Posts Tagged ‘Trend Micro’

Apparent attack by Russian hackers penetrated Germany’s foreign ministry — “The German government strongly urged Russia to refrain from attacks.”

March 1, 2018



Security experts discovered malware on the German foreign ministry’s network in December. The defense ministry may have been affected, too. (Michael Kappeler/Associated Press)
 February 28 at 5:51 PM
The Washington Post
German officials said Wednesday that the government’s information technology networks had been infiltrated and that evidence pointed toward a Russian hacking group that’s been implicated in high-profile cyberattacks worldwide.

The breach, acknowledged by the interior ministry in a statement, had been known since December, when security experts discovered malware in the secure computer networks of the foreign ministry, according to a senior German security official. German media outlets reported that the defense ministry also was affected.

The senior security official, who spoke on the condition of anonymity because he was not authorized to comment on the record, said the Federal Office for the Protection of the Constitution and the Federal Office for Information Security allowed the malicious program to keep running in recent months so they could monitor hacker activity. But no significant data was transmitted, according to the official. He said at some stage German officials decided to stop monitoring.

The official also said the country’s security agencies suspected that the Russian-linked hacking network known as APT28, or Fancy Bear, was behind the attack. Germany’s Süddeutsche Zeitung reported that the hackers may have had access to German governmental networks for up to a year.

Fancy Bear has previously been connected to a range of cyberattacks, including one in which phishing and malware were used to infiltrate the U.S. Democratic National Committee before the 2016 presidential election, as well as the networks of Emmanuel Macron’s election campaign before last year’s French presidential election, according to the Tokyo-based cybersecurity research group Trend Micro.

The extent of damage in Germany, if any, was not made public. The interior ministry said in a statement that the breach was “isolated and brought under control.”

Still, the revelation that sensitive systems had been penetrated, with potential Russian fingerprints, represented a major breach just three years after suspected Russian hackers broke into the computer networks at the German parliament and made off with 16 gigabytes of data, enough for about a million emails. The information stolen in that attack has never been published.

If the Russian link is proved, it could mark a potential escalation in hostilities between Moscow and the West.

“If the details reported so far are accurate, this attack represents an unprecedented incident,” said Sven Herpig, Director for International Cyber Politics at Germany’s New Responsibility Foundation. “The prior hacking of the German parliament was also problematic, but it only lasted for a short period of time.”

He indicated that whoever was behind the latest attack must have assumed that it would eventually become public.

“Following the parliamentary breach, the German government strongly urged Russia to refrain from attacks,” Herpig said. “The likelihood that such incidents become public relatively quickly is high.”

Some experts believe Fancy Bear was also behind the cyberattack on the parliament, known as the Bundestag, though other experts say there’s not sufficient proof. German security officials publicly said they believed that attack was of Russian origin.

Mekhennet reported from Frankfurt, Noack from London and Beck from Berlin. Griff Witte contributed from Athens.


Iran-linked cyber spies use simple yet effective hacks: report

July 25, 2017



A man types on a computer keyboard in front of the displayed cyber code in this illustration picture taken on March 1, 2017. REUTERS/Kacper Pempel/Illustration/File Photo REUTERS

TEL AVIV (Reuters) – A cyber spying group with links to Iran and active for the past four years is targeting countries including Israel, Saudi Arabia, Germany and the United States, security researchers said on Tuesday.

A new report by Tokyo-based Trend Micro and ClearSky of Israel detailed incidents as recent as April of this year involving a group known as “CopyKittens”.

The group targets its victims with relatively simple techniques: fake Facebook pages, compromised websites and Microsoft Word attachments carrying malicious code, according to the report.

It was seen impersonating popular media brands such as Twitter, YouTube and the BBC, and technology and security firms such as Microsoft, Intel and even Trend Micro.

“CopyKittens is very persistent, despite lacking technological sophistication and operational discipline,” the researchers said in a statement.

“These characteristics, however, cause it to be relatively noisy, making it easy to find, monitor and apply counter measures relatively quickly,” they said.

Iranian officials were not available for comment.

Ayatollah Khamenei, the Iranian Supreme Leader, pictured at a military parade

The report itself does not link the group to Iran. As a matter of company policy, Trend Micro research into state-backed attacks focuses on technical evidence and forgoes political analysis.

However, ClearSky researchers told Reuters that CopyKittens was “Iranian government infrastructure,” adding that the use of “kitten” in the industry indicates Iranian hackers, just as “panda” and “bear” refer to Chinese and Russian groups, respectively.

CopyKittens is distinct from another Iran-based cyber spy group dubbed Rocket Kitten, which since 2014 has mounted cyberattacks on high-profile political and military figures in countries near Iran as well as the United States and Venezuela.

CopyKittens has been operating since at least 2013, according to the report, though its activities were first exposed publicly in November 2015 by ClearSky and Minerva Labs. Earlier this year, ClearSky wrote another paper detailing more hacking incidents that affected some members of Germany’s parliament.

Eyal Sela, head of threat intelligence at ClearSky, said that once an initial hack against a government or commercial target is successful, CopyKittens uses that access to then attack other groups, though it tries to remain very focused.

As recently as late April, the group breached the email account of an employee in the Ministry of Foreign Affairs in Turkish Cypriot-controlled northern Cyprus and then tried to infect multiple targets in other governments, the report said.

Another time it used a document, likely stolen from Turkey’s Foreign Ministry, as a decoy.

Reporting by Tova Cohen, Ari Rabinovitch and Eric Auchard; Editing by Richard Balmforth




A prominent U.S. cyber warfare expert has admonished other cyber security experts for exaggerating the danger posed by Iran’s cyber warfare and espionage organisations and entities.

Dr. Brandon Valeriano, a Reader at Cardiff University in Wales and author of Cyber War versus Cyber Realities published by Oxford University Press in 2015, told the U.S. Senate’s Homeland Security and Governmental Affairs Committee on May 10, 2017, in Washington, DC, that Iran’s cyber warfare and espionage capabilities are inferior when compared to the capabilities of countries such as the United States, Israel, Russia, China, and those of a number of European countries.

“Iran is thought to be a serious and sophisticated cyber actor but evidence suggests the contrary to this conclusion,” Dr. Valeriano told U.S. Senators.

Citing the 2012 Shamoon cyber attacks against Saudi Arabia’s Aramco and Qatar’s RasGas thought to have been carried out by Iran, Dr. Valeriano said, “The Shamoon attacks on Saudi Arabia’s Aramco systems were destructive, but did not impede operations or wipe out critical information. Likely launched in response to the Stuxnet operation, it is also telling that the response by Iran was not to attack the alleged perpetrators directly, but to go after an ally indirectly, Saudi Arabia.”

Dr. Valeriano’s assessment is in line with other studies on Iran’s strategic behaviour that note Tehran’s preference to use indirect methods against its adversaries and avoid open conflict with militarily superior powers such as the United States and Israel.

Referencing the recent attempted espionage operation against Israeli targets by the Iranian-linked OilRig hacker group, as well as cyber-attacks carried out by other Iranian cyber proxies against U.S. financial institutions over the past few years, Dr. Valeriano pointed out that Iran’s cyber operations have been less than impressive:

Recent attacks on Israel have been reported as another telling aspect of the sophistication of Iranian cyber operations, but the reality is that the state was using released malware from the Shadowbrokers info dumps and spear phishing techniques. Similar attacks on U.S. networks have failed more often than succeeded as well. To argue that these are sophisticated attacks betrays our ability to judge information and impact in cyber security operations.

Similarly, the ongoing Shamoon II attacks against Saudi Arabian targets, again thought to be carried out by the OilRig hacker group, are underwhelming when compared to the sophisticated, effective, and even damaging cyber operations carried out by the likes of China and Russia. Dr. Valeriano noted that, “Ongoing attacks on industrial and financial networks have recently been dubbed Shamoon 2. Reports highlight that the new version of the operation builds on the 2012 attacks on Saudi oil networks and reuses 90 percent of the known code. This is not a highly new or original operation, but a continuation of old methods because targets are slow to update their systems and patch known vulnerabilities.”

Dr. Valeriano’s assessment is certainly at variance with that of many officials and analysts. Recently, for example, the U.S. Director of National Intelligence, Dan Coats, told U.S. Senators that:

Tehran continues to leverage cyber espionage, propaganda, and attacks to support its security priorities, influence events and foreign perceptions, and counter threats—including against US allies in the region. Iran has also used its cyber capabilities directly against the United States. For example, in 2013, an Iranian hacker conducted an intrusion into the industrial control system of a US dam, and in 2014, Iranian actors conducted a data deletion attack against the network of a US-based casino.

Such assessments have become the norm among officials and cyber security analysts in the West and Israel, making Dr. Valeriano’s assessment one to seriously consider if only because it is at odds with the dominant narrative on Iran’s cyber warfare and espionage capabilities.

Yet while Dr. Valeriano’s assessment questions the notion of Iranian sophistication and notoriety in cyberspace operations, it is also possible to underestimate their determination and persistence. Writing recently in The New York Times, correspondent Nicole Perlroth notes that, “By most accounts, these [Iranian-linked OilRig] hackers could best be described as the “B Team,” not nearly as sophisticated as the Chinese, Russian or Eastern European hackers whom security firms have been monitoring for more than a decade. But what OilRig’s hackers lacked in sophistication, they made up for in determination. They did their research. They were patient. When they were caught, they would wait for the dust to settle before trying again.”

It should also be pointed out that Iran has demonstrated a particular sophistication in information operations, which are often cyber-enabled, in Syria, Iraq, Yemen, Lebanon, and Bahrain, something that is rarely noticed in the West where attention is often focused on Iran’s often symbolic and indirect cyber warfare and espionage operations.

For Dr. Valeriano, however, the real danger in Iranian cyber operations lurks not so much in their capabilities and direct action, but in their prevalent use of cyber proxies. In his testimony to U.S. Senators, he said, “The main danger from Iran, just as it is in the terrorism threat vector, is the high probability that Iran will use proxy actors to attack Western targets. Enabling these actors, one group being called the Syrian Electronic Army, might be dangerous if Iran was to transfer technology to these groups who could then use known vulnerabilities in their operations.”

“But for now, Iran seems content to harass American allies, probe American networks, and reuse old malware to attack unprepared targets,” he concluded.

Original published at:

Suspected Russia hackers ‘targeted Macron campaign’

April 25, 2017

Researchers say the hacker group Pawn Storm tried to interfere in the campaign of French presidential front-runner Emmanuel Macron. US spy agencies suspect the group of having links to Russia’s intelligence apparatus.

Symbolic image of a cyberattack (picture-alliance/dpa/MAXPPP/A. Marchi)

French presidential candidate Emmanuel Macron’s political campaign was targeted by a hacker group with suspected Russian connections, a report by a cybersecurity research group said on Tuesday, bolstering previous suggestions that the Kremlin has been trying to interfere in the French elections.

Researchers with the Japan-based anti-virus firm Trend Micro said the Pawn Storm group, which is alleged to have carried out a number of high-profile hacking attacks in the West, used so-called “phishing” techniques in an attempt to steal personal data from Macron and his campaign staffers.

“Phishing” employs lookalike websites designed to fool victims into entering sensitive information such as usernames, passwords and credit card details. Trend Micro said it had recently detected four Macron-themed fake domains being created on digital infrastructure used by Pawn Storm, which is also known as Fancy Bear or APT28.
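The lookalike-domain problem described above, as an added example that is not part of the original report and not Trend Micro’s own tooling: the script below flags hostnames that impersonate an organisation’s real domains by homoglyph substitution, by typosquatting, or by embedding the brand name in a registration the organisation does not own (the pattern behind "Macron-themed fake domains"). The legitimate-domain list, brand tokens, confusables table, suffix set and sample hostnames are all constructed for illustration; the actual fake domains Trend Micro observed are not reproduced here, and the two-level suffix set is a tiny stand-in for the Public Suffix List.

```python
"""Lookalike-domain detection: flag hostnames that impersonate an organisation's
real domains. Example code added to this page (not Trend Micro's); all domain
lists, tables and sample inputs below are constructed assumptions."""
import unicodedata
from typing import Optional

# Assumed legitimate domains of the organisation being protected (hypothetical).
LEGIT_DOMAINS = {"en-marche.fr", "emmanuelmacron.fr"}
# Brand words that are suspicious anywhere in a hostname outside LEGIT_DOMAINS.
BRAND_TOKENS = ("en-marche", "enmarche", "macron")

# Single-character confusables: Cyrillic/Greek lookalikes and digit-for-letter swaps.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j",  # Cyrillic
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",                 # Greek
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",            # digits
})
# Multi-character confusables, applied after the single-character map.
MULTI_CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"))
# Suffixes under which the registrable domain has three labels (tiny stand-in
# for the Public Suffix List; an assumption for this example).
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "gouv.fr"}
TYPO_DISTANCE = 2  # edits away from a real domain that still count as a typosquat


def to_unicode(hostname: str) -> str:
    """Lower-case the name and decode punycode (xn--) labels so that
    non-Latin confusables become visible to the skeleton comparison."""
    hostname = hostname.strip().rstrip(".").lower()
    try:
        return hostname.encode("ascii").decode("idna")
    except UnicodeError:
        return hostname  # already contains non-ASCII characters


def skeleton(text: str) -> str:
    """Visual 'skeleton' of a name (a simplified Unicode TR39 confusable
    mapping): two names with the same skeleton look alike to a human."""
    s = unicodedata.normalize("NFKC", text).translate(CONFUSABLES)
    for seq, rep in MULTI_CONFUSABLES:
        s = s.replace(seq, rep)
    return s


LEGIT_SKELETONS = {skeleton(d): d for d in LEGIT_DOMAINS}


def registrable(hostname: str) -> str:
    """Registrable domain: 'mail.en-marche.fr' -> 'en-marche.fr'."""
    labels = hostname.split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typosquats a keystroke or two away."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(hostname: str) -> Optional[str]:
    """Return a verdict for one hostname, or None if nothing looks suspicious.

    Verdicts, from strongest to weakest signal:
      'homoglyph'     registered name looks identical to a legitimate domain
      'typosquat'     registered name within TYPO_DISTANCE edits of one
      'brand-themed'  a brand word appears in a hostname we do not own
    """
    host = to_unicode(hostname)
    reg = registrable(host)
    if reg in LEGIT_DOMAINS:
        return None  # genuinely ours, including our own subdomains
    reg_skel = skeleton(reg)
    if reg_skel in LEGIT_SKELETONS:
        return "homoglyph"
    if any(levenshtein(reg_skel, s) <= TYPO_DISTANCE for s in LEGIT_SKELETONS):
        return "typosquat"
    if any(tok in skeleton(host) for tok in BRAND_TOKENS):
        return "brand-themed"
    return None


def scan(hostnames) -> dict:
    """Map each suspicious hostname (e.g. from new-registration feeds or DNS
    logs) to its verdict; clean names are omitted."""
    results = {}
    for h in hostnames:
        verdict = classify(h)
        if verdict:
            results[h] = verdict
    return results


# Constructed sample: one real subdomain plus typical impersonation patterns.
SAMPLE_HOSTNAMES = [
    "mail.en-marche.fr",               # ours
    "en-rnarche.fr",                   # 'rn' read as 'm'
    "\u0435n-marche.fr",               # Cyrillic 'е' in place of Latin 'e'
    "enmarche.fr",                     # hyphen dropped
    "mail-en-marche.fr",               # brand word in a fresh registration
    "en-marche.fr.login-secure.com",   # our name as a subdomain of theirs
    "macr0n-campaign.com",             # digit swap plus brand word
    "example.org",                     # unrelated
]

if __name__ == "__main__":
    for host, verdict in scan(SAMPLE_HOSTNAMES).items():
        print(f"{verdict:13s} {host}")
```

The check runs over names as they appear in certificate-transparency logs, new-registration feeds or outbound DNS; the skeleton comparison is what catches the cases a plain string match misses, and `to_unicode` matters because an IDN lookalike arrives in logs as an opaque `xn--` label.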

Trend Micro researcher Feike Hacquebord said that determining who was behind a spying campaign was a difficult challenge in the world of cybersecurity, but that he was almost certain.

“This is not a 100 percent confirmation, but it’s very, very likely,” he said.


The Kremlin at work?

Trend Micro did not name any country as being behind Pawn Storm’s activities, but the group is widely suspected of having links to Russia’s security services.

The Kremlin is seen as a keen backer of Macron’s rival in the presidential race, Marine Le Pen, who espouses policies considered as likely to be favored by Moscow, such as France’s exit from the European Union. Macron has always staunchly advocated strengthening, rather than weakening, the bloc.

Russia has repeatedly denied accusations of trying to interfere in the French – or other – elections. On Monday, Kremlin spokesman Dmitry Peskov was quoted as saying that claims of the Kremlin’s attempting to influence the election outcome in France were “completely incorrect.”

Pawn Storm is also thought to be behind cyberattacks last summer on the US Democratic National Committee that were suspected to be aimed at undermining Hillary Clinton’s bid for the White House. Other suspected targets in recent months include media groups such as “The New York Times” and Al-Jazeera.

Presidential election in France: Emmanuel Macron (Getty Images/V. Isore/IP3). Macron is widely seen as likely to win the second round of elections on May 7.

Attempted intrusions

The head of Macron’s digital campaign, Mounir Mahjoubi, confirmed to The Associated Press that there had been attempted intrusions, but said they had all been foiled.

Mahjoubi also confirmed that at least one of the fake sites identified by Trend Micro had been recently used as part of an attempt to steal sensitive information from campaign staffers.

An internal campaign report lists thousands of attempted cyberattacks since Macron launched his campaign last year. In February, the campaign’s secretary-general, Richard Ferrand, said the scale and nature of the intrusions indicated that they were the work of a structured group and not individual hackers.

Macron, who won the first round of France’s presidential election on Sunday, will face Le Pen in a runoff on May 7.

The French elections were carefully monitored for digital interference following suspicions that hackers backed by Moscow had attempted to influence the US electoral contest in 2016.


Germany’s Federal Office for Information Security: Cyber Spies Target Germany Ahead of Election, Party Think Tanks Say

April 25, 2017

FRANKFURT — Two foundations tied to Germany’s ruling coalition parties were attacked by the same cyber spy group that targeted the campaign of French presidential favourite Emmanuel Macron, a leading cyber security expert said on Tuesday.

The group, dubbed “Pawn Storm” by security firm Trend Micro, used email phishing tricks and attempted to install malware at think tanks tied to Chancellor Angela Merkel’s Christian Democratic Union (CDU) party and coalition partner, the Social Democratic Party (SPD), Feike Hacquebord said.

Hacquebord and other experts said the attacks, which took place in March and April, suggest Pawn Storm is seeking to influence the national elections in the two European Union powerhouses.

“I am not sure whether those foundations are the actual target. It could be that they used it as a stepping stone to target, for example, the CDU or the SPD,” Hacquebord said.

The mysterious cyber spying group, also known as Fancy Bear and APT28, was behind data breaches of U.S. Presidential candidate Hillary Clinton and Merkel’s party last year, Hacquebord said.

Other security experts and former U.S. government officials link it to the Russian military intelligence directorate GRU. Hacquebord and Trend Micro have stopped short of making that connection.


Russia has denied any involvement in the cyber attacks.

Since 2014, Merkel has pushed the European Union to maintain sanctions on Russia over its actions in eastern Ukraine and Crimea. Her coalition partners, the Social Democrats, back a more conciliatory stance towards Moscow.

“What we are seeing is kind of a replication of what happened in the United States,” David Grout, a Paris-based technical director of U.S. cyber security firm FireEye, said of technical attacks and efforts to spread fake news in Europe.


Hacquebord said on Monday he had found new evidence that Macron’s campaign was targeted by Pawn Storm.

German officials have told Reuters that politicians fear sensitive emails stolen from senior lawmakers by Russian hackers in 2015 could be released before the election to damage Merkel, who is seeking a fourth term, and her conservative party.

Trend Micro uncovered efforts to break into the accounts of CDU politicians in April and May 2016. The BSI, Germany’s federal cyber security agency, confirmed these attempts but said they were unsuccessful. New attacks in 2017 suggest renewed efforts to obtain compromising data are under way, Hacquebord said.

Pawn Storm set up a fake server located in Germany to mount email phishing attacks against the CDU party’s Konrad Adenauer Foundation (KAS), and a server located in Ukraine to target the SPD’s Friedrich Ebert Foundation (FES).

A KAS spokesman said BSI warned KAS in early March of “peculiarities” but that a subsequent network scan by the government cyber security agency found “nothing suspicious”.

The BSI declined to comment, as did the Friedrich Ebert Foundation.

Kremlin spokesman Dmitry Peskov dismissed allegations of Russian involvement.

“We would be pleased if this investigative group sent us the information, and then we could check it,” Peskov told reporters on Tuesday. “Because for now it does not go beyond the boundaries of some anonymous people.”

Trend Micro published a 41-page report charting Pawn Storm attacks over the past two years, building on a dozen previous technical reports, and released a downloadable timeline of the group’s activity.

(Additional reporting by Peter Maushagen in Frankfurt, Andreas Rinke and Andrea Shalal in Berlin and Maria Tsvetkova in Moscow; Editing by Richard Lough)


“We are noticing attacks against government networks on a daily basis,” Arne Schoenbohm, president of Germany’s Federal Office for Information Security (BSI), told the newspaper Welt am Sonntag.

BSI is in close contact with election officials, political parties and German federal states to discuss how to guard against cyber attacks and stands ready to react to potential attacks ahead of the elections, Mr Schoenbohm said.

China’s Secret Weapon in South Korea Missile Fight: Hackers

April 21, 2017

China denies it is retaliating over the Thaad missile system, but a U.S. cybersecurity firm says it is

This 2015 handout photo from the U.S. Department of Defense shows a terminal High Altitude Area Defense interceptor being test launched on Wake Island in the Pacific Ocean. PHOTO: AFP PHOTO / DOD / BEN LISTERMAN

April 21, 2017 5:20 a.m. ET

Chinese state-backed hackers have recently targeted South Korean entities involved in deploying a U.S. missile-defense system, says an American cybersecurity firm, despite Beijing’s denial of retaliation against Seoul over the issue.

In recent weeks, two cyberespionage groups that the firm linked to Beijing’s military and intelligence agencies have launched a variety of attacks against South Korea’s government, military, defense companies and a big conglomerate, John Hultquist, director of cyberespionage analysis at FireEye Inc., said in an interview.


The California-based firm, which counts South Korean agencies as clients, including one that oversees internet security, wouldn’t name the targets.

While FireEye and other cybersecurity experts say Chinese hackers have long targeted South Korea, they note a rise in the number and intensity of attacks in the weeks since South Korea said it would deploy Terminal High-Altitude Area Defense, or Thaad, a sophisticated missile-defense system aimed at defending South Korea from a North Korean missile threat.

China opposes Thaad, saying its radar system can reach deep into its own territory and compromise its security. South Korea and the U.S. say Thaad is purely defensive. The first components of the system arrived in South Korea last month and have been a key issue in the current presidential campaign there.

One of the two hacker groups, which FireEye dubbed Tonto Team, is tied to China’s military and based out of the northeastern Chinese city of Shenyang, where North Korean hackers are also known to be active, said Mr. Hultquist, a former senior U.S. intelligence analyst. FireEye believes the other, known as APT10, may be linked to other Chinese military or intelligence units.

China’s Ministry of Defense said this week Beijing has consistently opposed hacking, and that the People’s Liberation Army “has never supported any hacking activity.” China has said it is itself a major hacking victim but has declined to offer specifics.

Mr. Hultquist said the two hacking groups gained access to their targets’ systems by using web-based intrusions, and by inducing people to click on weaponized email attachments or compromised websites. He declined to offer more specific details.


Recent cyberattacks attributed to Chinese state-backed groups:

  • Since February: Spear-phishing* and watering hole** attacks were conducted against South Korean government, military and commercial targets connected to a U.S. missile defense system.
  • February and March: Attendees of a board meeting at the National Foreign Trade Council were targeted with malware through the U.S. lobby group’s website.
  • Since 2016: Mining, technology, engineering and other companies in Japan, Europe and North America were intruded on through third-party IT service providers.
  • 2014–2015: Hackers penetrated a network of the U.S. Office of Personnel Management to steal records connected to millions of government employees and contractors.
  • 2011–2012: South Korean targets, including government, media, military and think tanks, were hit with spear-phishing attacks.

  *Spear-phishing: sending fraudulent emails made to look as if they come from a trusted party in order to trick a target into downloading malicious software.
  **Watering hole: a strategy in which the attacker guesses or observes which websites a targeted group often uses and infects them with malware in order to infect the group’s network.

  Sources: FireEye, Trend Micro, Fidelis, PricewaterhouseCoopers and BAE Systems, WSJ reporting
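Spear-phishing as the list above defines it, as an added example that is not code from FireEye, the WSJ or any of the sources listed: the script below parses a raw e-mail and flags the two signals the definition describes, a sender whose display name claims to be a trusted party while the address is not theirs, and an attachment type used to deliver the first-stage malware. The trusted-sender table, the extension lists and both sample messages are constructed for illustration and are not taken from the attacks reported in the article.

```python
"""Spear-phishing triage: spot a sender that only claims to be a trusted party,
and attachment types used to deliver first-stage malware. Example code added
to this page; the sender table and sample messages are constructed."""
import email
import os
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed: trusted parties and the domains they really send from (hypothetical).
TRUSTED_SENDERS = {
    "ministry of foreign affairs": {"mofa.example.kr"},
    "it helpdesk": {"corp.example"},
}
# Executable or macro-enabled attachment types: block outright.
RISKY_EXTENSIONS = {".exe", ".scr", ".hta", ".js", ".jse", ".vbs", ".wsf",
                    ".lnk", ".docm", ".xlsm", ".pptm"}
# Office formats that can still carry macros or OLE objects: hold for review.
OFFICE_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf"}


def _domain(addr: str) -> str:
    """'user@Example.KR' -> 'example.kr'; '' if there is no address."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_sender(msg: EmailMessage) -> list:
    """Findings about who the message claims to come from."""
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(addr)
    for party, real_domains in TRUSTED_SENDERS.items():
        if party in name.lower() and from_domain not in real_domains:
            findings.append(f"display_name_impersonation:{party}")
    if "@" in name:
        # '"boss@trusted.example" <drop@attacker.example>' style spoof
        findings.append("address_in_display_name")
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and _domain(reply_to) != from_domain:
        # replies (and anything the victim types into them) go elsewhere
        findings.append("reply_to_mismatch")
    return findings


def check_attachments(msg: EmailMessage) -> list:
    """Findings about attachment types. Only the final extension is used, so
    a double extension such as 'report.pdf.exe' is judged by '.exe'."""
    findings = []
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        ext = os.path.splitext(filename)[1]
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky_attachment:{filename}")
        elif ext in OFFICE_EXTENSIONS:
            findings.append(f"office_attachment:{filename}")
    return findings


def triage(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and return a verdict plus the findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = check_sender(msg) + check_attachments(msg)
    if any(f.startswith(("display_name_impersonation", "risky_attachment"))
           for f in findings):
        verdict = "block"
    elif findings:
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, "findings": findings}


# Constructed sample: display name of a real ministry, lookalike sender domain,
# off-domain Reply-To, macro-enabled Word document as the lure.
PHISH = b"""\
From: "Ministry of Foreign Affairs" <press@mofa-example-kr.com>
Reply-To: collect@mailbox.example.net
To: analyst@defense.example.kr
Subject: THAAD deployment briefing (updated)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please review the attached briefing before tomorrow's meeting.
--b1
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="briefing.docm"
Content-Disposition: attachment; filename="briefing.docm"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1--
"""

# Constructed benign message from the genuine domain with a PDF attachment.
BENIGN = b"""\
From: "Ministry of Foreign Affairs" <press@mofa.example.kr>
To: analyst@defense.example.kr
Subject: Press schedule
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="utf-8"

Schedule attached.
--b2
Content-Type: application/pdf; name="schedule.pdf"
Content-Disposition: attachment; filename="schedule.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(label, triage(raw))
```

The display-name check is deliberately independent of SPF or DKIM: a spear-phish sent from a freshly registered lookalike domain passes both, because the attacker controls that domain's DNS, and the only thing that gives it away is the mismatch between who the message says it is from and where it actually originates.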

Mr. Hultquist added that an operational-security error by one of the groups provided FireEye’s analysts with new information about the group’s origins.

South Korea’s Ministry of Foreign Affairs said last month that its website was targeted in a denial-of-service attack—one in which a flood of hacker-directed computers cripple a website—that originated in China.

A spokesman said that “prompt defensive measures” ensured that the attacks weren’t effective, adding that it was maintaining an “emergency service system” to repel Chinese hackers.

The ministry this week declined to comment further, or to say which cybersecurity firm it had employed or whether it believed the attacks were related to Thaad.

Another cybersecurity company, Russia’s Kaspersky Lab ZAO, said it observed a new wave of attacks on South Korean targets using malicious software that appeared to have been developed by Chinese speakers starting in February.

The attackers used so-called spear-phishing emails armed with malware hidden in documents related to national security, aerospace and other topics of strategic interest, said Park Seong-su, a senior global researcher for Kaspersky. The company typically declines to attribute cyberattacks and said it couldn’t say if the recent ones were related to Thaad.

The two hacking groups with alleged ties to Beijing have been joined by other so-called hacktivists—patriotic Chinese hackers acting independently of the government and using names like the “Panda Intelligence Bureau” and the “Denounce Lotte Group,” Mr. Hultquist said.

South Korea’s Lotte Group has become a particular focus of Chinese ire after the conglomerate approved a land swap this year that allowed the government to deploy a Thaad battery on a company golf course.

Last month, just after the land swap was approved, a Lotte duty-free shopping website was crippled by a denial-of-service attack, said a company spokeswoman, who added that its Chinese website had been disrupted with a virus in February. She declined to comment on its source.

China’s Ministry of Foreign Affairs didn’t respond to questions about the website attacks. The ministry has previously addressed Lotte’s recent troubles in China by saying that the country welcomes foreign companies as long as they abide by Chinese law.

The U.S. has also accused Chinese state-backed hacking groups of breaking into government and commercial networks, though cybersecurity firms say such activity has dropped since the two nations struck a cybersecurity deal in 2015.

The two Chinese hacking groups named by FireEye are suspected of previous cyberattacks.

FireEye linked Tonto Team to an earlier state-backed Chinese hacking campaign, identified by Tokyo-based cybersecurity firm Trend Micro Inc. in 2012, which focused on South Korea’s government, media and military. Trend Micro declined to comment.

Two cybersecurity reports this month accused APT10 of launching a spate of recent attacks around the globe, including on a prominent U.S. trade lobbying group. One of those reports, jointly published by PricewaterhouseCoopers LLP and British weapons maker BAE Systems, said the Chinese hacker collective has recently grown more sophisticated, using custom-designed malware and accessing its targets’ systems by first hacking into trusted third-party IT service providers.

Because of the new scrutiny from that report, FireEye said in a recent blog post that APT10 was likely to lay low, though in the longer run, it added, “we believe they will return to their large-scale operations, potentially employing new tactics, techniques and procedures.”

Write to Jonathan Cheng at and Josh Chin at



For The Philippines: 2016 Was The Year of The Hackers

January 6, 2017
File photo shows members of hackers’ group Anonymous Philippines wearing masks during a rally in Manila. KRIZJOHN ROSALES


MANILA, Philippines – The year 2016 will go down in Philippine history as a year of successful cyber heists following two major hacking incidents that rocked the country in the first half of the year.

In February, hackers siphoned off some $101 million from the account of Bangladesh Bank at the Federal Reserve Bank of New York after gaining access to the bank’s security credentials, which enabled the fraudulent money transfers.

News of the heist broke in the Philippines a month later after it was learned that as much as $81 million of the stolen money was transferred to various accounts at the Jupiter Street branch of the Rizal Commercial Banking Corp. (RCBC) in Makati City.

Also in March, an alleged voter database stolen from the website of the Commission on Elections (Comelec) was released following a breach on its online portal.

The poll body initially downplayed the breach, but concerns from various sectors grew when a user-friendly version of the database went online in April, a few weeks before the elections.

On the heels of the cybercrime incidents, the Philippine government continued to improve the country’s cybersecurity systems with the creation of the National Privacy Commission (NPC) and the passage of the law that created the Department of Information and Communications Technology (DICT).

Recently, the DICT said it was crafting the National Cybersecurity Strategy Framework 2022 to address online threats and ensure security of the Philippine cyberspace.

The Bangladesh heist

Various investigations were opened in connection with the Bangladesh bank heist, including those conducted by the Senate Blue Ribbon committee, the Anti-Money Laundering Council (AMLC) and the Bangko Sentral ng Pilipinas (BSP).

Reports on the heist showed that hackers gained access to the credentials of an operator at Bangladesh Bank, enabling them to issue fraudulent payment orders amounting to nearly $1 billion from the bank’s account at the Federal Reserve Bank of New York.

A total of $101 million was transferred ($20 million to Sri Lanka and $81 million to the Philippines) before the Federal Reserve stopped the remaining transfers.

The money transferred to Sri Lanka was recovered, but not all of the money sent to fictitious accounts at RCBC.

The Senate investigation revealed the money was transferred to remittance company Philrem, where it was converted to Philippine pesos, before being sent to various casinos.

Some $18 million has since been returned to the Bangladeshi government, with one report saying the AMLC has already accounted for around $60 million of the money, including the amount returned to Bangladesh.


Charges were filed against the Comelec in June after the supposed leak of sensitive personal information of over 50 million voters, including names, addresses, birth dates and biometric information.

Jose Ramon Albert, a senior fellow of the Philippine Institute for Development Studies, filed a complaint before the privacy commission months after a searchable website containing the information was created.

Albert, who served as secretary general of the National Statistical Coordination Board and a member of the advisory council of the United Nations Global Pulse, said Comelec failed to comply with the Data Privacy Act when it failed to disclose the nature of the breach.

Albert asked the NPC to compel Comelec to notify all affected subjects on the nature of the breach, information released and measures taken by the poll body to address the matter.

Security software company Trend Micro said cybercriminals can use the information gathered from the data breach to perform acts of extortion.

The security firm alleged the data leaked following the hacking of the Comelec website included sensitive personally identifiable information that leaves every registered voter susceptible to fraud.

The Comelec later apologized for the breach, with the National Bureau of Investigation arresting hackers supposedly behind the incident.

West Philippine Sea

Several hacking incidents related to the territorial dispute in the West Philippine Sea were also reported last year.

In July, at least 68 Philippine websites were subjected to cyber attacks after the release of the ruling on the arbitration case filed by the Philippines against China.

A high-level government source said the attacks included hacking and defacement attempts, slowdowns and distributed denial of service attacks.

Also in July, a security firm traced to China a piece of malware that supposedly tried to spy on the Philippine government and other parties related to the territorial dispute in the West Philippine Sea.

Finland-based cyber security firm F-Secure identified the malware as NanHaiShu (translated as South Sea rat), a remote access trojan that sends information from infected computers to its command server.

F-Secure noted the malware was discovered to have attacked the websites of the Department of Justice, the organizers of the 2015 Asia-Pacific Economic Cooperation summit and meetings held in Manila, and an unidentified international law firm involved in the Philippine case against China.

DICT, privacy commission

Meanwhile, the government has officially established DICT and the NPC to address issues relating to ICT and data privacy.

The privacy commission, headed by former science undersecretary Raymund Liboro, was mandated by the Data Privacy Act signed in 2012.

The commission was tasked to develop and constantly review rules and regulations covering data privacy in the country, as well as serve as an advisory body on matters affecting the protection of personal data.

A quasi-judicial body, it is also tasked to monitor compliance with the provisions of the data privacy law and to adjudicate complaints and investigations on matters affecting personal data.


Philippines elections hack ‘leaks voter data’ — Personal information for 70 million people “hacked”

April 11, 2016

BBC News

The Philippines may have suffered its worst-ever government data breach barely a month before its elections.

Personal information, including fingerprint data and passport information, belonging to around 70 million people is said to have been compromised by hackers.

The Philippine Commission on the Elections (Comelec) saw its website defaced at the end of March.

The Anonymous Philippines group has claimed responsibility for the attack.

The group said it sought to highlight “vulnerabilities” in the system, including the use of automated voting machines that will be used on 9 May.

A second hacker group called LulzSec Philippines is believed to have posted Comelec’s entire database online several days later.

Comelec claims that no sensitive information was released, according to multiple reports.

However, cybersecurity firm Trend Micro believes the incident is the biggest government-related data breach in history and that authorities are downplaying the problem.

“Every registered voter in the Philippines is now susceptible to fraud and other risks,” it said in a report.

Philippines president Benigno Aquino is set to step down after a six-year single term. Getty Images

Why the Philippines?

The Philippines general election takes place every six years and will see a new president, vice-president and more than 18,000 other officials voted into office.

Investors will closely be watching the polls given the Philippines is one of Asia’s fastest-growing economies.

This is only the third time the South East Asian nation has held automated elections and Comelec has faced criticism that security is not tight enough.

Ryan Flores, a senior manager at Trend Micro, said the government’s cybersecurity vulnerabilities could lead to the election being “sabotaged”.

“One of the more sensitive issues is that the [leaked] database is the same for the automated system being used for the election,” he told the BBC.

“Come election period, anyone who has ill intentions can modify the results.”

That was one of the reasons Anonymous Philippines cited for hacking the Comelec website.

It posted a message saying “what happens when the electoral process is so mired with questions and controversies? Can the government still guarantee that the sovereignty of the people is upheld?”

How big is this leak?

Trend Micro believes the Philippines breach may surpass the 2015 hack of the US Office of Personnel Management.

That incident saw the data on 20 million US citizens, including fingerprints and social security numbers, stolen by unknown hackers. Data taken in that attack has, so far, not been found online.

Last week, Panama law firm Mossack Fonseca saw more than 11 million documents released in what is being described as the biggest data leak in history.

Other high-profile targets in recent years where data has been stolen include online dating site Ashley Madison, US retailer Target and the entertainment arm of Sony.

The healthcare and education industries are the most affected by data breaches, according to Trend Micro.

Government agencies are the third biggest sector, followed by retail and financial industries.

Healthcare is ranked by one firm as the industry most at risk from a cyber attack. Trend Micro

What can be done to prevent similar attacks?

Mr Flores believes such breaches are likely to happen again, particularly in developing countries, and that “a stronger security mindset” was needed.

This includes the hiring of an information security team who would be responsible for highly sensitive data, as well as installing software that can track any irregularities in the network.

Mr Flores said countries like the Philippines “don’t really have any agency or mandate in the government to improve their security posture”.

“They have more pressing needs rather than digital security,” he said. “Being a third world country plays into that.”

However, he stressed that the investment was needed given there was an increasing trend of young people with technology know-how gravitating towards hacking groups.

Cybersecurity Experts Call Obamacare Website “A Hackers Paradise” — Many Red Flags

October 15, 2013

Glitches in the Obamacare website are well known, but some cyber experts are also raising red flags about the site’s security. They point to a variety of concerns.

Christian Science Monitor

By Mark Clayton
Cybersecurity professionals are voicing concerns about potential weaknesses in the new federal health care website system that could open the door to theft of personal information.

In the two weeks since the Affordable Healthcare Act site went live, most complaints have centered on long wait times, with sites initially overloaded by interested visitors. In response, government officials are scrambling to get more capacity for the main site and its satellites.

More than a week into the glitch-littered launch of the Obamacare insurance exchanges, MailOnline has learned that just 51,000 Americans have used to enroll

But potentially far more serious questions are emerging about cybersecurity. Experts have said that hackers could “spoof” the website with a look-alike website to collect personal information, or criminals could use an automated program to try repeatedly to enter the site even if it didn’t get a login correct.

Experts have stopped short of calling these concerns “vulnerabilities” – a term that means a proven weak spot to hackers. But they say these red flags need attention.

“I’ll ask you your Social Security, your date of birth, [so] an hour later I can empty your bank account,” John McAfee, who founded the cybersecurity company of the same name but is no longer associated with it, complained on Fox News. The Obamacare websites, he said, have “no safeguards,” and the main site’s architecture is “outrageous.”


John McAfee, founder of the software security company that bears his name. REUTERS

Federal officials say they have made website security a “top priority.” Marilyn Tavenner, administrator for the Centers for Medicare & Medicaid Services, which operates the system, told a congressional hearing in July: “We will use appropriate policies, procedures, standards, and implementation specifications to ensure the privacy and security of consumer data in accordance with applicable law.”

For example, the site is supposed to adhere to cybersecurity standards for the federal government set by the National Institute of Standards and Technology.

But just because all the standards are met does not mean all the holes are plugged. Some cybersecurity experts have echoed Mr. McAfee’s comments. Here are some of the red flags they raise.

Request forgery. One potential flaw with the Obamacare website would grant automated “all-Access Request For Other Sites” – which basically allows another site to make certain kinds of requests to it that could lead to “cross-site request forgery” and potentially fool the government site into releasing restricted information, writes Nidhi Shah, who works on research and development for HP’s Web Security Research Group, on a company blog. That red flag appeared on some of the site’s pages, but she admits it could not be confirmed at the time on the site’s most secure areas because of high traffic volume.

‘Clickjacking.’ The government site lacks defenses to prevent an attacker from putting an invisible layer over the legitimate website, Ms. Shah added. As a result, a user clicking on a link or button might end up at a renegade site that looked just the same – and end up divulging personal information to that site.

‘Cookie theft.’ The site appears not to use a feature that prevents access to cookies that are stored on a user’s personal computer. “ uses cookies to maintain user history on the site and [for] user identification,” Shah writes. At the very least, an attacker could grab “sensitive information such as … possible health issues, income level, and marital status.”


Do these ladies look worried? Centers for Medicare and Medicaid Services Acting Administrator Marilyn Tavenner, left, accompanied by Health and Human Services Secretary Kathleen Sebelius, speaks during  a news conference at the Health and Humans Services (HHS) Department in Washington. (AP Photo/Manuel Balce Ceneta)

Verification. A more fundamental problem is the way the website is set up, contends Christopher Budd, communications manager for Trend Micro, a Tokyo-based cybersecurity company. “The health insurance exchange isn’t made up of a single, authoritative site where people can go and register for coverage,” he wrote in a blog post. “In addition to the federal site, people can apply for coverage at sites run by individual states. Then, within each state, there can also be legitimate third-party sites that provide assistance and even broker coverage,” he said.

While the main federal site uses a key security feature called SSL to verify itself, “a survey of state and third-party sites also shows that official sites aren’t required to provide the ability to verify the site using SSL,” he writes. Many of those sites don’t authenticate, he said.

“As people look for health care exchanges, they’re going to be faced with potentially hundreds or thousands of sites that claim to be legitimate, but [they] won’t be able to easily verify that claim,” except based on how a site looks, Mr. Budd wrote.

Login fraud. Basic problems with the site could invite cybercriminals to use automated systems to hack individual accounts, according to researchers at TrustedSec in Strongsville, Ohio. They noted that there were no features to prevent an intruder from using an automated program to try repeatedly to enter the site even if its login attempts were wrong. Common tools are available to verify that a human is making the login attempt, such as putting a word on the screen that only a human can read – which would then have to be typed into a box.

“As you can imagine, the site is going to be a major target for hackers, other governments, and organized crime,” the TrustedSec researcher wrote. “There’s a lot of money to be made right now in an untapped market that is fresh for the picking.”
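The red flags above (a permissive cross-origin policy inviting request forgery, no anti-framing defense against clickjacking, cookies readable by script, sites that cannot be verified over SSL, and logins with no brute-force limit) are all things a site owner can check from the response headers and the login path. The following is an added example written for this page, not code from the article, HP, Trend Micro or TrustedSec; the URL `exchange.example` and the two sample responses are constructed for illustration and do not describe any real site. It audits a response for each defense and includes a small sliding-window login throttle for the login-fraud point.

```python
"""Audit an HTTP response for the browser-side defenses discussed above,
plus a login throttle. Added example; the sample responses are constructed."""
from collections import defaultdict, deque


def _headers(pairs, name):
    """All values of one header, case-insensitively (Set-Cookie may repeat)."""
    return [v for k, v in pairs if k.lower() == name.lower()]


def audit_response(url, header_pairs, trusted_origins=()):
    """Return a sorted list of red-flag labels for one HTTP response.

    url             -- the URL the response came from (scheme is checked)
    header_pairs    -- list of (name, value) response headers
    trusted_origins -- origins that may legitimately receive credentialed
                       cross-origin responses (assumed allowlist)
    """
    flags = set()

    # Request forgery: a wildcard cross-origin policy hands the response to
    # any site; credentialed sharing is only safe with a fixed allowlist.
    acao = _headers(header_pairs, "Access-Control-Allow-Origin")
    creds = _headers(header_pairs, "Access-Control-Allow-Credentials")
    if "*" in acao:
        flags.add("request forgery: Access-Control-Allow-Origin is *")
    if any(c.lower() == "true" for c in creds) and any(
            o not in trusted_origins for o in acao):
        flags.add("request forgery: credentialed CORS for untrusted origin")

    # Clickjacking: the page must refuse to be framed by other origins.
    xfo = [v.upper() for v in _headers(header_pairs, "X-Frame-Options")]
    csp = " ".join(_headers(header_pairs, "Content-Security-Policy")).lower()
    if not any(v in ("DENY", "SAMEORIGIN") for v in xfo) \
            and "frame-ancestors" not in csp:
        flags.add("clickjacking: no X-Frame-Options or CSP frame-ancestors")

    # Cookie theft: cookies readable by page script or sent in the clear.
    for cookie in _headers(header_pairs, "Set-Cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        if "httponly" not in attrs:
            flags.add(f"cookie theft: {name} lacks HttpOnly")
        if "secure" not in attrs:
            flags.add(f"cookie theft: {name} lacks Secure")

    # Verification: the user can only check who they are talking to over TLS.
    if not url.lower().startswith("https://"):
        flags.add("verification: not served over HTTPS")
    elif not _headers(header_pairs, "Strict-Transport-Security"):
        flags.add("verification: no Strict-Transport-Security")

    return sorted(flags)


class LoginThrottle:
    """Sliding-window limit on failed logins per client (login-fraud point)."""

    def __init__(self, max_failures=5, window_seconds=300):
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures = defaultdict(deque)  # client -> failure timestamps

    def allowed(self, client, now):
        """True if `client` may attempt a login at time `now` (seconds)."""
        q = self._failures[client]
        while q and now - q[0] > self.window:
            q.popleft()  # drop failures outside the window
        return len(q) < self.max_failures

    def record_failure(self, client, now):
        self._failures[client].append(now)


# Constructed sample responses (not captured from any real site).
WEAK = ("http://exchange.example/login", [
    ("Access-Control-Allow-Origin", "*"),
    ("Set-Cookie", "session=abc123; Path=/"),
])
HARDENED = ("https://exchange.example/login", [
    ("Access-Control-Allow-Origin", "https://exchange.example"),
    ("Access-Control-Allow-Credentials", "true"),
    ("X-Frame-Options", "DENY"),
    ("Content-Security-Policy", "frame-ancestors 'none'"),
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"),
])

if __name__ == "__main__":
    trusted = ("https://exchange.example",)
    for label, (url, hdrs) in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_response(url, hdrs, trusted_origins=trusted))
```

The weak response trips every check; the hardened one returns no flags. The header audit is only the outer layer: CSRF still needs per-request tokens or SameSite cookies on state-changing endpoints, and the throttle should be paired with the human-verification step the article describes rather than replace it.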



Former White House press secretary Robert Gibbs was extremely critical Monday of the rollout for the Affordable Care Act, saying that the glitches and delays that have beset the health exchange website should cost some officials their jobs.

Gibbs suggested during an appearance on MSNBC that the Obama administration is lucky that the public’s attention has been largely consumed with the government shutdown.

“Can you imagine if we weren’t obsessed with the shutdown what would be going on on health care?” Gibbs, now an MSNBC analyst, said. “In fact, Republicans probably would be a lot closer to their goal had they not done that.”
