MANILA, Philippines — The Department of Information and Communications Technology (DICT) has discovered that the Chinese hackers who attacked Philippine government websites and domains early this month had used spyware and apparently intended to conduct espionage activities.
ICT Undersecretary Jeffrey Ian Dy said the DICT’s investigation has looked further into the malicious software, or malware, used by the hackers, who had worked from within China, and had identified them as belonging to Advanced Persistent Threat (APT) Group No. 18, which uses the Gh0st RAT (Remote Access Terminal) malware.
Dy added that despite the leads they have gotten in the course of their investigation, they still welcome any assistance that can be provided by the Chinese government in tracking down the hackers.
“Actually, Gh0st RAT is a spyware ... unlike...(the) Medusa ransomware (used in the) PhilHealth (Philippine Health Insurance Corp.) attack... They were after money, ransom,” he said during a virtual interview on Manila-based radio dzBB.
“This Gh0st RAT, it’s the opposite. It hides. It lurks in the deep recesses of the computer. And its objective is really to not be seen. In fact, it does not communicate with a command and control center as often, just so it can hide,” he added.
The DICT official pointed out that Gh0st RAT is being used for espionage and getting information.
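The behavior Dy describes, a remote access tool that calls home rarely so that it blends into normal traffic, is exactly what defenders look for in outbound connection logs: a destination that is contacted only a handful of times, but at long and suspiciously regular intervals. The following script is an added illustration of that detection idea and is not code from DICT, the article, or any vendor named in it. The log format, the sample lines, the host names and the IP addresses (from documentation ranges) are all constructed for the example, and the thresholds are assumptions a team would tune to its own environment.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound-connection log lines (not from any real incident).
# Format assumed for this example: "<ISO timestamp> <source host> <destination IP> <bytes out>"
SAMPLE_LOG = """\
2024-02-01T08:00:00 ws-12 203.0.113.7 312
2024-02-01T08:00:05 ws-12 198.51.100.20 4410
2024-02-01T08:00:09 ws-12 198.51.100.20 5120
2024-02-01T08:00:14 ws-12 198.51.100.20 3890
2024-02-01T14:00:01 ws-12 203.0.113.7 305
2024-02-01T20:00:03 ws-12 203.0.113.7 318
2024-02-02T02:00:00 ws-12 203.0.113.7 310
2024-02-02T08:00:02 ws-12 203.0.113.7 309
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, host, dst, bytes_out) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), host, dst, int(nbytes)))
    return records


def find_sparse_beacons(records, min_hits=4, max_jitter_ratio=0.05, min_interval_s=3600):
    """Return {(host, dst): mean_gap_seconds} for destinations that are contacted
    rarely but regularly: at least `min_hits` connections, an average gap of at
    least `min_interval_s`, and gap lengths whose spread (population standard
    deviation divided by the mean) stays within `max_jitter_ratio`.
    Thresholds are example assumptions, not recommended values."""
    times = defaultdict(list)
    for ts, host, dst, _ in records:
        times[(host, dst)].append(ts)

    suspicious = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue  # too few observations to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg < min_interval_s:
            continue  # frequent traffic: ordinary browsing, not the low-and-slow pattern sought here
        if pstdev(gaps) / avg <= max_jitter_ratio:
            suspicious[key] = avg
    return suspicious


if __name__ == "__main__":
    hits = find_sparse_beacons(parse_log(SAMPLE_LOG))
    for (host, dst), gap in hits.items():
        print(f"{host} -> {dst}: {len(hits)} candidate(s), mean callback gap {gap / 3600:.2f} h")
```

On the constructed sample, the burst of three connections to 198.51.100.20 is ignored (too few hits, and a gap of seconds), while the five contacts with 203.0.113.7, spaced almost exactly six hours apart, are flagged. In practice the same logic is run over proxy or NetFlow data for every host, and a long-baseline window matters: a beacon that checks in a few times a day only becomes visible when days or weeks of logs are examined together.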
“In fact, we know very, very little about it, except its behavior,” he said.
“(Hackers) are not in the habit of advertising their movements. They are not even in the habit of selling in the dark web, whatever they (extract from their hacking activities),” he added.
The risks of such cyber-espionage should not rule out the possibility of its being escalated to truly disruptive or destructive acts, according to Dy.
“In the realm of possibilities, then we can say that yes, it is possible that, because they are just lurking there, they can, at the right time... cause harm. In this particular case, to our government communications because their target is government email,” he said.
“APT 18, it’s a mercenary group. They get paid, either they get paid or are hired by mostly other state actors or for industrial espionage. That is really their modus operandi – to get information. These are professionals… to get information and give to whoever gets the information from them, if not state (actors),” he added.
The DICT official disclosed that they have also provided information they have gathered in their investigation to the Asia-Pacific Computer Emergency Response Team (CERT), which is expected to turn it over to China.
“We only state facts... And the fact is, that we detect, not only based on IP (internet protocol) addresses as what has been reported in media... but based on our investigation, we can say with 75-percent certainty that these attacks that we recently got emanated from China, or from within Chinese groups,” he said.
He added that they hope China can indeed provide assistance in tracking the hacker group.
“Hopefully, they can provide more intelligence about this. At the most, the real perpetrators are caught. At the minimum, to provide us more information and intelligence about these groups that are operating,” Dy said.
“We have already provided all the details, to the Asia-Pacific CERT. We have already provided the malware information that we saw, this Gh0st RAT. The world knows that this came from an APT Group No. 18 that operates from within that territory, et cetera,” he added.
The hackers are a known group, according to the DICT official.
“There is a dossier out on them; it is publicly available, (the dossier) on these Advanced Persistent Threat Groups and Actors,” he said. “This was validated not only by governments, but also by the private sector. It’s already well-known, meaning to say, this particular behavior comes from one group, they have a signature.”
Dy told The STAR that the DICT had worked with Google, multinational cybersecurity firms Mandiant and Trend Micro Inc., as well as the Cybercrime Investigation and Coordinating Center in their continuing investigation of the recent attacks on government websites.