What we know so far: China-based hackers targeting government servers

Unidentified hackers had tried to breach servers used by overseas Filipino workers and the Google Workspace that hosts the Philippine government’s email and storage for non-confidential information, DICT Undersecretary Jeffrey Ian Dy said during a House hearing on Tuesday.

Here is what we know so far about the most recent hacking attempts of government servers:

OWWA records 17,000 hacking attempts

The DICT first bared in a news forum on February 3 that it had blocked cyberattacks targeting the Overseas Workers Welfare Administration’s (OWWA) web applications.

Dy clarified during the news forum that the hackers who targeted OWWA — which it traced back to a state-owned telecommunications operator in China — were different from the threat actors that attempted to compromise the government’s Google Workspace domains.

During the Tuesday hearing of the House committees on information and communications and public information, Dy shared the findings of the DICT’s joint investigation with the Cybercrime Investigation and Coordinating Center (CICC) on recent hacking attempts into government systems.

Dy said that the OWWA was targeted multiple times from December to at least February 4 and it had recorded at least 17,000 hacking attempts from January alone coming from multiple Chinese IP addresses, Dy added.

How was the hacking attempt carried out? Dy said that the hackers deployed multiple “brute force attacks, which use a trial-and-error approach to systematically guess login information, credentials and encryption keys.”

Dy confirmed that their investigation shows that the attackers had multiple IP addresses coming from “cnc.net, which is located in China.”

“Our investigation currently holds circumstantial evidence suggesting that alleged perpetrators may have operated through Chinese networks and utilized tactics, techniques and procedures used by known Chinese threat actors,” Dy said.

Dy said that there is not enough evidence that indicate these hacking attempts are connected to the Chinese government as the information only shows that the hackers carried out their actions in Chinese territory.

The DICT official explained that they have confirmed that the cyberattacks were not carried out through VPN or relay servers but have yet to cross-check if the same is true “on the Chinese side.”

The Chinese embassy in Manila denied their government’s involvement into the hacking attempts of Philippine government servers, saying: “Some Filipino officials and media maliciously speculated about and groundlessly accused China of engaging in cyberattacks against the Philippines, even went as far as connecting these cyberattacks with the South China Sea disputes. Such remarks are highly irresponsible.”

‘Sophisticated’ hackers try to breach PH government’s Google accounts 

Certain threat actors also attempted to hack into the Philippine government’s Google emails and file storage in January.

Specifically, Dy said that authorities detected persistent malware infections which caused the compromise of Google Workspace administrator accounts connected to different agencies.

Google’s report also mentioned that the hackers tried to breach President Marcos’ personal website “bongbongmarcos.com,” Dy said.

The DICT official explained that the characteristics of the cyberattack indicate that the attempt was “very sophisticated,” describing it as a hacking attempt that is “theoretically perfect. Pinag-aralan (Well-studied).”

How was the hacking attempt carried out? Dy said that the threat actors appeared to have used a “remote actor trojan” that mimics a certain “Gh0stRat” application, which cannot be detected by anti-virus or anti-malware tools.

Citing intelligence reports, the DICT official said this application is also a “known Chinese persistent threat actor.”

“Based on our education guesses, based on the tactics, techniques and procedures used, we believe this could have been perpetrated by three threat actors: Lonely Island, Meander and Panda,” Dy said.

Lonely Island is based in Iran, while Meander and Panda is based in China, the DICT official added.

Unlike the hackers that used Medusa ransomware to gain access to PhilHealth data, the “Gh0strat” application does not make its presence known and keeps itself undetected through the random access memory of a computer not in use, Dy explained.

In November 2023, Cisco Talos — a global intelligence research team — reported that hackers believed to be based in China used a variation of the “Gh0stRat” application to hack into the systems of the Uzbekistan government and users in South Korea.

Next steps

Dy said that those whose Google Workspace administrator accounts were compromised have been asked to change their passwords and enable multi-factor authentication upon login.

As the DICT continues its investigation into the cyberattacks, Dy said that the dubious IP addresses have been blocked, and devices with affected accounts have been scanned and cleaned.

In recent years, the government’s servers have been repeatedly breached by cyberattacks, the largest data leak being the 2016 hacking of the Commission on Elections, which exposed the personal data and biometrics of 55 million Filipino voters.

In 2023, a breach into the PhilHealth database allowed hackers to steal millions of personal data and confidential memorandum, which they used to try to goad the government into paying a $300,000 ransom.

Despite promises by authorities to ramp up cybersecurity, according to a 2023 report by the Asia Pacific Foundation of Canada, the Philippines remains highly vulnerable to cyberattacks due to “widespread internet usage, low cybersecurity awareness, and underdeveloped cybersecurity infrastructure.”

— Cristina Chi