'Chinese hackers have more sinister plans'

Posted at 04/28/2012 3:28 AM | Updated as of 04/28/2012 4:15 AM

MANILA, Philippines - Oh, but they were just warming up.

The week-long barrage of hackings on Philippine government websites has left the Filipino people with a sour taste in the mouth, as they woke up to official sources of information suddenly plastered with Chinese assertions on Scarborough Shoal, defaced in much the same way a vandal would spraypaint someone else's wall.

Last April 20, graduating students of the University of the Philippines who were looking for information on when they would march instead found themselves face to face with a map of Scarborough Shoal, labelled in Chinese, but with a caption that said "We come from China! Huangyan Island is Ours!"

On Monday, 3 government websites were flooded by malicious URL requests, prompting the concerned agencies to temporarily shut them down.

These are the websites of the Presidential Museum and Library (malacanang.gov.ph), the Presidential Communications Development and Strategic Planning Office (pcdspo.gov.ph), and the Official Gazette (gov.ph).

On Wednesday, the website of the Department of Budget and Management was defaced with the most callous hack yet: posted over the homepage was a window with the Chinese flag, with an exclamation, "Hacked! Owned by Chinese Hackers!"

Above the Chinese flag were the words "How Come a Small Bitch Border Country are Overconfident?And Challenged to Our Chinese Super Hacker?"

Below it, a warning: “Remember: Don’t Trouble Chinese, Don’t Play with Fire. All Members From Silic Group Hacker F**** Your Mother and All your F**** Families.”

Filipino hackers retaliated and shut down at least 16 Chinese websites.

While it infuriated many Filipinos, the attacks were still publicly perceived as mere bullying – annoying, insulting, but ultimately harmless.

While circumstantial evidence also pointed at China as the obvious culprit behind the attacks, there was no proof or confirmation that it was.

That is, until cyber forensic experts working for the Philippine government came out, and called it as they saw it.

"The source of the attacks came from China," said Undersecretary Louis Casambre, executive director of the Information and Communications Technology Office (ICTO) of the Department of Science and Technology (DOST).

In the same interview aired on ABS-CBN's "Bandila," Casambre was quick to clarify that while the jump-off point was China, in theory, it could very well have come from anywhere else.

Using the analogy of a person on connecting flights to the Philippines, Casambre said the attack could have come from another country, flown to China, and then flown into the Philippines.

Casambre, however, is not inclined to believe so.

"Maybe that is how it was. It made a stopover in China, and then it jumped to us. However, what I like to call 'the writing on the wall' points to that direction, China."
 
Organized attack

Drexx Laggui, a private cyber forensic analyst now serving as consultant for the government, has no doubt as to the hackings’ origin.

"The timing is very suspect," Laggui said. "Why did something like this suddenly come from China these days? They control their Internet, so it is hard not to suspect that the attack itself came from them. The persistence, the way it keeps going. I think this is organized."

Laggui was among those who first responded to the UP website attack. He said he understands why the Chinese hackers picked it as the first target.

"What got the most attention was when the UP website was hit. They probably hit it because they knew it would spread right away. A show of force, as they say. Intimidation. Then they came one after another."

Not the 'main event'

Laggui said the cyber vandalism of websites is not even the main event.

He said they merely served as "practice" for the hackers – a testing ground on how much they can do, and where best to do it.

Laggui and his group have uncovered activity far more sinister, all of which occurred within the same week of the UP hacking.

"With other government webpages, they are trying to hit the e-mail, because that e-mail holds a lot. Think about it, if you were in the adversary's place - after all, this is not a shooting war, it is more diplomat versus diplomat, ambassador to ambassador. Your ambassador needs to have information so that his position is stronger when he negotiates. One way of doing that is to break into the websites and email addresses of our high-ranking officials. To find out how they think," Laggui said.

Casambre explained how hacking into conversations between government officials would benefit another nation, especially in the context of an international conflict. "For example, diplomatic communications between our embassies. Those could probably be used. You can imagine that there are communications, or there is data that is of value to foreign powers or whatever."

Casambre and Laggui lamented that there is no unified system of security in the government's Internet presence, knowing the wealth of vital information that may be found within it.
 
Websites of local government units are particularly weak in terms of security, since many are independently and haphazardly done, with web administrators changing as the incumbents' terms end.
 
They mentioned this because while Chinese hackers initially target websites of the executive branch, they also seem to attack wherever else they can.

Compromised websites

Laggui showed an online forum that he and his team discovered. Originally in Mandarin, it revealed, when translated, a "tutorial" of sorts on how to hack into 2 Philippine websites – that of the Philippine Institute for Development Studies (pids.gov.ph), a policy research group; and the procurement information section of the local government of Bulacan (bulacan.gov.ph).

"That is where they discuss who they can victimize, what they have done before, and what else can be done to widen the number of their victims," Laggui said. "These are the passwords I stole, follow along too."

In the forum, a hacker posted a complete set of commands on how to enter the PIDS website, with instructions to merely copy and paste them should others want to try.
 
The thread on the Bulacan website listed down compromised usernames and passwords, even announcing the name of a Filipina believed to be an employee of the Bulacan government, whose account they can secretly hack to get information from the site.
 
Senate, Congress websites targeted
 
However, not all government websites are sitting ducks, Casambre said.

Many departments have highly elaborate security systems in place, so much so that attempts to hack are discovered as they are happening, and consequently thwarted by the department's own IT experts.

"It is as if we heard them knocking on the house or opening the window. Because we heard them opening it, we disturbed them, and they left," Casambre said.

Laggui revealed that there have also been hacking attempts on the websites of the Senate (senate.gov.ph) and the House of Representatives (congress.gov.ph), but highly-skilled system experts have been successful in fending off the attacks.

However, the 2 technology experts agree that it is high time for more concerted efforts from the government, and more priority given to securing information found within its archives.

They call for a unified set of standards, and more importantly, the formation of an established group that manages overall cyber security.

Casambre said Malacañang is expected to issue an executive order soon that will provide for the formation of a group of top-level cyber experts to address this particular concern.

Repeated attempts to get comment from the Chinese embassy in the Philippines were made, but all calls went unanswered.