Philippine Health Insurance Corp.
For this particular incident, Solidum did not say what kind of hacking took place in the DOST, but he assured the public that the agency was already conducting a “comprehensive agreement” on the damage caused by the attack.
“Recovery plan has been initiated and continuous effort to revert systems will proceed as we finalize the impact assessment of the incident,” Solidum said.
A cyber advocacy group called “Deep Web Konek” posted on its Facebook page that several websites of the DOST were defaced by a “threat actor” known as a certain “ph1ns.”
According to the group, the cyberattack was part of their operation called “#OpEDSA.”
Websites still down
“The hacker, operating under the banner of #OpEDSA, executed a meticulously planned infiltration, gaining access to critical network components, including hypervisors, NAS (Network Attached Storage) devices, routers, and ultimately, securing Domain Administrator privileges,” the group claimed.
Among the affected DOST websites were its help desk site, the S&T Foundation Unit, its Health Technology Assessment Division, and three of its archive sites.
As of press time, these DOST websites still could not be accessed.
The hacker of the DOST websites also made certain defacements, noting that the site was “seized by the Filipino people!” “Political dynasties and their oligarch allies does (sic) not represent the interests of the 99% of Filipino people,” read the hacker’s defacement, signed “#opEDSA.”
High cost of hacking
While the DICT has yet to complete the investigation, Paraiso explained that hackers could gain access remotely or online to an entity’s network.
An example is launching malicious software—or malware for short—which is designed to disrupt servers or computer networks, he noted.
Other hackers, meanwhile, target the personal devices of employees or members of an organization.
A usual scheme involves hackers sending emails embedded with suspicious links to business emails of company employees. These links lead to fake websites and trick them into providing private corporate information. The illegally obtained data can then be used by the hackers to enter the system.
Paraiso explained that hackers’ motivations might differ but some were financially motivated, referring to those launching ransomware attacks. In this digital attack, hackers hold a system or data hostage until a ransom is paid.
Organizations in the Philippines usually spend about P55 million or $1 million to resolve a single data breach and pay off a ransom to regain system access, according to an estimate by cybersecurity company Fortinet.
Two-fold increase
About 56 percent of the surveyed organizations in the Philippines said they saw a two-fold increase in ransomware attacks last year compared to 2022, Fortinet said, noting more digital threats of the same kind were expected to trouble businesses this year.
Ian Felipe, country manager of enterprise technology company Trend Micro Philippines, earlier said that government agencies were the usual targets of cyberattacks given the significant amount of sensitive information they handle.
Meanwhile, cybersecurity group Deep Web Konek said on Wednesday there was an “allegedly massive 152-GB (gigabyte) leak of the Philippine Citizen Identity Card, which most likely the Philippine Statistics Authority,” adding it was “working on the veracity of the leak.”
Paraiso said this cyberattack was not yet confirmed.