By Dennis Estopace and Rizal Raoul Reyes
COMPETING information-technology (IT) security firms FireEye Inc. and Trend Micro Inc. have sounded the alarm on IT-based attacks targeting Philippine government entities.
In a report titled “Advanced Persistent Threat (APT 30) and the Mechanics of a Long-Running Cyber Espionage,” FireEye said APT 30, a group allegedly sponsored by Chinese officials, is spying on the Philippines.
“Advanced threat groups like APT 30 illustrate that state-sponsored cyberespionage affects a variety of governments and organizations in the Philippines and Southeast Asian Nations,” Wias Issa, senior director at FireEye, said in a news briefing.
“Governments and businesses in the Philippines face persistent, well-resourced threat actors.”
Issa said the company has been tracking APT 30’s cyberespionage activity since 2005. He claims the group has maintained largely consistent targeting in Southeast Asia and India, including targets in Malaysia, Vietnam and Thailand.
In addition, APT 30’s attack tools, tactics and procedures (TTPs) have remained markedly consistent, since inception—a rare finding as most APT actors adjust their TTPs regularly to evade detection, according to Issa. “It’s highly unusual to see a threat group operate with similar infrastructure for a decade. One explanation for this is they did not have a reason to change to new infrastructure because they were not detected. This would suggest many organizations are not detecting these advanced attacks.”
Issa said the company is sharing its data a decade after first detecting the group because it wants to “help empower organizations in the Philippines to quickly begin to detect, prevent, analyze and respond to this established threat.”
On the other hand, TMI warns that the Philippine military is a prime target of the threat campaign called “Operation Tropic Trooper” (OpTT) that uses steganography as a main tactic.
In a statement on May 27, TMI said its research revealed OpTT is a hacking campaign active since 2012 that targets key organizations in both Taiwan and the Philippines.
“The activity uses spear-phishing e-mails that are sent to targeted entities. These e-mails contain malicious files with exploits that are designed for old Microsoft Office vulnerabilities. Once the user opens any of the attachments, an image file will be downloaded with an embedded piece of malicious code.”
TMI calls this steganography, the art of hiding information, which cybercriminals use to evade antimalware and network-perimeter detection.
“Once successful, the attack will perform several malicious routines, which include the following: stealing of any kind of data, installing a rootkit, killing processes and services, deleting files and directories and putting systems to sleep.”
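A defender-side check for the image-with-embedded-code pattern described above, added here as an example and not taken from Trend Micro’s or FireEye’s reporting. It assumes the carrier is a PNG and that hidden data sits after the IEND chunk or in a chunk whose CRC no longer matches, which is only one of several ways such content can be concealed; the sample images are constructed inline.

```python
"""Flag PNG files that carry data where a well-formed image has none.

Heuristic: a PNG ends at its IEND chunk, so bytes after it, or a chunk whose
CRC does not match its contents, are worth quarantining and inspecting.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def analyze_png(data: bytes) -> dict:
    """Return the trailing-byte count after IEND and the chunks with bad CRCs."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, bad_crc, end = len(PNG_SIG), [], None
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            raise ValueError("truncated PNG: chunk runs past end of file")
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            bad_crc.append(ctype.decode("ascii", "replace"))
        pos += 12 + length  # length field + type + body + CRC
        if ctype == b"IEND":
            end = pos
            break
    if end is None:
        raise ValueError("truncated PNG: no IEND chunk")
    return {"trailing_bytes": len(data) - end, "bad_crc_chunks": bad_crc}


def is_suspicious(data: bytes) -> bool:
    r = analyze_png(data)
    return r["trailing_bytes"] > 0 or bool(r["bad_crc_chunks"])


def _chunk(ctype: bytes, body: bytes) -> bytes:
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF))


def build_sample_png() -> bytes:
    """Constructed 1x1 RGB PNG used as the clean baseline."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one red pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


CLEAN = build_sample_png()
# Constructed: the same image with an opaque blob appended after IEND.
TAMPERED = CLEAN + b"\x00" * 16 + b"CONSTRUCTED-TRAILING-DATA"

if __name__ == "__main__":
    for name, img in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, analyze_png(img), "suspicious" if is_suspicious(img) else "ok")
```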
According to TMI, throughout March to May, it determined that 62 percent of the Tropic Trooper-related malware infections targeted Taiwanese organizations, while the remaining 38 percent zoned in on Philippine entities.
“Operation Tropic Trooper was seen to have targeted the Philippine military, which is alarming. Security must be of paramount priority for the government to avoid unwanted repercussions to critical data, government services, and worst, to the peace of communities,” Paul Oliveria, Trend Micro Philippines Inc. security focus head, was quoted in a statement as saying.
TMI said the Philippines is vulnerable because some of the computers government agencies use are outdated. The company said 13 percent of the systems in the Philippines still run on Microsoft Corp.’s Windows XP operating system.
“Given that it takes longer for larger agencies to upgrade their systems, there is a high probability that the targets of this campaign still use the vulnerable OS. This makes it easier for the threat actors to conceal malicious activity.”
Image credits: Roy Domingo